DPDK announcements
* [dpdk-announce] Vhost-user CVE-2018-1059
@ 2018-04-23 15:55 Maxime Coquelin
From: Maxime Coquelin @ 2018-04-23 15:55 UTC (permalink / raw)
  To: announce

Dear users,

All versions of DPDK's Vhost-user library are vulnerable to out-of-bound
accesses initiated by a buggy or malicious guest.

This vulnerability has been assigned CVE-2018-1059.

Users are strongly encouraged to upgrade to the latest releases:
- v16.11.6 (LTS): https://fast.dpdk.org/rel/dpdk-16.11.6.tar.xz
- v17.08.2: https://fast.dpdk.org/rel/dpdk-17.08.2.tar.xz
- v17.11.2 (LTS): https://fast.dpdk.org/rel/dpdk-17.11.2.tar.xz
- v18.02.1: https://fast.dpdk.org/rel/dpdk-18.02.1.tar.xz

Starting with DPDK v17.11, the rte_vhost_gpa_to_vva() API was introduced for
external Vhost backends to be able to translate guest's physical
addresses to Vhost process's virtual addresses.
This API is now marked as deprecated, and users must replace its use
with the new rte_vhost_va_from_guest_pa() API. This new API takes an
extra length parameter that must be checked properly.

Patches fixing this vulnerability will soon be posted to the dev
mailing-list for upstream master, and to the stable mailing-list for
stable branches.

Kind regards,
Maxime
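
Added example, not part of the announcement and not DPDK code: a simplified stand-alone model of why a guest-physical to host-virtual translation needs a length that the caller checks. The struct, the function names and the sample memory layout are hypothetical, and the length is assumed to be an in/out value that the translation shrinks to the contiguous bytes actually mapped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of one guest memory region (hypothetical names). */
struct mem_region {
    uint64_t guest_phys_addr; /* start of the region in guest physical space */
    uint64_t size;            /* region length in bytes */
    uint64_t host_user_addr;  /* where the region is mapped in this process */
};

/* Length-aware translation. On input *len is the size the caller wants;
 * on output it is the number of contiguous bytes mapped starting at gpa.
 * Returns 0 when gpa falls outside every region. */
static uint64_t va_from_guest_pa(const struct mem_region *r, size_t n,
                                 uint64_t gpa, uint64_t *len)
{
    for (size_t i = 0; i < n; i++) {
        if (gpa < r[i].guest_phys_addr)
            continue;
        uint64_t off = gpa - r[i].guest_phys_addr;
        if (off >= r[i].size)
            continue;
        if (*len > r[i].size - off)
            *len = r[i].size - off; /* request runs past the region end */
        return r[i].host_user_addr + off;
    }
    *len = 0;
    return 0;
}

/* Caller-side check: accept a guest-supplied buffer only when every
 * requested byte is mapped contiguously. Returns the host address or 0. */
static uint64_t map_guest_buf(const struct mem_region *r, size_t n,
                              uint64_t gpa, uint64_t want)
{
    uint64_t len = want;
    uint64_t vva = va_from_guest_pa(r, n, gpa, &len);
    return (want == 0 || vva == 0 || len != want) ? 0 : vva;
}

/* Constructed sample layout: two 4 KiB regions with a hole between them. */
static const struct mem_region sample[] = {
    { 0x0000, 0x1000, 0x7f0000000000ULL },
    { 0x2000, 0x1000, 0x7f0000100000ULL },
};

int main(void)
{
    printf("in bounds: %#llx\n", (unsigned long long)map_guest_buf(sample, 2, 0x0ff0, 0x10));
    printf("past end:  %#llx\n", (unsigned long long)map_guest_buf(sample, 2, 0x0ff0, 0x20));
    return 0;
}
```

A translation without the length argument would return the same host address for both calls, leaving the second access free to run past the mapped region.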
