Urgent 11: Security Vulnerability

Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Urgent 11: Security Vulnerability

Sagar Wani

Hi Ubuntu Team,

 

Does Ubuntu 2008 has IPNet stack in any of it’s implementations?

 

 

Thank you.

 

Kind Regards.

Sagar Wani

Product Security

Edwards Lifesciences

Tel: +1 949-250-0277

 




This message contains information which may be confidential and privileged. Unless you are the intended addressee (or authorized to receive for the intended addressee), you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply and delete the message. To the extent contractual confidentiality obligations exist, this message and all information transmitted with it are designated "Confidential".

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
Reply | Threaded
Open this post in threaded view
|

Re: Urgent 11: Security Vulnerability

Seth Arnold
Hello Sagar,

On Fri, Sep 06, 2019 at 10:41:04PM +0000, Sagar Wani wrote:
> Today it was disclosed that URGENT11 set of vulnerabilities are not
> restricted to VxWorks but affect other platforms too that are using
> IPnet TCP/IP stack.

>   1.  Does Ubuntu use IPNet stack in any of it's implementations?
>   2.  Are you aware if Ubuntu is affected by URGENT11?

"IPNet" is quite generic, so it's difficult to be confident, but I skimmed
the list of filenames in all our currently available packages that match
'ipnet' in their name, and only one looks vaguely like it could be a
user-space implementation of TCP/IP:

https://github.com/greearb/xorp.ct/blob/master/xorp/libxorp/ipnet.hh

I don't know if this one is related to the findings in the VxWorks TCP/IP
stack or not. Do you know if this is related?

I didn't see any more-specific filenames mentioned in the Urgent11 paper,
such as ipnet_ip4.c, in our unpacked sources.

On Fri, Sep 06, 2019 at 10:45:46PM +0000, Sagar Wani wrote:
> Sagar Wani would like to recall the message, "Urgent 11: Security Vulnerability".

Just a heads up, this appears to leak outside of your organization, at
least on occasion.

On Fri, Sep 06, 2019 at 10:46:52PM +0000, Sagar Wani wrote:
> Does Ubuntu 2008 has IPNet stack in any of it's implementations?

My unpacked archives do not go back as far as 2008; they only cover what's
in currently supported Ubuntu releases from 12.04 LTS and newer.

Do note Ubuntu 8.04 LTS support ended in 2013:
https://lists.ubuntu.com/archives/ubuntu-announce/2013-March/000168.html

If you have Ubuntu 8.04 LTS systems running I strongly recommend updating
them to a currently-supported release: https://wiki.ubuntu.com/Releases

Thanks

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

signature.asc (499 bytes) Download Attachment