On 11/12/2019 3:15 PM, Ferruh Yigit wrote:
> A vulnerability was fixed in DPDK.
>
> Some downstream stakeholders were warned in advance in order to coordinate the
> release of fixes and reduce the vulnerability window.
>
> Problem:
> A malicious container which has direct access to the vhost-user socket can keep
> sending messages which may cause leaking resources until resulting a DOS.
>
> All users of the vhost library are strongly encouraged to upgrade as soon as
> possible.
>
> CVE-2019-14818
> Bugzilla: https://bugs.dpdk.org/show_bug.cgi?id=363
> Severity: Medium
> CVSS scores: 6.8
>
> Commits:
> main repo
> https://git.dpdk.org/dpdk/commit/?id=612e17cf6d7b
> https://git.dpdk.org/dpdk/commit/?id=bf472259dde6
>
> 19.08.1
> https://git.dpdk.org/dpdk-stable/commit/?h=19.08&id=fa674d08985f
> https://git.dpdk.org/dpdk-stable/commit/?h=19.08&id=6547dd563ea9
>
> 18.11.4 (LTS)
> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=70583a6b9b1c
> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=f8898927bb16
>
> 17.11.8 (LTS)
> https://git.dpdk.org/dpdk-stable/commit/?h=17.11&id=3b1b44a1c82a
> https://git.dpdk.org/dpdk-stable/commit/?h=17.11&id=8a8dbd0ec19e
> https://git.dpdk.org/dpdk-stable/commit/?h=17.11&id=1f6147d9a01f
>
> 16.11.10 (LTS EOL)
> https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=5fbb5c2919b6
> https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=3863340f93b8
> https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=8790f4c3bcd2
> https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=1bf11cfb7c7c

A regression has been found on the above commits when
VHOST_USER_VRING_NOFD_MASK is set. There is a suggested fix [1]; review and
testing are ongoing.

We are planning to have an update tomorrow.

Sorry for the inconvenience caused.

[1] https://patches.dpdk.org/patch/62956/