CVE-2013-4350

Name: CVE-2013-4350
Description: The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
NVD severity: medium (attack range: remote)
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

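| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | wheezy | 3.2.65-1 | fixed |
| linux (PTS) | wheezy (security) | 3.2.68-1+deb7u1 | fixed |
| linux (PTS) | jessie | 3.16.7-ckt9-2 | fixed |
| linux (PTS) | jessie (security) | 3.16.7-ckt9-3~deb8u1 | fixed |
| linux (PTS) | stretch, sid | 3.16.7-ckt9-3 | fixed |
| linux-2.6 (PTS) | squeeze, squeeze (security) | 2.6.32-48squeeze6 | fixed |
| linux-2.6 (PTS) | squeeze (lts) | 2.6.32-48squeeze11 | fixed |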

The information below is based on the following data on fixed versions.

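| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | (unstable) | 3.11.5-1 | medium | | |
| linux | source | wheezy | 3.2.53-1 | medium | | |
| linux-2.6 | source | (unstable) | (not affected) | | | |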

Notes

- linux-2.6 <not-affected> (Vulnerable code not present)
http://www.openwall.com/lists/oss-security/2013/09/13/2
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=95ee62083cb6453e056562d91f597552021e6ae7
