CVE-2013-4350

NameCVE-2013-4350
DescriptionThe IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)stretch4.9.228-1fixed
stretch (security)4.9.290-1fixed
buster4.19.208-1fixed
buster (security)4.19.194-3fixed
bullseye5.10.84-1fixed
bullseye (security)5.10.46-5fixed
bookworm5.15.5-2fixed
sid5.15.15-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcewheezy3.2.53-1
linuxsource(unstable)3.11.5-1
linux-2.6source(unstable)(not affected)

Notes

- linux-2.6 <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2013/09/13/2
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=95ee62083cb6453e056562d91f597552021e6ae7

Search for package or bug name: Reporting problems