CVE-2018-1108

NameCVE-2018-1108
Descriptionkernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)jessie3.16.56-1+deb8u1fixed
jessie (security)3.16.59-1fixed
stretch4.9.110-1vulnerable
stretch (security)4.9.110-3+deb9u6vulnerable
buster, sid4.18.10-2fixed
linux-4.9 (PTS)jessie (security)4.9.110-3+deb9u5~deb8u1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsource(unstable)4.16.5-1medium
linuxsourcejessie(not affected)
linuxsourcewheezy(not affected)
linux-4.9sourcejessie(unfixed)medium

Notes

[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
Fixed by: https://git.kernel.org/linus/43838a23a05fbd13e47d750d3dfd77001536dd33
https://bugs.chromium.org/p/project-zero/issues/detail?id=1559

Search for package or bug name: Reporting problems