oss-sec mailing list archives
Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs)
From: Peter Kjellström <cap () nsc liu se>
Date: Tue, 17 Mar 2015 18:02:41 +0100
My first post and it may not even be the right place so sorry in advance... Not entirely sure what to expect from the nvd site for a CVE like this (about 1 week old counting from redhats advisory) but information is at best incomplete at: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8159 Here are a few problems with the info: * rhel6 / 2.6.32 is listed as impacted (but already the linked bz expands this to rhel5 and rhel7. * In fact this bug (as I understand it) is in all versions of the verbs kernel module except some point in 3.19.xxx and rhel6 updates. Affected list grows to: 1) other distributions building kernel with infiniband/verbs enabled 2) other distributions providing "external" infiniband/verbs modules 3) other sources providing 3rd party infiniband/verbs modules * I know that Mellanox (found under 3 above) has released an update (MLNX_OFED 2.4-1) that fixes the issue, but this info is missing. https://community.mellanox.com/message/4401#4401 If this was not the correct place to contribute/fix information maybe someone can point me in the correct direction. /Peter K
Current thread:
- Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs) Peter Kjellström (Mar 17)
- Re: Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs) cve-assign (Mar 17)