[LEDE-DEV] CVE-2016-10229 Remote code execution vulnerability in kernel networking subsystem
hauke at hauke-m.de
Sun Apr 16 05:11:36 PDT 2017
On 04/16/2017 01:41 PM, yanosz wrote:
> CVE-2016-10229 was patched in android recently. While some distributions
> (ie Debian: https://security-tracker.debian.org/tracker/CVE-2016-10229)
> are not vulnerable due to having backported parts of the kernel code
> before, I wonder about the status in Lede (and OpenWRT).
> There are some rumors, that MSG_PEEK might be used in dnsmasq, but I
> don't know any details here.
> What's the current status in lede?
This was fixed in the following upstream Linux kernel versions:
LEDE 17.01 (kernel 4.4.50) was never affected by this problem.
OpenWrt 15.05.1 (kernel 3.18.23) is affected by this problem, this was
fixed in December 2016 in the OpenWrt CC branch by updating to version
kernel version 3.18.45.
I only checked which kernel version have the fix, which Debian linked, I
have *not* checked if OpenWrt or LEDE are really exploitable. I also
read that dnsmasq uses the problematic functionality, but I haven't
More information about the Lede-dev