Nixpkgs: Important CVE regarding bluethooth exploit

Created on 12 Sep 2017  路  6Comments  路  Source: NixOS/nixpkgs

Issue description

There have been two recent CVEs (CVE-2017-1000250, CVE-2017-1000251 aka BlueBorne). While CVE-2017-1000251 seems to be mitigated partially by having CONFIG_CC_STACKPROTECTOR=y in the default kernel config, but the remote memory disclosure bug for unauthenticated(!) attackers in BlueZ (CVE-2017-1000250) seems to be more pressing for NixOS.

There has been no upstream release yet by the BlueZ project, but Ubuntu has patches for several versions. https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BlueBorne

I guess it might be a good idea for someone with more experience to look into the issue and maybe backport/apply Ubuntu's or Redhat's patches to BlueZ and update the linux kernel.

security
Source
picture Moredread

Most helpful comment

Is this planned to be backported to 17.03?

picture sjagoe on 21 Sep 2017
👍2

All 6 comments

Sorry, I might be a bit panicking, but remote exploits freak me a bit out. :p

Moredread picture Moredread on 12 Sep 2017

@Elkhazrajy Good question, doesn't seem so atm.

Moredread picture Moredread on 13 Sep 2017

@grahamc @fpletz

(we should have a NixOS/security-team handle)

FRidh picture FRidh on 13 Sep 2017
👍1

Is anyone on this one?

copumpkin picture copumpkin on 16 Sep 2017

I'll take care of it.

fpletz picture fpletz on 18 Sep 2017

Is this planned to be backported to 17.03?

sjagoe picture sjagoe on 21 Sep 2017
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

copumpkin picture copumpkin  路  3Comments
ob7 picture ob7  路  3Comments
chris-martin picture chris-martin  路  3Comments
vaibhavsagar picture vaibhavsagar  路  3Comments
copumpkin picture copumpkin  路  3Comments