[ubuntu-hardened] Urgent 11: Security Vulnerability

[Seth Arnold]

Hello Sagar,

On Fri, Sep 06, 2019 at 10:41:04PM +0000, Sagar Wani wrote:
> Today it was disclosed that URGENT11 set of vulnerabilities are not
> restricted to VxWorks but affect other platforms too that are using
> IPnet TCP/IP stack.

>   1.  Does Ubuntu use IPNet stack in any of it's implementations?
>   2.  Are you aware if Ubuntu is affected by URGENT11?

"IPNet" is quite generic, so it's difficult to be confident, but I skimmed
the list of filenames in all our currently available packages that match
'ipnet' in their name, and only one looks vaguely like it could be a
user-space implementation of TCP/IP:

https://github.com/greearb/xorp.ct/blob/master/xorp/libxorp/ipnet.hh

I don't know if this one is related to the findings in the VxWorks TCP/IP
stack or not. Do you know if this is related?

I didn't see any more-specific filenames mentioned in the Urgent11 paper,
such as ipnet_ip4.c, in our unpacked sources.

On Fri, Sep 06, 2019 at 10:45:46PM +0000, Sagar Wani wrote:
> Sagar Wani would like to recall the message, "Urgent 11: Security Vulnerability".

Just a heads up, this appears to leak outside of your organization, at
least on occasion.

On Fri, Sep 06, 2019 at 10:46:52PM +0000, Sagar Wani wrote:
> Does Ubuntu 2008 has IPNet stack in any of it's implementations?

My unpacked archives do not go back as far as 2008; they only cover what's
in currently supported Ubuntu releases from 12.04 LTS and newer.

Do note Ubuntu 8.04 LTS support ended in 2013:
https://lists.ubuntu.com/archives/ubuntu-announce/2013-March/000168.html

If you have Ubuntu 8.04 LTS systems running I strongly recommend updating
them to a currently-supported release: https://wiki.ubuntu.com/Releases

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20190906/6dee7e3f/attachment.sig>