dpdk-19.11.3-1.el8

Errata ID: AXSA:2021-1390:01

Release date: Thursday, February 4, 2021 - 12:22
Subject: dpdk-19.11.3-1.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The dpdk packages provide the Data Plane Development Kit, which is a set of libraries and drivers for fast packet processing in the user space.

The following packages have been upgraded to a later upstream version: dpdk (19.11.3).

Security Fix(es):

* dpdk: librte_vhost Malicious guest could cause segfault by sending invalid Virtio descriptor (CVE-2020-10725)

* dpdk: librte_vhost Integer overflow in vhost_user_set_log_base() (CVE-2020-10722)

* dpdk: librte_vhost Integer truncation in vhost_user_check_and_alloc_queue_pair() (CVE-2020-10723)

* dpdk: librte_vhost VHOST_USER_GET_INFLIGHT_FD message flooding to result in a DoS (CVE-2020-10726)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-10722
A vulnerability was found in DPDK versions 18.05 and above. A missing check for an integer overflow in vhost_user_set_log_base() could result in a smaller memory map than requested, possibly allowing memory corruption.
CVE-2020-10723
A memory corruption issue was found in DPDK versions 17.05 and above. This flaw is caused by an integer truncation on the index of a payload. Under certain circumstances, the index (a UInt) is copied and truncated into a uint16, which can lead to out-of-bounds indexing and possible memory corruption.
CVE-2020-10725
A flaw was found in DPDK version 19.11 and above that allows a malicious guest to cause a segmentation fault of the vhost-user backend application running on the host, which could result in a loss of connectivity for the other guests running on that host. This is caused by a missing validity check of the descriptor address in the function `virtio_dev_rx_batch_packed()`.
CVE-2020-10726
A vulnerability was found in DPDK versions 19.11 and above. A malicious container that has direct access to the vhost-user socket can keep sending VHOST_USER_GET_INFLIGHT_FD messages, causing a resource leak (file descriptors and virtual memory), which may result in a denial of service.
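
The truncation pattern described for CVE-2020-10723, as an added illustration that is not DPDK code: every name here (`ring_msg`, `MAX_VRING`, `check_truncated`, `check_full`, `slot_for`) and the table size are assumptions made up for this example. It shows why a bound check applied to a 16-bit copy of a 32-bit index does not protect any later use of the full-width index, and what the full-width check looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VRING 256u          /* hypothetical table size */

/* Constructed stand-in for a message payload: the peer-controlled
 * index arrives as a 32-bit field. */
struct ring_msg { uint32_t index; };

static int ring_table[MAX_VRING];

/* Flawed pattern: the index is narrowed to 16 bits before the bound
 * check, so only the low 16 bits are validated. In real code the
 * narrowing is usually implicit (a uint16_t parameter or local). */
bool check_truncated(const struct ring_msg *m)
{
    uint16_t idx = (uint16_t)m->index;   /* 0x10003 becomes 0x0003 */
    return idx < MAX_VRING;
}

/* Hardened pattern: validate the value at the width it was received. */
bool check_full(const struct ring_msg *m)
{
    return m->index < MAX_VRING;
}

/* Lookup that refuses any index the full-width check rejects. */
int *slot_for(const struct ring_msg *m)
{
    if (!check_full(m))
        return NULL;
    return &ring_table[m->index];
}

int main(void)
{
    /* Constructed sample inputs: one in range, one with high bits set. */
    struct ring_msg ok = { 3 }, bad = { 0x10003u };

    printf("index 0x%x: truncated check=%d full check=%d\n",
           (unsigned)ok.index, check_truncated(&ok), check_full(&ok));
    printf("index 0x%x: truncated check=%d full check=%d\n",
           (unsigned)bad.index, check_truncated(&bad), check_full(&bad));
    printf("slot_for(bad) is %s\n", slot_for(&bad) ? "returned" : "refused");
    return 0;
}
```
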

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. dpdk-19.11.3-1.el8.src.rpm
    MD5: 770fd98e2e4e645631cbec50cddeb304
    SHA-256: 842db00ce45b8cb70f3f086521e5ec056c0cf7dd960d4635b016bbe0976a0a1a
    Size: 11.89 MB

Asianux Server 8 for x86_64
  1. dpdk-19.11.3-1.el8.x86_64.rpm
    MD5: 20ac1431cf8ff1117747750d51052402
    SHA-256: 60b54adb3398d49694e37f89d6bafbb6bef0f671d5c11cc523a6113665d37926
    Size: 2.13 MB
  2. dpdk-devel-19.11.3-1.el8.x86_64.rpm
    MD5: 22fd78c6930eb511e80020466318ecc9
    SHA-256: a4beb6a485b457e5289224c35674b9a27e70296b01cc5f8b290df2937df64403
    Size: 376.52 kB
  3. dpdk-doc-19.11.3-1.el8.noarch.rpm
    MD5: 43072b962f3cd4ee1546ad3f2356f188
    SHA-256: 7e1aee205c7d70b0057afaffea2d88eea84c389e9610093363717c864bf33649
    Size: 10.02 MB
  4. dpdk-tools-19.11.3-1.el8.x86_64.rpm
    MD5: 7e3be4a6f50d43182ebe34cb2d8aed66
    SHA-256: be063325633a3751068bc0f21211bd4a6da38a1d5bd10b5db0482ce85cf05c1c
    Size: 32.75 kB