CVE-2024-41090 / CVE-2024-41091 kernel: virtio-net: tun: mlx5_core short frame denial of service

Hi,
thank you for the report! Telling from the upstream fixes [0][1], yes, Proxmox VE is also affected, because the current kernel contains the older commits that introduced the issue. While the initial report [2] mentions a crash with the mlx5 driver, it's not clear if other network drivers also suffer from a DoS. The fixes have been backported [3] and are contained from the next kernel package, i.e. 6.8.8-4-pve which will be made available later today.

[0]: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=ed7f2afdd0e0
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=049584807f1d
[2]: https://seclists.org/oss-sec/2024/q3/110
[3]: https://git.proxmox.com/?p=pve-kernel.git;a=commit;h=a791b86e0a851967b699eaec132b977284cf55a8
 
Thanks. We hope mlx5 is the only one, because we have one Proxmox VE we cannot reboot yet.
 
Kernels 6.8.8-4-pve and 6.5.13-6-pve for our bookworm-based products (pve-no-subscription, pmgtest, pbstest) and 5.15.158-2-pve for our bullseye-based products (pve-no-subscription, pmgtest, pbstest) containing the fixes are now publicly available.