Missing verification of host key for kdump server
The kdump implementation is missing the host key verification in the kdump and mkdumprd OpenSSH integration of kdump prior to version 2012-01-20. This is similar to CVE-2011-3588, but different in that the kdump implementation is specific to SUSE. A remote malicious kdump server could use this flaw to impersonate the correct kdump server to obtain security sensitive information (kdump core files).
References
- https://www.suse.com/security/cve/CVE-2011-4190/ x_refsource_CONFIRM
- https://bugzilla.suse.com/show_bug.cgi?id=722440 x_refsource_CONFIRM
- https://www.suse.com/security/cve/CVE-2011-4190/ x_transferred x_refsource_CONFIRM
- https://bugzilla.suse.com/show_bug.cgi?id=722440 x_transferred x_refsource_CONFIRM
- https://www.suse.com/security/cve/CVE-2011-4190/ x_refsource_CONFIRM
- https://bugzilla.suse.com/show_bug.cgi?id=722440 x_refsource_CONFIRM
- https://www.suse.com/security/cve/CVE-2011-4190/ x_transferred x_refsource_CONFIRM
- https://bugzilla.suse.com/show_bug.cgi?id=722440 x_transferred x_refsource_CONFIRM
Affected products
kdump
- <2012-01-20
Matching in nixpkgs
pkgs.sockdump
Dump unix domain socket traffic with bpf
-
nixos-unstable 0-unstable-2023-12-11
- nixpkgs-unstable 0-unstable-2023-12-11
- nixos-unstable-small 0-unstable-2023-12-11
-
nixos-25.11 0-unstable-2023-12-11
- nixos-25.11-small 0-unstable-2023-12-11
- nixpkgs-25.11-darwin 0-unstable-2023-12-11
Package maintainers
-
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
-
@picnoir Félix Baylac-Jacqué <felix@alternativebit.fr>
-
@ehmry Emery Hemingway <ehmry@posteo.net>