CVE-2020-25645

NameCVE-2020-25645
DescriptionA flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2417-1, DLA-2494-1, DSA-4774-1, ELA-339-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)jessie, jessie (lts)3.16.84-1vulnerable
stretch (security)4.9.320-2fixed
stretch (lts), stretch4.9.320-3fixed
buster (security), buster, buster (lts)4.19.316-1fixed
bullseye5.10.223-1fixed
bullseye (security)5.10.226-1fixed
bookworm6.1.115-1fixed
bookworm (security)6.1.119-1fixed
trixie6.12.5-1fixed
sid6.12.6-1fixed
linux-4.19 (PTS)stretch (security)4.19.232-1~deb9u1fixed
stretch (lts), stretch4.19.316-1~deb9u1fixed
linux-4.9 (PTS)jessie, jessie (lts)4.9.303-1~deb8u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcejessie(unfixed)end-of-life
linuxsourcestretch4.9.246-1DLA-2494-1
linuxsourcebuster4.19.152-1DSA-4774-1
linuxsource(unstable)5.8.14-1
linux-4.19sourcestretch4.19.152-1~deb9u1DLA-2417-1
linux-4.9sourcejessie4.9.246-2~deb8u1ELA-339-1

Notes

https://git.kernel.org/linus/34beb21594519ce64a55a498c2fe7d567bc1ca20

Search for package or bug name: Reporting problems