Security vulnerability in TCP stack implementation

[betweendayandnight]

On August 6 and 10, 2016, National Vulnerability Database issued a security alert on the TCP stack implementation that it says affects the Linux kernel.

For further information on the security vulnerability, please click the following URL:

https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-5696

Could the experts here confirm that OpenBSD versions 5.9 and 5.10 are NOT compromised by it? If they are, when can the community expect a fix for it?

[jggimi]

1. The best place to ask questions of the Project would be through their mailing lists. This is a third party forum, and we're primarily users here, not experts. I may try to help answer questions, but I'm in the former category, not the latter.
2. The vulnerability you cite references only the Linux kernel. The specific Linux kernel source code module referenced is net/ipv4/tcp_input.c, which is both Linux-specific and has a completely different provenance from the OpenBSD protocol stack's module with a similar name: src/sys/netinet/tcp_input.c. If you look at the two modules, you can see that they are completely different.
3. The only way to know for certain if there is a similar vulnerability would be to test the exploit.
   
   I don't have the skills to develop exploit tests myself. I attempted to do so recently for a pair of CVEs affecting one of the ports I maintain, in order to show the upstream project that they were vulnerable and should apply patches. I was unsuccessful in recreating the exploit tests but the upstream project applied the patches anyway. The CVE patches are in the current version of the port; the updated port removes the CVE patches as they are now included in the application. http://marc.info/?l=openbsd-ports&m=146997546125497&w=2