CVE-2017

CVE 2017-14199

Buffer overflow in getaddrinfo().

• Zephyr project bug tracker ZEPSEC-12

• PR6158 fix for 1.11.0

CVE 2017-14201

The shell DNS command can cause unpredictable results due to misuse of stack variables.

Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution.

This has been fixed in release v1.14.0.

• Zephyr project bug tracker ZEPSEC-17

• PR13260 fix for v1.14.0

CVE 2017-14202

The shell implementation does not protect against buffer overruns resulting in unpredictable behavior.

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution.

This has been fixed in release v1.14.0.

• Zephyr project bug tracker ZEPSEC-18

• PR13048 fix for v1.14.0