Bug#832507: Heap overflow in the network plugin

2016-07-27 Thread Sebastian Harl
Hi,

On Tue, Jul 26, 2016 at 10:48:58AM +0200, Florian Forster wrote:
> Emilien Gaspar has identified a heap overflow in collectd's network
> plugin which can be triggered remotely and is potentially exploitable.
> The identifier CVE-2016-6254 has been assigned to this issue.
> 
> This issue has been fixed in the released 5.5.2 and 5.4.3.
> Please update the version provided by Debian to a non-vulnerable
> version.
> 
> For the oldstable and stable branches, please add the following patches
> to fix the issue:
> 
> https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18

Thank you for reporting this.

> https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7
> 
> The second patch is unrelated to CVE-2016-6254. It fixes an
> initialization issue with libgcrypt which could theoretically lead to a
> half-initialized library being used.

I've reported a separate bug for this issue:
https://bugs.debian.org/832577

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin





Bug#832507: Heap overflow in the network plugin

2016-07-26 Thread Florian Forster
Package: collectd
Version: 5.1.0-3
Severity: important
Tags: patch, security, upstream, fixed-upstream

Emilien Gaspar has identified a heap overflow in collectd's network
plugin which can be triggered remotely and is potentially exploitable.
The identifier CVE-2016-6254 has been assigned to this issue.

This issue has been fixed in the released 5.5.2 and 5.4.3.
Please update the version provided by Debian to a non-vulnerable
version.

For the oldstable and stable branches, please add the following patches
to fix the issue:

https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18
https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7

The second patch is unrelated to CVE-2016-6254. It fixes an
initialization issue with libgcrypt which could theoretically lead to a
half-initialized library being used.

Best regards,
—octo
-- 
collectd – The system statistics collection daemon
Website: http://collectd.org
Google+: http://collectd.org/+
GitHub:  https://github.com/collectd
Twitter: http://twitter.com/collectd

