Package: collectd Version: 5.1.0-3 Severity: important Tags: patch, security, upstream, fixed-upstream
Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable. The identifier CVE-2016-6254 has been assigned to this issue. This issue has been fixed in the released 5.5.2 and 5.4.3. Please update the version provided by Debian to a non-vulnerable version. For the oldstable and stable branches, please add the following patches to fix the issue: https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18 https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7 The second patch is unrelated to CVE-2016-6254. It fixes an initialization issue with libgcrypt which could theoretically lead to a half-initialized library being used. Best regards, —octo -- collectd – The system statistics collection daemon Website: http://collectd.org Google+: http://collectd.org/+ GitHub: https://github.com/collectd Twitter: http://twitter.com/collectd
signature.asc
Description: Digital signature
