Hi,

On Tue, Jul 26, 2016 at 10:48:58AM +0200, Florian Forster wrote:
> Emilien Gaspar has identified a heap overflow in collectd's network
> plugin which can be triggered remotely and is potentially exploitable.
> The identifier CVE-2016-6254 has been assigned to this issue.
>
> This issue has been fixed in the released 5.5.2 and 5.4.3.
> Please update the version provided by Debian to a non-vulnerable
> version.
>
> For the oldstable and stable branches, please add the following patches
> to fix the issue:
>
> https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18

Thank you for reporting this.

> https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7
>
> The second patch is unrelated to CVE-2016-6254. It fixes an
> initialization issue with libgcrypt which could theoretically lead to a
> half-initialized library being used.

I've reported a separate bug for this issue: https://bugs.debian.org/832577

Cheers,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin