On Tue, Apr 04, 2017 at 12:38:19PM +0200, Salvatore Bonaccorso wrote:
> Source: collectd
> Version: 5.4.1-6
> Severity: important
> Tags: security patch upstream
>
> Hi,
>
> the following vulnerability was published for collectd.
>
> CVE-2017-7401[0]:
> | Incorrect interaction of the parse_packet() and
> | parse_part_sign_sha256() functions in network.c in collectd 5.7.1 and
> | earlier allows remote attackers to cause a denial of service (infinite
> | loop) of a collectd instance (configured with "SecurityLevel None" and
> | with empty "AuthFile" options) via a crafted UDP packet.

What's the status? It would be great if this could be fixed before the stretch
release.

Cheers,
Moritz