Source: opennds Version: 9.10.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for opennds. CVE-2023-41101[0]: | An issue was discovered in the captive portal in OpenNDS before | version 10.1.3. get_query in http_microhttpd.c does not validate the | length of the query string of GET requests. This leads to a stack- | based buffer overflow in versions 9.x and earlier, and to a heap- | based buffer overflow in versions 10.x and later. Attackers may | exploit the issue to crash OpenNDS (Denial-of-Service condition) or | to inject and execute arbitrary bytecode (Remote Code Execution). CVE-2023-41102[1]: | An issue was discovered in the captive portal in OpenNDS before | version 10.1.3. It has multiple memory leaks due to not freeing up | allocated memory. This may lead to a Denial-of-Service condition due | to the consumption of all available memory. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-41101 https://www.cve.org/CVERecord?id=CVE-2023-41101 [1] https://security-tracker.debian.org/tracker/CVE-2023-41102 https://www.cve.org/CVERecord?id=CVE-2023-41102 [3] https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx [4] https://github.com/openNDS/openNDS/commit/69dde77927b252e2a4347170504a785ac5d50c33 Regards, Salvatore