SUSE-SU-2022:1276-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2022/suse-su-20221276-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:1276-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2022:1276-1
Related
Published
2022-04-20T07:17:17Z
Modified
2022-04-20T07:17:17Z
Summary
Security update for nbd
Details

This update for nbd fixes the following issues:

  • CVE-2022-26495: Fixed an integer overflow with a resultant heap-based buffer overflow (bsc#1196827).
  • CVE-2022-26496: Fixed a stack-based buffer overflow when parsing the name field by sending a crafted NBDOPTINFO (bsc#1196828).

Update to version 3.24 (bsc#1196827, bsc#1196828, CVE-2022-26495, CVE-2022-26496): * https://github.com/advisories/GHSA-q9rw-8758-hccj

Update to version 3.23: * Don't overwrite the hostname with the TLS hostname

Update to version 3.22: - nbd-server: handle auth for v6-mapped IPv4 addresses - nbd-client.c: parse the next option in all cases - configure.ac: silence a few autoconf 2.71 warnings - spec: Relax NBDOPTLISTMETACONTEXTS - client: Don't confuse Unix socket with TLS hostname - server: Avoid deprecated g_memdup

Update to version 3.21: - Fix --disable-manpages build - Fix a bug in whitespace handling regarding authorization files - Support client-side marking of devices as read-only - Support preinitialized NBD connection (i.e., skip the negotiation). - Fix the systemd unit file for nbd-client so it works with netlink (the more common situation nowadays)

Update to 3.20.0 (no changelog)

Update to version 3.19.0: * Better error messages in case of unexpected disconnects * Better compatibility with non-bash sh implementations (for configure.sh) * Fix for a segfault in NBDOPTINFO handling * The ability to specify whether to listen on both TCP and Unix domain sockets, rather than to always do so * Various minor editorial and spelling fixes in the documentation.

Update to version 1.18.0: * Client: Add the '-g' option to avoid even trying the NBDOPTGO message * Server: fixes to inetd mode * Don't make gnutls and libnl automagic. * Server: bugfixes in handling of some export names during verification. * Server: clean supplementary groups when changing user. * Client: when using the netlink protocol, only set a timeout when there actually is a timeout, rather than defaulting to 0 seconds * Improve documentation on the nbdtab file * Minor improvements to some error messages * Improvements to test suite so it works better on non-GNU userland environments

  • Update to version 1.17.0:
    • proto: add xNBD command NBDCMDCACHE to the spec
    • server: do not crash when handling child name
    • server: Close socket pair when fork fails
References

Affected packages

openSUSE:Leap 15.3 / nbd

Package

Name
nbd
Purl
pkg:rpm/opensuse/nbd&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.24-150000.3.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "nbd": "3.24-150000.3.3.1"
        }
    ]
}