Debian Security Advisory

DLA-304-1 openslp-dfsg -- LTS security update

Date Reported:
03 Sep 2015
Affected Packages:
openslp-dfsg
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 623551, Bug 687597, Bug 795429.
In Mitre's CVE dictionary: CVE-2010-3609, CVE-2012-4428, CVE-2015-5177.
More information:

Several issues have been found and fixed in OpenSLP, an implementation of the Internet Engineering Task Force (IETF) Service Location Protocol (SLP) standard.

  • CVE-2010-3609

    Remote attackers could cause a denial of service (an infinite loop in the extension parser) in the Service Location Protocol daemon (SLPD) via a crafted packet whose "next extension offset" field does not advance through the message.

  • CVE-2012-4428

    Georgi Geshev discovered that an out-of-bounds read error in the SLPIntersectStringList() function could be used to cause a DoS.

  • CVE-2015-5177

    A double free in the SLPDProcessMessage() function could be used to cause openslp to crash.
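The extension-offset issue is easier to see with a parser in hand. The following is an added illustration, not OpenSLP source and not the Debian patch: it uses the SLPv2 wire layout from RFC 2608 (a 14-byte fixed header whose bytes 7..9 hold the offset of the first extension, each extension starting with a 2-byte ID and a 3-byte "next extension offset", offsets counted from the start of the message, 0 ending the chain). The unguarded walker shows how a self-referencing or backward offset keeps an unchecked loop from ever reaching 0, and an oversized offset reads past the buffer; the checked walker shows the bounds and strict-monotonicity checks a hardened parser needs. The function names, the step cap in the naive version, and the sample packets are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not OpenSLP source. Layout is the SLPv2 one from
 * RFC 2608: a 14-byte fixed header whose bytes 7..9 hold the offset of
 * the first extension, and each extension starting with a 2-byte ID
 * and a 3-byte "next extension offset". Offsets count from the start of
 * the message; 0 ends the chain. */
#define SLP_HDR_MIN      14
#define SLP_HDR_NEXT_EXT 7
#define SLP_EXT_HDR_LEN  5

static uint32_t read_u24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Unguarded walk: trusts every offset in the packet. An offset that
 * points back at an earlier extension, or at itself, never reaches 0,
 * and an offset past the buffer reads out of bounds. max_steps exists
 * only so this demo terminates; returns -1 when it is hit. */
int walk_extensions_naive(const uint8_t *msg, int max_steps)
{
    uint32_t off = read_u24(msg + SLP_HDR_NEXT_EXT);
    int count = 0;

    while (off != 0) {
        if (count >= max_steps)
            return -1;              /* real code would spin here forever */
        off = read_u24(msg + off + 2);
        count++;
    }
    return count;
}

/* Checked walk: each offset must fall inside the buffer with room for a
 * full extension header, and must be strictly larger than the previous
 * one, which rejects self-references and backward cycles in O(n).
 * Returns the extension count, or -1 for a malformed chain. */
int walk_extensions_checked(const uint8_t *msg, size_t len)
{
    uint32_t off, prev = SLP_HDR_MIN - 1;
    int count = 0;

    if (len < SLP_HDR_MIN)
        return -1;
    off = read_u24(msg + SLP_HDR_NEXT_EXT);

    while (off != 0) {
        if (off <= prev)                                 /* loop or header */
            return -1;
        if (off > len || len - off < SLP_EXT_HDR_LEN)    /* out of bounds */
            return -1;
        prev = off;
        off = read_u24(msg + off + 2);
        count++;
    }
    return count;
}

/* Constructed test packets (not captures). */
#define U24(v)            (uint8_t)((v) >> 16), (uint8_t)((v) >> 8), (uint8_t)(v)
#define SLP_HDR(next)     2, 1, U24(0), 0, 0, U24(next), 0, 1, 0, 0
#define SLP_EXT(id, next) (uint8_t)((id) >> 8), (uint8_t)(id), U24(next)

static const uint8_t msg_no_ext[]   = { SLP_HDR(0) };
static const uint8_t msg_two_exts[] = { SLP_HDR(14), SLP_EXT(1, 19), SLP_EXT(2, 0) };
static const uint8_t msg_self_ref[] = { SLP_HDR(14), SLP_EXT(1, 14) };
static const uint8_t msg_backward[] = { SLP_HDR(14), SLP_EXT(1, 19), SLP_EXT(2, 14) };
static const uint8_t msg_oob[]      = { SLP_HDR(14), SLP_EXT(1, 4000) };

int main(void)
{
    printf("two exts : naive=%d checked=%d\n",
           walk_extensions_naive(msg_two_exts, 1000),
           walk_extensions_checked(msg_two_exts, sizeof msg_two_exts));
    printf("self ref : naive=%d checked=%d\n",
           walk_extensions_naive(msg_self_ref, 1000),
           walk_extensions_checked(msg_self_ref, sizeof msg_self_ref));
    printf("backward : naive=%d checked=%d\n",
           walk_extensions_naive(msg_backward, 1000),
           walk_extensions_checked(msg_backward, sizeof msg_backward));
    /* msg_oob is only fed to the checked walker: the naive one would read
     * past the array. */
    printf("oob      : checked=%d\n",
           walk_extensions_checked(msg_oob, sizeof msg_oob));
    return 0;
}
```

The strictly-increasing rule is the cheap way to make a chain walk terminate: it needs no visited-set, and any packet a conforming sender produces already satisfies it, since RFC 2608 lays extensions out in order after the message body. The bounds check must be done before the offset is dereferenced, and `len - off < SLP_EXT_HDR_LEN` is written in that subtracted form so an offset close to `len` cannot overflow the comparison.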

For Debian 6 Squeeze, these problems have been fixed in openslp-dfsg version 1.2.1-7.8+deb6u1.

We recommend that you upgrade your openslp-dfsg packages.