
[SECURITY] [DLA 2944-1] nbd security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2944-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 10, 2022                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nbd
Version        : 1:3.15.2-3+deb9u1
CVE ID         : CVE-2022-26495
Debian Bugs    : #1003863 #1006915

An integer overflow (with a resultant heap-based buffer overflow)
was discovered in the nbd Network Block Device server. A value of
0xffffffff in the name length field could have caused a zero-sized
buffer to be allocated for the name, resulting in a write to a
dangling pointer.

For Debian 9 "Stretch", this problem has been fixed in version
1:3.15.2-3+deb9u1.

We recommend that you upgrade your nbd packages.

For the detailed security status of nbd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbd

Thanks to Wouter Verhelst for help in preparing this update.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
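
The overflow described in the advisory, shown as an added example that is not nbd's code and not part of the advisory: a 32-bit "length + 1" computation wraps to zero for 0xffffffff, and a parser that bounds the length before using it rejects such input. The wire layout, MAX_NAME_LEN, the sample messages and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 4096u /* assumed policy limit, not a value from nbd */
/* The arithmetic in the advisory: 0xffffffff + 1 wraps to 0 in 32 bits. */
static uint32_t unchecked_alloc_size(uint32_t name_len) { return name_len + 1u; }

/* Hardened parse of [4-byte big-endian length][name]; 0 and copy in *out, else -1. */
static int parse_name(const uint8_t *msg, size_t msg_len, char **out)
{
    *out = NULL;
    if (msg_len < 4)
        return -1;
    uint32_t name_len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                        ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    /* Bound the length before doing any arithmetic with it. */
    if (name_len > MAX_NAME_LEN || name_len > msg_len - 4)
        return -1;
    *out = malloc((size_t)name_len + 1); /* bounded above, so this cannot wrap */
    if (*out == NULL)
        return -1;
    memcpy(*out, msg + 4, name_len);
    (*out)[name_len] = '\0';
    return 0;
}

/* Constructed sample messages: valid, wrapping length, length past the data. */
static const uint8_t MSG_OK[] = { 0, 0, 0, 6, 'e', 'x', 'p', 'o', 'r', 't' };
static const uint8_t MSG_WRAP[] = { 0xff, 0xff, 0xff, 0xff, 'A' };
static const uint8_t MSG_SHORT[] = { 0, 0, 0, 9, 'a', 'b' };

/* Parse, release the copy, and return parse_name()'s result. */
static int accepts(const uint8_t *msg, size_t msg_len)
{
    char *name;
    int rc = parse_name(msg, msg_len, &name);
    free(name);
    return rc;
}

int main(void)
{
    printf("wrapped size=%u ok=%d wrap=%d short=%d\n",
           (unsigned)unchecked_alloc_size(0xffffffffu), accepts(MSG_OK, sizeof MSG_OK),
           accepts(MSG_WRAP, sizeof MSG_WRAP), accepts(MSG_SHORT, sizeof MSG_SHORT));
    return 0;
}
```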
