Debian Security Advisory

DLA-3389-1 lldpd -- LTS security update

Date Reported:
10 Apr 2023
Affected Packages:
lldpd
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2020-27827, CVE-2021-43612.
More information:

It was discovered that lldpd, an implementation of the IEEE 802.1AB (LLDP) protocol used to administer and monitor networking devices, was affected by two potential denial of service (DoS) issues. Both are triggered by frames received on a monitored interface; LLDP frames are link-local, so an attacker needs to be on a network segment attached to such an interface.

  • CVE-2020-27827

    This flaw was originally reported against multiple versions of Open vSwitch, whose LLDP decoder is derived from lldpd's; the same decoding code in lldpd is affected. Specially crafted LLDP packets can cause memory to be lost (leaked) when allocating data to handle specific optional TLVs. Repeatedly sending such packets can exhaust the memory of the lldpd process, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

  • CVE-2021-43612

    A crash in the SONMP (SynOptics Network Management Protocol, also known as Nortel Discovery Protocol) decoder. A malformed SONMP frame received on a monitored interface can make lldpd crash, resulting in a denial of service.

For Debian 10 Buster, these problems have been fixed in version 1.0.3-1+deb10u1.

We recommend that you upgrade your lldpd packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS