Debian Security Advisory

DLA-304-1 openslp-dfsg -- LTS security update

Date Reported:
03 Sep 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 623551, Bug 687597, Bug 795429.
In Mitre's CVE dictionary: CVE-2010-3609, CVE-2012-4428, CVE-2015-5177.
More information:

Several issues have been found and solved in OpenSLP, that implements the Internet Engineering Task Force (IETF) Service Location Protocol standards protocol.

  • CVE-2010-3609

    Remote attackers could cause a Denial of Service in the Service Location Protocol daemon (SLPD) via a crafted packet with a next extension offset.

  • CVE-2012-4428

    Georgi Geshev discovered that an out-of-bounds read error in the SLPIntersectStringList() function could be used to cause a DoS.

  • CVE-2015-5177

    A double free in the SLPDProcessMessage() function could be used to cause openslp to crash.

    For Debian 6 Squeeze, these problems have been fixed in openslp-dfsg version 1.2.1-7.8+deb6u1.

    We recommend that you upgrade your openslp-dfsg packages.