ALT Linux Team

Package xen update in sisyphus on 2018-01-24

ALT-PU-2018-1076-1

Package xen updated to version 4.10.0-alt4.S1 for branch sisyphus in task 198493.

Closed vulnerabilities

Published: 2018-07-27

BDU:2019-04100

Уязвимость сервера Network Block Device (NBD) эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (8.6) Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2018-07-27
Modified: 2024-11-21

CVE-2017-15118

A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.

Severity: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-07-27
Modified: 2024-11-21

CVE-2017-15119

The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (8.6) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top