SUSE-SU-2022:1276-1: important: Security update for nbd
SUSE Security Update: Security update for nbd
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1276-1
Rating: important
References: #1196827 #1196828
Cross-References: CVE-2022-26495 CVE-2022-26496
CVSS scores:
CVE-2022-26495 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26495 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26496 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26496 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for nbd fixes the following issues:
- CVE-2022-26495: Fixed an integer overflow with a resultant heap-based buffer overflow (bsc#1196827).
- CVE-2022-26496: Fixed a stack-based buffer overflow when parsing the name field by sending a crafted NBD_OPT_INFO (bsc#1196828).
Update to version 3.24 (bsc#1196827, bsc#1196828, CVE-2022-26495, CVE-2022-26496):
* https://github.com/advisories/GHSA-q9rw-8758-hccj
Update to version 3.23:
* Don't overwrite the hostname with the TLS hostname
Update to version 3.22:
- nbd-server: handle auth for v6-mapped IPv4 addresses - nbd-client.c: parse the next option in all cases
- configure.ac: silence a few autoconf 2.71 warnings
- spec: Relax NBD_OPT_LIST_META_CONTEXTS
- client: Don't confuse Unix socket with TLS hostname
- server: Avoid deprecated g_memdup
Update to version 3.21:
- Fix --disable-manpages build
- Fix a bug in whitespace handling regarding authorization files - Support client-side marking of devices as read-only
- Support preinitialized NBD connection (i.e., skip the negotiation). - Fix the systemd unit file for nbd-client so it works with netlink (the
more common situation nowadays)
Update to 3.20.0 (no changelog)
Update to version 3.19.0:
* Better error messages in case of unexpected disconnects * Better compatibility with non-bash sh implementations (for configure.sh)
* Fix for a segfault in NBD_OPT_INFO handling
* The ability to specify whether to listen on both TCP and Unix domain sockets, rather than to always do so
* Various minor editorial and spelling fixes in the documentation.
Update to version 1.18.0:
* Client: Add the "-g" option to avoid even trying the NBD_OPT_GO message
* Server: fixes to inetd mode
* Don't make gnutls and libnl automagic.
* Server: bugfixes in handling of some export names during verification.
* Server: clean supplementary groups when changing user. * Client: when using the netlink protocol, only set a timeout when there
actually is a timeout, rather than defaulting to 0 seconds * Improve documentation on the nbdtab file
* Minor improvements to some error messages
* Improvements to test suite so it works better on non-GNU userland environments
- Update to version 1.17.0:
* proto: add xNBD command NBD_CMD_CACHE to the spec
* server: do not crash when handling child name
* server: Close socket pair when fork fails
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1276=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1276=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
nbd-3.24-150000.3.3.1
nbd-debuginfo-3.24-150000.3.3.1
nbd-debugsource-3.24-150000.3.3.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
nbd-3.24-150000.3.3.1
nbd-debuginfo-3.24-150000.3.3.1
nbd-debugsource-3.24-150000.3.3.1
References:
https://www.suse.com/security/cve/CVE-2022-26495.html
https://www.suse.com/security/cve/CVE-2022-26496.html
https://bugzilla.suse.com/1196827
https://bugzilla.suse.com/1196828
A nbd security update has been released for openSUSE Leap 15.3 and 15.4.
