|
|
Subscribe / Log in / New account

Debian alert DLA-3084-1 (ndpi)



From:
              Anton Gladky <gladk@debian.org>


To:
              <debian-lts-announce@lists.debian.org>


Subject:
              [SECURITY] [DLA 3084-1] ndpi security update


Date:
              Sun, 28 Aug 2022 11:52:45 +0200


Message-ID:
              <20220828095245.0B1A24A020A@localhost.localdomain>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3084-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
August 27, 2022                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ndpi
Version        : 2.6-3+deb10u1
CVE ID         : CVE-2020-15472 CVE-2020-15476

Two security issues have been discovered in ndpi: deep packet inspection
library.


CVE-2020-15472

    H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in
lib/protocols/h323.c.

CVE-2020-15476

    Oracle protocol dissector has a heap-based buffer over-read in ndpi_search_oracle.

For Debian 10 buster, these problems have been fixed in version
2.6-3+deb10u1.

We recommend that you upgrade your ndpi packages.

For the detailed security status of ndpi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ndpi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmMLOuQACgkQ0+Fzg8+n
/wa5EhAAk2gRn9sJAlealaLCTNtatgM1VNAS6+qans3GFqUd++lzcD5DX1i2e6Tx
lOR55eWNLeMqx3wP6w67Ik+uPvEfmPg6AKk/EiGkcgRfw8A5ZFdAXfg8yT7cC723
X/9qK7FepHR0cB297vzXezrWggV/Mjbsbfx3ZfMyUiS5S4iwSR5sqsNNXdLkudKC
E3AymRsUKhOty6TSCRilNOd5kvORx9eJvUUTJca8Tfo6LwTQBCRWyTX6hU/5gQqP
el5n2K+MZJ5eV0+ckrj8w8dCLT5y3M+/qgZGSosOMdqKSDZrNzDdvuUF8EKSjN6z
4H+ba5u4Fxr6oDCC4V4uCijsSTvbslH+XwGMCKGABxPL3Yq+ldC7H9mZIi5bJEGr
gwu4iEeIAzIlTPdLvyycBqgLPV8S2Dzv7HV5Z1SXp6f38fUBczBTyq0kBSXkivOq
tAH6eKGtqkiW1VXY1JSCl197GaxDrHQkBdFG3bDI+3hX0Kx9MN8qXBc0mShOkGep
788dVF38OL5BtOLVRwTLCsqGX2+mZX1hA1SgvZ8v3wg4Y3gZoIP/p0UYNsa3XFEV
DZ3QamPS/YZlWhLfa05sTC+CaM5+W7SYkTaPT84wpyPd3//XaXYUuK+LUxBnkt7N
t9PCZPXxSc+xlsECEWadAiXvTVDN7Q7iBkjuqps19PcQy4mMQjs=
=ufUV
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds