[Debian] Medium CVE: CVE-2024-5564 libndp: a buffer overflow in NetworkManager

Bug #2069552 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang
Milestone: none

Bug Description

CVE-2024-5564: https://nvd.nist.gov/vuln/detail/CVE-2024-5564

A vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length information.
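The description above boils down to a length-validation failure in the parsing of Router Advertisement options. The following is an added illustration written for this page, not libndp's or NetworkManager's code: a defensive parser for the RFC 4191 Route Information option (ND option type 24) that checks the option's declared length against the bytes actually received and checks the prefix length against the prefix bytes the option carries, before copying anything. The sample options (`good_opt`, `bad_plen_opt`, `truncated_opt`) are constructed for the example; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libndp code. ND options share one TLV layout
 * (RFC 4861): type (1 byte), length (1 byte, in units of 8 octets),
 * then the option body. The Route Information option (RFC 4191) is
 * type 24 with length 1, 2 or 3 and carries 0, 8 or 16 prefix bytes. */
#define ND_OPT_ROUTE_INFO 24

struct route_info {
    uint8_t  prefix_len;   /* 0..128 */
    uint8_t  preference;   /* 2-bit Prf field */
    uint32_t lifetime;     /* seconds, network order on the wire */
    uint8_t  prefix[16];
};

/* Parse one Route Information option starting at buf, with `avail`
 * bytes readable. Returns 1 and fills *out on success, 0 on any
 * malformation. Never reads past buf + avail. */
int parse_route_info(const uint8_t *buf, size_t avail, struct route_info *out)
{
    if (avail < 2) return 0;                   /* need type + length */
    if (buf[0] != ND_OPT_ROUTE_INFO) return 0;
    if (buf[1] == 0) return 0;                 /* RFC 4861: zero length is invalid */
    size_t opt_len = (size_t)buf[1] * 8;       /* declared length in bytes */
    if (opt_len > avail) return 0;             /* declared more than was received */
    if (buf[1] > 3) return 0;                  /* RFC 4191 allows 1, 2 or 3 only */

    uint8_t plen = buf[2];
    if (plen > 128) return 0;
    /* The option carries opt_len - 8 prefix bytes; the prefix length
     * must fit in them, otherwise a copy of `plen` bits would overrun. */
    size_t prefix_bytes = opt_len - 8;
    if ((size_t)plen > prefix_bytes * 8) return 0;

    memset(out, 0, sizeof *out);
    out->prefix_len = plen;
    out->preference = (buf[3] >> 3) & 0x3;
    out->lifetime = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                    ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    memcpy(out->prefix, buf + 8, prefix_bytes); /* at most 16 bytes by construction */
    return 1;
}

/* Walk the options area of a Router Advertisement. Returns the number of
 * well-formed Route Information options, or -1 if any option is malformed
 * (a single bad option rejects the whole advertisement). */
int count_route_info_options(const uint8_t *opts, size_t len)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return -1;
        size_t olen = (size_t)opts[off + 1] * 8;
        if (olen == 0 || olen > len - off) return -1;   /* bound the option first */
        if (opts[off] == ND_OPT_ROUTE_INFO) {
            struct route_info ri;
            if (!parse_route_info(opts + off, olen, &ri)) return -1;
            n++;
        }
        off += olen;
    }
    return n;
}

/* Constructed samples (not captured traffic). */
/* Valid: length 3 (24 octets), prefix 2001:db8::/64, Prf=High, lifetime 3600 s. */
static const uint8_t good_opt[24] = {
    24, 3, 64, 0x08, 0x00, 0x00, 0x0e, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0 };
/* Malformed: length 2 carries only 8 prefix bytes, yet prefix length says 96. */
static const uint8_t bad_plen_opt[16] = {
    24, 2, 96, 0x00, 0, 0, 0, 0,  0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0 };
/* Truncated: length byte claims 24 octets but only 16 arrived. */
static const uint8_t truncated_opt[16] = {
    24, 3, 64, 0x00, 0, 0, 0, 0,  0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0 };

int main(void)
{
    struct route_info ri;
    printf("good:      %d\n", parse_route_info(good_opt, sizeof good_opt, &ri));
    printf("bad plen:  %d\n", parse_route_info(bad_plen_opt, sizeof bad_plen_opt, &ri));
    printf("truncated: %d\n", parse_route_info(truncated_opt, sizeof truncated_opt, &ri));
    return 0;
}
```

The two checks that matter here are the ones a hasty parser skips: the declared option length is compared with the bytes actually available before anything else is read, and the prefix length is compared with the prefix bytes the option actually carries before the copy. Either check alone leaves a path from attacker-controlled length fields to an out-of-bounds read or write.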

Base Score: Medium

Reference:

libndp0_1.6-1_amd64.deb -> libndp0_1.6-1+deb11u1_amd64.deb
https://security-tracker.debian.org/tracker/DSA-5713-1

Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/924054

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/924054
Committed: https://opendev.org/starlingx/tools/commit/1e67f9496bbefebc6f9ca3d6688169c5c1c00ca6
Submitter: "Zuul (22348)"
Branch: master

commit 1e67f9496bbefebc6f9ca3d6688169c5c1c00ca6
Author: Peng Zhang <email address hidden>
Date: Wed Jul 10 09:02:17 2024 +0000

    Debian: libndp0: fix CVE-2024-5564

    Upgrade libndp0 to 1.6-1+deb11u1

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-5564
    https://security-tracker.debian.org/tracker/DSA-5713-1
    https://www.tenable.com/plugins/nessus/200648

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image

    Closes-Bug: 2069552

    Change-Id: I17b7be188d236a6ddf6a7c0732acbfdde22d1348
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information; everyone can see this security-related information.