lldpd-1.0.18-4.el9

Errata ID: AXSA:2024-9355:03

Release date: Friday, December 13, 2024 - 14:07
Subject: lldpd-1.0.18-4.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

LLDP is an industry standard protocol designed to supplant proprietary Link-Layer protocols such as EDP or CDP. The goal of LLDP is to provide an inter-vendor compatible mechanism to deliver Link-Layer notifications to adjacent network devices.

Security Fix(es):

* lldp/openvswitch: denial of service via externally triggered memory leak (CVE-2020-27827)
* lldpd: out-of-bounds read when decoding SONMP packets (CVE-2021-43612)
* lldpd: CDP PDU Packet cdp.c out-of-bounds read (CVE-2023-41910)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.5 Release Notes linked from the References section.

CVE-2020-27827
A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-43612
In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it's possible to trigger an out-of-bounds heap read via short SONMP packets.
CVE-2023-41910
An issue was discovered in lldpd before 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This occurs in cdp_decode in daemon/protocols/cdp.c.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. lldpd-1.0.18-4.el9.src.rpm
    MD5: c28b29d70b220178fb605d4a27b24aee
    SHA-256: 176c71bd631e660d7ccf70c5a9cf638fd5eb98e16a9b7e63e31d32d1ad13812b
    Size: 1.91 MB

Asianux Server 9 for x86_64
  1. lldpd-1.0.18-4.el9.i686.rpm
    MD5: 21bccf5ffa8e29dce85edf718d01e4c1
    SHA-256: 9d1c9b82dfbe56d1bec17d8797f4361251f989bb734f3854820c33f4a1504ad3
    Size: 195.43 kB
  2. lldpd-1.0.18-4.el9.x86_64.rpm
    MD5: b19f1ce4709df6fb8a1a1625863343d3
    SHA-256: 0f999186fe104c4044a571f994318cf2b3e8b49aa8d1162a18d0879206db3531
    Size: 198.89 kB
  3. lldpd-devel-1.0.18-4.el9.i686.rpm
    MD5: bb32d90af6ecaa3d31737d847732b8b6
    SHA-256: 9a7f4b804d3addb32844331ee6e779ed247cfa653dbe05df497f1fb51408cf62
    Size: 21.08 kB
  4. lldpd-devel-1.0.18-4.el9.x86_64.rpm
    MD5: a04ff5d2fa1ae294081d39c9f98fdb26
    SHA-256: f1d31c4e972efdace8db48e408672b8e8c9df37d6966489b621f012cff567a86
    Size: 21.07 kB