libndp: CVE-2016-3698: denial of service due to insufficient validation of source of NDP messages

Related Vulnerabilities: CVE-2016-3698  

Debian Bug report logs - #824545

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 17 May 2016 11:09:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libndp/1.4-2

Fixed in versions libndp/1.4-2+deb8u1, libndp/1.6-1

Done: Andrew Ayer <agwa@andrewayer.name>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Andrew Ayer <agwa@andrewayer.name>:
Bug#824545; Package src:libndp. (Tue, 17 May 2016 11:09:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Andrew Ayer <agwa@andrewayer.name>. (Tue, 17 May 2016 11:09:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libndp: CVE-2016-3698: denial of service due to insufficient validation of source of NDP messages
Date: Tue, 17 May 2016 13:07:06 +0200
Source: libndp
Version: 1.4-2
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libndp.

CVE-2016-3698[0]:
denial of service due to insufficient validation of source of NDP messages

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3698
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1329366
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3698

The new upstream version 1.6 fixes the issue as well.

Regards,
Salvatore



Marked as fixed in versions libndp/1.4-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2016 12:39:15 GMT).


Added tag(s) pending. Request was from Andrew Ayer <agwa@andrewayer.name> to control@bugs.debian.org. (Tue, 17 May 2016 16:27:11 GMT).


Reply sent to Andrew Ayer <agwa@andrewayer.name>:
You have taken responsibility. (Tue, 17 May 2016 19:51:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 17 May 2016 19:51:08 GMT).


Message #14 received at 824545-close@bugs.debian.org:

From: Andrew Ayer <agwa@andrewayer.name>
To: 824545-close@bugs.debian.org
Subject: Bug#824545: fixed in libndp 1.6-1
Date: Tue, 17 May 2016 19:49:04 +0000
Source: libndp
Source-Version: 1.6-1

We believe that the bug you reported is fixed in the latest version of
libndp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 824545@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Ayer <agwa@andrewayer.name> (supplier of updated libndp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 May 2016 09:20:12 -0700
Source: libndp
Binary: libndp-dbg libndp-dev libndp-tools libndp0
Architecture: source
Version: 1.6-1
Distribution: unstable
Urgency: high
Maintainer: Andrew Ayer <agwa@andrewayer.name>
Changed-By: Andrew Ayer <agwa@andrewayer.name>
Description:
 libndp-dbg - Library for Neighbor Discovery Protocol (debug symbols)
 libndp-dev - Library for Neighbor Discovery Protocol (development files)
 libndp-tools - Library for Neighbor Discovery Protocol (tools)
 libndp0    - Library for Neighbor Discovery Protocol
Closes: 781755 824545
Changes:
 libndp (1.6-1) unstable; urgency=high
 .
   * New upstream release. Fixes CVE-2016-3698. (Closes: #824545, #781755)
   * Drop kfreebsd patch, since it has been merged upstream.
   * Bump Standards-Version to 3.9.8 (no changes needed)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Jun 2016 07:27:43 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:43:56 2019; Machine Name: beach
