   SUSE Security Update: Security update for nbd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1276-1
Rating:             important
References:         #1196827 #1196828
Cross-References:   CVE-2022-26495 CVE-2022-26496
CVSS scores:
                    CVE-2022-26495 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26495 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26496 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26496 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for nbd fixes the following issues:

   - CVE-2022-26495: Fixed an integer overflow with a resultant heap-based
     buffer overflow (bsc#1196827).
   - CVE-2022-26496: Fixed a stack-based buffer overflow when parsing the
     name field by sending a crafted NBD_OPT_INFO (bsc#1196828).

   Update to version 3.24 (bsc#1196827, bsc#1196828, CVE-2022-26495,
   CVE-2022-26496):

   * https://github.com/advisories/GHSA-q9rw-8758-hccj

   Update to version 3.23:

   * Don't overwrite the hostname with the TLS hostname

   Update to version 3.22:

   - nbd-server: handle auth for v6-mapped IPv4 addresses
   - nbd-client.c: parse the next option in all cases
   - configure.ac: silence a few autoconf 2.71 warnings
   - spec: Relax NBD_OPT_LIST_META_CONTEXTS
   - client: Don't confuse Unix socket with TLS hostname
   - server: Avoid deprecated g_memdup

   Update to version 3.21:

   - Fix --disable-manpages build
   - Fix a bug in whitespace handling regarding authorization files
   - Support client-side marking of devices as read-only
   - Support preinitialized NBD connection (i.e., skip the negotiation).
   - Fix the systemd unit file for nbd-client so it works with netlink (the
     more common situation nowadays)

   Update to 3.20.0 (no changelog)

   Update to version 3.19.0:

   * Better error messages in case of unexpected disconnects
   * Better compatibility with non-bash sh implementations (for
     configure.sh)
   * Fix for a segfault in NBD_OPT_INFO handling
   * The ability to specify whether to listen on both TCP and Unix domain
     sockets, rather than to always do so
   * Various minor editorial and spelling fixes in the documentation.

   Update to version 1.18.0:

   * Client: Add the "-g" option to avoid even trying the NBD_OPT_GO message
   * Server: fixes to inetd mode
   * Don't make gnutls and libnl automagic.
   * Server: bugfixes in handling of some export names during verification.
   * Server: clean supplementary groups when changing user.
   * Client: when using the netlink protocol, only set a timeout when there
     actually is a timeout, rather than defaulting to 0 seconds
   * Improve documentation on the nbdtab file
   * Minor improvements to some error messages
   * Improvements to test suite so it works better on non-GNU userland
     environments

   - Update to version 1.17.0:

   * proto: add xNBD command NBD_CMD_CACHE to the spec
   * server: do not crash when handling child name
   * server: Close socket pair when fork fails

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-1276=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-1276=1

Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      nbd-3.24-150000.3.3.1
      nbd-debuginfo-3.24-150000.3.3.1
      nbd-debugsource-3.24-150000.3.3.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      nbd-3.24-150000.3.3.1
      nbd-debuginfo-3.24-150000.3.3.1
      nbd-debugsource-3.24-150000.3.3.1

References:

   https://www.suse.com/security/cve/CVE-2022-26495.html
   https://www.suse.com/security/cve/CVE-2022-26496.html
   https://bugzilla.suse.com/1196827
   https://bugzilla.suse.com/1196828
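
Post-update check (an added example, not part of the SUSE announcement): the
script below compares an installed nbd version-release string against the
fixed build from the Package List, 3.24-150000.3.3.1. The function names are
hypothetical, and GNU "sort -V" is assumed as an approximation of RPM's own
version ordering.

```shell
#!/bin/sh
# Fixed build taken from the Package List of SUSE-SU-2022:1276-1.
FIXED_NBD="3.24-150000.3.3.1"

# nbd_is_patched VERSION-RELEASE   (hypothetical helper)
# Returns 0 when the given version-release is at or above FIXED_NBD,
# 1 when it is older, 2 when no value was supplied.
# GNU sort -V approximates rpm's comparison; it is adequate for the
# dotted numeric version-release strings this advisory ships.
nbd_is_patched() {
    installed=$1
    [ -n "$installed" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED_NBD" "$installed" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_NBD" ]
}

# check_host   (hypothetical helper)
# Queries the local RPM database for nbd and reports its patch state.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this host" >&2
        return 2
    fi
    vr=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' nbd 2>/dev/null) || {
        echo "nbd is not installed"
        return 0
    }
    if nbd_is_patched "$vr"; then
        echo "nbd $vr: fixed for CVE-2022-26495 and CVE-2022-26496"
    else
        echo "nbd $vr: older than $FIXED_NBD, apply the update"
        return 1
    fi
}

# Run the host check only when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A non-zero exit from "--check" on a Leap 15.3 or 15.4 host means the installed
nbd predates the fixed build and "zypper patch" still needs to be applied.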