File _patchinfo of Package patchinfo.23733

<patchinfo incident="23733">
  <issue tracker="bnc" id="1196827">VUL-0: CVE-2022-26495: nbd: integer overflow with a resultant heap-based buffer overflow</issue>
  <issue tracker="bnc" id="1196828">VUL-0: CVE-2022-26496: nbd: stack-based buffer overflow when parsing the name field by sending a crafted NBD_OPT_INFO</issue>
  <issue tracker="cve" id="2022-26495"/>
  <issue tracker="cve" id="2022-26496"/>
  <packager>dirkmueller</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for nbd</summary>
  <description>This update for nbd fixes the following issues:

- CVE-2022-26495: Fixed an integer overflow with a resultant heap-based buffer overflow (bsc#1196827).
- CVE-2022-26496: Fixed a stack-based buffer overflow when parsing the name field by sending a crafted NBD_OPT_INFO (bsc#1196828).

Update to version 3.24 (bsc#1196827, bsc#1196828, CVE-2022-26495, CVE-2022-26496):
  * https://github.com/advisories/GHSA-q9rw-8758-hccj

Update to version 3.23:
  * Don't overwrite the hostname with the TLS hostname

Update to version 3.22:
  - nbd-server: handle auth for v6-mapped IPv4 addresses 
  - nbd-client.c: parse the next option in all cases
  - configure.ac: silence a few autoconf 2.71 warnings
  - spec: Relax NBD_OPT_LIST_META_CONTEXTS 
  - client: Don't confuse Unix socket with TLS hostname
  - server: Avoid deprecated g_memdup

Update to version 3.21:
  - Fix --disable-manpages build
  - Fix a bug in whitespace handling regarding authorization files
  - Support client-side marking of devices as read-only
  - Support preinitialized NBD connection (i.e., skip the negotiation).
  - Fix the systemd unit file for nbd-client so it works with netlink (the
    more common situation nowadays)

Update to 3.20.0 (no changelog)

Update to version 3.19.0:
  * Better error messages in case of unexpected disconnects
  * Better compatibility with non-bash sh implementations
    (for configure.sh)
  * Fix for a segfault in NBD_OPT_INFO handling
  * The ability to specify whether to listen on both TCP and Unix
    domain sockets, rather than to always do so
  * Various minor editorial and spelling fixes in the documentation.

Update to version 1.18.0:
  * Client: Add the "-g" option to avoid even trying the NBD_OPT_GO
    message
  * Server: fixes to inetd mode
  * Don't make gnutls and libnl automagic.
  * Server: bugfixes in handling of some export names during verification.
  * Server: clean supplementary groups when changing user.
  * Client: when using the netlink protocol, only set a timeout
    when there actually is a timeout, rather than defaulting to 0
    seconds
  * Improve documentation on the nbdtab file
  * Minor improvements to some error messages
  * Improvements to test suite so it works better on non-GNU
    userland environments

Update to version 1.17.0:
  * proto: add xNBD command NBD_CMD_CACHE to the spec
  * server: do not crash when handling child name
  * server: Close socket pair when fork fails
</description>
</patchinfo>