Arch Linux Security Advisory ASA-201510-25 ========================================== Severity: Medium Date : 2015-10-30 CVE-ID : CVE-2015-8011 CVE-2015-8012 Package : lldpd Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package lldpd before version 0.7.19-1 is vulnerable denial of service. Resolution ========== Upgrade to 0.7.19-1. # pacman -Syu "lldpd>=0.7.19-1" The problems have been fixed upstream in version 0.7.19. Workaround ========== None. Description =========== - CVE-2015-5714 (denial of service) A buffer overflow has been discovered when handling management address TLV. When a remote device was advertising a too large management address while still respecting TLV boundaries, lldpd would crash due to a buffer overflow. - CVE-2015-5715 (denial of service) A vulnerability has been discovered that is triggering an application crash while using assert() if a malformed packet is handled. Impact ====== A remote attacker is able to crash the application leading to denial of service. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8011 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8012 http://seclists.org/oss-sec/2015/q4/198