[ASA-202101-29] lldpd: information disclosure
Arch Linux Security Advisory ASA-202101-29
==========================================

Severity: Medium
Date    : 2021-01-20
CVE-ID  : CVE-2020-27827
Package : lldpd
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1451

Summary
=======

The package lldpd before version 1.0.8-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 1.0.8-1.

# pacman -Syu "lldpd>=1.0.8-1"

The problem has been fixed upstream in version 1.0.8.

Workaround
==========

None.

Description
===========

A security issue was found in lldpd before version 1.0.8. A packet that
contains multiple instances of certain TLVs will cause lldpd to
continually allocate memory and leak the old memory. As an example,
multiple instances of system name TLV will cause old values to be
dropped by the decoding routine.

Impact
======

A remote attack can leak information through crafted packets.

References
==========

https://github.com/lldpd/lldpd/blob/master/NEWS
https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff...
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
https://github.com/openvswitch/ovs/pull/337
https://github.com/openvswitch/ovs/commit/f915f32f5667e3b9d460055d8b47fa5d20...
https://security.archlinux.org/CVE-2020-27827
Morten Linderud
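
The decoding pattern named in the Description, as an added example that is not lldpd's code and not part of the advisory: a TLV walker that releases the previous System Name value before storing a repeated one and counts the repeats so they can be logged. The struct, function names, allocation counter and sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLV_END 0          /* End of LLDPDU */
#define TLV_SYSTEM_NAME 5  /* System Name */
/* Hypothetical decoder state for this example; not lldpd's own structures. */
struct chassis {
    char *name;   /* heap copy of the most recent System Name value */
    int repeats;  /* System Name TLVs seen after the first one */
};
static int live_allocs;  /* outstanding buffers, to make ownership visible */

static char *copy_value(const uint8_t *p, size_t n) {
    char *s = calloc(1, n + 1);  /* zeroed, so the copy is NUL-terminated */
    if (s) { memcpy(s, p, n); live_allocs++; }
    return s;
}
static void release(char *s) { if (s) { free(s); live_allocs--; } }

/* Walk the TLVs in buf. Returns 0 on success, -1 on a truncated TLV or a
 * failed allocation. The caller owns c->name afterwards. */
int decode(const uint8_t *buf, size_t len, struct chassis *c) {
    size_t off = 0;
    while (off + 2 <= len) {
        unsigned type = buf[off] >> 1;                              /* 7-bit type */
        size_t tlen = ((size_t)(buf[off] & 1) << 8) | buf[off + 1]; /* 9-bit length */
        off += 2;
        if (tlen > len - off) return -1;  /* value runs past the buffer */
        if (type == TLV_END) return 0;
        if (type == TLV_SYSTEM_NAME) {
            if (c->name) {         /* repeated TLV in the same packet */
                c->repeats++;
                release(c->name);  /* omit this and the old buffer is orphaned */
            }
            c->name = copy_value(buf + off, tlen);
            if (!c->name) return -1;
        }
        off += tlen;
    }
    return 0;
}
/* Constructed sample: System Name "sw1", System Name "sw2", End of LLDPDU. */
const uint8_t sample[] = { 0x0a, 0x03, 's', 'w', '1',
                           0x0a, 0x03, 's', 'w', '2', 0x00, 0x00 };
int main(void) {
    struct chassis c = {0};
    int rc = decode(sample, sizeof sample, &c);
    printf("rc=%d name=%s repeats=%d live_allocs=%d\n", rc, c.name, c.repeats, live_allocs);
    release(c.name);
    return 0;
}
```

A non-zero repeats count on a received frame is worth logging, since the advisory identifies repeated TLVs as the trigger for the leak.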