[arch-security] [ASA-201605-26] libndp: man-in-the-middle
anthraxx at archlinux.org
Tue May 24 15:40:08 UTC 2016
Arch Linux Security Advisory ASA-201605-26
Date : 2016-05-24
CVE-ID : CVE-2016-3698
Package : libndp
Type : man-in-the-middle
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package libndp before version 1.6-1 is vulnerable to
Upgrade to 1.6-1.
# pacman -Syu "libndp>=1.6-1"
The problem has been fixed upstream in version 1.6
Libndp before version 1.6 does properly validate and check the origin of
Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local
network can exploit this flaw to advertise a node as a router, which
allows them to re-route the traffic through an attacker-controlled node.
A remote unauthenticated attacker is able to send specially crafted
messages to a client and act as a man-in-the-middle between the client
and a server or disrupt client traffic.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security