openslp-2.0.0-8.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10065-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z openslp-2.0.0-8.1 on GA media These are all security issues fixed in the openslp-2.0.0-8.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10065 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-3609/ SUSE CVE CVE-2010-3609 page https://www.suse.com/security/cve/CVE-2016-4912/ SUSE CVE CVE-2016-4912 page https://www.suse.com/security/cve/CVE-2016-7567/ SUSE CVE CVE-2016-7567 page openSUSE Tumbleweed openslp-2.0.0-8.1 openslp-32bit-2.0.0-8.1 openslp-devel-2.0.0-8.1 openslp-server-2.0.0-8.1 openslp-2.0.0-8.1 as a component of openSUSE Tumbleweed openslp-32bit-2.0.0-8.1 as a component of openSUSE Tumbleweed openslp-devel-2.0.0-8.1 as a component of openSUSE Tumbleweed openslp-server-2.0.0-8.1 as a component of openSUSE Tumbleweed The extension parser in slp_v2message.c in OpenSLP 1.2.1, and other versions before SVN revision 1647, as used in Service Location Protocol daemon (SLPD) in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, allows remote attackers to cause a denial of service (infinite loop) via a packet with a "next extension offset" that references this extension or a previous extension. NOTE: some of these details are obtained from third party information. CVE-2010-3609 openSUSE Tumbleweed:openslp-2.0.0-8.1 openSUSE Tumbleweed:openslp-32bit-2.0.0-8.1 openSUSE Tumbleweed:openslp-devel-2.0.0-8.1 openSUSE Tumbleweed:openslp-server-2.0.0-8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3609.html CVE-2010-3609 https://bugzilla.suse.com/642571 SUSE Bug 642571 The _xrealloc function in xlsp_xmalloc.c in OpenSLP 2.0.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a large number of crafted packets, which triggers a memory allocation failure. CVE-2016-4912 openSUSE Tumbleweed:openslp-2.0.0-8.1 openSUSE Tumbleweed:openslp-32bit-2.0.0-8.1 openSUSE Tumbleweed:openslp-devel-2.0.0-8.1 openSUSE Tumbleweed:openslp-server-2.0.0-8.1 moderate 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4912.html CVE-2016-4912 https://bugzilla.suse.com/1074356 SUSE Bug 1074356 https://bugzilla.suse.com/980722 SUSE Bug 980722 Buffer overflow in the SLPFoldWhiteSpace function in common/slp_compare.c in OpenSLP 2.0 allows remote attackers to have unspecified impact via a crafted string. CVE-2016-7567 openSUSE Tumbleweed:openslp-2.0.0-8.1 openSUSE Tumbleweed:openslp-32bit-2.0.0-8.1 openSUSE Tumbleweed:openslp-devel-2.0.0-8.1 openSUSE Tumbleweed:openslp-server-2.0.0-8.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7567.html CVE-2016-7567 https://bugzilla.suse.com/1001600 SUSE Bug 1001600 https://bugzilla.suse.com/1074356 SUSE Bug 1074356