[3.7] icinga2: Multiple vulnerabilities (CVE-2018-6532, CVE-2018-6534, CVE-2018-6535)
CVE-2018-6532: An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer.

Fixed in Version:
Icinga 2.8.2.

References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/6103
https://nvd.nist.gov/vuln/detail/CVE-2018-6532

CVE-2018-6534: An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.

Fixed in Version:
Icinga 2.8.2.

References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/6104
https://nvd.nist.gov/vuln/detail/CVE-2018-6534

CVE-2018-6535: An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker.

Fixed in Version:
Icinga 2.8.2.

References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/5715
https://nvd.nist.gov/vuln/detail/CVE-2018-6535

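To make the CVE-2018-6535 class of bug concrete, the following is an added C++ illustration (Icinga 2 is a C++ project, but this is not Icinga's code and does not reproduce the change in pull request 5715). It places an early-exit comparison, the kind a plain string equality gives you, beside a constant-time one. Both functions return, alongside the boolean result, a count of bytes examined, which stands in for elapsed time in a deterministic way: the naive version's work grows with the length of the correct prefix the caller supplied, which is the signal a remote attacker measures, while the constant-time version does the same work regardless of where the mismatch is. The function names and the `CompareResult` struct are this example's own.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Result of a comparison plus a deterministic proxy for its running time.
struct CompareResult {
    bool equal;            // whether the two strings matched
    size_t bytes_examined; // byte comparisons performed before returning
};

// Early-exit comparison (what std::string operator== or strcmp effectively do):
// returns at the first mismatching byte, so the work done, and therefore the
// time taken, depends on how many leading bytes of the candidate are correct.
CompareResult naive_compare(const std::string& expected, const std::string& supplied) {
    CompareResult r{false, 0};
    if (expected.size() != supplied.size()) return r;
    for (size_t i = 0; i < expected.size(); ++i) {
        ++r.bytes_examined;
        if (expected[i] != supplied[i]) return r;
    }
    r.equal = true;
    return r;
}

// Constant-time comparison: every byte of `expected` is examined no matter
// which byte differs, and a length mismatch is folded into the accumulator
// instead of being an early return. The loop count depends only on
// expected.size(), which for fixed-length hashes or tokens is not secret.
CompareResult constant_time_compare(const std::string& expected, const std::string& supplied) {
    CompareResult r{false, 0};
    unsigned char diff = static_cast<unsigned char>(expected.size() != supplied.size());
    const size_t m = supplied.empty() ? 1 : supplied.size();
    for (size_t i = 0; i < expected.size(); ++i) {
        // Index modulo the supplied length so a shorter candidate never reads
        // out of bounds; the length mismatch above already forces diff != 0.
        unsigned char s = supplied.empty() ? 0 : static_cast<unsigned char>(supplied[i % m]);
        diff |= static_cast<unsigned char>(expected[i]) ^ s;
        ++r.bytes_examined;
    }
    r.equal = (diff == 0);
    return r;
}

int main() {
    // Constructed sample values: a stored secret and three candidates that
    // share 1, 5 and 6 correct leading bytes with it.
    const std::string secret = "secret";
    const std::string candidates[] = {"sXXXXX", "secreX", "secret"};
    for (const std::string& c : candidates) {
        CompareResult n = naive_compare(secret, c);
        CompareResult t = constant_time_compare(secret, c);
        std::cout << c << ": naive examined " << n.bytes_examined
                  << " byte(s), constant-time examined " << t.bytes_examined
                  << " byte(s), equal=" << (t.equal ? "yes" : "no") << '\n';
    }
    return 0;
}
```

Running it shows the naive path examining 2, 6 and 6 bytes for the three candidates while the constant-time path examines 6 every time; the per-byte difference in a real server is tiny, but it is measurable over many requests, which is why password and token checks should use a constant-time routine (OpenSSL's `CRYPTO_memcmp` is a common choice in C and C++ code) rather than a plain equality operator.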
(from redmine: issue id 8716, created on 2018-03-23, closed on 2018-03-29)
- Relations:
  - copied_to #8714 (closed)
  - parent #8714 (closed)
- Changesets:
  - Revision 4cd48f4c by Natanael Copa on 2018-03-27T12:48:19Z:
    community/icinga2: security upgrade to 2.8.2 (CVE-2018-6532,CVE-2018-6534,CVE-2018-6535)
    fixes #8716