SB2018032210 - Gentoo update for collectd
Published: March 22, 2018 Updated: March 22, 2018
Security Bulletin ID
SB2018032210
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Denial of service (CVE-ID: CVE-2017-16820)
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.The weakness exists due to the csnmp_read_table function in the snmp.c code in the SNMP plug-in of the collectd daemon. A remote attacker can send specially crafted input to the target system, trigger a double-free memory condition and cause the collected daemon to crash.
2) Input validation error (CVE-ID: CVE-2017-18240)
The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL (when the service is stopped).
Remediation
Install update from vendor's website.