Bug 1189634 (CVE-2021-3716)

Summary: VUL-1: CVE-2021-3716: nbdkit: STARTTLS vulnerability for nbdkit
Product: [openSUSE] openSUSE Distribution Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: OtherAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P4 - Low CC: jfehlig
Version: Leap 15.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/307716/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3716:3.5:(AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1189208    

Description Gianluca Gabrielli 2021-08-20 10:09:48 UTC
A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
Comment 1 Gianluca Gabrielli 2021-08-20 10:10:17 UTC
Please update to v1.27.5 or above.
Comment 2 James Fehlig 2021-08-25 23:19:53 UTC
(In reply to Gianluca Gabrielli from comment #1)
> Please update to v1.27.5 or above.

Actually it appears to be 1.27.6 or newer

git describe --contains 09a13dafb7bb3a38ab52eb5501cba786365ba7fd

I've submitted 1.27.8 to Factory. For Leap 15.3, I suppose it needs to go the usual route through SUSE:SLE-15-SP3:Update?
Comment 3 OBSbugzilla Bot 2021-08-25 23:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1189634) was mentioned in
https://build.opensuse.org/request/show/914307 Factory / nbdkit
Comment 6 James Fehlig 2022-02-08 22:52:29 UTC
In the meantime Factory and SLE15 SP3 have nbdkit 1.29.4, which includes the fix for this vulnerability. AFAIK the virt team is done with this bug. Passing to the security team...