Bug 1189634 - (CVE-2021-3716) VUL-1: CVE-2021-3716: nbdkit: STARTTLS vulnerability for nbdkit
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 15.3
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
Reported: 2021-08-20 10:09 UTC by Gianluca Gabrielli
Modified: 2022-02-22 12:58 UTC
Description Gianluca Gabrielli 2021-08-20 10:09:48 UTC
A flaw was found in nbdkit due to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
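A minimal model of the state problem described above, added here as an illustration; it is not nbdkit's code and not part of the original report. The struct and function names are hypothetical and the option sequence is constructed; only the two option codes come from the NBD protocol.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Option codes from the NBD protocol. */
#define NBD_OPT_STARTTLS         5
#define NBD_OPT_STRUCTURED_REPLY 8

/* Hypothetical types for this illustration, not nbdkit's. */
struct opt { uint32_t code; bool from_client; };
struct conn { bool tls_active; bool structured_replies; };

/* Server side: apply one option. reset_on_tls selects the hardened behaviour. */
static void handle_option(struct conn *c, uint32_t code, bool reset_on_tls)
{
    switch (code) {
    case NBD_OPT_STRUCTURED_REPLY:
        c->structured_replies = true;
        break;
    case NBD_OPT_STARTTLS:
        c->tls_active = true;
        /* Plaintext negotiation was never authenticated: discard it. */
        if (reset_on_tls)
            c->structured_replies = false;
        break;
    }
}

/* Returns true when the server's view of the session differs from what the
   client itself negotiated. */
static bool desynced(const struct opt *o, size_t n, bool reset_on_tls)
{
    struct conn server = { false, false };
    bool client_wants_structured = false;

    for (size_t i = 0; i < n; i++) {
        handle_option(&server, o[i].code, reset_on_tls);
        if (o[i].from_client && o[i].code == NBD_OPT_STRUCTURED_REPLY)
            client_wants_structured = true;
    }
    return server.structured_replies != client_wants_structured;
}

/* Constructed sample: the first option did not come from the client. */
static const struct opt injected[] = {
    { NBD_OPT_STRUCTURED_REPLY, false },
    { NBD_OPT_STARTTLS, true },
};

int main(void)
{
    /* Exit status 0 when the hardened server stays in sync. */
    return desynced(injected, 2, true) ? 1 : 0;
}
```

With `reset_on_tls` false the server keeps the setting cached from the plaintext phase and ends up out of step with the client; with it true, everything negotiated before STARTTLS is dropped and must be renegotiated inside the encrypted channel.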
Comment 1 Gianluca Gabrielli 2021-08-20 10:10:17 UTC
Please update to v1.27.5 or above.
Comment 2 James Fehlig 2021-08-25 23:19:53 UTC
(In reply to Gianluca Gabrielli from comment #1)
> Please update to v1.27.5 or above.

Actually it appears to be 1.27.6 or newer

git describe --contains 09a13dafb7bb3a38ab52eb5501cba786365ba7fd

I've submitted 1.27.8 to Factory. For Leap 15.3, I suppose it needs to go the usual route through SUSE:SLE-15-SP3:Update?
Comment 3 OBSbugzilla Bot 2021-08-25 23:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1189634) was mentioned in
https://build.opensuse.org/request/show/914307 Factory / nbdkit
Comment 6 James Fehlig 2022-02-08 22:52:29 UTC
In the meantime Factory and SLE15 SP3 have nbdkit 1.29.4, which includes the fix for this vulnerability. AFAIK the virt team is done with this bug. Passing to the security team...