Bugzilla – Bug 1189634
VUL-1: CVE-2021-3716: nbdkit: STARTTLS vulnerability for nbdkit
Last modified: 2022-02-22 12:58:33 UTC
A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
Please update to v1.27.5 or above.
(In reply to Gianluca Gabrielli from comment #1)
> Please update to v1.27.5 or above.
Actually it appears to be 1.27.6 or newer
git describe --contains 09a13dafb7bb3a38ab52eb5501cba786365ba7fd
I've submitted 1.27.8 to Factory. For Leap 15.3, I suppose it needs to go the usual route through SUSE:SLE-15-SP3:Update?
This is an autogenerated message for OBS integration:
This bug (1189634) was mentioned in
https://build.opensuse.org/request/show/914307 Factory / nbdkit
In the meantime Factory and SLE15 SP3 have nbdkit 1.29.4, which includes the fix for this vulnerability. AFAIK the virt team is done with this bug. Passing to the security team...