A nbd security update has been released for Debian GNU/Linux 9 LTS to address an integer overflow.
DLA 2944-1: nbd security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2944-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
March 10, 2022 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : nbd
Version : 1:3.15.2-3+deb9u1
CVE ID : CVE-2022-26495
Debian Bugs : #1003863 #1006915
An integer overflow (with a resultant heap-based buffer overflow)
was discovered in the nbd Network Block Device server. A value of
0xffffffff in the name length field could have caused a zero-sized
buffer to be allocated for the name, resulting in a write to a
dangling pointer.
For Debian 9 "Stretch", this problem has been fixed in version
1:3.15.2-3+deb9u1.
We recommend that you upgrade your nbd packages.
For the detailed security status of nbd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbd
Thanks to Wouter Verhelst for help in preparing this update.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS