Arch Linux: ASA-201510-25 Medium: Lldpd Denial Of Service

Arch Linux Security Advisory ASA-201510-25
=========================================
Severity: Medium
Date    : 2015-10-30
CVE-ID  : CVE-2015-8011 CVE-2015-8012
Package : lldpd
Type    : denial of service
Remote  : Yes
Link    : 

Summary
======
The package lldpd before version 0.7.19-1 is vulnerable denial of service.

Resolution
=========
Upgrade to 0.7.19-1.

# pacman -Syu "lldpd>=0.7.19-1"

The problems have been fixed upstream in version 0.7.19.

Workaround
=========
None.

Description
==========
- CVE-2015-5714 (denial of service)

A buffer overflow has been discovered when handling management address
TLV. When a remote device was advertising a too large management address
while still respecting TLV boundaries, lldpd would crash due to a buffer
overflow.

- CVE-2015-5715 (denial of service)

A vulnerability has been discovered that is triggering an application
crash while using assert() if a malformed packet is handled.

Impact
=====
A remote attacker is able to crash the application leading to denial of
service.

References
=========
https://www.cve.org/CVERecord?id=CVE-2015-8011
https://www.cve.org/CVERecord?id=CVE-2015-8012
https://seclists.org/oss-sec/2015/q4/198