SUSE Security Update: Security update for nbd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1276-1
Rating:             important
References:         #1196827 #1196828 
Cross-References:   CVE-2022-26495 CVE-2022-26496
CVSS scores:
                    CVE-2022-26495 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26495 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26496 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26496 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for nbd fixes the following issues:

   - CVE-2022-26495: Fixed an integer overflow with a resultant heap-based
     buffer overflow (bsc#1196827).
   - CVE-2022-26496: Fixed a stack-based buffer overflow when parsing the
     name field by sending a crafted NBD_OPT_INFO (bsc#1196828).


   Update to version 3.24 (bsc#1196827, bsc#1196828, CVE-2022-26495,
   CVE-2022-26496):
     * https://github.com/advisories/GHSA-q9rw-8758-hccj

   Update to version 3.23:
     * Don't overwrite the hostname with the TLS hostname

   Update to version 3.22:
     - nbd-server: handle auth for v6-mapped IPv4 addresses
     - nbd-client.c: parse the next option in all cases
     - configure.ac: silence a few autoconf 2.71 warnings
     - spec: Relax NBD_OPT_LIST_META_CONTEXTS
     - client: Don't confuse Unix socket with TLS hostname
     - server: Avoid deprecated g_memdup

   Update to version 3.21:
     - Fix --disable-manpages build
     - Fix a bug in whitespace handling regarding authorization files
     - Support client-side marking of devices as read-only
     - Support preinitialized NBD connection (i.e., skip the negotiation).
     - Fix the systemd unit file for nbd-client so it works with netlink (the
       more common situation nowadays)

   Update to 3.20.0 (no changelog)

   Update to version 3.19.0:
     * Better error messages in case of unexpected disconnects
     * Better compatibility with non-bash sh implementations (for
       configure.sh)
     * Fix for a segfault in NBD_OPT_INFO handling
     * The ability to specify whether to listen on both TCP and Unix domain
       sockets, rather than to always do so
     * Various minor editorial and spelling fixes in the documentation.

   Update to version 1.18.0:
     * Client: Add the "-g" option to avoid even trying the NBD_OPT_GO message
     * Server: fixes to inetd mode
     * Don't make gnutls and libnl automagic.
     * Server: bugfixes in handling of some export names during verification.
     * Server: clean supplementary groups when changing user.
     * Client: when using the netlink protocol, only set a timeout when there
       actually is a timeout, rather than defaulting to 0 seconds
     * Improve documentation on the nbdtab file
     * Minor improvements to some error messages
     * Improvements to test suite so it works better on non-GNU userland
       environments

   - Update to version 1.17.0:
     * proto: add xNBD command NBD_CMD_CACHE to the spec
     * server: do not crash when handling child name
     * server: Close socket pair when fork fails


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-1276=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-1276=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      nbd-3.24-150000.3.3.1
      nbd-debuginfo-3.24-150000.3.3.1
      nbd-debugsource-3.24-150000.3.3.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      nbd-3.24-150000.3.3.1
      nbd-debuginfo-3.24-150000.3.3.1
      nbd-debugsource-3.24-150000.3.3.1


References:

   https://www.suse.com/security/cve/CVE-2022-26495.html
   https://www.suse.com/security/cve/CVE-2022-26496.html
   https://bugzilla.suse.com/1196827
   https://bugzilla.suse.com/1196828