[3.1] collectd: heap overflow in the network plugin (CVE-2016-6254)

A heap overflow in collectd’s network plugin which can be triggered remotely and is potentially exploitable.

Fixed In Version:

collectd 5.5.2, collectd 5.4.3

References:

https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2016-6254

Patches:

https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18
https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7

The second patch is unrelated to CVE-2016-6254. It fixes an initialization issue with libgcrypt which could theoretically lead to a half-initialized library being used.

(from redmine: issue id 5992, created on 2016-08-03, closed on 2016-12-15)

Relations:
- parent #5987 (closed)
Changesets:
- Revision 67311d9c by Sergei Lukin on 2016-12-15T08:17:30Z:

main/collectd: security upgrade to 5.4.3 - fixes #5992

CVE-2016-6254

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information