Emilien Gaspar discovered that collectd, a statistics collection and monitoring daemon, incorrectly processed incoming network packets. This resulted in a heap overflow, allowing a remote attacker to either cause a DoS via application crash, or potentially execute arbitrary code. Upstream fix: https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18 Additionally, security researchers at Columbia University and the University of Virginia discovered that collectd failed to verify a return value during initialization. This meant the daemon could sometimes be started without the desired, secure settings. Upstream bug: https://github.com/collectd/collectd/issues/1665 Upstream fix: https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7 Affected versions: <5.5.2 Unaffected versions: >=5.5.2
Fixed via: > commit 9d5c0697e68fde681d07d283a2a8a3c67d5a7823 > Author: Thomas Deutschmann > Date: Thu Aug 11 18:26:01 2016 +0200 > > app-admin/collectd: Bump to v5.5.2 > > - New upstream release (Fixes CVE-2016-6254) > > - Dependency on sys-fs/xfsprogs atom can now be controlled using the > new "xfs" USE flag. > If you don't enable "xfs" USE flag the df plugin will be unable to > filter on XFS partitions. > > - Fixes build issues with sys-fs/xfsprogs-4.7.0 (#590998) > > - Cherry-picked patches for upstream issue "network plugin causes core > dumps" (#1870) > > Gentoo-Bug: https://bugs.gentoo.org/590998 > > Package-Manager: portage-2.3.0
Security cleanup via: > commit 51ddf1381bb577a44651f74f4b653d05094e9cb0 > Author: Thomas Deutschmann > Date: Thu Aug 11 18:30:37 2016 +0200 > > app-admin/collectd: Drop old security vulnerable version > > Package-Manager: portage-2.3.0