Security update for libevent SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0220-1 Final 1 1 2018-01-25T19:26:59Z current 2018-01-25T19:26:59Z 2018-01-25T19:26:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libevent This update for libevent fixes the following security issues: - CVE-2016-10195: DNS remote stack overread vulnerability (bsc#1022917) - CVE-2016-10196: stack/buffer overflow in evutil_parse_sockaddr_port() (bsc#1022918) - CVE-2016-10197: out-of-bounds read in search_make_new() (bsc#1022919) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-01/msg00091.html E-Mail link for openSUSE-SU-2018:0220-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libevent-2.0.21-10.1 libevent-2_0-5-2.0.21-10.1 libevent-2_0-5-32bit-2.0.21-10.1 libevent-devel-2.0.21-10.1 libevent-2.0.21-10.1 as a component of openSUSE Leap 42.2 libevent-2_0-5-2.0.21-10.1 as a component of openSUSE Leap 42.2 libevent-2_0-5-32bit-2.0.21-10.1 as a component of openSUSE Leap 42.2 libevent-devel-2.0.21-10.1 as a component of openSUSE Leap 42.2 libevent-2.0.21-10.1 as a component of openSUSE Leap 42.3 libevent-2_0-5-2.0.21-10.1 as a component of openSUSE Leap 42.3 libevent-2_0-5-32bit-2.0.21-10.1 as a component of openSUSE Leap 42.3 libevent-devel-2.0.21-10.1 as a component of openSUSE Leap 42.3 The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read. CVE-2016-10195 openSUSE Leap 42.2:libevent-2.0.21-10.1 openSUSE Leap 42.2:libevent-2_0-5-2.0.21-10.1 openSUSE Leap 42.2:libevent-2_0-5-32bit-2.0.21-10.1 openSUSE Leap 42.2:libevent-devel-2.0.21-10.1 openSUSE Leap 42.3:libevent-2.0.21-10.1 openSUSE Leap 42.3:libevent-2_0-5-2.0.21-10.1 openSUSE Leap 42.3:libevent-2_0-5-32bit-2.0.21-10.1 openSUSE Leap 42.3:libevent-devel-2.0.21-10.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00091.html https://www.suse.com/security/cve/CVE-2016-10195.html CVE-2016-10195 https://bugzilla.suse.com/1022917 SUSE Bug 1022917 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 https://bugzilla.suse.com/1075618 SUSE Bug 1075618 https://bugzilla.suse.com/1123122 SUSE Bug 1123122 Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument. CVE-2016-10196 openSUSE Leap 42.2:libevent-2.0.21-10.1 openSUSE Leap 42.2:libevent-2_0-5-2.0.21-10.1 openSUSE Leap 42.2:libevent-2_0-5-32bit-2.0.21-10.1 openSUSE Leap 42.2:libevent-devel-2.0.21-10.1 openSUSE Leap 42.3:libevent-2.0.21-10.1 openSUSE Leap 42.3:libevent-2_0-5-2.0.21-10.1 openSUSE Leap 42.3:libevent-2_0-5-32bit-2.0.21-10.1 openSUSE Leap 42.3:libevent-devel-2.0.21-10.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00091.html https://www.suse.com/security/cve/CVE-2016-10196.html CVE-2016-10196 https://bugzilla.suse.com/1022918 SUSE Bug 1022918 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 https://bugzilla.suse.com/1075618 SUSE Bug 1075618 The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname. CVE-2016-10197 openSUSE Leap 42.2:libevent-2.0.21-10.1 openSUSE Leap 42.2:libevent-2_0-5-2.0.21-10.1 openSUSE Leap 42.2:libevent-2_0-5-32bit-2.0.21-10.1 openSUSE Leap 42.2:libevent-devel-2.0.21-10.1 openSUSE Leap 42.3:libevent-2.0.21-10.1 openSUSE Leap 42.3:libevent-2_0-5-2.0.21-10.1 openSUSE Leap 42.3:libevent-2_0-5-32bit-2.0.21-10.1 openSUSE Leap 42.3:libevent-devel-2.0.21-10.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00091.html https://www.suse.com/security/cve/CVE-2016-10197.html CVE-2016-10197 https://bugzilla.suse.com/1022919 SUSE Bug 1022919 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 https://bugzilla.suse.com/1075618 SUSE Bug 1075618 https://bugzilla.suse.com/1123122 SUSE Bug 1123122