Candidate: CVE-2017-7401
PublicDate: 2017-04-03 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7401
Description:
 Incorrect interaction of the parse_packet() and parse_part_sign_sha256()
 functions in network.c in collectd 5.7.1 and earlier allows remote
 attackers to cause a denial of service (infinite loop) of a collectd
 instance (configured with "SecurityLevel None" and with empty "AuthFile"
 options) via a crafted UDP packet.
Ubuntu-Description:
 It was discovered that collectd mishandles certain malformed network
 packets. A remote attacker could use this vulnerability to cause a Denial
 of Service or consume system resources.
Notes:
Bugs:
 https://github.com/collectd/collectd/issues/2174
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859494
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_collectd:
 upstream: https://github.com/collectd/collectd/commit/f6be4f9b49b949b379326c3d7002476e6ce4f211
upstream_collectd: released (5.1.0-3+deb7u3)
precise_collectd: ignored (reached end-of-life)
precise/esm_collectd: DNE (precise was needed)
trusty_collectd: ignored (out of standard support)
trusty/esm_collectd: needed
vivid/stable-phone-overlay_collectd: DNE
vivid/ubuntu-core_collectd: DNE
xenial_collectd: ignored (end of standard support, was needed)
yakkety_collectd: ignored (reached end-of-life)
zesty_collectd: ignored (reached end-of-life)
artful_collectd: ignored (reached end-of-life)
bionic_collectd: not-affected (5.7.2-2ubuntu1)
cosmic_collectd: not-affected (5.7.2-2ubuntu1)
disco_collectd: not-affected (5.7.2-2ubuntu1)
eoan_collectd: not-affected (5.7.2-2ubuntu1)
focal_collectd: not-affected (5.7.2-2ubuntu1)
groovy_collectd: not-affected (5.7.2-2ubuntu1)
hirsute_collectd: not-affected (5.7.2-2ubuntu1)
impish_collectd: not-affected (5.7.2-2ubuntu1)
devel_collectd: not-affected (5.7.2-2ubuntu1)