Fix an endless loop DoS vulnerability in parse_packet().

[pkg-collectd.git] / debian / changelog

diff --git a/debian/changelog b/debian/changelog
index 9b6f06c4d21e126dbf26ab4dc846ac7536aa457e..792b53ff82961d4afaffc8c5ad238a1ca5f18990 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,24 @@
-collectd (5.1.0-3+deb7u1) UNRELEASED; urgency=high
+collectd (5.1.0-3+deb7u3) wheezy-security; urgency=high
+
+  * CVE-2017-7401: Fix an endless loop DoS vulnerability in parse_packet().
+    When a correct "Signature part" is received by a Collectd instance
+    configured without the AuthFile option, an endless loop occurs due to a
+    missing pointer increment to the next unprocessed part. (Closes: #859494)
+
+ -- Chris Lamb <lamby@debian.org>  Tue, 04 Apr 2017 16:45:15 +0200
+
+collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
+
+  * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
+    libgcrypt: Initialize the library before using any other functions to
+    ensure that thread-safety is set up appropriately. This fixes potential
+    crashes of the network plugin and a regression introduced in
+    5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine
+    Sirinelli for reporting this. (Closes: #833013)
+
+ -- Sebastian Harl <tokkee@debian.org>  Wed, 03 Aug 2016 22:59:23 +0200
+
+collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
 
   * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
     plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
@@ -12,7 +32,7 @@ collectd (5.1.0-3+deb7u1) UNRELEASED; urgency=high
     cause the program to be initialized without the desired, secure settings.
     (Closes: #832577)
 
- -- Sebastian Harl <tokkee@debian.org>  Wed, 27 Jul 2016 10:14:42 +0200
+ -- Sebastian Harl <tokkee@debian.org>  Thu, 28 Jul 2016 20:52:12 +0200
 
 collectd (5.1.0-3) unstable; urgency=low