Subject: [ASA-202101-29] lldpd: information disclosure Arch Linux Security Advisory ASA-202101-29 ========================================== Severity: Medium Date : 2021-01-20 CVE-ID : CVE-2020-27827 Package : lldpd Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-1451 Summary ======= The package lldpd before version 1.0.8-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 1.0.8-1. # pacman -Syu "lldpd>=1.0.8-1" The problem has been fixed upstream in version 1.0.8. Workaround ========== None. Description =========== A security issue was found in lldpd before version 1.0.8. A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Impact ====== A remote attack can leak information through crafted packets. References ========== https://github.com/lldpd/lldpd/blob/master/NEWS https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61 https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html https://github.com/openvswitch/ovs/pull/337 https://github.com/openvswitch/ovs/commit/f915f32f5667e3b9d460055d8b47fa5d204ce83a https://security.archlinux.org/CVE-2020-27827