Fedora has issued an advisory on June 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4DE6NEEUEC3XI62GE2MB2EK5BUCZ6MCP/

According to this ESNET advisory:
https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc

The issue is fixed upstream in versions 3.1.3 and 3.0.12.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
I have uploaded an updated package for Mageia 5 and submitted a push request for cauldron.
I don't know how to test it, just make sure it works :)

Suggested advisory:
========================

Updated iperf packages fix security vulnerability:

A malicious process can connect to an iperf server and, by sending a malformed message on the control channel, corrupt the server process's heap area. This can lead to a crash (and a denial of service), or theoretically a remote code execution as the user running the iperf server. A malicious iperf server could potentially mount a similar attack on an iperf client.

References:
https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc
========================

Updated packages in core/updates_testing:
========================
lib(64)iperf0-3.0.12-1.mga5
lib(64)iperf-devel-3.0.12-1.mga5
iperf-3.0.12-1.mga5

Source RPMs:
iperf-3.0.12-1.mga5.src.rpm
Assignee: mageia => qa-bugs
Suggested advisory:
========================

Updated iperf packages fix security vulnerability:

A malicious process can connect to an iperf server and, by sending a malformed message on the control channel, corrupt the server process's heap area. This can lead to a crash (and a denial of service), or theoretically a remote code execution as the user running the iperf server. A malicious iperf server could potentially mount a similar attack on an iperf client (CVE-2016-4303).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4303
https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4DE6NEEUEC3XI62GE2MB2EK5BUCZ6MCP/
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Testing complete on Mageia 5 x86_64, just testing that it works. On machine 1, "iperf3 -s". On machine 2, "iperf3 -c 192.168.10.101" (the ip address of machine 1). Both systems show the transfer rates. Advisory committed to svn, validating the update.
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA5-64-OK advisory
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0235.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => sunyydv999