In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c omits certain reinitialization, leading to a use-after-free.
CVE: (none) => CVE-2020-15475
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15475
Source RPM: ndpi-1.4.0-0.1.svn7329.3.mga5.src => libndpi-2.6-2.mga8.src.rpm
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien
Assignee: bugsquad => smelror
Updating to the latest version to fix this CVE in Cauldron. Can we do the update on Mageia 7?
CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
libndpi-3.4-1.mga8 is the updated version in Cauldron. It's only used by ntopng, so as long as the updated version works with that in Mageia 7, then we're good. It looks like 3.4 updates the library major, so we'd have to rebuild ntopng if we updated it.
Summary: ndpi securty issue CVE-2020-15475 => libndpi securty issue CVE-2020-15475
Status comment: (none) => Fixed upstream in 3.4, updating would require updating ntopng
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Status: NEW => RESOLVED
Resolution: (none) => OLD