A heap-based buffer overflow flaw was found in collectd's network plugin. The flaw allowed a remote attacker to crash the collectd daemon (denial of service) or possibly execute remote code using a crafted network packet. For this flaw to be exploited, the network plugin must be enabled.
The following flaw was found in collectd:
Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable. The identifier CVE-2016-6254 has been assigned to this issue.
This issue has been fixed in the released 5.5.2 and 5.4.3.
The second patch is unrelated to CVE-2016-6254. It fixes an initialization issue with libgcrypt which could theoretically lead to a half-initialized library being used.
Created collectd tracking bugs for this issue:
Affects: fedora-all [bug 1360710]
Affects: epel-all [bug 1360711]