lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.

References:
http://www.openwall.com/lists/oss-security/2015/10/18/2
http://www.openwall.com/lists/oss-security/2015/10/30/2

Upstream patches:
https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
https://github.com/vincentbernat/lldpd/commit/9221b5c249f9e4843f77c7f888d5705348d179c0
Statement: The lldpd package as shipped with Red Hat Enterprise Linux 8 is not affected by this flaw because it has already received the patch. The flaw affects versions before 0.8.0 and the shipped version is 1.0.1+.
All versions of openvswitch shipped by Red Hat are not affected by this flaw as the vulnerable code in lldpd is not used by openvswitch.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-8012