SuSE Local Security Checks : openSUSE: Security Advisory for iperf (SUSE-SU-2023:3887-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.833495

Category: SuSE Local Security Checks

Title: openSUSE: Security Advisory for iperf (SUSE-SU-2023:3887-1)

Summary: The remote host is missing an update for the 'iperf'; package(s) announced via the SUSE-SU-2023:3887-1 advisory.

Description: Summary:
The remote host is missing an update for the 'iperf'
package(s) announced via the SUSE-SU-2023:3887-1 advisory.

Vulnerability Insight:
This update for iperf fixes the following issues:

* update to 3.15 (bsc#1215662, ESNET-SECADV-2023-0002):

* Several bugs that could allow the iperf3 server to hang waiting for input on
the control connection has been fixed (ESnet Software Security Advisory
ESNET-SECADV-2023-0002)

* A bug that caused garbled output with UDP tests on 32-bit hosts has been
fixed (PR #1554, PR #1556). This bug was introduced in iperf-3.14.

* A bug in counting UDP messages has been fixed

* update to 3.14 (bsc#1213430, CVE-2023-38403):

* fixes a memory allocation hazard that allowed a remote user to crash an
iperf3 process

* update to 3.13:

* Added missing bind_dev getter and setter.

* a fix for A resource leak bug in function iperf_create_pidfile (#1443)

* doc: Fix copy-and-paste error leading to wrong error message

* Fix crash on rcv-timeout with JSON logfile

* update to 3.12:

* cJSON has been updated to version 1.7.15 (#1383).

* The --bind host % dev option syntax now works properly (#1360 /

* A server-side file descriptor leak with the --logfile option has been fixed
(#1369 / #1360 / #1369 / #1389 / #1393).

* A bug that caused some large values from TCP_INFO to be misprinted as
negative numbers has been fixed (#1372).

* Using the -k or -n flags with --reverse no longer leak into future tests
(#1363 / #1364).

* There are now various debug level options available with the --debug
option. These can be used to adjust the amount of debugging output (#1327).

* A new --snd-timeout option has been added to set a termination timeout for
idle TCP connections (#1215 / #1282).

* iperf3 is slightly more robust to out-of-order packets during UDP connection
setup in --reverse mode (#914 / #1123 / #1182 / #1212 /

* iperf3 will now use different ports for each direction when the --cport and

- -bdir options are set (#1249 / #1259).

* The iperf3 server will now exit if it can't open its log file

* Various help message and output fixes have been made (#1299 /

* Various compiler warnings have been fixed (#1211 / #1316).

* Operation of bootstrap.sh has been fixed and simplified (#1335 /

* Flow label support / compatibility under Linux has been improved

* Various minor memory leaks have been fixed (#1332 / #1333).

* A getter/setter has been added for the bind_port parameter (--cport option).
(#1303, #1305)
Description truncated. Please see the references for more information.

Affected Software/OS:
'iperf' package(s) on openSUSE Leap 15.4, openSUSE Leap 15.5.

Solution:
Please install the updated package(s).

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2023-38403
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BV6EBWWF4PEQKROEVXGYSTIT2MGBTLU7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M25Z5FHTO3XWMGP37JHJ7IIIHSGCLKEV/
http://seclists.org/fulldisclosure/2023/Oct/24
http://seclists.org/fulldisclosure/2023/Oct/26
https://bugs.debian.org/1040830
https://cwe.mitre.org/data/definitions/130.html
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc
https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9
https://github.com/esnet/iperf/issues/1542
https://lists.debian.org/debian-lts-announce/2023/07/msg00025.html

Copyright Copyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.833495
Category:	SuSE Local Security Checks
Title:	openSUSE: Security Advisory for iperf (SUSE-SU-2023:3887-1)
Summary:	The remote host is missing an update for the 'iperf'; package(s) announced via the SUSE-SU-2023:3887-1 advisory.
Description:	Summary: The remote host is missing an update for the 'iperf' package(s) announced via the SUSE-SU-2023:3887-1 advisory. Vulnerability Insight: This update for iperf fixes the following issues: * update to 3.15 (bsc#1215662, ESNET-SECADV-2023-0002): * Several bugs that could allow the iperf3 server to hang waiting for input on the control connection has been fixed (ESnet Software Security Advisory ESNET-SECADV-2023-0002) * A bug that caused garbled output with UDP tests on 32-bit hosts has been fixed (PR #1554, PR #1556). This bug was introduced in iperf-3.14. * A bug in counting UDP messages has been fixed * update to 3.14 (bsc#1213430, CVE-2023-38403): * fixes a memory allocation hazard that allowed a remote user to crash an iperf3 process * update to 3.13: * Added missing bind_dev getter and setter. * a fix for A resource leak bug in function iperf_create_pidfile (#1443) * doc: Fix copy-and-paste error leading to wrong error message * Fix crash on rcv-timeout with JSON logfile * update to 3.12: * cJSON has been updated to version 1.7.15 (#1383). * The --bind host % dev option syntax now works properly (#1360 / * A server-side file descriptor leak with the --logfile option has been fixed (#1369 / #1360 / #1369 / #1389 / #1393). * A bug that caused some large values from TCP_INFO to be misprinted as negative numbers has been fixed (#1372). * Using the -k or -n flags with --reverse no longer leak into future tests (#1363 / #1364). * There are now various debug level options available with the --debug option. These can be used to adjust the amount of debugging output (#1327). * A new --snd-timeout option has been added to set a termination timeout for idle TCP connections (#1215 / #1282). * iperf3 is slightly more robust to out-of-order packets during UDP connection setup in --reverse mode (#914 / #1123 / #1182 / #1212 / * iperf3 will now use different ports for each direction when the --cport and - -bdir options are set (#1249 / #1259). * The iperf3 server will now exit if it can't open its log file * Various help message and output fixes have been made (#1299 / * Various compiler warnings have been fixed (#1211 / #1316). * Operation of bootstrap.sh has been fixed and simplified (#1335 / * Flow label support / compatibility under Linux has been improved * Various minor memory leaks have been fixed (#1332 / #1333). * A getter/setter has been added for the bind_port parameter (--cport option). (#1303, #1305) Description truncated. Please see the references for more information. Affected Software/OS: 'iperf' package(s) on openSUSE Leap 15.4, openSUSE Leap 15.5. Solution: Please install the updated package(s). CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-38403 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BV6EBWWF4PEQKROEVXGYSTIT2MGBTLU7/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M25Z5FHTO3XWMGP37JHJ7IIIHSGCLKEV/ http://seclists.org/fulldisclosure/2023/Oct/24 http://seclists.org/fulldisclosure/2023/Oct/26 https://bugs.debian.org/1040830 https://cwe.mitre.org/data/definitions/130.html https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 https://github.com/esnet/iperf/issues/1542 https://lists.debian.org/debian-lts-announce/2023/07/msg00025.html
Copyright	Copyright (C) 2024 Greenbone AG