Advisories » MGASA-2016-0185

Updated libndp packages fix CVE-2016-3698

Publication date: 18 May 2016
Modification date: 18 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3698

Description

Updated libndp package fixes security vulnerability:

Libndp is a library (used by NetworkManager) that provides a wrapper for the
IPv6 Neighbor Discovery Protocol. It also provides a tool named ndptool for
sending and receiving NDP messages.

Security Fix(es):

It was found that libndp did not properly validate and check the origin of
Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local network
could use this flaw to advertise a node as a router, allowing them to perform
man-in-the-middle attacks on a connecting client, or disrupt the network
connectivity of that client. (CVE-2016-3698)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18477
• https://rhn.redhat.com/errata/RHSA-2016-1086.html
• http://openwall.com/lists/oss-security/2016/05/17/9
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3698

SRPMS

5/core

• libndp-1.4-3.1.mga5