7.5 - USN-2477-1

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	libevent vulnerability

Informations
Name	USN-2477-1	First vendor Publication	2015-01-19
Vendor	Ubuntu	Last vendor Modification	2015-01-19
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS

Summary:

libevent could be made to crash or run programs if it processed specially crafted data.

Software Description: - libevent: Asynchronous event notification library

Details:

Andrew Bartlett discovered that libevent incorrectly handled large inputs to the evbuffer API. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10:
libevent-2.0-5 2.0.21-stable-1ubuntu1.14.10.1

Ubuntu 14.04 LTS:
libevent-2.0-5 2.0.21-stable-1ubuntu1.14.04.1

Ubuntu 12.04 LTS:
libevent-2.0-5 2.0.16-stable-1ubuntu0.1

Ubuntu 10.04 LTS:
libevent-1.4-2 1.4.13-stable-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2477-1
CVE-2014-6272

Package Information:
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-1ubuntu1.14.10.1
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-1ubuntu1.14.04.1
https://launchpad.net/ubuntu/+source/libevent/2.0.16-stable-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libevent/1.4.13-stable-1ubuntu0.1

Original Source

Url : http://www.ubuntu.com/usn/USN-2477-1

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-189	Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:27146

Oval ID:	oval:org.mitre.oval:def:27146
Title:	SUSE-SU-2014:1283-1 -- Security update for libevent
Description:	This update fixes a buffer overflow in the buffered event handling in libevent. (CVE-2014-6272) Security Issues: * CVE-2014-6272 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6272>
Family:	unix	Class:	patch
Reference(s):	SUSE-SU-2014:1283-1 CVE-2014-6272	Version:	3
Platform(s):	SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11	Product(s):	libevent
Definition Synopsis:
Operation system section SUSE Linux Enterprise Server 11.x is installed AND SUSE Linux Enterprise Desktop 11.x is installed AND libevent-1_4-2 RPM is earlier than 0:1.4.5-24.24.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Libevent Project Libevent cpe:2.3:a:libevent_project:libevent:2.1.4:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.1.3:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.1.2:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.1.1:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.0.9:rc:::::: cpe:2.3:a:libevent_project:libevent:2.0.8:rc:::::: cpe:2.3:a:libevent_project:libevent:2.0.7:rc:::::: cpe:2.3:a:libevent_project:libevent:2.0.6:rc:::::: cpe:2.3:a:libevent_project:libevent:2.0.5:beta:::::: cpe:2.3:a:libevent_project:libevent:2.0.4:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.0.3:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.0.21:::::::* cpe:2.3:a:libevent_project:libevent:2.0.20:::::::* cpe:2.3:a:libevent_project:libevent:2.0.2:alpha:::::: cpe:2.3:a:libevent_project:libevent:2.0.19:::::::* cpe:2.3:a:libevent_project:libevent:2.0.18:::::::* cpe:2.3:a:libevent_project:libevent:2.0.17:::::::* cpe:2.3:a:libevent_project:libevent:2.0.16:::::::* cpe:2.3:a:libevent_project:libevent:2.0.15:::::::* cpe:2.3:a:libevent_project:libevent:2.0.14:::::::* cpe:2.3:a:libevent_project:libevent:2.0.13:::::::* cpe:2.3:a:libevent_project:libevent:2.0.12:::::::* cpe:2.3:a:libevent_project:libevent:2.0.11:::::::* cpe:2.3:a:libevent_project:libevent:2.0.10:::::::* cpe:2.3:a:libevent_project:libevent:2.0.1:alpha:::::: cpe:2.3:a:libevent_project:libevent:1.4.9:::::::* cpe:2.3:a:libevent_project:libevent:1.4.8:::::::* cpe:2.3:a:libevent_project:libevent:1.4.7:::::::* cpe:2.3:a:libevent_project:libevent:1.4.6:::::::* cpe:2.3:a:libevent_project:libevent:1.4.5:::::::* cpe:2.3:a:libevent_project:libevent:1.4.4:::::::* cpe:2.3:a:libevent_project:libevent:1.4.3:::::::* cpe:2.3:a:libevent_project:libevent:1.4.2:rc:::::: cpe:2.3:a:libevent_project:libevent:1.4.14:::::::* cpe:2.3:a:libevent_project:libevent:1.4.13:::::::* cpe:2.3:a:libevent_project:libevent:1.4.12:::::::* cpe:2.3:a:libevent_project:libevent:1.4.11:::::::* cpe:2.3:a:libevent_project:libevent:1.4.10:::::::* cpe:2.3:a:libevent_project:libevent:1.4.1:beta:::::: cpe:2.3:a:libevent_project:libevent:1.4.0:beta::::::	40
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:7.0:::::::*	1

Nessus® Vulnerability Scanner

Date	Description
2018-06-28	Name : The remote EulerOS host is missing a security update. File : EulerOS_SA-2018-1164.nasl - Type : ACT_GATHER_INFO
2016-03-28	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2016-085-01.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Debian host is missing a security update. File : debian_DLA-137.nasl - Type : ACT_GATHER_INFO
2015-02-09	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201502-07.nasl - Type : ACT_GATHER_INFO
2015-01-26	Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-68.nasl - Type : ACT_GATHER_INFO
2015-01-20	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2477-1.nasl - Type : ACT_GATHER_INFO
2015-01-12	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_daa8a49b99b911e48f663085a9a4510d.nasl - Type : ACT_GATHER_INFO
2015-01-09	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-017.nasl - Type : ACT_GATHER_INFO
2015-01-07	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3119.nasl - Type : ACT_GATHER_INFO
2014-10-11	Name : The remote SuSE 11 host is missing a security update. File : suse_11_libevent-141006.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2015-08-26 00:28:12	Multiple Updates
2015-08-24 21:33:41	Multiple Updates
2015-01-21 13:27:16	Multiple Updates
2015-01-19 17:22:24	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	41
Nessus® Exploit(s)	10

	Related
7.5	CVE-2014-6272
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

7.5 - USN-2477-1

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU