CVE-2014-6272
libevent - security update
Description
Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later.
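The defect class above is an unchecked `len + datlen` (which can wrap to a small value, so the allocation succeeds and the copy overruns the heap) and an unguarded doubling loop (which spins forever once the capacity wraps to zero). The following is an added example, written here and not libevent's own code, of a toy buffer whose growth path carries the overflow checks that close both failure modes; `struct buf`, `needed_size`, `grow_capacity` and `buf_add` are constructed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy buffer modelled on the evbuffer growth pattern; constructed for illustration. */
struct buf {
    unsigned char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

/* Capacity needed to append datlen bytes; refuses when len + datlen would wrap.
 * An unchecked sum wraps to a small value, the realloc "succeeds", and the
 * later memcpy overflows the heap. */
static int needed_size(size_t len, size_t datlen, size_t *need)
{
    if (datlen > SIZE_MAX - len)
        return -1;           /* would overflow */
    *need = len + datlen;
    return 0;
}

/* Grow by doubling, but stop doubling when the next step would wrap.
 * Without the guard, cap * 2 eventually becomes 0 and "while (cap < need)"
 * never terminates. */
static size_t grow_capacity(size_t cap, size_t need)
{
    if (cap == 0)
        cap = 256;
    while (cap < need) {
        if (cap > SIZE_MAX / 2)
            return need;     /* cannot double again; use the exact size */
        cap *= 2;
    }
    return cap;
}

/* Append with the checks above; returns 0 on success, -1 on overflow or OOM. */
int buf_add(struct buf *b, const void *src, size_t datlen)
{
    size_t need;
    if (needed_size(b->len, datlen, &need) != 0)
        return -1;
    if (need > b->cap) {
        size_t newcap = grow_capacity(b->cap, need);
        unsigned char *p = realloc(b->data, newcap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, datlen);
    b->len += datlen;
    return 0;
}
```

A request to append `SIZE_MAX` bytes to a non-empty buffer is rejected up front instead of wrapping the size computation.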
How to fix CVE-2014-6272
To remediate CVE-2014-6272, upgrade the affected package to one of the fixed versions below.
- upgrade to 2.0.21-stable-2 or later
- upgrade to 1.4.13-stable-1+deb6u1 or later
- upgrade to 2.0.19-stable-3+deb7u1 or later
Is CVE-2014-6272 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.0.21-stable-2
- from 0, < 1.4.13-stable-1+deb6u1
- from 0, < 2.0.19-stable-3+deb7u1