This issue was addressed by ensuring that a STARTTLS command is sent after the LIST or LSUB command.
– CVE-2018-14632: There is a heap-based buffer overflow in the telnet server in Alpine 2.25 and earlier when handling specially crafted commands. A remote attacker could exploit this vulnerability by sending a command that could result in a large amount of data being sent to the server. An attacker could leverage this vulnerability to cause a denial of service (crash) of the application.
– CVE-2018-14633: There is a heap-based buffer overflow in the telnet server in Alpine 2.25 and earlier when handling specially crafted commands that trigger sending a large amount of data to the server. An attacker could exploit this vulnerability by sending a command that could result in a large amount of data being sent to the server. An attacker could leverage this vulnerability to cause a denial of service (crash) of the application.
– CVE-2018-14634: There is a stack-based buffer overflow in the telnet server in Alpine 2.25 and earlier when processing a large amount of data. An attacker could exploit this vulnerability by sending a command that could result in a large amount of data being sent to the server. An attacker could leverage this vulnerability to cause a denial of service (crash) of the application.
– CVE-2018-14635: There is a stack-based buffer overflow in the telnet server in Alpine 2.25 and earlier when processing
Products Affected
Alpine Linux 2.25 and earlier versions.
Installation and Upgrade Notes
The following instructions are for Alpine 2.28, the current release at the time of this advisory.
1. Upgrade your system to a supported version:
- Alpine 2.6 (not vulnerable)
- Alpine 2.7 (not vulnerable)
- Alpine 2.8 (not vulnerable)
- Alpine 2.9 (not vulnerable)
- Alpine 2.10 (not vulnerable)
- Alpine 2.11 (not vulnerable)
2. Apply all available updates:
- For Alpine Linux versions prior to v2, apply patches from the vendor URL
- For Alpine Linux v2 and later, upgrade with the "alpine pk3 update" command
Timeline
Published on: 11/03/2022 06:15:00 UTC
Last modified on: 12/12/2022 21:03:00 UTC