Security update for shadowsocks-libev SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2667-1 Final 1 1 2019-12-11T09:13:53Z current 2019-12-11T09:13:53Z 2019-12-11T09:13:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for shadowsocks-libev This update for shadowsocks-libev fixes the following issues: - Update version to 3.3.3 * Refine the handling of suspicious connections. * Fix exploitable denial-of-service vulnerability exists in the UDPRelay functionality (boo#1158251, CVE-2019-5163) * Fix code execution vulnerability in the ss-manager binary (boo#1158365, CVE-2019-5164) * Refine the handling of fragment request. * Fix a high CPU bug introduced in 3.3.0. (#2449) * Enlarge the socket buffer size to 16KB. * Fix the empty list bug in ss-manager. * Fix the IPv6 address parser. * Fix a bug of port parser. * Fix a crash with MinGW. * Refine SIP003 plugin interface. * Remove connection timeout from all clients. * Fix the alignment bug again. * Fix a bug on 32-bit arch. * Add TCP fast open support to ss-tunnel by @PantherJohn. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2667 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F7462ADKEIGO6IMEKW3GLMBQL3G52ZFY/#F7462ADKEIGO6IMEKW3GLMBQL3G52ZFY E-Mail link for openSUSE-SU-2019:2667-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1158251 SUSE Bug 1158251 https://bugzilla.suse.com/1158365 SUSE Bug 1158365 https://www.suse.com/security/cve/CVE-2019-5163/ SUSE CVE CVE-2019-5163 page https://www.suse.com/security/cve/CVE-2019-5164/ SUSE CVE CVE-2019-5164 page openSUSE Leap 15.1 libshadowsocks-libev2-3.3.3-lp151.2.3.1 shadowsocks-libev-3.3.3-lp151.2.3.1 shadowsocks-libev-devel-3.3.3-lp151.2.3.1 shadowsocks-libev-doc-3.3.3-lp151.2.3.1 libshadowsocks-libev2-3.3.3-lp151.2.3.1 as a component of openSUSE Leap 15.1 shadowsocks-libev-3.3.3-lp151.2.3.1 as a component of openSUSE Leap 15.1 shadowsocks-libev-devel-3.3.3-lp151.2.3.1 as a component of openSUSE Leap 15.1 shadowsocks-libev-doc-3.3.3-lp151.2.3.1 as a component of openSUSE Leap 15.1 An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability. CVE-2019-5163 openSUSE Leap 15.1:libshadowsocks-libev2-3.3.3-lp151.2.3.1 openSUSE Leap 15.1:shadowsocks-libev-3.3.3-lp151.2.3.1 openSUSE Leap 15.1:shadowsocks-libev-devel-3.3.3-lp151.2.3.1 openSUSE Leap 15.1:shadowsocks-libev-doc-3.3.3-lp151.2.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F7462ADKEIGO6IMEKW3GLMBQL3G52ZFY/#F7462ADKEIGO6IMEKW3GLMBQL3G52ZFY https://www.suse.com/security/cve/CVE-2019-5163.html CVE-2019-5163 https://bugzilla.suse.com/1158251 SUSE Bug 1158251 An exploitable code execution vulnerability exists in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted network packets sent to ss-manager can cause an arbitrary binary to run, resulting in code execution and privilege escalation. An attacker can send network packets to trigger this vulnerability. CVE-2019-5164 openSUSE Leap 15.1:libshadowsocks-libev2-3.3.3-lp151.2.3.1 openSUSE Leap 15.1:shadowsocks-libev-3.3.3-lp151.2.3.1 openSUSE Leap 15.1:shadowsocks-libev-devel-3.3.3-lp151.2.3.1 openSUSE Leap 15.1:shadowsocks-libev-doc-3.3.3-lp151.2.3.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F7462ADKEIGO6IMEKW3GLMBQL3G52ZFY/#F7462ADKEIGO6IMEKW3GLMBQL3G52ZFY https://www.suse.com/security/cve/CVE-2019-5164.html CVE-2019-5164 https://bugzilla.suse.com/1158365 SUSE Bug 1158365