CVE漏洞中文网

CVE-2017-7401 Amazon Linux Security Advisory for collectd: ALAS-2017-829

May 20, 2017

Vulnerability category: Amazon Linux

Severity level:

Vulnerability information

Infinite loop due to incorrect interaction of parse_packet() and parse_part_sign_sha256() functions:
Collectd contains an infinite loop due to how the parse_packet() and parse_part_sign_sha256() functions interact. If an instance of collectd is configured with "SecurityLevel None" and with empty "AuthFile" options, an attacker can send crafted UDP packets that trigger the infinite loop, causing a denial of service. (CVE-2017-7401)

QID Detection Logic (Authenticated):
We check for file versions less than 5.7.1-3.18.amzn1 for the following files: collectd-memcachec, collectd-curl_xml, collectd-bind, collectd-lua, collectd-java, collectd-snmp, collectd-write_sensu, collectd-dns, libcollectdclient, collectd-apache, collectd-ipmi, collectd-lvm, collectd-chrony, collectd-mysql, collectd-nginx, collectd-netlink, collectd-varnish, collectd-amqp, collectd-iptables, perl-Collectd, collectd-drbd, collectd-python, collectd-generic-jmx, collectd-email, collectd-postgresql, collectd, collectd-write_http, collectd-web, collectd-debuginfo, collectd-dbi, collectd-openldap, collectd-rrdcached, collectd-notify_email, libcollectdclient-devel, collectd-zookeeper, collectd-rrdtool, collectd-utils, collectd-write_tsdb, collectd-curl, collectd-ipvs, collectd-hugepages, collectd-gmond,
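The authenticated check described above can be reproduced offline against a package inventory. The following is an added example, not the scanner's or the advisory's own code: the function names are hypothetical, the sample inventory is constructed, and the comparison is a simplified form of RPM's version ordering without `~` or `^` handling.

```python
import re

FIXED_EVR = "5.7.1-3.18.amzn1"  # fixed version-release named in the advisory
# Package names follow the advisory's list (collectd and its sub-packages).
PKG_RE = re.compile(r"^(collectd(-.+)?|libcollectdclient(-devel)?|perl-Collectd)$")

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))  # digit/letter runs
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):          # numeric compare, so 10 > 7
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():  # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(rpm_output):
    """Return (name, evr) for advisory packages older than FIXED_EVR."""
    hits = []
    for line in rpm_output.splitlines():
        f = line.split()
        if len(f) == 2 and PKG_RE.match(f[0]) and evr_cmp(f[1], FIXED_EVR) < 0:
            hits.append((f[0], f[1]))
    return hits

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
collectd 5.7.1-2.17.amzn1
collectd-python 5.7.1-3.18.amzn1
libcollectdclient 5.4.1-1.11.amzn1
openssl 1.0.1k-15.99.amzn1
collectd-web 5.10.0-1.amzn1
"""

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE))
```

On a real host, pass the output of the `rpm -qa` query shown in the comment to `vulnerable_packages()` in place of the sample.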

Impact

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Solution

Please refer to Amazon advisory ALAS-2017-829 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2017-829: Amazon Linux (collectd (5.7.1-3.18.amzn1) on i686)

ALAS-2017-829: Amazon Linux (collectd (5.7.1-3.18.amzn1) on x86_64)

ALAS-2017-829: Amazon Linux (collectd (5.7.1-3.18.amzn1) on src)

Last updated: May 20, 2017
