SUSE-SU-2025:20289-1: moderate: Security update for iperf

SLE-UPDATES null at suse.de
Wed Jun 4 07:26:19 UTC 2025



# Security update for iperf

Announcement ID: SUSE-SU-2025:20289-1  
Release Date: 2025-04-22T14:08:15Z  
Rating: moderate  
References:

  * bsc#1234705

Cross-References:

  * CVE-2024-53580

CVSS scores:

  * CVE-2024-53580 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2024-53580 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-53580 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

  * SUSE Linux Micro Extras 6.0

An update that solves one vulnerability can now be installed.

## Description:

This update for iperf fixes the following issues:

Update to 3.18 (bsc#1234705, CVE-2024-53580):

  * SECURITY NOTE: Thanks to Leonid Krolle (Bi.Zone) for discovering a JSON type
    security vulnerability that caused a segmentation fault in the server
    (CVE-2024-53580). This has now been fixed (PR#1810).
  * UDP packets per second now reports the correct number of packets, by
    reporting NET_SOFTERROR if there is an EAGAIN/EINTR errno when no data was
    sent (#1367/PR#1379).
  * Several segmentation faults related to threading were fixed: one where
    `pthread_cancel` was called on an improperly initialized thread (#1801),
    another where threads were being recycled (#1760/PR#1761), and another where
    threads were improperly handling signals (#1750/PR#1752).
  * A segmentation fault from calling `freeaddrinfo` with `NULL` was fixed
    (PR#1755).
  * Some JSON options were fixed, including checking the size for `json_read`
    (PR#1709), but the size limit was removed for received server output
    (PR#1779).
  * A rcv-timeout error has been fixed. The Nread timeout was hardcoded and
    timed out before the `--rcv-timeout` option.
  * There is no longer a limit on the omit time period.
  * Fixed an output crash on 32-bit big-endian systems.
  * An issue was fixed where CPU utilization was unexpectedly high during
    limited baud rate tests. The `--pacing-timer` option was removed, but it is
    still available in the library.
  * Added SCTP information to `--json` output and fixed a compile error when SCTP
    is not supported (#1731).
  * `--fq-rate` was changed from a uint to a uint64 to allow pacing above 32G.
    Not yet tested on big-endian systems.

  * Build with OpenSSL for key-based authentication support.

## Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such
as YaST online_update or "zypper patch".  
Alternatively, you can run the command listed for your product:

  * SUSE Linux Micro Extras 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-296=1

## Package List:

  * SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
    * iperf-3.18-1.1
    * iperf-debugsource-3.18-1.1
    * libiperf0-debuginfo-3.18-1.1
    * iperf-debuginfo-3.18-1.1
    * libiperf0-3.18-1.1
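To confirm that the patch actually landed on a host, compare the installed iperf version-release against the fixed build listed above (`iperf-3.18-1.1`). The script below is an added example, not part of the SUSE advisory or the iperf project; it assumes an RPM-based host with `rpm` on the PATH and compares only numeric segments, which is enough for these version strings but is not a full rpmvercmp.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether the installed iperf
# package is at or above the fixed build named in the advisory's package list.

FIXED_IPERF="3.18-1.1"   # version-release of the fixed package from the advisory

# Compare two "version-release" strings segment by segment (split on '.' and '-'),
# treating each segment as a number. Prints -1 if $1 is older than $2, 0 if
# equal, 1 if newer. Simplification: non-numeric segments compare as 0.
vr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when the given version-release carries the CVE-2024-53580 fix.
iperf_is_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_IPERF")" -ge 0 ]
}

# Query the local RPM database; prints "VERSION-RELEASE", or nothing if the
# package is absent. Assumes the rpm CLI is available.
installed_iperf_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' iperf 2>/dev/null
}

check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping"; return 0; }
    vr=$(installed_iperf_vr) || { echo "iperf is not installed"; return 0; }
    if iperf_is_fixed "$vr"; then
        echo "iperf $vr: patched (>= $FIXED_IPERF)"
    else
        echo "iperf $vr: affected by CVE-2024-53580; apply patch SUSE-SLE-Micro-6.0-296"
        return 2
    fi
}

# Run the host check only when invoked as: sh check_iperf.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```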

## References:

  * https://www.suse.com/security/cve/CVE-2024-53580.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1234705
