Cloud Foundry Logo
blog single gear
Security Advisory

USN-3068-1 Libidn vulnerabilities

USN-3068-1 Libidn vulnerabilities




Canonical Ubuntu, libidn

Versions Affected

Canonical Ubuntu 14.04 LTS


Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8 characters. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly disclose sensitive memory. (CVE-2015-2059)

Hanno Böck discovered that Libidn incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn to crash, resulting in a denial of service. (CVE-2015-8948, CVE-2016-6262, CVE-2016-6261, CVE-2016-6263)

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.21 AND 3232.x versions prior to 3232.19 AND other versions prior to 3262.12 are vulnerable
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.78.0


Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has released patched BOSH stemcells 3146.21 and 3232.19 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.21 OR 3232.x versions to 3232.19
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.78.0 or later versions


Thijs Alkemade, Hanno Böck, Gustavo Grieco, Nikos Mavrogiannopoulos, and Daniel Stenberg


Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR