CVE-2020-15472: In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
CVE-2020-15473: In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.
CVE-2020-15475: In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c omits certain reinitialization, leading to a use-after-free.
CVE-2020-15476: In nDPI through 3.2, the Oracle protocol dissector has a heap-based buffer over-read in ndpi_search_oracle in lib/protocols/oracle.c.
Please fix them.
The package has not entered testing even though the delay is over
normal
The package has not entered testing even though the 5-day delay is over. Check why.
Depends on packages which need a new maintainer
normal
The packages that ndpi depends on which need a new maintainer are:
This package has been requested to be removed. This means that, when this request gets processed by an ftp-master, this package will no longer be in unstable, and will automatically be removed from testing too afterwards. If for some reason you want to keep this package in unstable, please discuss so in the bug. Please see bug number #980216 for more information.