[ClusterLabs] Corosync 2.4.4 is available at corosync.org!

Jan Pokorný jpokorny at redhat.com
Thu Apr 12 10:13:42 EDT 2018


On 12/04/18 14:33 +0200, Jan Friesse wrote:
> I am pleased to announce the latest maintenance release of Corosync
> 2.4.4 available immediately from our website at
> http://build.clusterlabs.org/corosync/releases/.
> 
> This release contains a lot of fixes, including fix for CVE-2018-1084.

Security-related updates would preferably provide more context
as a cue for users to evaluate urgency of applying the update
(or particular patch as denoted below) and/or to consider the
risks involved.

That being said, there was this announcement at the oss-security list
earlier today: http://www.openwall.com/lists/oss-security/2018/04/12/2
from which I quote:

  An integer overflow leading to an out-of-bound read was found
  in authenticate_nss_2_3() in Corosync. An attacker could craft
  a malicious packet that would lead to a denial of service.

> Complete changelog for 2.4.4:
> 
> [...]
> 
>       totemcrypto: Check length of the packet

-- 
Poki
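
The bug class named in the quoted advisory (an unchecked length subtraction ahead of an authentication read), shown beside the kind of length check the changelog entry describes. This is an added illustration, not part of the original message and not Corosync's code: the function names, `TAG_LEN`, the payload-then-tag layout and the toy checksum standing in for an HMAC are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN 4  /* assumed tag size; a real HMAC digest is longer */

/* Toy keyed checksum standing in for an HMAC (NOT cryptographically secure). */
static void toy_tag(const uint8_t *data, size_t len, uint8_t out[TAG_LEN])
{
    uint32_t h = 0x9e3779b9u;               /* constructed "key" */
    for (size_t i = 0; i < len; i++)
        h = (h ^ data[i]) * 16777619u;
    for (size_t i = 0; i < TAG_LEN; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* The flawed pattern: unsigned subtraction with no prior length check.
 * For buf_len < TAG_LEN the result wraps to a huge value, which a caller
 * would then use as a read length. Only the arithmetic is shown here. */
size_t unchecked_payload_len(size_t buf_len)
{
    return buf_len - TAG_LEN;
}

/* Hardened form: reject short packets before any subtraction or read.
 * Returns 0 and sets *payload_len on success, -1 on short or bad packet. */
int verify_packet(const uint8_t *buf, size_t buf_len, size_t *payload_len)
{
    uint8_t expect[TAG_LEN];
    uint8_t diff = 0;
    if (buf == NULL || payload_len == NULL || buf_len <= TAG_LEN)
        return -1;                          /* too short to hold payload + tag */
    size_t datalen = buf_len - TAG_LEN;     /* cannot wrap after the check */
    toy_tag(buf, datalen, expect);
    for (size_t i = 0; i < TAG_LEN; i++)    /* compare without early exit */
        diff |= (uint8_t)(expect[i] ^ buf[datalen + i]);
    if (diff != 0)
        return -1;
    *payload_len = datalen;
    return 0;
}

/* Build payload || tag into out (caller provides len + TAG_LEN bytes). */
size_t seal_packet(const uint8_t *payload, size_t len, uint8_t *out)
{
    memcpy(out, payload, len);
    toy_tag(payload, len, out + len);
    return len + TAG_LEN;
}
```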