[ClusterLabs] Corosync 2.4.4 is available at corosync.org!

Ferenc Wágner wferi at niif.hu
Fri Apr 13 04:39:30 EDT 2018


Jan Friesse <jfriesse at redhat.com> writes:

> Ferenc Wágner napsal(a):
>
>> I wonder if c139255 (totemsrp: Implement sanity checks of received
>> msgs) has direct security relevance as well.
>
> Not entirely direct, but quite similar.
>
>> Should I include that too in the Debian security update?  Debian
>> stable has 2.4.2, so I'm cherry picking into that version.
>
> Yes, please include all
> fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c

Hi Honza,

I'm confused, the commit I mentioned above is not in the range you
provided.  Besides, I can only include targeted security fixes for
exploitable vulnerabilities in a stable security update.  A pre-
authentication buffer overflow (CVE-2018-1084) most certainly qualifies,
while the msgio cleanup does not.  Missing checks for messages being
sent (08cb237) are hard to judge for me... wouldn't exploiting this
require root privileges to start with?  Also, how much of these issues
can be mitigated by enabling encryption or strict firewalling?
Basically, I'll need more ammo to push all these changes through the
Security Team.

(I'll package 2.4.4 for testing/unstable and eventually provide a stable
backport of it, but that goes through different channels.)
-- 
Thanks,
Feri


