[ClusterLabs] Corosync 2.4.4 is available at corosync.org!
Jan Pokorný
jpokorny at redhat.com
Thu Apr 12 14:13:42 UTC 2018
On 12/04/18 14:33 +0200, Jan Friesse wrote:
> I am pleased to announce the latest maintenance release of Corosync
> 2.4.4 available immediately from our website at
> http://build.clusterlabs.org/corosync/releases/.
>
> This release contains a lot of fixes, including fix for CVE-2018-1084.
Security-related updates would preferably provide more context
as a cue for users to evaluate urgency of applying the update
(or particular patch as denoted below) and/or to consider the
risks involved.
That being said, there was this announcement at the oss-security list
earlier today: http://www.openwall.com/lists/oss-security/2018/04/12/2
from which I quote:
  An integer overflow leading to an out-of-bound read was found
  in authenticate_nss_2_3() in Corosync. An attacker could craft
  a malicious packet that would lead to a denial of service.
> Complete changelog for 2.4.4:
>
> [...]
>
> totemcrypto: Check length of the packet
--
Poki
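
The bug class named in the quoted advisory, and the kind of check the "totemcrypto: Check length of the packet" changelog entry refers to, shown as an added example that is not part of the original message and is not Corosync's code. The packet layout (payload followed by a fixed-size digest trailer), DIGEST_LEN, toy_digest() and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20u /* assumed size of the digest trailer */

/* Constructed stand-in for a keyed digest; real code would call an HMAC. */
static void toy_digest(const uint8_t *d, size_t len, uint8_t out[DIGEST_LEN])
{
    memset(out, 0x5a, DIGEST_LEN);
    for (size_t i = 0; i < len; i++)
        out[i % DIGEST_LEN] ^= (uint8_t)(d[i] + i);
}

/* Unchecked form: unsigned subtraction wraps when buf_len < DIGEST_LEN,
 * so a later read of "payload" bytes would run far past the buffer. */
size_t payload_len_unchecked(size_t buf_len)
{
    return buf_len - DIGEST_LEN;
}

/* Hardened form: reject short packets before any length arithmetic.
 * Returns 0 if the trailer matches the payload, -1 otherwise. */
int authenticate_packet(const uint8_t *buf, size_t buf_len)
{
    uint8_t expect[DIGEST_LEN], diff = 0;
    if (buf == NULL || buf_len < DIGEST_LEN)
        return -1;
    size_t data_len = buf_len - DIGEST_LEN; /* cannot wrap after the check */
    toy_digest(buf, data_len, expect);
    for (size_t i = 0; i < DIGEST_LEN; i++) /* compare without early exit */
        diff |= (uint8_t)(expect[i] ^ buf[data_len + i]);
    return diff == 0 ? 0 : -1;
}

/* Builds payload||digest into out; returns total length, or 0 if out is too small. */
size_t seal_packet(const uint8_t *d, size_t len, uint8_t *out, size_t cap)
{
    if (cap < DIGEST_LEN || len > cap - DIGEST_LEN)
        return 0;
    memcpy(out, d, len);
    toy_digest(d, len, out + len);
    return len + DIGEST_LEN;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = seal_packet((const uint8_t *)"hello", 5, pkt, sizeof pkt);
    printf("valid=%d short=%d wrapped_len=%zu\n", authenticate_packet(pkt, n),
           authenticate_packet(pkt, 4), payload_len_unchecked(4));
    return 0;
}
```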