[ClusterLabs] Corosync 2.4.4 is available at corosync.org!

Jan Friesse jfriesse at redhat.com
Fri Apr 13 06:11:02 EDT 2018

Ferenc Wágner napsal(a):
> Jan Friesse <jfriesse at redhat.com> writes:
>> Ferenc Wágner napsal(a):
>>> I wonder if c139255 (totemsrp: Implement sanity checks of received
>>> msgs) has direct security relevance as well.
>> Not entirely direct, but quite similar.
>>> Should I include that too in the Debian security update?  Debian
>>> stable has 2.4.2, so I'm cherry picking into that version.
>> Yes, please include all
>> fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c
> Hi Honza,


> I'm confused, the commit I mentioned above is not in the range you
> provided.  Besides, I can only include targeted security fixes for

Actually it is. c139255 = master/camelback branch, 
50e17ffc736f0052e921c861b6953ba8938e4103 = needle branch.

> exploitable vulnerabilities in a stable security update.  A pre-
> authentication buffer overflow (CVE-2018-1084) most certainly qualifies,
> while the msgio cleanup does not.  Missing checks for messages being

Patch "msgio: Fix reading of msg longer than i32" is not only cleanup. 
It also fixes real problem when message length > 2^31 .

> sent (08cb237) are hard to judge for me... wouldn't expoiting this
> require root privileges to start with?  Also, how much of these issues

None of these require root privileges

> can be mitigated by enabling encryption or strict firewalling?

All (including the CVE one) can be mitigated by strict firewall. The CVE 
one and the msgio cannot be mitigated by encryption, other issues can be.

> Basically, I'll need more ammo to push all these changes through the
> Security Team.

We can probably do CVE for others.


> (I'll package 2.4.4 for testing/unstable and eventually provide a stable
> backport of it, but that goes through different channels.)

More information about the Users mailing list