[Debian-ha-maintainers] Bug#699615: CVE-2013-0250 - corosync: Remote DoS due to improper HMAC initialization
Salvatore Bonaccorso
carnil at debian.org
Sun Feb 17 13:58:16 UTC 2013
Hi Luciano and Moritz
On Sat, Feb 02, 2013 at 01:54:32PM +0100, Luciano Bello wrote:
> Package: corosync
> Severity: important
> Tags: security patch
> Justification: user security hole
>
> Hi there,
> Please take a look at this thread: http://seclists.org/oss-sec/2013/q1/212
> The patch is included there too.
Disclaimer: I did not make a thorough analysis, but upstream mentions the
following in [1], which could help here:
[1]: http://www.openwall.com/lists/oss-security/2013/02/01/2
----cut---------cut---------cut---------cut---------cut---------cut-----
No, this version is not correct.
corosync >= 2.0 to < 2.3 are affected.
corosync 2.3 and higher have the fix.
Also, the DoS reason is not correct. The junk filter part is a
consequence of how libnss works and should be dropped.
Subject should be:
"CVE Request -- Corosync (2.0 <= X < 2.3): Remote DoS due to improper HMAC
initialization"
----cut---------cut---------cut---------cut---------cut---------cut-----
But this might still need some checking and/or confirmation with
upstream.
Regards,
Salvatore