[Debian-ha-maintainers] Bug#699615: Re: Bug#699615: CVE-2013-0250 - corosync: Remote DoS due improper HMAC initialization

Salvatore Bonaccorso carnil at debian.org
Fri Feb 22 15:05:14 UTC 2013


Control: found -1 1.99.9-1

Hi all

I had a look at the version in experimental:

On Mon, Feb 18, 2013 at 09:23:20PM +0100, Martin Gerhard Loschwitz wrote:
> I don't think we have Corosync 2.0 anywhere (we have 1.99 in experimental, I
> don't know if that specific version is affected or not just yet). So can we please
> tag this bug accordingly?

The version in experimental has on lines 407 and 408:

407         hash_param.data = 0;
408         hash_param.len = 0;

which is in init_nss_hash. So this looks like corosync in experimental
is affected.

Regards,
Salvatore


