[Debian-ha-maintainers] corosync_2.4.2-3+deb9u1_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sun Apr 22 15:49:54 BST 2018
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Apr 2018 09:05:14 CEST
Source: corosync
Binary: corosync corosync-notifyd corosync-qdevice corosync-qnetd corosync-doc corosync-dev libcfg6 libcmap4 libcorosync-common4 libcpg4 libquorum5 libsam4 libtotem-pg5 libvotequorum8 libcfg-dev libcmap-dev libcorosync-common-dev libcpg-dev libquorum-dev libsam-dev libtotem-pg-dev libvotequorum-dev
Architecture: source
Version: 2.4.2-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian HA Maintainers <debian-ha-maintainers at lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi at debian.org>
Description:
corosync - cluster engine daemon and utilities
corosync-dev - cluster engine generic development (transitional package)
corosync-doc - cluster engine HTML documentation
corosync-notifyd - cluster engine notification daemon
corosync-qdevice - cluster engine quorum device daemon
corosync-qnetd - cluster engine quorum device network daemon
libcfg-dev - cluster engine CFG library development
libcfg6 - cluster engine CFG library
libcmap-dev - cluster engine CMAP library development
libcmap4 - cluster engine CMAP library
libcorosync-common-dev - cluster engine common development
libcorosync-common4 - cluster engine common library
libcpg-dev - cluster engine CPG library development
libcpg4 - cluster engine CPG library
libquorum-dev - cluster engine Quorum library development
libquorum5 - cluster engine Quorum library
libsam-dev - cluster engine SAM library development
libsam4 - cluster engine SAM library
libtotem-pg-dev - cluster engine Totem library development
libtotem-pg5 - cluster engine Totem library
libvotequorum-dev - cluster engine Votequorum library development
libvotequorum8 - cluster engine Votequorum library
Changes:
corosync (2.4.2-3+deb9u1) stretch-security; urgency=high
.
* [c2ee7ce] New patch fixing CVE-2018-1084: integer overflow in
exec/totemcrypto.c.
An integer overflow leading to an out-of-bound read was found in
authenticate_nss_2_3() in Corosync. An attacker could craft a malicious
packet that would lead to a denial of service.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1084
Thanks to Jan Friesse
* [cfd0189] New patches fixing other vulnerabilities similar to CVE-2018-1084.
The msgio patch fixes a real problem when message length > 2^31, which
can't be mitigated by enabling encryption of the Corosync traffic.
The other patches fix buffer overflows resulting in stack corruption
and uses of unallocated memory; these can be mitigated by encryption.
* [2ce17dc] The security patches introduced a new symbol
Checksums-Sha256:
6fc804d8c37e7e56bc01f9b90a1857fe8e0cb1a9abe0b1ada5bcf77ead25c59d 3595 corosync_2.4.2-3+deb9u1.dsc
63cf0c83a33962304f63af8e14054b624d3b6de52ed214f68002dc4e0397c558 43288 corosync_2.4.2-3+deb9u1.debian.tar.xz
f26e3011309fe4bcce94b1dc20ea8c462f19483a73f3ca62f13b925d011a4ba9 1152240 corosync_2.4.2.orig.tar.gz
Checksums-Sha1:
97e3c0e70b358307985746102a376785090314c1 3595 corosync_2.4.2-3+deb9u1.dsc
5a4c66fdf10c0ee7ae4998316284d9300c3514ca 43288 corosync_2.4.2-3+deb9u1.debian.tar.xz
fdb77f06158d0a5fae931ea99e5d146e96f14914 1152240 corosync_2.4.2.orig.tar.gz
Files:
23967f0b240cdfbcae9b49768745a70b 3595 admin optional corosync_2.4.2-3+deb9u1.dsc
67f7242c56ece39e8d03231f11b7a829 43288 admin optional corosync_2.4.2-3+deb9u1.debian.tar.xz
547fa78704da53aa35912be58d31035f 1152240 admin optional corosync_2.4.2.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAlrRqLUACgkQOsj3Fkd+
2yMSsRAAnLBZdwjcToghac7CoVdPV749UWMYqK1+mOMok4DFCfYPNmThPDpnPrTb
2QUJJwEojkAnKQZ4ty/CYlFZ+hdKDpoH3krmOlDYgRAVv026NkzHh6KHc8vOwZTr
j1izqe5JKj9uwbVfqjIVyMeTqVpe6h+rX+nzlmFNqPdISXWxKA6gmvLcUJith0Uo
JrHhiA0HgBSfj6UxXb1FgMBpwO1FwqIAi20i95actzusl8Pnh7nCmhhKZXjz15jc
loDA3apezZf5c2cyIXYuLzFATpxY7nRe/qxhyle/HxfeUQb3P/6IoaM2Am8LjO2L
N6nbjK4zgYl5thrkhVZgui8PeLddwUlOAFj3sr2llspL+KM2R7xoF2/CausNwLO5
5B8JvzKkA7v3r9f6Uxzs4SbJed3C+83M5HjzLl1hWUaYmFxMVzutNcIsSwnem343
82P+uTXtgHIVuIjFXr6bksZW5WNvke7/Rwl9jpMPwgrktWIUGgFj9tlUon0lmUTA
T/Cvlz0SmN9cdcVa3hhdRO1CF0+08czimZExNLZqJgS3ut1rpp3QiA1PDuypjuFQ
S2DnJz9bRi/v4kXfSRaqaCboyoogeoOJU2hjvn3dIL/nzvpE6if0S3XGct+gmzjZ
fqyM2fZGWDcABzxoT6yzG8F9Iq2wjPf5gI7F9AijagggkhInoM8=
=FVw7
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
More information about the Debian-ha-maintainers
mailing list