Ferenc Wágner napsal(a):
Jan Friesse <jfrie...@redhat.com> writes:
Ferenc Wágner napsal(a):
I wonder if c139255 (totemsrp: Implement sanity checks of received
msgs) has direct security relevance as well.
Not entirely direct, but quite similar.
Should I include that too in the Debian security update? Debian
stable has 2.4.2, so I'm cherry picking into that version.
Yes, please include all
fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c
Hi Honza,
Ferenc,
I'm confused, the commit I mentioned above is not in the range you
provided. Besides, I can only include targeted security fixes for
Actually it is. c139255 = master/camelback branch,
50e17ffc736f0052e921c861b6953ba8938e4103 = needle branch.
exploitable vulnerabilities in a stable security update. A pre-
authentication buffer overflow (CVE-2018-1084) most certainly qualifies,
while the msgio cleanup does not. Missing checks for messages being
Patch "msgio: Fix reading of msg longer than i32" is not only cleanup.
It also fixes real problem when message length > 2^31 .
sent (08cb237) are hard to judge for me... wouldn't expoiting this
require root privileges to start with? Also, how much of these issues
None of these require root privileges
can be mitigated by enabling encryption or strict firewalling?
All (including the CVE one) can be mitigated by strict firewall. The CVE
one and the msgio cannot be mitigated by encryption, other issues can be.
Basically, I'll need more ammo to push all these changes through the
Security Team.
We can probably do CVE for others.
Honza
(I'll package 2.4.4 for testing/unstable and eventually provide a stable
backport of it, but that goes through different channels.)
_______________________________________________
Users mailing list: Users@clusterlabs.org
https://lists.clusterlabs.org/mailman/listinfo/users
Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
