Source: keepalived
Version: 1:2.3.1-1
Severity: normal
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for keepalived. This is mainly
for tracking the upstream fix once it lands in Debian unstable. The CVE is
somehow disputed to be worthwhile, because keepalived needs an explicit
misconfiguration to be exploited for it. Details in the references.

CVE-2024-41184[0]:
| In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived
| through 2.3.1, an integer overflow can occur. NOTE: this CVE Record
| might not be worthwhile because an empty ipset name must be
| configured by the user.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-41184
    https://www.cve.org/CVERecord?id=CVE-2024-41184
[1] https://github.com/acassen/keepalived/commit/e78513fe0ce5d83c226ea2c0bd222f375c2438e7
[2] https://github.com/acassen/keepalived/issues/2447#issuecomment-2231329734

Regards,
Salvatore
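The report above only states that an empty ipset name in the configuration leads to an integer overflow in vrrp_ipsets_handler; it does not show the affected code. The following is an added, constructed illustration of that bug class and of the input validation that closes it. It is not keepalived's code and not the upstream fix in commit e78513fe: the unchecked pattern (`strlen(name) - 1` on a zero-length string), the `IPSET_MAXNAMELEN` limit, and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed limit for this example; not keepalived's actual constant. */
#define IPSET_MAXNAMELEN 32

/* Hypothetical unchecked pattern: computing the index of the last
 * character of a name. With an empty name strlen() is 0 and the
 * unsigned subtraction wraps to SIZE_MAX, so any later use of the
 * result as an index or length is out of bounds. */
static size_t last_index_unchecked(const char *name)
{
    return strlen(name) - 1;
}

/* Returns 1 if the unchecked computation wraps for the empty string. */
int empty_name_wraps(void)
{
    return last_index_unchecked("") == SIZE_MAX;
}

/* Hardened validator for a configured ipset name.
 * Returns 0 and copies the name into out when it is non-empty and fits;
 * returns -1 otherwise. The length check happens before any arithmetic
 * that assumes len >= 1, so an empty name can never reach it. */
int validate_ipset_name(const char *name, char *out, size_t out_len)
{
    size_t len;

    if (name == NULL || out == NULL || out_len == 0)
        return -1;

    len = strlen(name);
    if (len == 0)            /* reject the misconfiguration from the report */
        return -1;
    if (len >= out_len)      /* reject names that would not fit with NUL */
        return -1;

    memcpy(out, name, len + 1);
    return 0;
}

/* Convenience wrapper using the example's fixed-size buffer:
 * 0 = accepted, -1 = rejected. */
int check_ipset_name(const char *name)
{
    char buf[IPSET_MAXNAMELEN];
    return validate_ipset_name(name, buf, sizeof(buf));
}

int main(void)
{
    /* Constructed sample configuration values. */
    const char *samples[] = { "", "keepalived", "x" };
    size_t i;

    printf("empty name wraps in unchecked code: %s\n",
           empty_name_wraps() ? "yes" : "no");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("name \"%s\": %s\n", samples[i],
               check_ipset_name(samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check to add in a parser is the `len == 0` branch: it turns the misconfiguration the CVE note describes into a clean configuration error instead of letting unsigned arithmetic wrap.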

