Re: [ClusterLabs] Corosync 2.4.4 is available at corosync.org!
Ferenc Wágner napsal(a): Jan Friesse writes: Ferenc Wágner napsal(a): I wonder if c139255 (totemsrp: Implement sanity checks of received msgs) has direct security relevance as well. Not entirely direct, but quite similar. Should I include that too in the Debian security update? Debian stable has 2.4.2, so I'm cherry picking into that version. Yes, please include all fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c Hi Honza, Ferenc, I'm confused, the commit I mentioned above is not in the range you provided. Besides, I can only include targeted security fixes for Actually it is. c139255 = master/camelback branch, 50e17ffc736f0052e921c861b6953ba8938e4103 = needle branch. exploitable vulnerabilities in a stable security update. A pre- authentication buffer overflow (CVE-2018-1084) most certainly qualifies, while the msgio cleanup does not. Missing checks for messages being Patch "msgio: Fix reading of msg longer than i32" is not only cleanup. It also fixes real problem when message length > 2^31 . sent (08cb237) are hard to judge for me... wouldn't expoiting this require root privileges to start with? Also, how much of these issues None of these require root privileges can be mitigated by enabling encryption or strict firewalling? All (including the CVE one) can be mitigated by strict firewall. The CVE one and the msgio cannot be mitigated by encryption, other issues can be. Basically, I'll need more ammo to push all these changes through the Security Team. We can probably do CVE for others. Honza (I'll package 2.4.4 for testing/unstable and eventually provide a stable backport of it, but that goes through different channels.) ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org
Re: [ClusterLabs] Corosync 2.4.4 is available at corosync.org!
Jan Friesse writes: > Ferenc Wágner napsal(a): > >> I wonder if c139255 (totemsrp: Implement sanity checks of received >> msgs) has direct security relevance as well. > > Not entirely direct, but quite similar. > >> Should I include that too in the Debian security update? Debian >> stable has 2.4.2, so I'm cherry picking into that version. > > Yes, please include all > fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c Hi Honza, I'm confused, the commit I mentioned above is not in the range you provided. Besides, I can only include targeted security fixes for exploitable vulnerabilities in a stable security update. A pre- authentication buffer overflow (CVE-2018-1084) most certainly qualifies, while the msgio cleanup does not. Missing checks for messages being sent (08cb237) are hard to judge for me... wouldn't expoiting this require root privileges to start with? Also, how much of these issues can be mitigated by enabling encryption or strict firewalling? Basically, I'll need more ammo to push all these changes through the Security Team. (I'll package 2.4.4 for testing/unstable and eventually provide a stable backport of it, but that goes through different channels.) -- Thanks, Feri ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org
Re: [ClusterLabs] Corosync 2.4.4 is available at corosync.org!
Ferenc Wágner napsal(a): Jan Pokorný writes: On 12/04/18 14:33 +0200, Jan Friesse wrote: This release contains a lot of fixes, including fix for CVE-2018-1084. Security related updates would preferably provide more context Absolutely, thanks for providing that! Looking at the git log, I wonder if c139255 (totemsrp: Implement sanity checks of received msgs) has direct security relevance as well. Should I include that too in the Not entirely direct, but quite similar. Debian security update? Debian stable has 2.4.2, so I'm cherry picking Yes, please include all fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c Regards, Honza into that version. ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org
Re: [ClusterLabs] Corosync 2.4.4 is available at corosync.org!
Jan Pokorný writes: > On 12/04/18 14:33 +0200, Jan Friesse wrote: > >> This release contains a lot of fixes, including fix for >> CVE-2018-1084. > > Security related updates would preferably provide more context Absolutely, thanks for providing that! Looking at the git log, I wonder if c139255 (totemsrp: Implement sanity checks of received msgs) has direct security relevance as well. Should I include that too in the Debian security update? Debian stable has 2.4.2, so I'm cherry picking into that version. -- Thanks, Feri ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org
Re: [ClusterLabs] Corosync 2.4.4 is available at corosync.org!
On 12/04/18 14:33 +0200, Jan Friesse wrote: > I am pleased to announce the latest maintenance release of Corosync > 2.4.4 available immediately from our website at > http://build.clusterlabs.org/corosync/releases/. > > This release contains a lot of fixes, including fix for CVE-2018-1084. Security related updates would preferably provide more context as a cue for users to evaluate urgency of applying the update (or particular patch as denote below) and/or to consider the risks involved. That being said, there was this announcement at the oss-security list earlier today: http://www.openwall.com/lists/oss-security/2018/04/12/2 from which I quote: An integer overflow leading to an out-of-bound read was found in authenticate_nss_2_3() in Corosync. An attacker could craft a malicious packet that would lead to a denial of service. > Complete changelog for 2.4.4: > > [...] > > totemcrypto: Check length of the packet -- Poki pgpv2TzGviVAA.pgp Description: PGP signature ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org