On 12/04/18 14:33 +0200, Jan Friesse wrote:
> I am pleased to announce the latest maintenance release of Corosync
> 2.4.4 available immediately from our website at
> http://build.clusterlabs.org/corosync/releases/.
> This release contains a lot of fixes, including fix for CVE-2018-1084.

Security related updates would preferably provide more context
as a cue for users to evaluate urgency of applying the update
(or particular patch as denote below) and/or to consider the
risks involved.

That being said, there was this announcement at the oss-security list
earlier today: http://www.openwall.com/lists/oss-security/2018/04/12/2
from which I quote:

  An integer overflow leading to an out-of-bound read was found
  in authenticate_nss_2_3() in Corosync. An attacker could craft
  a malicious packet that would lead to a denial of service.

> Complete changelog for 2.4.4:
> [...]
>       totemcrypto: Check length of the packet


Attachment: pgpv2TzGviVAA.pgp
Description: PGP signature

Users mailing list: Users@clusterlabs.org

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org

Reply via email to