Jan Friesse <[email protected]> writes:

> Ferenc Wágner wrote:
>
>> I wonder if c139255 (totemsrp: Implement sanity checks of received
>> msgs) has direct security relevance as well.
>
> Not entirely direct, but quite similar.
>
>> Should I include that too in the Debian security update? Debian
>> stable has 2.4.2, so I'm cherry picking into that version.
>
> Yes, please include all
> fc1d5418533c1faf21616b282c2559bed7d361c4..b25b029fe186bacf089ab8136da58390945eb35c
Hi Honza,

I'm confused, the commit I mentioned above is not in the range you provided. Besides, I can only include targeted security fixes for exploitable vulnerabilities in a stable security update. A pre-authentication buffer overflow (CVE-2018-1084) most certainly qualifies, while the msgio cleanup does not. Missing checks for messages being sent (08cb237) are hard to judge for me... wouldn't exploiting this require root privileges to start with? Also, how much of these issues can be mitigated by enabling encryption or strict firewalling? Basically, I'll need more ammo to push all these changes through the Security Team. (I'll package 2.4.4 for testing/unstable and eventually provide a stable backport of it, but that goes through different channels.)

-- 
Thanks,
Feri

_______________________________________________
Users mailing list: [email protected]
https://lists.clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
