Ferenc Wágner napsal(a):
Jan Friesse <jfrie...@redhat.com> writes:

Ferenc Wágner napsal(a):

I wonder if c139255 (totemsrp: Implement sanity checks of received
msgs) has direct security relevance as well.

Not entirely direct, but quite similar.

Should I include that too in the Debian security update?  Debian
stable has 2.4.2, so I'm cherry picking into that version.

Yes, please include all

Hi Honza,


I'm confused, the commit I mentioned above is not in the range you
provided.  Besides, I can only include targeted security fixes for

Actually it is. c139255 = master/camelback branch, 50e17ffc736f0052e921c861b6953ba8938e4103 = needle branch.

exploitable vulnerabilities in a stable security update.  A pre-
authentication buffer overflow (CVE-2018-1084) most certainly qualifies,
while the msgio cleanup does not.  Missing checks for messages being

Patch "msgio: Fix reading of msg longer than i32" is not only cleanup. It also fixes real problem when message length > 2^31 .

sent (08cb237) are hard to judge for me... wouldn't expoiting this
require root privileges to start with?  Also, how much of these issues

None of these require root privileges

can be mitigated by enabling encryption or strict firewalling?

All (including the CVE one) can be mitigated by strict firewall. The CVE one and the msgio cannot be mitigated by encryption, other issues can be.

Basically, I'll need more ammo to push all these changes through the
Security Team.

We can probably do CVE for others.


(I'll package 2.4.4 for testing/unstable and eventually provide a stable
backport of it, but that goes through different channels.)

Users mailing list: Users@clusterlabs.org

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org

Reply via email to