Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 906834 - (CVE-2013-0250) corosync 2.x: Remote DoS due improper HMAC initialization
corosync 2.x: Remote DoS due improper HMAC initialization
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130118,repor...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-02-01 11:17 EST by Jan Lieskovsky
Modified: 2013-02-02 07:52 EST (History)
5 users (show)

See Also:
Fixed In Version: Corosync 2.3.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-02 07:52:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jan Lieskovsky 2013-02-01 11:17:43 EST 
A remote denial of service flaw was found in the way Corosync, the cluster engine and application programming interfaces, performed processing of network packets. Previously the HMAC key was not initialized properly, which allowed random targeted packets to be processed by the internal process of corosync and possibly leading to a daemon crash.

References:
[1] http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097833.html
[2] http://lwn.net/Vulnerabilities/535234/
[3] https://bugs.mageia.org/show_bug.cgi?id=8905

Relevant upstream patch (might not be complete set):
[4] https://github.com/corosync/corosync/commit/b3f456a8ceefac6e9f2e9acc2ea0c159d412b595
Comment 4 Fabio Massimo Di Nitto 2013-02-01 11:26:55 EST 
> Relevant upstream patch (might not be complete set):
> [4]
> https://github.com/corosync/corosync/commit/
> b3f456a8ceefac6e9f2e9acc2ea0c159d412b595


https://github.com/corosync/corosync/commit/55dc09ea237482f827333759fd45608bc9518d64

https://github.com/corosync/corosync/commit/ebb007a16c6a8d9e6f783ed82b324cb232c64be5

complete set is 3 patches.
Comment 5 Jan Lieskovsky 2013-02-01 11:28:51 EST 
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/02/01/1
Comment 7 Jan Lieskovsky 2013-02-01 11:33:03 EST 
This issue did NOT affect the version of the corosync package, as shipped with Red Hat Enterprise Linux 6.
Comment 8 Jan Lieskovsky 2013-02-01 11:37:12 EST 
Statement:

Not vulnerable. This issue did not affect the version of corosync as shipped with Red Hat Enterprise Linux 6.
Comment 11 Jan Lieskovsky 2013-02-02 07:52:49 EST 
The CVE identifier of CVE-2013-0250 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/02/01/3
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.