Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 144244

Summary: sys-cluster/heartbeat: remote DoS via specially crafted heartbeat message
Product: Gentoo Security Reporter: Andy Kraut <akraut>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: akraut, hp-cluster
Priority: High    
Version: unspecified   
Hardware: x86   
OS: All   
Whiteboard: C3 minor: stable
Package list:
Runtime testing required: ---

Description Andy Kraut 2006-08-17 13:14:57 UTC
From CVE:
The heartbeat subsystem in High-Availability Linux before 1.2.5 and 2.0 before 2.0.7 allows remote attackers to cause a denial of service (crash) via a crafted heartbeat message.

Comment 1 Andy Kraut 2006-08-17 13:24:31 UTC
This package is stable only on x86, though unstable vulnerable versions are available for amd64 and ppc. recommends upgrading to 1.2.5 or 2.0.7.  Both fixed versions are unstable on amd64, ppc, and x86.  Alternative recommendations include physical network segmentation.
Comment 2 Andy Kraut 2006-08-17 13:53:00 UTC
The fix for this vuln also fixes CVE-2006-3815, local DoS of heartbeat.

From CVE:
heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a shmget call for shared memory, which allows local users to cause an unspecified denial of service via unknown vectors, possibly during a short time window on startup.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-18 03:02:16 UTC
Good job, padawan :)
You couldn't know this bug was already filled :)

a few tips to improve :

- fill the Whiteboard appropriately (here, B3 [stable] or C3 [stable]).
- if a bug is already in [stable] status, it indicates that somebody has probably already been handling it :) Ask in IRC.  Additionnally, the ChangeLog of the ebuild indicates that it was very recent.
- x86 has to be marked stable, you can add in the CC list in this case.

*** This bug has been marked as a duplicate of 141894 ***