Summary: | sys-cluster/heartbeat: remote DoS via specially crafted heartbeat message | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Andy Kraut <akraut> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED DUPLICATE | ||
Severity: | minor | CC: | akraut, hp-cluster |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | x86 | ||
OS: | All | ||
URL: | http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt | ||
Whiteboard: | C3 minor: stable | ||
Package list: | Runtime testing required: | --- |
Description
Andy Kraut
2006-08-17 13:14:57 UTC
This package is stable only on x86, though unstable vulnerable versions are available for amd64 and ppc. linux-ha.org recommends upgrading to 1.2.5 or 2.0.7. Both fixed versions are unstable on amd64, ppc, and x86. Alternative recommendations include physical network segmentation.

The fix for this vuln also fixes CVE-2006-3815, local DoS of heartbeat. From CVE: heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a shmget call for shared memory, which allows local users to cause an unspecified denial of service via unknown vectors, possibly during a short time window on startup.

Good job, padawan :) You couldn't know this bug was already filed :)

A few tips to improve:

- fill the Whiteboard appropriately (here, B3 [stable] or C3 [stable]).
- if a bug is already in [stable] status, it indicates that somebody has probably already been handling it :) Ask in IRC. Additionally, the ChangeLog of the ebuild indicates that it was very recent.
- x86 has to be marked stable, you can add x86@gentoo.org in the CC list in this case.

*** This bug has been marked as a duplicate of 141894 ***