|Summary:||sys-cluster/heartbeat: remote DoS via specially crafted heartbeat message|
|Product:||Gentoo Security||Reporter:||Andy Kraut <akraut>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||C3 minor: stable|
|Package list:||Runtime testing required:||---|
Description Andy Kraut 2006-08-17 13:14:57 UTC
From CVE: The heartbeat subsystem in High-Availability Linux before 1.2.5 and 2.0 before 2.0.7 allows remote attackers to cause a denial of service (crash) via a crafted heartbeat message. CVE-2006-3121
Comment 1 Andy Kraut 2006-08-17 13:24:31 UTC
This package is stable only on x86, though unstable vulnerable versions are available for amd64 and ppc. linux-ha.org recommends upgrading to 1.2.5 or 2.0.7. Both fixed versions are unstable on amd64, ppc, and x86. Alternative recommendations include physical network segmentation.
Comment 2 Andy Kraut 2006-08-17 13:53:00 UTC
The fix for this vuln also fixes CVE-2006-3815, local DoS of heartbeat. From CVE: heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a shmget call for shared memory, which allows local users to cause an unspecified denial of service via unknown vectors, possibly during a short time window on startup.
Comment 3 Raphael Marichez (Falco) (RETIRED) 2006-08-18 03:02:16 UTC
Good job, padawan :) You couldn't know this bug was already filled :) a few tips to improve : - fill the Whiteboard appropriately (here, B3 [stable] or C3 [stable]). - if a bug is already in [stable] status, it indicates that somebody has probably already been handling it :) Ask in IRC. Additionnally, the ChangeLog of the ebuild indicates that it was very recent. - x86 has to be marked stable, you can add email@example.com in the CC list in this case. *** This bug has been marked as a duplicate of 141894 ***