Summary: | <sys-cluster/keepalived-2.0.10: multiple vulnerabilities (CVE-2018-{19044,19045,19046,19115}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | cluster, hydrapolic |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://github.com/gentoo/gentoo/pull/10422 | | |
Whiteboard: | B1 [glsa+ cve] | | |
Package list: | sys-cluster/keepalived-2.0.10-r1 | | |
Runtime testing required: | --- | | |
Bug Depends on: | 655300 | | |
Bug Blocks: | | | |

Description
GLSAMaker/CVETool Bot
2018-11-10 21:16:23 UTC

@ maintainer(s): Can we stabilize =sys-cluster/keepalived-2.0.9?

I'll try to give it some more testing next week and report back.

Another security bump to 2.0.10: https://github.com/gentoo/gentoo/pull/10415

I've tested on one of our clusters, it works fine, but there are reports that keepalived segfaults when using snmp: https://github.com/acassen/keepalived/issues/1061 I would suggest waiting for an upstream patch and apply it for 2.0.10. Seems like there are no other open bugs for 2.x.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4385f352e5ace4ce12b29e1378f8b70b3bde597f

commit 4385f352e5ace4ce12b29e1378f8b70b3bde597f
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-11-14 05:17:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-14 13:25:20 +0000

    sys-cluster/keepalived: bump to 2.0.10

    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/Manifest                 |  1 +
 sys-cluster/keepalived/keepalived-2.0.10.ebuild | 72 +++++++++++++++++++++++++
 2 files changed, 73 insertions(+)

Adjusting summary, while CVE-2018-19046 was already addressed in 2.0.9 according to changelog, fix was incomplete. From 2.0.10 changelog:
> This should fully resolve CVE-2018-19046.

Upstream added those fixes for snmp crashes, if we can wait until tomorrow, I'll test them and create a pr for a new revision.

sparc done

SNMP crash fix during shutdown: https://github.com/gentoo/gentoo/pull/10422

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb99b23e3f30a44d4880944ff42731297a0c5e3e

commit bb99b23e3f30a44d4880944ff42731297a0c5e3e
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-11-15 09:58:16 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-11-15 13:49:01 +0000

    sys-cluster/keepalived: fix crash during shutdown

    Bug: https://bugs.gentoo.org/670856
    Bug: https://github.com/acassen/keepalived/issues/1061
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/10422
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 .../files/keepalived-2.0.10-snmp-crash-fix.patch   | 122 +++++++++++++++++++++
 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild |  76 +++++++++++++
 2 files changed, 198 insertions(+)

I know 2.0.10 was stabilized on sparc yesterday, but please stabilize 2.0.10-r1 instead. Then we'll clean all versions <2.0.10-r1. Thanks.

We will move keywords.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc2e9877ba742c36e2ff5da6f23db956dfad930

commit efc2e9877ba742c36e2ff5da6f23db956dfad930
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-15 15:49:48 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-15 15:49:48 +0000

    sys-cluster/keepalived: move keywords

    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild |  2 +-
 sys-cluster/keepalived/keepalived-2.0.10.ebuild    | 72 ----------------------
 2 files changed, 1 insertion(+), 73 deletions(-)

x86 stable

I'm still hitting the sandbox issue described in bug 655300

amd64 stable

ia64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=824dd937195207bd78b66ed8143bb8441fa4ef36

commit 824dd937195207bd78b66ed8143bb8441fa4ef36
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 21:21:38 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 21:21:38 +0000

    sys-cluster/keepalived-2.0.10-r1: alpha stable

    Bug: http://bugs.gentoo.org/670856
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Stable on alpha.

ppc stable

ppc64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78694bbb35225a0e2e39d686456563d492bfe81c

commit 78694bbb35225a0e2e39d686456563d492bfe81c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-01-07 16:49:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-01-07 16:52:52 +0000

    sys-cluster/keepalived: security cleanup

    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.54, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/Manifest                |  2 -
 sys-cluster/keepalived/files/keepalived.confd  |  6 ---
 sys-cluster/keepalived/files/keepalived.init   | 33 ------------
 sys-cluster/keepalived/keepalived-1.4.3.ebuild | 69 --------------------------
 sys-cluster/keepalived/keepalived-1.4.5.ebuild | 69 --------------------------
 5 files changed, 179 deletions(-)

New GLSA request filed.

This issue was resolved and addressed in GLSA 201903-01 at https://security.gentoo.org/glsa/201903-01 by GLSA coordinator Aaron Bauman (b-man).