| Summary: | sys-cluster/csync2: Authentication bypass in HELLO command when SSL enabled (CVE-2019-{15522,15523}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS | | |
| Severity: | minor | CC: | ajak, cluster |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa? cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
Maintainer(s): Ping.

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-15522 (https://nvd.nist.gov/vuln/detail/CVE-2019-15522):
> An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session
> in daemon.c neglects to force a failure of a hello command when the
> configuration requires use of SSL.
>
> ----
> Patch:
> https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1
>
> Please note other useful security patches are in this PR too:
> https://github.com/LINBIT/csync2/pull/13
>
> The PR has not been merged, however.

It looks like the three commits in that PR were applied anyway:
https://github.com/LINBIT/csync2/commit/416f1de878ef97e27e27508914f7ba8599a0be22
https://github.com/LINBIT/csync2/commit/c0faaf9dda0c8301d46c2145a0bbaccf3de8bb14
https://github.com/LINBIT/csync2/commit/9823c03cfb56beb0703397547ee02ddd4ead8b54

Maintainer, please apply these patches.

CVE-2019-15523:
An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.

Patch:
https://github.com/LINBIT/csync2/commit/c0faaf9dda0c8301d46c2145a0bbaccf3de8bb14

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b343026bc5b491bbe824c4f7022a9c340162644

commit 6b343026bc5b491bbe824c4f7022a9c340162644
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-06-15 15:10:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-06-15 16:04:08 +0000

    profiles: last rite sys-cluster/csync2

    Bug: https://bugs.gentoo.org/718550
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

> from package.mask: Open security bug with patches for years. Upstream seems dead since 2020
What vulnerabilities are we talking about? Did you notify upstream about it? A repository with no activity is not a strong reason.

CVE-2019-15522, an authentication bypass in the HELLO command. Upstream is dead. There has not been any release since 2015 and no activity whatsoever on the GitHub since 2020. I honestly don't know if it is appropriate to last-rite a package due to this, but there have been a lot of similar reasons for last-riting as seen in the dev mailing list. If you feel that it's important to keep it in the tree then maybe we could pull patches from upstream and include them? Though you'd have to discuss this with the devs, I'm too unfamiliar with the process to be of any help. :D

(In reply to Vladimir Varlamov from comment #5)
> > from package.mask: Open security bug with patches for years. Upstream seems dead since 2020
>
> what vulnerabilities are we talking about?

The vulnerability in this bug.

> did you notify upstream about it? a repository with no activity is not a strong reason

Correct, however in this particular case there's no release available and the package is unmaintained in Gentoo.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a0f7840e4eacb424e9e45803a18d5142e843ac3

commit 8a0f7840e4eacb424e9e45803a18d5142e843ac3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-15 07:41:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-15 07:41:30 +0000

    sys-cluster/csync2: treeclean

    Bug: https://bugs.gentoo.org/718550
    Bug: https://bugs.gentoo.org/837083
    Bug: https://bugs.gentoo.org/830089
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask                   |   5 --
 sys-cluster/csync2/Manifest             |   1 -
 sys-cluster/csync2/csync2-2.0-r2.ebuild | 113 --------------------------------
 sys-cluster/csync2/files/csync2.initd   |  25 -------
 sys-cluster/csync2/files/csync2.xinetd  |  15 -----
 sys-cluster/csync2/metadata.xml         |   8 ---
 6 files changed, 167 deletions(-)

Removed.

(In reply to Vladimir Varlamov from comment #5)
> > from package.mask: Open security bug with patches for years. Upstream seems dead since 2020
>
> what vulnerabilities are we talking about? did you notify upstream about it?
> a repository with no activity is not a strong reason

If you want to keep something in the repository and it is unmaintained, you are free to step up.
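The two CVE descriptions quoted in this bug name two distinct checks: the daemon must refuse a HELLO when the configuration requires SSL and no TLS session is up (CVE-2019-15522), and a TLS handshake must be retried when gnutls_handshake() returns a non-fatal code such as GNUTLS_E_WARNING_ALERT_RECEIVED rather than treated as failed (CVE-2019-15523). The C below is an added illustration written for this page; it is not csync2's daemon.c, not the upstream patches linked above, and it does not link against GnuTLS. The handshake is a scripted mock, the error-code values are copied from gnutls.h and are an assumption to check against your installed header, and every function name (mock_handshake, handshake_once, handshake_retry, hello_allowed) is hypothetical.

```c
#include <stdio.h>

/* Values assumed to match GnuTLS's gnutls.h; verify against your header.
 * Nothing here calls the real library. */
#define GNUTLS_E_SUCCESS                  0
#define GNUTLS_E_FATAL_ALERT_RECEIVED    (-12)
#define GNUTLS_E_WARNING_ALERT_RECEIVED  (-16)
#define GNUTLS_E_AGAIN                   (-28)
#define GNUTLS_E_INTERRUPTED             (-52)

/* Scripted stand-in for gnutls_handshake(): each call returns the next
 * code from a constructed sequence, then SUCCESS once the script runs out. */
struct mock_session {
    const int *codes;
    int n;
    int pos;
};

static int mock_handshake(struct mock_session *s)
{
    if (s->pos >= s->n)
        return GNUTLS_E_SUCCESS;
    return s->codes[s->pos++];
}

/* Mirrors the documented contract of gnutls_error_is_fatal(): a warning
 * alert, EAGAIN and EINTR are non-fatal and mean "call the handshake again". */
static int mock_error_is_fatal(int rc)
{
    switch (rc) {
    case GNUTLS_E_WARNING_ALERT_RECEIVED:
    case GNUTLS_E_AGAIN:
    case GNUTLS_E_INTERRUPTED:
        return 0;
    default:
        return rc < 0;
    }
}

/* The shape CVE-2019-15523 describes: one call, any negative return is
 * treated as a failed handshake, so a warning alert aborts the session. */
int handshake_once(struct mock_session *s)
{
    int rc = mock_handshake(s);
    return rc < 0 ? -1 : 0;
}

/* The shape the GnuTLS API requires: loop while the error is non-fatal.
 * *calls receives how many times the handshake was invoked. */
int handshake_retry(struct mock_session *s, int *calls)
{
    int rc;
    *calls = 0;
    do {
        rc = mock_handshake(s);
        (*calls)++;
    } while (rc < 0 && !mock_error_is_fatal(rc));
    return rc < 0 ? -1 : 0;
}

/* HELLO gate for CVE-2019-15522: when the configuration requires SSL, the
 * command is only acceptable once the TLS session is established.
 * Returns 1 if HELLO may proceed, 0 if it must be rejected. */
int hello_allowed(int ssl_required, int ssl_established)
{
    if (ssl_required && !ssl_established)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sequence: one warning alert, then success. */
    const int warn_then_ok[] = { GNUTLS_E_WARNING_ALERT_RECEIVED, GNUTLS_E_SUCCESS };
    struct mock_session a = { warn_then_ok, 2, 0 };
    struct mock_session b = { warn_then_ok, 2, 0 };
    int calls = 0;

    printf("single-shot handshake: %d\n", handshake_once(&a));
    printf("retrying handshake: %d after %d call(s)\n",
           handshake_retry(&b, &calls), calls);
    printf("HELLO with SSL required, no TLS: %d\n", hello_allowed(1, 0));
    return 0;
}
```

The single-shot version fails on the same scripted input that the retrying version completes, which is the whole difference the second CVE turns on; a fatal alert still terminates the retry loop, so the loop is not an unbounded spin.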