The heartbeat subsystem in High-Availability Linux before 1.2.5 and 2.0 before 2.0.7 allows remote attackers to cause a denial of service (crash) via a crafted heartbeat message.
This package is stable only on x86, though unstable vulnerable versions are available for amd64 and ppc. linux-ha.org recommends upgrading to 1.2.5 or 2.0.7. Both fixed versions are unstable on amd64, ppc, and x86. Alternative recommendations include physical network segmentation.
The fix for this vuln also fixes CVE-2006-3815, local DoS of heartbeat.
heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a shmget call for shared memory, which allows local users to cause an unspecified denial of service via unknown vectors, possibly during a short time window on startup.
Good job, padawan :)
You couldn't know this bug was already filed :)
A few tips to improve:
- fill the Whiteboard appropriately (here, B3 [stable] or C3 [stable]).
- if a bug is already in [stable] status, it indicates that somebody has probably already been handling it :) Ask in IRC. Additionally, the ChangeLog of the ebuild indicates that it was very recent.
- x86 has to be marked stable, you can add firstname.lastname@example.org in the CC list in this case.
*** This bug has been marked as a duplicate of 141894 ***