Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 144244 - sys-cluster/heartbeat: remote DoS via specially crafted heartbeat message
Summary: sys-cluster/heartbeat: remote DoS via specially crafted heartbeat message
Status: RESOLVED DUPLICATE of bug 141894
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: x86 All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: C3 minor: stable
Depends on:
Reported: 2006-08-17 13:14 UTC by Andy Kraut
Modified: 2006-08-18 03:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andy Kraut 2006-08-17 13:14:57 UTC
From CVE:
The heartbeat subsystem in High-Availability Linux before 1.2.5 and 2.0 before 2.0.7 allows remote attackers to cause a denial of service (crash) via a crafted heartbeat message.

Comment 1 Andy Kraut 2006-08-17 13:24:31 UTC
This package is stable only on x86, though unstable vulnerable versions are available for amd64 and ppc. recommends upgrading to 1.2.5 or 2.0.7.  Both fixed versions are unstable on amd64, ppc, and x86.  Alternative recommendations include physical network segmentation.
Comment 2 Andy Kraut 2006-08-17 13:53:00 UTC
The fix for this vuln also fixes CVE-2006-3815, local DoS of heartbeat.

From CVE:
heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a shmget call for shared memory, which allows local users to cause an unspecified denial of service via unknown vectors, possibly during a short time window on startup.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-18 03:02:16 UTC
Good job, padawan :)
You couldn't know this bug was already filled :)

a few tips to improve :

- fill the Whiteboard appropriately (here, B3 [stable] or C3 [stable]).
- if a bug is already in [stable] status, it indicates that somebody has probably already been handling it :) Ask in IRC.  Additionnally, the ChangeLog of the ebuild indicates that it was very recent.
- x86 has to be marked stable, you can add in the CC list in this case.

*** This bug has been marked as a duplicate of 141894 ***