Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 718550 (CVE-2019-15522, CVE-2019-15523) - sys-cluster/csync2: Authentication bypass in HELLO command when SSL enabled (CVE-2019-{15522,15523})
Summary: sys-cluster/csync2: Authentication bypass in HELLO command when SSL enabled (...
Status: IN_PROGRESS
Alias: CVE-2019-15522, CVE-2019-15523
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream/ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-20 00:07 UTC by GLSAMaker/CVETool Bot
Modified: 2020-12-31 21:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-20 00:07:01 UTC
CVE-2019-15522 (https://nvd.nist.gov/vuln/detail/CVE-2019-15522):
  An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session
  in daemon.c neglects to force a failure of a hello command when the
  configuration requires use of SSL.


----
Patch: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1

Please note other useful security patches are in this PR too:
https://github.com/LINBIT/csync2/pull/13

The PR has not been merged, however.
Comment 1 John Helmert III gentoo-dev Security 2020-06-19 03:26:56 UTC
Maintainer(s): Ping.
Comment 2 John Helmert III gentoo-dev Security 2020-10-16 03:18:24 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-15522 (https://nvd.nist.gov/vuln/detail/CVE-2019-15522):
>   An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session
>   in daemon.c neglects to force a failure of a hello command when the
>   configuration requires use of SSL.
> 
> 
> ----
> Patch:
> https://github.com/LINBIT/csync2/pull/13/commits/
> 0ecfc333da51575f188dd7cf6ac4974d13a800b1
> 
> Please note other useful security patches are in this PR too:
> https://github.com/LINBIT/csync2/pull/13
> 
> The PR has not been merged, however.

It looks like the three commits in that PR were applied anyway:

https://github.com/LINBIT/csync2/commit/416f1de878ef97e27e27508914f7ba8599a0be22
https://github.com/LINBIT/csync2/commit/c0faaf9dda0c8301d46c2145a0bbaccf3de8bb14
https://github.com/LINBIT/csync2/commit/9823c03cfb56beb0703397547ee02ddd4ead8b54

Maintainer, please apply these patches
Comment 3 John Helmert III gentoo-dev Security 2020-12-31 21:23:19 UTC
CVE-2019-15523:

An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.

Patch: https://github.com/LINBIT/csync2/commit/c0faaf9dda0c8301d46c2145a0bbaccf3de8bb14