CVE-2018-19115 (https://nvd.nist.gov/vuln/detail/CVE-2018-19115): keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap.

CVE-2018-19046 (https://nvd.nist.gov/vuln/detail/CVE-2018-19046): keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.

CVE-2018-19045 (https://nvd.nist.gov/vuln/detail/CVE-2018-19045): keepalived 2.0.8 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information.

CVE-2018-19044 (https://nvd.nist.gov/vuln/detail/CVE-2018-19044): keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
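As an added illustration, not part of this bug report and not keepalived's own code, the C sketch below shows the two defensive patterns the four CVE summaries above call for: a status-code parser that validates into a fixed-size buffer instead of copying an unbounded run of bytes to the heap, and a dump-file open that refuses a pre-existing file (O_EXCL), refuses a symlink at the path (O_NOFOLLOW) and uses mode 0600. The function names, the sample status lines and the file path are constructed for this example.

```c
/* Added example (hypothetical helpers, not keepalived source). */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns the 3-digit status code (100..599) from a status line such as
 * "HTTP/1.1 200 OK\r\n", or -1 if the line is malformed. Never writes past
 * the fixed 4-byte scratch buffer, however long the input is. */
int parse_http_status_code(const char *line, size_t len)
{
    const char *p = line, *end = line + len;
    char digits[4] = {0};
    size_t n = 0;

    /* Status line starts with the protocol token, then exactly one space. */
    if (len < 5 || memcmp(p, "HTTP/", 5) != 0)
        return -1;
    while (p < end && *p != ' ')
        p++;
    if (p == end)
        return -1;
    p++; /* skip the separating space */

    /* Copy at most three ASCII digits; a fourth digit is rejected, not stored. */
    while (p < end && isdigit((unsigned char)*p)) {
        if (n == sizeof(digits) - 1)
            return -1;
        digits[n++] = *p++;
    }
    if (n != 3)
        return -1;
    /* The code must be followed by a space or the end of the line. */
    if (p < end && *p != ' ' && *p != '\r' && *p != '\n')
        return -1;

    int code = (digits[0] - '0') * 100 + (digits[1] - '0') * 10 + (digits[2] - '0');
    return (code >= 100 && code <= 599) ? code : -1;
}

/* Opens `path` for writing as a brand-new regular file owned by the caller:
 * O_EXCL refuses an existing file (CVE-2018-19046 class), O_NOFOLLOW refuses
 * a symlink at `path` (CVE-2018-19044 class), and mode 0600 keeps other local
 * users from reading the dump (CVE-2018-19045 class). Returns an fd, or -1
 * with errno set. */
int open_private_dump_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;

    /* Belt and braces: confirm the descriptor is a plain file with a single
     * link, so the write cannot land in a file someone else controls. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *ok = "HTTP/1.1 200 OK\r\n";           /* constructed sample */
    const char *bad = "HTTP/1.1 123456789 oops\r\n";  /* over-long code */
    printf("valid line -> %d, over-long code -> %d\n",
           parse_http_status_code(ok, strlen(ok)),
           parse_http_status_code(bad, strlen(bad)));

    const char *path = "./keepalived-example.data";   /* constructed path */
    int fd = open_private_dump_file(path);
    if (fd >= 0) {
        const char msg[] = "example dump\n";
        if (write(fd, msg, sizeof(msg) - 1) < 0)
            perror("write");
        close(fd);
        unlink(path);
    } else {
        perror("open_private_dump_file");
    }
    return 0;
}
```

The O_NOFOLLOW flag makes the symlink protection independent of the fs.protected_symlinks sysctl mentioned in the last CVE summary, and O_EXCL turns a pre-planted file into a hard error rather than a silent leak; logging that error is what a defender should watch for, since it is the visible trace of the attack the summaries describe.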
@ maintainer(s): Can we stabilize =sys-cluster/keepalived-2.0.9?
I'll try to give it some more testing next week and report back.
Another security bump to 2.0.10: https://github.com/gentoo/gentoo/pull/10415 I've tested it on one of our clusters and it works fine, but there are reports that keepalived segfaults when using snmp: https://github.com/acassen/keepalived/issues/1061 I would suggest waiting for an upstream patch and applying it to 2.0.10. Seems like there are no other open bugs for 2.x.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4385f352e5ace4ce12b29e1378f8b70b3bde597f

commit 4385f352e5ace4ce12b29e1378f8b70b3bde597f
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-11-14 05:17:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-14 13:25:20 +0000

    sys-cluster/keepalived: bump to 2.0.10

    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/Manifest                 |  1 +
 sys-cluster/keepalived/keepalived-2.0.10.ebuild | 72 +++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Adjusting summary: while CVE-2018-19046 was already addressed in 2.0.9 according to the changelog, the fix was incomplete. From the 2.0.10 changelog:

> This should fully resolve CVE-2018-19046.
Upstream added those fixes for the snmp crashes; if we can wait until tomorrow, I'll test them and create a PR for a new revision.
sparc done
SNMP crash fix during shutdown: https://github.com/gentoo/gentoo/pull/10422
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb99b23e3f30a44d4880944ff42731297a0c5e3e

commit bb99b23e3f30a44d4880944ff42731297a0c5e3e
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-11-15 09:58:16 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-11-15 13:49:01 +0000

    sys-cluster/keepalived: fix crash during shutdown

    Bug: https://bugs.gentoo.org/670856
    Bug: https://github.com/acassen/keepalived/issues/1061
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/10422
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 .../files/keepalived-2.0.10-snmp-crash-fix.patch   | 122 +++++++++++++++++++++
 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild |  76 +++++++++++++
 2 files changed, 198 insertions(+)
I know 2.0.10 was stabilized on sparc yesterday, but please stabilize 2.0.10-r1 instead. Then we'll clean all versions <2.0.10-r1. Thanks.
We will move keywords.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc2e9877ba742c36e2ff5da6f23db956dfad930

commit efc2e9877ba742c36e2ff5da6f23db956dfad930
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-15 15:49:48 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-15 15:49:48 +0000

    sys-cluster/keepalived: move keywords

    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild |  2 +-
 sys-cluster/keepalived/keepalived-2.0.10.ebuild    | 72 ----------------------
 2 files changed, 1 insertion(+), 73 deletions(-)
x86 stable
I'm still hitting the sandbox issue described in bug 655300
amd64 stable
ia64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=824dd937195207bd78b66ed8143bb8441fa4ef36

commit 824dd937195207bd78b66ed8143bb8441fa4ef36
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 21:21:38 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 21:21:38 +0000

    sys-cluster/keepalived-2.0.10-r1: alpha stable

    Bug: http://bugs.gentoo.org/670856
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
ppc stable
ppc64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78694bbb35225a0e2e39d686456563d492bfe81c

commit 78694bbb35225a0e2e39d686456563d492bfe81c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-01-07 16:49:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-01-07 16:52:52 +0000

    sys-cluster/keepalived: security cleanup

    Bug: https://bugs.gentoo.org/670856
    Package-Manager: Portage-2.3.54, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-cluster/keepalived/Manifest                |  2 -
 sys-cluster/keepalived/files/keepalived.confd  |  6 ---
 sys-cluster/keepalived/files/keepalived.init   | 33 ------------
 sys-cluster/keepalived/keepalived-1.4.3.ebuild | 69 --------------------------
 sys-cluster/keepalived/keepalived-1.4.5.ebuild | 69 --------------------------
 5 files changed, 179 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 201903-01 at https://security.gentoo.org/glsa/201903-01 by GLSA coordinator Aaron Bauman (b-man).