Hi Luciano and Moritz

On Sat, Feb 02, 2013 at 01:54:32PM +0100, Luciano Bello wrote:
> Package: corosync
> Severity: important
> Tags: security patch
> Justification: user security hole
>
> Hi there,
> Please take a look at this thread:
> http://seclists.org/oss-sec/2013/q1/212
> The patch is included there too.

Disclaimer: Did not make a thorough analysis, but upstream mentions in [1], which could help here:

[1]: http://www.openwall.com/lists/oss-security/2013/02/01/2

----cut---------cut---------cut---------cut---------cut---------cut-----
No, this version is not correct.
corosync >= 2.0 to < 2.3 are affected. corosync 2.3 and higher have the fix.

Also, the DoS reason is not correct. The junk filter part is a consequence of how libnss works and should be dropped.

Subject should be:
"CVE Request -- Corosync (2.0 <= X < 2.3): Remote DoS due to improper HMAC initialization"
----cut---------cut---------cut---------cut---------cut---------cut-----

But this might still need some checking and/or confirmation with upstream.

Regards,
Salvatore

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org