Message-ID: <1238924710.19834042.1359736012433.JavaMail.root@redhat.com>
Date: Fri, 1 Feb 2013 11:26:52 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, Fabio Di Nitto <fdinitto@...hat.com>, Jan Friesse <jfriesse@...hat.com>
Subject: CVE Request -- Corosync (X < 2.0.3): Remote DoS due improper HMAC initialization and improper junk filtering when different encryption keys used

Hello Kurt, Steve, vendors,

Corosync upstream has recently released version 2.0.3, correcting one security issue:

A denial of service flaw was found in the way Corosync, the cluster engine and application programming interfaces, performed processing of certain network packets when different encryption keys were used. Previously the HMAC key was not initialized properly, which allowed certain packets to pass through to the internal phases of the Corosync packet validation process, possibly leading to a corosync daemon crash.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=906834
[2] http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097833.html
[3] http://lwn.net/Vulnerabilities/535234/
[4] https://bugs.mageia.org/show_bug.cgi?id=8905

The HMAC initialization has been corrected in upstream via:
[5] https://github.com/corosync/corosync/commit/b3f456a8ceefac6e9f2e9acc2ea0c159d412b595

but there might be more changes needed (Cc-ing Fabio and Jan).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
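The defect described above is a packet gate that lets traffic authenticated under a different (or never-initialised) key reach the daemon's internal parsing phases. The following is an added illustration of the intended shape of such a gate, not Corosync's own code: the key must be set before any packet is accepted, the HMAC is checked in constant time, and only packets that pass are handed to the parser. The packet layout, key values and message types are constructed for the example.

```python
import hmac
import hashlib
import struct

MAC_LEN = 32                      # HMAC-SHA256 tag length
HEADER = struct.Struct("!HI")     # constructed layout: msg_type, payload_len


def parse_body(body: bytes) -> tuple:
    """The 'internal phase': trusts the header, so junk input raises here."""
    msg_type, plen = HEADER.unpack_from(body)   # struct.error on short input
    payload = body[HEADER.size:]
    if len(payload) != plen:
        raise ValueError("header length does not match payload")
    return msg_type, payload


class PacketFilter:
    def __init__(self, key: bytes):
        # Refuse to run with an uninitialised key instead of silently
        # authenticating with whatever happens to be in the buffer.
        if not key:
            raise ValueError("authentication key must be initialised before use")
        self._key = key

    def seal(self, msg_type: int, payload: bytes) -> bytes:
        body = HEADER.pack(msg_type, len(payload)) + payload
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

    def accept(self, packet: bytes):
        """Return (msg_type, payload) or None when the packet must be dropped
        before it reaches parse_body()."""
        if len(packet) < HEADER.size + MAC_LEN:
            return None                               # too short to carry a tag
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                               # wrong key or tampered
        return parse_body(body)


def unguarded_parse_crashes(packet: bytes) -> bool:
    """True if feeding the packet straight to the parser raises."""
    try:
        parse_body(packet)
    except (struct.error, ValueError):
        return True
    return False


def example() -> dict:
    node_a = PacketFilter(b"cluster-key-A")   # constructed keys for two nodes
    node_b = PacketFilter(b"cluster-key-B")   # configured with a different key
    junk = b"\x00\x00\x00"                    # constructed malformed datagram
    return {
        "own": node_a.accept(node_a.seal(1, b"join")),
        "foreign": node_a.accept(node_b.seal(1, b"join")),
        "junk": node_a.accept(junk),
        "junk_unguarded_crashes": unguarded_parse_crashes(junk),
    }
```

Run `example()` to see that only the packet sealed under node A's own key is parsed; the foreign-key packet and the junk datagram are dropped at the gate, while the same junk raises when it reaches the parser unguarded.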