Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1238924710.19834042.1359736012433.JavaMail.root@redhat.com>
Date: Fri, 1 Feb 2013 11:26:52 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Fabio Di Nitto <fdinitto@...hat.com>,
        Jan Friesse <jfriesse@...hat.com>
Subject: CVE Request -- Corosync (X < 2.0.3): Remote DoS due improper HMAC
 initialization and improper junk filtering when different encryption keys
 used

Hello Kurt, Steve, vendors,

  Corosync upstream has recently released 2.0.3 version correcting
one security issue:

A denial of service flaw was found in the way Corosync,
the cluster engine and application programming interfaces,
performed processing of certain network packets, when different
encryption keys were used. Previously the HMAC key was not initialized
properly, which allowed certain packets to pass through to the internal
phases of the Corosync packet validation process, possibly leading
to corosync daemon crash.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=906834
[2] http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097833.html
[3] http://lwn.net/Vulnerabilities/535234/
[4] https://bugs.mageia.org/show_bug.cgi?id=8905

The HMAC initialization has been corrected in upstream via:
[5] https://github.com/corosync/corosync/commit/b3f456a8ceefac6e9f2e9acc2ea0c159d412b595

but there might be more changes needed (Cc-in Fabio and Jan).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.