heartbeat: Local DoS due to world-writable shared memory [CVE-2006-3815]

Related Vulnerabilities: CVE-2006-3815  

Debian Bug report logs - #379904

Reported by: Martin Pitt <martin.pitt@ubuntu.com>

Date: Wed, 26 Jul 2006 09:33:10 UTC

Severity: grave

Tags: patch, security

Found in versions heartbeat/1.2.4-12, 1.2.3-9sarge4, 1.2.4-11bpo1

Fixed in version heartbeat/1.2.4-13

Done: Simon Horman <horms@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>:
Bug#379904; Package heartbeat.


Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Simon Horman <horms@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: heartbeat: Local DoS due to world-writable shared memory [CVE-2006-3815]
Date: Wed, 26 Jul 2006 11:18:57 +0200
Package: heartbeat
Version: 1.2.4-12
Severity: grave
Tags: security patch

Hi!

Recently, a local DoS due to world-writable/readable shared memory
permissions was found and fixed in heartbeat:

Upstream fix:

  http://cvs.linux-ha.org/viewcvs/viewcvs.cgi/linux-ha/heartbeat/heartbeat.c?r1=1.513&r2=1.514

This has been assigned CVE-2006-3815. Please mention this number in
the changelog when you fix this to ease tracking.

Thank you!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
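Added illustration, not part of the bug report and not heartbeat's own code: how the permission bits passed to `shmget()` decide whether other local users can attach to a System V shared memory segment, with a check a defender can run against a segment ID. The one-page size and the `0666`/`0600` modes are assumptions; the report does not show heartbeat's actual call.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Audit one segment: 1 if "other" users may read or write it,
 * 0 if they may not, -1 if the segment cannot be inspected. */
int shm_world_accessible(int shmid)
{
    struct shmid_ds ds;

    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (ds.shm_perm.mode & (S_IROTH | S_IWOTH)) ? 1 : 0;
}

/* Create a private one-page segment with the given mode (assumed size,
 * not heartbeat's), audit it, then remove it again. The umask is not
 * applied to System V IPC objects, so the mode is used exactly as given. */
int audit_mode(mode_t mode)
{
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | mode);
    int result;

    if (shmid == -1)
        return -1;
    result = shm_world_accessible(shmid);
    shmctl(shmid, IPC_RMID, NULL);   /* never leave the test segment behind */
    return result;
}

int main(void)
{
    /* 0666: any local user can attach and overwrite the contents. */
    printf("mode 0666 -> world accessible: %d\n", audit_mode(0666));
    /* 0600: only the owning user can attach. */
    printf("mode 0600 -> world accessible: %d\n", audit_mode(0600));
    return 0;
}
```

On a running system, `ipcs -m` lists the same permission bits for existing segments.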

Information forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>:
Bug#379904; Package heartbeat.


Acknowledgement sent to Horms <horms@verge.net.au>:
Extra info received and forwarded to list. Copy sent to Simon Horman <horms@debian.org>.


Message #10 received at 379904@bugs.debian.org:

From: Horms <horms@verge.net.au>
To: Martin Pitt <martin.pitt@ubuntu.com>, 379904@bugs.debian.org
Subject: Re: Bug#379904: heartbeat: Local DoS due to world-writable shared memory [CVE-2006-3815]
Date: Fri, 28 Jul 2006 19:39:10 -0400
On Wed, Jul 26, 2006 at 11:18:57AM +0200, Martin Pitt wrote:
> Package: heartbeat
> Version: 1.2.4-12
> Severity: grave
> Tags: security patch
> 
> Hi!
> 
> Recently, a local DoS due to world-writable/readable shared memory
> permissions was found and fixed in heartbeat:
> 
> Upstream fix:
> 
>   http://cvs.linux-ha.org/viewcvs/viewcvs.cgi/linux-ha/heartbeat/heartbeat.c?r1=1.513&r2=1.514
> 
> This has been assigned CVE-2006-3815. Please mention this number in
> the changelog when you fix this to ease tracking.

Thanks, I will get a new release out for this. Though it probably will
not be until next week.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/




Bug 379904 cloned as bug 380289. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.


Bug marked as found in version 1.2.3-9sarge5. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.


Bug marked as found in version 1.2.3-9sarge4. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.


Bug marked as found in version 1.2.4-11bpo1. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.


Bug marked as not found in version 1.2.3-9sarge5. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.


Reply sent to Simon Horman <horms@debian.org>:
You have taken responsibility.


Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer.


Message #25 received at 379904-close@bugs.debian.org:

From: Simon Horman <horms@debian.org>
To: 379904-close@bugs.debian.org
Subject: Bug#379904: fixed in heartbeat 1.2.4-13
Date: Mon, 31 Jul 2006 20:17:15 -0700
Source: heartbeat
Source-Version: 1.2.4-13

We believe that the bug you reported is fixed in the latest version of
heartbeat, which is due to be installed in the Debian FTP archive:

heartbeat-dev_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/heartbeat-dev_1.2.4-13_i386.deb
heartbeat_1.2.4-13.diff.gz
  to pool/main/h/heartbeat/heartbeat_1.2.4-13.diff.gz
heartbeat_1.2.4-13.dsc
  to pool/main/h/heartbeat/heartbeat_1.2.4-13.dsc
heartbeat_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/heartbeat_1.2.4-13_i386.deb
ldirectord_1.2.4-13_all.deb
  to pool/main/h/heartbeat/ldirectord_1.2.4-13_all.deb
libpils-dev_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/libpils-dev_1.2.4-13_i386.deb
libpils0_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/libpils0_1.2.4-13_i386.deb
libstonith-dev_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/libstonith-dev_1.2.4-13_i386.deb
libstonith0_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/libstonith0_1.2.4-13_i386.deb
stonith_1.2.4-13_i386.deb
  to pool/main/h/heartbeat/stonith_1.2.4-13_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 379904@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated heartbeat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 31 Jul 2006 17:25:03 +0900
Source: heartbeat
Binary: libstonith-dev ldirectord libstonith0 heartbeat libpils-dev libpils0 stonith heartbeat-dev
Architecture: source i386 all
Version: 1.2.4-13
Distribution: unstable
Urgency: low
Maintainer: Simon Horman <horms@debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description: 
 heartbeat  - Subsystem for High-Availability Linux
 heartbeat-dev - Subsystem for High-Availability Linux - development files
 ldirectord - Monitors virtual services provided by LVS
 libpils-dev - Plugin and Interface Loading System - development files
 libpils0   - Plugin and Interface Loading System
 libstonith-dev - Interface for remotely powering down a node in the cluster
 libstonith0 - Interface for remotely powering down a node in the cluster
 stonith    - Interface for remotely powering down a node in the cluster
Closes: 379904 380180 380593
Changes: 
 heartbeat (1.2.4-13) unstable; urgency=low
 .
   * shmget-perms.patch
     Fix local denial of service caused by incorrect permissions
     on a shared memory page.
     CVE-2006-3815, DSA-1128
     (closes: #379904)
   * ldirectord-1.141-emailalert-1-quiet.patch
     Don't send email alerts if the alert address is not configured
     (closes: #380593)
   * ldirectord-1.139.patch, ldirectord-1.141-emailalert-2-global.patch
     Allow emailalert and emailalertfreq directives to be global
     as well as per-virtual service
   * ldirectord-1.141-readline_workaround.patch
     readline doesn't seem to return lines after Net::FTP
     has been called, so split them up by hand.
   * Added build dependency on iptables, as it is needed to
     supply the correct path to iptables for the portblock resource
     (closes: #380180)
   * Added recommends iptables to heartbeat-2, as it is needed
     for the portblock resource to function correctly

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEzqSBA8ACPgVBDpcRAkq8AJ4jNv8KSWLU2ZGJjMhTCoTrqZBmrACeKwfF
Ow3vfraTJe3BX+B9+Jz0JtU=
=VgCq
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:22:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:06:08 2019; Machine Name: buxtehude
