Debian Bug report logs - #379904
heartbeat: Local DoS due to world-writable shared memory [CVE-2006-3815]
Reported by: Martin Pitt <martin.pitt@ubuntu.com>
Date: Wed, 26 Jul 2006 09:33:10 UTC
Severity: grave
Tags: patch, security
Found in versions heartbeat/1.2.4-12, 1.2.3-9sarge4, 1.2.4-11bpo1
Fixed in version heartbeat/1.2.4-13
Done: Simon Horman <horms@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>: Bug#379904; Package heartbeat.
Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>: New Bug report received and forwarded. Copy sent to Simon Horman <horms@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: heartbeat
Version: 1.2.4-12
Severity: grave
Tags: security patch
Hi!
Recently, a local DoS due to world-writable/readable shared memory
permissions was found and fixed in heartbeat:
Upstream fix:
http://cvs.linux-ha.org/viewcvs/viewcvs.cgi/linux-ha/heartbeat/heartbeat.c?r1=1.513&r2=1.514
This has been assigned CVE-2006-3815. Please mention this number in
the changelog when you fix this to ease tracking.
Thank you!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
Information forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>: Bug#379904; Package heartbeat.
Acknowledgement sent to Horms <horms@verge.net.au>: Extra info received and forwarded to list. Copy sent to Simon Horman <horms@debian.org>.
Message #10 received at 379904@bugs.debian.org:
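An added example, not heartbeat's own code and not the upstream patch, showing the check a packager could apply to the class of bug reported above: create a System V shared memory segment with a given mode and use shmctl(IPC_STAT) to report whether that mode grants other local users any access. The 0666 and 0600 values are illustrative assumptions, not quotations from heartbeat.c.

```c
/* Added example (not heartbeat's code): audit System V shared memory
 * permissions of the kind CVE-2006-3815 concerned. The modes used here
 * are constructed for illustration, not copied from heartbeat's shmget. */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Return 1 if the mode grants any access to "other" (world), else 0.
 * The report describes world-writable/readable memory, so either bit counts. */
int mode_is_world_accessible(unsigned int mode)
{
    return (mode & (S_IROTH | S_IWOTH)) != 0;
}

/* Query a live segment with IPC_STAT and apply the same check.
 * Returns 1 (world-accessible), 0 (not world-accessible), or -1 on error. */
int shm_is_world_accessible(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return mode_is_world_accessible(ds.shm_perm.mode & 0777);
}

/* Create a private segment with the given creation mode, audit it, and
 * remove it again. Returns the audit result or -1 if creation failed. */
int create_and_audit(unsigned int mode)
{
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | (int)mode);
    if (shmid == -1) {
        perror("shmget");
        return -1;
    }
    int r = shm_is_world_accessible(shmid);
    shmctl(shmid, IPC_RMID, NULL);  /* always release the segment */
    return r;
}

int main(void)
{
    /* 0666 is the kind of world-writable/readable setting the report
     * describes; 0600 keeps the segment owner-only so other local users
     * cannot read or corrupt it. */
    printf("mode 0666 world-accessible: %d\n", create_and_audit(0666));
    printf("mode 0600 world-accessible: %d\n", create_and_audit(0600));
    return 0;
}
```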
On Wed, Jul 26, 2006 at 11:18:57AM +0200, Martin Pitt wrote:
> Package: heartbeat
> Version: 1.2.4-12
> Severity: grave
> Tags: security patch
>
> Hi!
>
> Recently, a local DoS due to world-writable/readable shared memory
> permissions was found and fixed in heartbeat:
>
> Upstream fix:
>
> http://cvs.linux-ha.org/viewcvs/viewcvs.cgi/linux-ha/heartbeat/heartbeat.c?r1=1.513&r2=1.514
>
> This has been assigned CVE-2006-3815. Please mention this number in
> the changelog when you fix this to ease tracking.
Thanks, I will get a new release out for this. Though it probably will
not be until next week.
--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
Bug marked as found in version 1.2.3-9sarge5. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.
Bug marked as found in version 1.2.3-9sarge4. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.
Bug marked as found in version 1.2.4-11bpo1. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.
Bug marked as not found in version 1.2.3-9sarge5. Request was from Horms <horms@verge.net.au> to control@bugs.debian.org.
Reply sent to Simon Horman <horms@debian.org>: You have taken responsibility.
Notification sent to Martin Pitt <martin.pitt@ubuntu.com>: Bug acknowledged by developer.
Message #25 received at 379904-close@bugs.debian.org:
Source: heartbeat
Source-Version: 1.2.4-13
We believe that the bug you reported is fixed in the latest version of
heartbeat, which is due to be installed in the Debian FTP archive:
heartbeat-dev_1.2.4-13_i386.deb to pool/main/h/heartbeat/heartbeat-dev_1.2.4-13_i386.deb
heartbeat_1.2.4-13.diff.gz to pool/main/h/heartbeat/heartbeat_1.2.4-13.diff.gz
heartbeat_1.2.4-13.dsc to pool/main/h/heartbeat/heartbeat_1.2.4-13.dsc
heartbeat_1.2.4-13_i386.deb to pool/main/h/heartbeat/heartbeat_1.2.4-13_i386.deb
ldirectord_1.2.4-13_all.deb to pool/main/h/heartbeat/ldirectord_1.2.4-13_all.deb
libpils-dev_1.2.4-13_i386.deb to pool/main/h/heartbeat/libpils-dev_1.2.4-13_i386.deb
libpils0_1.2.4-13_i386.deb to pool/main/h/heartbeat/libpils0_1.2.4-13_i386.deb
libstonith-dev_1.2.4-13_i386.deb to pool/main/h/heartbeat/libstonith-dev_1.2.4-13_i386.deb
libstonith0_1.2.4-13_i386.deb to pool/main/h/heartbeat/libstonith0_1.2.4-13_i386.deb
stonith_1.2.4-13_i386.deb to pool/main/h/heartbeat/stonith_1.2.4-13_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 379904@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated heartbeat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 31 Jul 2006 17:25:03 +0900
Source: heartbeat
Binary: libstonith-dev ldirectord libstonith0 heartbeat libpils-dev libpils0 stonith heartbeat-dev
Architecture: source i386 all
Version: 1.2.4-13
Distribution: unstable
Urgency: low
Maintainer: Simon Horman <horms@debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
heartbeat - Subsystem for High-Availability Linux
heartbeat-dev - Subsystem for High-Availability Linux - development files
ldirectord - Monitors virtual services provided by LVS
libpils-dev - Plugin and Interface Loading System - development files
libpils0 - Plugin and Interface Loading System
libstonith-dev - Interface for remotely powering down a node in the cluster
libstonith0 - Interface for remotely powering down a node in the cluster
stonith - Interface for remotely powering down a node in the cluster
Closes: 379904 380180 380593
Changes:
heartbeat (1.2.4-13) unstable; urgency=low
.
* shmget-perms.patch
Fix local denial of service caused by incorrect permissions
on a shared memory page.
CVE-2006-3815, DSA-1128
(closes: #379904)
* ldirectord-1.141-emailalert-1-quiet.patch
Don't send email alerts if the alert address is not configured
(closes: #380593)
* ldirectord-1.139.patch, ldirectord-1.141-emailalert-2-global.patch
Allow emailalert and emailalertfreq directives to be global
as well as per-virtual service
* ldirectord-1.141-readline_workaround.patch
readline doesn't seem to return lines after Net::FTP
has been called, so split them up by hand.
* Added build dependency on iptables, as it is needed to
supply the correct path to iptables for the portblock resource
(closes: #380180)
* Added recommends iptables to heartbeat-2, as it is needed
for the portblock resource to function correctly
Files:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:22:09 GMT)
Last modified: Wed Jun 19 15:06:08 2019