Upstream has issued an advisory on April 12: http://openwall.com/lists/oss-security/2018/04/12/2 The issue is fixed upstream in 2.4.4 and the message above contains a link to the commit that fixed it. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
2.4.4 submitted to mga7.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Patched version also submitted by Shlomi to fix this for Mageia 6.

Advisory:
========================

Updated corosync packages fix security vulnerability:

An integer overflow leading to an out-of-bound read was found in authenticate_nss_2_3() in Corosync. An attacker could craft a malicious packet that would lead to a denial of service (CVE-2018-1084).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1084
http://openwall.com/lists/oss-security/2018/04/12/2
========================

Updated packages in core/updates_testing:
========================

corosync-2.3.5-2.1.mga6
libcorosync4-2.3.5-2.1.mga6
libcorosync-devel-2.3.5-2.1.mga6

from corosync-2.3.5-2.1.mga6.src.rpm
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
MGA6-32 on Dell Latitude D600 MATE
No installation issues. Left devel out.
This is about "high availability clusters", difficult to apply to this little lappy.
Anyway, tried the simplest commands I found:
$ corosync-blackbox
/usr/bin/corosync-blackbox: regel 32: corosync-cmapctl: opdracht niet gevonden
/usr/bin/corosync-blackbox: regel 33: corosync-cmapctl: opdracht niet gevonden
/usr/bin/corosync-blackbox: regel 34: qb-blackbox: opdracht niet gevonden
meaning: command not found
Something missing???
and
# corosync
error [MAIN ] Can't read file /etc/corosync/corosync.conf reason = (No such file or directory)
error [MAIN ] Corosync Cluster Engine exiting with status 8 at main.c:1208.
File is not there, but a /etc/corosync/corosync.conf.example is, and that needs manual editing to get a valid conf file, according to a tutorial I found googling.
Giving up here.
CC: (none) => herman.viaene
Debian has issued an advisory for this on April 17: https://www.debian.org/security/2018/dsa-4174
Some more background:
http://corosync.github.io/corosync/
"The Corosync Cluster Engine is a Group Communication System with additional features for implementing high availability within applications."
The FAQ page was last edited 2012, but there are a couple of presentations from 2017, so the software *is* current.
https://github.com/corosync/corosync/wiki/Archive-quickstart-quide is less useful than one might hope.
https://github.com/corosync/corosync/wiki/archive-installing-the-software says "The best method is to use Corosync as distributed by one of the Linux vendors that distribute Corosync". Up to us.
$ urpmq -i corosync
This package contains the Corosync Cluster Engine Executive, several default APIs and libraries, default configuration files, and an init script.
$ urpmq -l corosync | grep bin/ | sort -u
/usr/bin/corosync-blackbox [has man page]
/usr/sbin/corosync [has man page]
/usr/sbin/corosync-cfgtool
/usr/sbin/corosync-cmapctl
/usr/sbin/corosync-cpgtool
/usr/sbin/corosync-keygen
/usr/sbin/corosync-notifyd
/usr/sbin/corosync-quorumtool
M5/64 BEFORE update:
corosync-2.3.5-2.mga6
lib64corosync4-2.3.5-2.mga6
# corosync -v
Corosync Cluster Engine, version '2.3.5'
Copyright (c) 2006-2009 Red Hat, Inc.
# corosync -t
error [MAIN ] Can't read file /etc/corosync/corosync.conf reason = (No such file or directory)
error [MAIN ] Corosync Cluster Engine exiting with status 8 at main.c:1208.
Nothing relevant in /usr/share/doc/corosync ; a couple of scripts in /usr/share/corosync .
$ ls -l /etc/corosync/
-rw-r--r-- 1 root root 2881 Ion 17 2016 corosync.conf.example
-rw-r--r-- 1 root root  767 Ion 17 2016 corosync.conf.example.udpu
drwxr-xr-x 2 root root 4096 Ion 17 2016 service.d/
drwxr-xr-x 2 root root 4096 Ion 17 2016 uidgid.d/
Both the first two say "# Please read the corosync.conf.5 manual page" which is indeed instructive.
Tried copying the 2 conf files knocking out '.example' to give:
-rw-r--r-- 1 root root 2881 Ebr 23 22:07 corosync.conf
-rw-r--r-- 1 root root  767 Ebr 23 22:07 corosync.conf.udpu
and tried again:
# corosync -t
parse error in config: Can't open logfile '/var/log/cluster/corosync.log' for reason: No such file or directory (2).
which is an advance. Will try more tomorrow, but not optimistic.
Previous comment should start M6/64, *not* M5.
M6/64 continued (still before update)
# ls /var/log
shows: corosync/
# ls -l /var/log/corosync/
total 0
Edited /etc/corosync/corosync.conf to:
logfile: /var/log/corosync/corosync.log
where /corosync/ replaces /cluster/ .
# corosync -t
No output.
# corosync
# ps ax | grep corosync
 8973 ?        Ssl    0:00 corosync
so it is running.
Now can try corosync-blackbox. From its man page:
"corosync-blackbox Trigger corosync to write it's "flight data" out to file and then run qb-blackbox which prints it out."
# corosync-blackbox
/usr/bin/corosync-blackbox: line 34: qb-blackbox: command not found
which is consistent. So where is it? Hence the feedback marker.
However, in addition to the corosync process:
# ps ax | grep corosync
14213 pts/1    S+     0:00 man corosync-blackbox
Keywords: (none) => feedback
Installed corosync, lib64qb0 and lib64corosync4 from core release.
# cp /etc/corosync/corosync.conf.example /etc/corosync/corosync.conf
edit corosync.conf. Change bindnetaddr: based on my ip/netmask.
192.168.0.0
This vb guest is set to ip 192.168.10.114 with a /16 netmask (255.255.0.0). Note most systems will use a default of a /24 netmask, so with that ip address the bindnetaddr would be 192.168.10.0
To work with the rest as default config values, created the log dir ...
# mkdir /var/log/cluster
Started the services ...
# systemctl start corosync.service
Created the config file for corosync-notifyd and start it ...
# echo 'OPTIONS=" -l"'>/etc/sysconfig/corosync-notifyd
# systemctl start corosync-notifyd.service
Confirmed with systemctl status that both services are running.
# corosync-blackbox
/usr/bin/corosync-blackbox: line 34: qb-blackbox: command not found
urpmf shows qb-blackbox is in the devel package. As it's clearly required, it looks like it should be in the main package, not a devel package. Installing lib64qb-devel to get around this error.
corosync-blackbox
Dumping the contents of /var/lib/corosync/fdata
[debug] shm size:8392717; real_size:8396800; rb->word_size:2099200
[debug] read total of: 8392724
Ringbuffer:
 ->NORMAL
<snip>
ERROR: qb_rb_chunk_read failed: Connection timed out
[trace] ENTERING qb_rb_close()
[debug] Free'ing ringbuffer: /dev/shm/qb-create_from_file-header
As the services are running, that's as far as I'm going to dig to get this working for this update.
Installed lib64corosync4 and corosync from updates testing.
# systemctl restart corosync.service
# systemctl restart corosync-notifyd.service
Confirmed both services restarted ok, and corosync-blackbox output is same as before the update.
Advisory committed to svn.
Validating the update.
Keywords: feedback => advisory, has_procedure, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
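The bindnetaddr value in the test procedure above was worked out by hand from the guest's address and netmask; the POSIX sh helper below does that calculation and rewrites the line in a copy of corosync.conf. It is an added example, not code from the bug report or from corosync itself, and set_bindnetaddr assumes GNU sed -i (as on Mageia) and the "bindnetaddr:" line layout of corosync.conf.example.

```shell
# Added example: derive the corosync "bindnetaddr:" (network address) from
# an interface address and its netmask. The mask may be a dotted quad
# (255.255.0.0) or a prefix length (16). POSIX sh arithmetic only.
bindnetaddr() {
    ip="$1"
    mask="$2"
    case "$mask" in
        *.*) ;;     # already a dotted quad
        *)          # prefix length: build the dotted-quad mask
            bits=$(( (0xFFFFFFFF << (32 - $mask)) & 0xFFFFFFFF ))
            mask="$(( ($bits >> 24) & 255 )).$(( ($bits >> 16) & 255 )).$(( ($bits >> 8) & 255 )).$(( $bits & 255 ))"
            ;;
    esac
    # Split both dotted quads into the positional parameters $1..$8.
    oldifs=$IFS
    IFS=.
    set -- $ip $mask
    IFS=$oldifs
    # Network address = address AND mask, octet by octet.
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# Rewrite the bindnetaddr line of a corosync.conf copy in place and echo
# the resulting line so the change can be checked (GNU sed -i assumed).
set_bindnetaddr() {
    conf="$1"
    addr="$(bindnetaddr "$2" "$3")"
    sed -i "s/^\([[:space:]]*bindnetaddr:\).*/\1 $addr/" "$conf"
    grep 'bindnetaddr:' "$conf"
}
```

With the tester's values, bindnetaddr 192.168.10.114 255.255.0.0 prints 192.168.0.0, and the /24 variant (bindnetaddr 192.168.10.114 24) prints 192.168.10.0.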
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0275.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED