Fedora has issued an advisory on December 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YQ7NS6S7B7V2X5NEUJKMTNXL3YPD7H3/ The issues are fixed upstream in 2.0.10.
Fixed for mga6!
CC: (none) => geiger.david68210
Assigning to the registered maintainer
Assignee: bugsquad => mageia
CC: (none) => marja11
Advisory:
========================

Updated keepalived package fixes security vulnerabilities:

keepalived before version 2.0.9 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd (CVE-2018-19044).

keepalived before version 2.0.9 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information (CVE-2018-19045).

keepalived before version 2.0.10 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information (CVE-2018-19046).

keepalived before version 2.0.9 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap (CVE-2018-19115).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19115
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YQ7NS6S7B7V2X5NEUJKMTNXL3YPD7H3/
========================

Updated packages in core/updates_testing:
========================

keepalived-2.0.10-1.mga6

from keepalived-2.0.10-1.mga6.src.rpm
Assignee: mageia => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e. No installation issues. The only previous update I find is bug 4084; I quote from it: "For testing, at least three systems are needed. Two servers and a client." I don't have that many systems available (laptops not fit for VBox either), so I ensured that no network connections are affected by the installation (NFS mount, internet connection). Leaving it at that.
CC: (none) => herman.viaene
@David In the light of Herman's comment above, would you agree 'clean update' for this one?
CC: (none) => lewyssmith
That's probably fine. Checking for the security issues could be done by just running it on one computer, but since we updated rather than patched it, I think we can trust that they're fixed.
Thanks David. This is a big thing to drive, and the CVEs are several. It is a major version update.

Testing M6/64 clean update only

BEFORE update: keepalived-1.2.24-1.mga6

After installation:
# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor p
   Active: inactive (dead) since Sad 2018-12-29 20:53:17 CET; 3s ago
  Process: 4021 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited,
 Main PID: 4022 (code=exited, status=0/SUCCESS)

Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: IPVS: Pro
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: IPVS: Pro
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Using Lin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:11 localhost.localdomain Keepalived_healthcheckers[4023]: Activatin
Rha 29 20:53:12 localhost.localdomain Keepalived[4022]: pid 4024 exited with per
Rha 29 20:53:12 localhost.localdomain Keepalived[4022]: Stopping
# systemctl stop keepalived

UPDATED without problem to: keepalived-2.0.10-1.mga6
# systemctl status keepalived
O/P same as above except that here, the Process line is absent.

OKing & validating.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0494.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED