Format: 1.8
Date: Sat, 14 Apr 2018 09:05:14 CEST
Source: corosync
Binary: corosync corosync-notifyd corosync-qdevice corosync-qnetd corosync-doc corosync-dev libcfg6 libcmap4 libcorosync-common4 libcpg4 libquorum5 libsam4 libtotem-pg5 libvotequorum8 libcfg-dev libcmap-dev libcorosync-common-dev libcpg-dev libquorum-dev libsam-dev libtotem-pg-dev libvotequorum-dev
Architecture: source
Version: 2.4.2-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 corosync   - cluster engine daemon and utilities
 corosync-dev - cluster engine generic development (transitional package)
 corosync-doc - cluster engine HTML documentation
 corosync-notifyd - cluster engine notification daemon
 corosync-qdevice - cluster engine quorum device daemon
 corosync-qnetd - cluster engine quorum device network daemon
 libcfg-dev - cluster engine CFG library development
 libcfg6    - cluster engine CFG library
 libcmap-dev - cluster engine CMAP library development
 libcmap4   - cluster engine CMAP library
 libcorosync-common-dev - cluster engine common development
 libcorosync-common4 - cluster engine common library
 libcpg-dev - cluster engine CPG library development
 libcpg4    - cluster engine CPG library
 libquorum-dev - cluster engine Quorum library development
 libquorum5 - cluster engine Quorum library
 libsam-dev - cluster engine SAM library development
 libsam4    - cluster engine SAM library
 libtotem-pg-dev - cluster engine Totem library development
 libtotem-pg5 - cluster engine Totem library
 libvotequorum-dev - cluster engine Votequorum library development
 libvotequorum8 - cluster engine Votequorum library
Changes:
 corosync (2.4.2-3+deb9u1) stretch-security; urgency=high
 .
   * [c2ee7ce] New patch fixing CVE-2018-1084: integer overflow in exec/totemcrypto.c.
     An integer overflow leading to an out-of-bound read was found in
     authenticate_nss_2_3() in Corosync. An attacker could craft a malicious
     packet that would lead to a denial of service.
     https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1084
     Thanks to Jan Friesse
   * [cfd0189] New patches fixing other vulnerabilities similar to CVE-2018-1084.
     The msgio patch fixes a real problem when message length > 2^31, which
     can't be mitigated by enabling encryption of the Corosync traffic.
     The other patches fix buffer overflows resulting in stack corruption and
     uses of unallocated memory; these can be mitigated by encryption.
   * [2ce17dc] The security patches introduced a new symbol
Checksums-Sha256:
 6fc804d8c37e7e56bc01f9b90a1857fe8e0cb1a9abe0b1ada5bcf77ead25c59d 3595 corosync_2.4.2-3+deb9u1.dsc
 63cf0c83a33962304f63af8e14054b624d3b6de52ed214f68002dc4e0397c558 43288 corosync_2.4.2-3+deb9u1.debian.tar.xz
 f26e3011309fe4bcce94b1dc20ea8c462f19483a73f3ca62f13b925d011a4ba9 1152240 corosync_2.4.2.orig.tar.gz
Checksums-Sha1:
 97e3c0e70b358307985746102a376785090314c1 3595 corosync_2.4.2-3+deb9u1.dsc
 5a4c66fdf10c0ee7ae4998316284d9300c3514ca 43288 corosync_2.4.2-3+deb9u1.debian.tar.xz
 fdb77f06158d0a5fae931ea99e5d146e96f14914 1152240 corosync_2.4.2.orig.tar.gz
Files:
 23967f0b240cdfbcae9b49768745a70b 3595 admin optional corosync_2.4.2-3+deb9u1.dsc
 67f7242c56ece39e8d03231f11b7a829 43288 admin optional corosync_2.4.2-3+deb9u1.debian.tar.xz
 547fa78704da53aa35912be58d31035f 1152240 admin optional corosync_2.4.2.orig.tar.gz