Format: 1.8
Date: Tue, 24 Apr 2018 12:06:51 +0200
Source: corosync
Binary: corosync corosync-notifyd corosync-dbg corosync-qdevice corosync-qnetd
 corosync-doc corosync-dev libcfg6 libcmap4 libcorosync-common4 libcpg4
 libquorum5 libsam4 libtotem-pg5 libvotequorum8 libcfg-dev libcmap-dev
 libcorosync-common-dev libcpg-dev libquorum-dev libsam-dev libtotem-pg-dev
 libvotequorum-dev
Architecture: source i386 all
Version: 2.4.2-3+deb9u1~bpo8+1
Distribution: jessie-backports
Urgency: high
Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 corosync - cluster engine daemon and utilities
 corosync-dbg - cluster engine debugging symbols
 corosync-dev - cluster engine generic development (transitional package)
 corosync-doc - cluster engine HTML documentation
 corosync-notifyd - cluster engine notification daemon
 corosync-qdevice - cluster engine quorum device daemon
 corosync-qnetd - cluster engine quorum device network daemon
 libcfg-dev - cluster engine CFG library development
 libcfg6 - cluster engine CFG library
 libcmap-dev - cluster engine CMAP library development
 libcmap4 - cluster engine CMAP library
 libcorosync-common-dev - cluster engine common development
 libcorosync-common4 - cluster engine common library
 libcpg-dev - cluster engine CPG library development
 libcpg4 - cluster engine CPG library
 libquorum-dev - cluster engine Quorum library development
 libquorum5 - cluster engine Quorum library
 libsam-dev - cluster engine SAM library development
 libsam4 - cluster engine SAM library
 libtotem-pg-dev - cluster engine Totem library development
 libtotem-pg5 - cluster engine Totem library
 libvotequorum-dev - cluster engine Votequorum library development
 libvotequorum8 - cluster engine Votequorum library
Closes: 887563
Changes:
 corosync (2.4.2-3+deb9u1~bpo8+1) jessie-backports; urgency=high
 .
   * Rebuild for jessie-backports.
   * [e44e00f] --restart-after-upgrade instead of stop in prerm and start in
     postinst.
     The previous stable security upgrade resulted in user complaints about
     Pacemaker remaining stopped after the Corosync upgrade. This is what
     systemd does with dependent services on stop+start. We can afford
     doing a restart instead, which behaves more like users expect.
     WARNING: on this upgrade the old prerm will still stop Corosync (and
     consequently: its dependencies!) for one last time. Pure restart
     behavior becomes effective for the forthcoming upgrades only.
     (Closes: #887563)
 .
 corosync (2.4.2-3+deb9u1) stretch-security; urgency=high
 .
   * [c2ee7ce] New patch fixing CVE-2018-1084: integer overflow in
     exec/totemcrypto.c.
     An integer overflow leading to an out-of-bound read was found in
     authenticate_nss_2_3() in Corosync. An attacker could craft a malicious
     packet that would lead to a denial of service.
     https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1084
     Thanks to Jan Friesse
   * [cfd0189] New patches fixing other vulnerabilities similar to
     CVE-2018-1084.
     The msgio patch fixes a real problem when message length > 2^31, which
     can't be mitigated by enabling encryption of the Corosync traffic. The
     other patches fix buffer overflows resulting in stack corruption and
     uses of unallocated memory; these can be mitigated by encryption.
   * [2ce17dc] The security patches introduced a new symbol