CVE Request -- Corosync (X < 2.0.3): Remote DoS due to improper HMAC initialization and improper junk filtering when different encryption keys are used
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 1 Feb 2013 11:26:52 -0500 (EST)
Hello Kurt, Steve, vendors,
Corosync upstream has recently released version 2.0.3, correcting
one security issue:
A denial of service flaw was found in the way Corosync,
the cluster engine and application programming interfaces,
performed processing of certain network packets when different
encryption keys were used. Previously the HMAC key was not initialized
properly, which allowed certain packets to pass through to the internal
phases of the Corosync packet validation process, possibly leading
to a corosync daemon crash.
The HMAC initialization has been corrected in upstream via:
but there might be more changes needed (Cc-ing Fabio and Jan).
Could you allocate a CVE id for this?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
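The flaw described in the request above is an ordering and initialization problem in authenticated packet handling: if the MAC key is not set up, or if parsing happens before the tag is checked, a packet built under a different key reaches the inner parsing stages. The following is an added illustration, not Corosync's code and not its totem wire format; the packet layout, the key values and the function names (seal, verify, receive, receive_insecure) are constructed here. It shows the secure path (refuse to operate without an initialized key, verify the HMAC with a constant-time compare, and only then parse) beside the insecure ordering, so that a wrong-key packet with a bogus length field is rejected by the former and reaches the parser in the latter.

```python
import hmac
import hashlib
import struct

# Constructed toy packet format (not Corosync's wire format):
#   2-byte big-endian payload length | payload | 32-byte HMAC-SHA256 tag
TAG_LEN = 32
HDR = struct.Struct("!H")


class AuthError(Exception):
    """Raised when a packet fails authentication before any parsing."""


def _require_key(key: bytes) -> None:
    # An empty/uninitialized key must be a hard error, never a silent no-op.
    if not key:
        raise ValueError("HMAC key is not initialized")


def seal(key: bytes, payload: bytes) -> bytes:
    """Build length || payload || HMAC-SHA256(key, length || payload)."""
    _require_key(key)
    body = HDR.pack(len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(key: bytes, packet: bytes) -> bytes:
    """Return the authenticated body or raise AuthError; the body is not parsed here."""
    _require_key(key)
    if len(packet) < HDR.size + TAG_LEN:
        raise AuthError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise AuthError("bad HMAC: wrong key or tampered packet")
    return body


def parse_body(body: bytes) -> bytes:
    """Inner parsing stage: trusts the length field, so it must only see verified input."""
    (n,) = HDR.unpack_from(body)
    payload = body[HDR.size:]
    if len(payload) != n:
        raise ValueError("length field does not match payload")
    return payload


def receive(key: bytes, packet: bytes) -> bytes:
    """Correct ordering: authenticate first, parse second."""
    return parse_body(verify(key, packet))


def receive_insecure(key: bytes, packet: bytes) -> bytes:
    """Wrong ordering: unauthenticated bytes reach the parser before the tag check."""
    payload = parse_body(packet[:-TAG_LEN])
    verify(key, packet)
    return payload


def _outcome(fn):
    try:
        return "ok:" + fn().decode()
    except Exception as exc:  # report which stage rejected the packet
        return type(exc).__name__


def demo() -> dict:
    """Run the constructed scenarios and report the result of each."""
    key_a = bytes(range(32))        # constructed fixed keys for reproducibility
    key_b = bytes(range(32, 64))    # a node configured with a different key
    good = seal(key_a, b"ping")
    foreign = seal(key_b, b"ping")
    # Foreign packet whose length field disagrees with its payload.
    bad_body = HDR.pack(9999) + b"ping"
    bad_len = bad_body + hmac.new(key_b, bad_body, hashlib.sha256).digest()
    return {
        "good": _outcome(lambda: receive(key_a, good)),
        "foreign": _outcome(lambda: receive(key_a, foreign)),
        "bad_len_secure": _outcome(lambda: receive(key_a, bad_len)),
        "bad_len_insecure": _outcome(lambda: receive_insecure(key_a, bad_len)),
        "no_key": _outcome(lambda: receive(b"", good)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

In the secure path every packet authenticated under another key stops at `verify` with `AuthError`, so `parse_body` never sees the inconsistent length field; in `receive_insecure` the same packet reaches the parser and trips `ValueError`, which stands in for the crash the advisory describes. Refusing to run with an empty key is the guard against the uninitialized-key condition itself.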