August 29, 2006
heartbeat Remote Denial of Service
Copyright notice: This post may be freely reproduced; when reproducing it, please cite the original source and author information as a hyperlink, together with this notice. https://windtear.net/archives/2006/08/29/001069.html

heartbeat Remote Denial of Service
http://www.linux-ha.org/
http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt

08/13/2006: We have discovered a remote denial of service vulnerability in heartbeat, and also a potential local denial of service vulnerability. Upgrading to 2.0.7 or 1.2.5 is recommended at your earliest convenience. If this is not possible in the short term, it is recommended that you keep attackers off your heartbeat networks through either physical separation or firewalls.

- Remote Denial of Service attack (#195068, CVE-2006-3121).
- Local Denial of Service attack (#194444, CVE-2006-3815). (this one was actually fixed in 2.0.6)

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3121

--- heartbeat-1.2.3/lib/clplumbing/cl_netstring.c +++ heartbeat-1.2.3/lib/clplumbing/cl_netstring.c @@ -257,6 +257,11 @@ *data = sp; sp += (*len); + + if (sp >= smax ){ + return(HA_FAIL); + } + if (*sp != ','){ return(HA_FAIL); }

http://www.linux-ha.org/download/heartbeat-2.0.7-1.src.rpm
http://www.ultramonkey.org/
http://www.ultramonkey.org/download/3/rh.el.3/RPMS/
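Review bot: the new `if (sp >= smax)` test is placed after `sp += (*len)` has already advanced the pointer, so the bounds decision is made by comparing a pointer that may already lie beyond the end of the received buffer; it is safer, and avoids undefined pointer arithmetic for an oversized `*len` taken from untrusted input, to check the length against the remaining space before the addition, e.g. `if (*len > (size_t)(smax - sp)) { return(HA_FAIL); }` and only then do `sp += (*len);`. The guard itself is the right fix for the remote denial of service: without it, a netstring whose declared length reaches or exceeds the end of the message makes `if (*sp != ',')` read past the buffer. A one-line comment above the check explaining that `smax` is the end of the message buffer and that the terminating ',' must still be inside it would document why the test exists.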
Posted by windtear at August 29, 2006 11:40 PM