Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 14 Feb 2013 11:47:47 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
        David Vossel <>,
        Andrew Beekhof <>
Subject: [FYI / CVE assignment notification] CVE-2013-0281 pacemaker: Denial
 of service when remote CIB management enabled due to use of no-timeout
 blocking socket to wait for the arrival of the authentication credentials

Hello vendors,

* A denial of service flaw was found in the way Pacemaker,
an advanced, scalable high-availability cluster resource
manager for Linux-HA (Heartbeat) and/or Corosync, performed
authentication and processing of remote connections in certain
circumstances. In general Pacemaker used a blocking socket
(without a timeout) to wait for authentication credentials
to arrive. When Pacemaker was configured to allow remote
Cluster Information Base (CIB) cluster's configuration /
cluster's resources management, a remote attacker could use
this flaw to cause Pacemaker to block indefinitely
(preventing it from serving another requests).

* The CVE identifier of CVE-2013-0281 has been assigned to this issue.

* This issue was found by David Vossel of Red Hat.

* Relevant upstream patch:

* References:

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ