MGASA-2012-0188
| Date: | August 2nd, 2012 |
| Affected releases: | 1, 2 |
Description:
Updated keepalived package fixes security vulnerability:
The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and
earlier uses 0666 permissions for the (1) keepalived.pid,
(2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows
local users to kill arbitrary processes by writing a PID to one of
these files (CVE-2011-1784).
A security issue due to syslog being used inside of sighandlers has
also been fixed.
Finally, keepalived was failing to load the ip_vs kernel module
because of an incorrect modprobe option. This has also been corrected.
Updated Packages:
Mageia 1:
keepalived-1.2.2-0.4.mga1
Mageia 2:
keepalived-1.2.2-1.2.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
https://bugs.mageia.org/show_bug.cgi?id=4084
