ALT-PU-2023-7630-2
Closed vulnerabilities
Published: 2020-03-21
Modified: 2024-11-21
CVE-2019-15522
An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session in daemon.c neglects to force a failure of a hello command when the configuration requires use of SSL.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2020-12-31
Modified: 2024-11-21
CVE-2019-15523
An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.
Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
- https://github.com/LINBIT/csync2/pull/13/commits/92742544a56bcbcd9ec99ca15f898b31797e39e2
- [debian-lts-announce] 20210104 [SECURITY] [DLA 2515-1] csync2 security update