All errata/sisyphus/ALT-PU-2018-2627-1
ALT-PU-2018-2627-1

Package update keepalived in branch sisyphus

Version2.0.9-alt1
Task#216388
Published2018-11-12
Max severityHIGH
Severity:

Closed issues (6)

BDU:2020-05642
MEDIUM4.7

Уязвимость реализации вызовов PrintData или PrintStats системы балансировки сетевого трафика Keepalived, позволяющая нарушителю получить доступ к защищаемой информации

Published: 2020-12-15
CVSS 3.xMEDIUM 4.7
CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 4.4
CVSS:2.0/AV:L/AC:M/Au:S/C:C/I:N/A:N
References
BDU:2020-05693
MEDIUM6.3

Уязвимость реализации вызовов PrintData или PrintStats системы балансировки сетевого трафика Keepalived, позволяющая нарушителю перезаписывать произвольные файлы

Published: 2020-12-18
CVSS 3.xMEDIUM 6.3
CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:L/AC:H/Au:S/C:N/I:C/A:C
References
BDU:2020-05694
HIGH7.5

Уязвимость реализации вызовов PrintData или PrintStats системы балансировки сетевого трафика Keepalived, позволяющая нарушителю получить доступ к защищаемой информации

Published: 2020-12-18
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
References
CVE-2018-19044
MEDIUM4.7

keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.

Published: 2018-11-08Modified: 2024-11-21
CVSS 2.0LOW 3.3
CVSS:2.0/AV:L/AC:M/Au:N/C:N/I:P/A:P
CVSS 3.xMEDIUM 4.7
CVSS:3.x/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
References
CVE-2018-19045
HIGH7.5

keepalived 2.0.8 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information.

Published: 2018-11-08Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2018-19046
MEDIUM4.7

keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.

Published: 2018-11-08Modified: 2024-11-21
CVSS 2.0LOW 1.9
CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 4.7
CVSS:3.x/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References