Heartbeat security alert

Alan Robertson alanr@unix.sh
Mon, 14 Oct 2002 05:29:50 -0600 

This is a multi-part message in MIME format.
--------------050602010109080508040806
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

A serious, exploitable vulnerability has been found in the heartbeat code. 
Please read the attached security bulletin for details concerning vulnerable 
versions and what you should do about it.

	Thanks!

	-- Alan Robertson
	   alanr@unix.sh

--------------050602010109080508040806
Content-Type: text/plain;
 name="sec01.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="sec01.txt"

URL: http://linux-ha.org/security/sec01.txt		14 October, 2002

A serious exploitable security vulnerability has been discovered in
the heartbeat package.  It is recommend that all vulnerable systems
be upgraded as recommended below.

Systems which send heartbeats over networks which might be conceivably
be accessible from the internet are especially vulnerable,
and should be upgraded as soon as it can possibly be arranged.

The following versions are known to be vulnerable:

        0.4.9.1
        0.4.9[a-d]

The following versions do not have the discovered vulnerability:
        all versions <= 0.4.9
        version 0.4.9.2         (the bug fixed stable version)
        all versions >= 0.4.9e  (the bug fixed beta)

It is recommended that sites running version 0.4.9.1 upgrade to 0.4.9.2.

It is recommended that sites running any of the 0.4.9[a-d] beta
versions upgrade to 0.4.9e.

Both 0.4.9.2 and 0.4.9e have been well-tested, and are available from
        http://linux-ha.org/download/

Version 0.4.9.2 was directly created from version 0.4.9.1.  The
only things changed were those necessary to eliminate the discovered
vulnerability.  It should behave exactly as version 0.4.9.1 does.

As an additional precaution, version 0.4.9e also runs network-facing
processes as "nobody".  Version 0.4.9e is a beta release.

Thanks to Nathan Wallwork for finding and reporting this problem! 

Send questions to the linux-ha mailing list:
	linux-ha@muc.de

--------------050602010109080508040806--