Heartbeat security alert
Mon, 14 Oct 2002 05:29:50 -0600
A serious, exploitable vulnerability has been found in the heartbeat code.
Please read the attached security bulletin for details concerning vulnerable
versions and what you should do about it.
-- Alan Robertson
URL: http://linux-ha.org/security/sec01.txt 14 October, 2002
A serious, exploitable security vulnerability has been discovered in
the heartbeat package. It is recommended that all vulnerable systems
be upgraded as described below.
Systems which send heartbeats over networks that might conceivably be
accessible from the internet are especially vulnerable, and should be
upgraded as soon as it can possibly be arranged.
The following versions are known to be vulnerable:
The following versions do not have the discovered vulnerability:
    all versions <= 0.4.9
    version 0.4.9.2 (the bug-fixed stable version)
    all versions >= 0.4.9e (the bug-fixed beta)
It is recommended that sites running version 0.4.9.1 upgrade to 0.4.9.2.
It is recommended that sites running any of the 0.4.9[a-d] beta
versions upgrade to 0.4.9e.
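As an added example, not part of the bulletin or the heartbeat project, the following Python check classifies a heartbeat version string against the ranges above. The safe set is the bulletin's own list (<= 0.4.9, 0.4.9.2, >= 0.4.9e); the vulnerable set is taken from the upgrade advice (0.4.9.1 and the 0.4.9[a-d] betas), and the version-string formats are assumed from the versions the bulletin names.

```python
import re

# Version scheme assumed from the bulletin: the stable line is
# 0.4.9 < 0.4.9.1 < 0.4.9.2, the beta line is 0.4.9a < ... < 0.4.9e.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text):
    """Split '0.4.9e' into ((0, 4, 9), 'e') and '0.4.9.1' into ((0, 4, 9, 1), '')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised heartbeat version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def is_vulnerable(text):
    """True if the bulletin says this heartbeat version needs upgrading.

    Not vulnerable: all versions <= 0.4.9, 0.4.9.2, all versions >= 0.4.9e.
    Vulnerable (per the upgrade advice): 0.4.9.1 and the 0.4.9[a-d] betas.
    """
    numbers, beta = parse_version(text)
    if numbers < (0, 4, 9):
        return False              # older than the affected release
    if numbers == (0, 4, 9):
        if not beta:
            return False          # plain 0.4.9 stable
        return beta < "e"         # 0.4.9a-d vulnerable, 0.4.9e and later fixed
    if numbers == (0, 4, 9, 1):
        return True               # the vulnerable stable release
    return False                  # 0.4.9.2 and anything newer


def recommended_upgrade(text):
    """Upgrade target named by the bulletin, or None if no action is needed."""
    if not is_vulnerable(text):
        return None
    _, beta = parse_version(text)
    return "0.4.9e" if beta else "0.4.9.2"


def triage(inventory):
    """Map {host: version} to {host: upgrade target} for hosts needing action."""
    return {host: recommended_upgrade(ver)
            for host, ver in inventory.items() if is_vulnerable(ver)}
```

`triage` takes a constructed host-to-version inventory, so the same check can be run over a whole cluster's reported versions rather than one node at a time.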
Both 0.4.9.2 and 0.4.9e have been well-tested, and are available from
Version 0.4.9.2 was directly created from version 0.4.9.1. The
only things changed were those necessary to eliminate the discovered
vulnerability. It should behave exactly as version 0.4.9.1 does.
As an additional precaution, version 0.4.9e also runs network-facing
processes as "nobody". Version 0.4.9e is a beta release.
Thanks to Nathan Wallwork for finding and reporting this problem!
Send questions to the linux-ha mailing list: