Heartbeat security alert
[Posted October 14, 2002 by corbet]
From: Alan Robertson <alanr@unix.sh>
To: Linux Weekly News <lwn@lwn.net>
Subject: Heartbeat security alert
Date: Mon, 14 Oct 2002 07:08:40 -0600
A serious, exploitable vulnerability has been found in the heartbeat code
associated with the Linux-HA project.
Please read the attached security bulletin for details concerning vulnerable
versions and what you should do about it.
Many thanks to Nathan Wallwork for carefully researching and documenting
this vulnerability!
Thanks!
-- Alan Robertson
alanr@unix.sh
URL: http://linux-ha.org/security/sec01.txt
14 October, 2002
A serious exploitable security vulnerability has been discovered in
the heartbeat package. It is recommended that all vulnerable systems
be upgraded as recommended below.
Systems which send heartbeats over networks which might conceivably
be accessible from the internet are especially vulnerable,
and should be upgraded as soon as it can possibly be arranged.
The following versions are known to be vulnerable:
0.4.9.1
0.4.9[a-d]
The following versions do not have the discovered vulnerability:
all versions <= 0.4.9
version 0.4.9.2 (the bug fixed stable version)
all versions >= 0.4.9e (the bug fixed beta)
It is recommended that sites running version 0.4.9.1 upgrade to 0.4.9.2.
It is recommended that sites running any of the 0.4.9[a-d] beta
versions upgrade to 0.4.9e.
Both 0.4.9.2 and 0.4.9e have been well-tested, and are available from
http://linux-ha.org/download/
Version 0.4.9.2 was directly created from version 0.4.9.1. The
only things changed were those necessary to eliminate the discovered
vulnerability. It should behave exactly as version 0.4.9.1 does.
As an additional precaution, version 0.4.9e also runs network-facing
processes as "nobody". Version 0.4.9e is a beta release.
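The bulletin's version rules are easy to misapply by hand because the stable line (0.4.9, 0.4.9.1, 0.4.9.2) and the beta line (0.4.9a through 0.4.9e) are ordered differently. The following Python check is an added example, not part of the bulletin or of the Linux-HA project: it parses a heartbeat version string and returns the bulletin's verdict for it, together with the recommended upgrade target. Versions the bulletin does not name (for example 0.4.9.3 or 0.5.0) are reported as "not_listed" rather than guessed. The function names, the `Verdict` type and the version-string grammar it accepts are assumptions made for the example; the version numbers and upgrade targets are those stated above.

```python
import re
import sys
from typing import NamedTuple, Optional

# Bulletin this check encodes (stated on the page).
ADVISORY_URL = "http://linux-ha.org/security/sec01.txt"


class Verdict(NamedTuple):
    """Outcome of the check: status plus the upgrade target, if the bulletin names one."""
    status: str                 # "vulnerable", "fixed", "not_affected" or "not_listed"
    upgrade_to: Optional[str]   # e.g. "0.4.9.2"; None when no upgrade is called for


# Accepts "0.4.9", "0.4.9.1", "0.4.9c" (beta letter) - grammar assumed for this example.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?([a-z])?$")


def parse_version(text: str):
    """Split a heartbeat version string into (major, minor, patch, sub, beta_letter)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised heartbeat version string: {text!r}")
    major, minor, patch, sub, beta = m.groups()
    return int(major), int(minor), int(patch), int(sub) if sub else 0, beta


def check_heartbeat(text: str) -> Verdict:
    """Apply the sec01 bulletin's rules to one version string."""
    major, minor, patch, sub, beta = parse_version(text)
    base = (major, minor, patch)

    if beta is not None:
        # Beta line: only the 0.4.9[a-...] series is covered by the bulletin.
        if base != (0, 4, 9) or sub != 0:
            return Verdict("not_listed", None)
        if "a" <= beta <= "d":
            return Verdict("vulnerable", "0.4.9e")     # 0.4.9[a-d]: vulnerable
        return Verdict("fixed", None)                   # >= 0.4.9e: bug fixed beta

    # Stable line.
    if (major, minor, patch, sub) <= (0, 4, 9, 0):
        return Verdict("not_affected", None)            # all versions <= 0.4.9
    if base == (0, 4, 9) and sub == 1:
        return Verdict("vulnerable", "0.4.9.2")         # 0.4.9.1: vulnerable
    if base == (0, 4, 9) and sub == 2:
        return Verdict("fixed", None)                   # 0.4.9.2: bug fixed stable
    # Anything else (later point releases, 0.5.x, ...) is not named by the bulletin.
    return Verdict("not_listed", None)


if __name__ == "__main__":
    # Usage: python check_heartbeat.py 0.4.9.1 0.4.9c 0.4.9e
    for arg in sys.argv[1:] or ["0.4.9.1", "0.4.9c", "0.4.9e", "0.4.9"]:
        v = check_heartbeat(arg)
        action = f" -> upgrade to {v.upgrade_to}" if v.upgrade_to else ""
        print(f"{arg}: {v.status}{action}  (see {ADVISORY_URL})")
```

The "not_listed" verdict is deliberate: a version outside the ranges the bulletin names should be checked against the bulletin itself rather than assumed safe, since the bulletin only commits to 0.4.9.2 and to betas from 0.4.9e onward as fixed.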
Thanks to Nathan Wallwork for finding and reporting this problem!
Send questions to the linux-ha mailing list:
linux-ha@muc.de