[USN-165-1] heartbeat vulnerability

Martin Pitt martin.pitt at canonical.com
Thu Aug 11 13:13:20 UTC 2005


===========================================================
Ubuntu Security Notice USN-165-1	    August 11, 2005
heartbeat vulnerability
CAN-2005-2231
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

heartbeat

The problem can be corrected by upgrading the affected package to
version 1.2.2-8ubuntu0.1 (for Ubuntu 4.10), or 1.2.3-3ubuntu1.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Eric Romang discovered that heartbeat created temporary files in an
insecure manner. This could allow a symlink attack to create or
overwrite arbitrary files with root privileges as soon as heartbeat is
started.
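
The bug class described above, shown as the insecure open beside two hardened forms. This is an added example, not heartbeat's code; the advisory does not name the affected files, so the file names, the sandbox directory and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure: fixed name, and open() follows a symlink already at that name. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails if the name exists, symlinks included. */
static int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs the patterns in a private sandbox dir (constructed sample data).
 * Result bits: 1 = unsafe open truncated the link target, 2 = O_EXCL open
 * refused the link and left the target intact, 4 = mkstemp() gave a 0600 file. */
int run_demo(void) {
    char dir[] = "/tmp/usn165-XXXXXX", victim[64], tmp[64], tmpl[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/hb.tmp", dir);      /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/hb.XXXXXX", dir); /* mkstemp template */
    if ((fd = open_tmp_excl(victim)) < 0 || write(fd, "data", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;         /* pre-planted link */
    if (open_tmp_excl(tmp) < 0 && size_of(victim) == 4) result |= 2;
    fd = open_tmp_unsafe(tmp);
    if (fd >= 0 && size_of(victim) == 0) result |= 1;
    if (fd >= 0) close(fd);
    if ((fd = mkstemp(tmpl)) >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600) result |= 4;
    if (fd >= 0) { close(fd); unlink(tmpl); }
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```

On current Linux kernels, fs.protected_symlinks=1 additionally refuses to follow such links in sticky world-writable directories like /tmp, but the file-creation call itself should still use O_EXCL or mkstemp().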

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1.diff.gz
      Size/MD5:     7876 1f219e99881df0996134000f855d9339
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1.dsc
      Size/MD5:      862 9960ee62482cf244096c1601c34165b9
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2.orig.tar.gz
      Size/MD5:  1565941 2f6f177c7aebba34ba45a68deac41e37

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/ldirectord_1.2.2-8ubuntu0.1_all.deb
      Size/MD5:    42844 3b756503c8d809836c42b3c970169395

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:   123274 c7329aa36efadfe9999182454564dafb
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:   531238 c51bea450bb848ca9defb2a600cbf0b5
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:    59356 bfa043d078ed4bb91dc5e1b3ad693bb1
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:    49984 84e9798bbd2aa172f36d77aeaac40ac2
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:    27500 fd0da8672d36b78f07bd774fbb7205c1
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:    77628 b139b2a9b9c67cc4e4b0f7eea86dbc2d
    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.2-8ubuntu0.1_amd64.deb
      Size/MD5:    28552 50c25e035a9afac9b95e54407aca8694

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:   112756 d0df067b1a8bc319b533a1f1fb94a13e
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:   488994 fae2904a2a8cba2452c2e12ae705c3bd
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:    55508 3a9f5a7add62fc072e1647fe18452e54
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:    44938 11a6e9877e2e4d409eaece584681a9d5
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:    27100 a470eea4e239627cb26a47c67d0a206f
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:    67248 4b98f735c006d4c348d0a258a16b1dc8
    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.2-8ubuntu0.1_i386.deb
      Size/MD5:    28028 92d2b0b2eb1219940782828cb37e16be

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:   124626 5509ddf56e9651daa3cee6885e759ca0
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:   554794 99075d036528f230cee341f10d4a35be
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:    59420 1fb7f8ac2320ffd7ffc5e2b2b79452f2
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:    50962 d314814467eb35380d11b9664314511b
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:    27662 c4a076b92af1479307d3b76c6d4d7d01
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:    86594 083e5c9a268a7583b8993be9188f6afc
    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.2-8ubuntu0.1_powerpc.deb
      Size/MD5:    30830 7355d8b04d7e795009393cb8b569dc6f

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1.diff.gz
      Size/MD5:   245407 99c109587b63f09e215e959ba9f5e95b
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1.dsc
      Size/MD5:      847 396906a893ee422a2af0232315c654fa
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3.orig.tar.gz
      Size/MD5:  1772513 9fd126e5dff51cc8c1eee223c252a4af

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/ldirectord_1.2.3-3ubuntu1.1_all.deb
      Size/MD5:    44484 77c0b44340fbca9ecb65d55028325c4e

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:   125228 ca0d487242ea6e86f8a846727e6de55a
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:   532922 8a5c3db33bea01d6c39bb0a011d63099
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:    60900 4f423088204ee30724343bfdf8980026
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:    51590 15d3138654f905058b3eb97b3e0c600a
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:    29080 c9a1f9dae5b6a68af490648c3bda9e98
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:    79356 92971fe256772e7d22bbab96aebe0739
    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.3-3ubuntu1.1_amd64.deb
      Size/MD5:    30104 ea892aca4dbcab2e0bb0463e659c15d3

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:   114652 2f43f3c91dca4c8146e0ded33a1987d0
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:   489472 7b0e97cfaa9ec04a4f0ef1d73c152739
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:    57054 94ed42ccdd478566639b313c1bd3e89e
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:    46570 1d8dd224a5404345991e9ca2b8a91f88
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:    28662 88444bfcfbc3a2b9e1775b024f4c54cd
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:    69064 10e1b3e16c7109003e9818ebde63f190
    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.3-3ubuntu1.1_i386.deb
      Size/MD5:    29504 3d8dd26a1fd9c9de1dea642149d69b34

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:   126700 e620900665670a81d4207aeac7f22884
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:   556882 5113b635cf969850b3d93eac7c1d8569
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:    60954 97e504b49ee9f55e8d9303d044556ee6
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:    52598 d8a41f8b60a0f8dc9b6c2c9300b0ba7d
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:    29228 24ec82b2761d1d0561a0fe1b58adf4a3
    http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:    88814 5547291ce0b56e1683425136b22b6934
    http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.3-3ubuntu1.1_powerpc.deb
      Size/MD5:    32386 0613b29df54ab3a4f2e41e492de58f82