安全公告详情

NS-SA-2019-0240

2019-12-27 14:15:32

简介

important: keepalived/jss security update

严重级别

important

主题

An update for keepalived/jss is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

keepalived: Keepalived provides simple and robust facilities for load balancing and high availability. The load balancing framework relies on the well-known and widely used Linux Virtual Server (IPVS) kernel module providing layer-4 (transport layer) load balancing. Keepalived implements a set of checkers to dynamically and adaptively maintain and manage a load balanced server pool according their health. Keepalived also implements the Virtual Router Redundancy Protocol (VRRPv2) to achieve high availability with director failover.
jss: Java Security Services (JSS) is a java native interface which provides a bridge for java-based applications to use native Network Security Services (NSS). This only works with gcj. Other JREs require that JCE providers be signed.


Security Fix(es):
keepalived: 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.(CVE-2018-19044)
keepalived: bugfix
jss: A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.(CVE-2019-14823)
jss: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F7.

影响组件

  • keepalived
  • jss

影响产品

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

更新包

{"fix":[{"product":"CGSL MAIN 5.05","pkgs":[{"binary":["keepalived-1.3.5-16.el7.x86_64.rpm","keepalived-debuginfo-1.3.5-16.el7.x86_64.rpm"],"source":"keepalived-1.3.5-16.el7.src.rpm"},{"binary":["jss-4.4.6-3.el7_7.x86_64.rpm","jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm","jss-javadoc-4.4.6-3.el7_7.x86_64.rpm"],"source":"jss-4.4.6-3.el7_7.src.rpm"}]},{"product":"CGSL CORE 5.05","pkgs":[{"binary":["keepalived-1.3.5-16.el7.x86_64.rpm","keepalived-debuginfo-1.3.5-16.el7.x86_64.rpm"],"source":"keepalived-1.3.5-16.el7.src.rpm"},{"binary":["jss-4.4.6-3.el7_7.x86_64.rpm","jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm","jss-javadoc-4.4.6-3.el7_7.x86_64.rpm"],"source":"jss-4.4.6-3.el7_7.src.rpm"}]}]}

CVE

参考