URL: http://linux-ha.org/security/sec02.txt 25 June, 2003
A vulnerability has been discovered in the heartbeat package which would
allow an attacker to gain (non-privileged) access to the target system.
It is recommended that all vulnerable systems be upgraded as described
below.
Exploit code for this vulnerability exists and has been used to gain
unauthorized access.
Setups where the heartbeat networks are not adequately secured, so that
an attacker can send malicious packets to the heartbeat addresses, are
vulnerable and should be upgraded as soon as it can be arranged.
As an additional security measure, it is recommended that the heartbeat
networks be secured against unauthorized access, so that only the
cluster nodes can reach the heartbeat addresses and port.
The following versions ARE known to be vulnerable:
0.4.9 to 1.0.2
The following versions DO NOT have the discovered vulnerability:
all versions before 0.4.9
1.0.3
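The two recommendations above (check the installed version against the
vulnerable range, and restrict who can send to the heartbeat addresses)
can be scripted. The following is an added example, not part of the
original advisory or of the heartbeat project: a numeric dotted-version
comparison, a check against the 0.4.9 .. 1.0.2 range, and a generator
for host firewall rules that accept heartbeat UDP traffic only from the
peer node. It assumes heartbeat's default UDP port 694 (the "udpport"
directive in ha.cf); the interface name and peer address are
placeholders to be replaced with the values from your own ha.cf.

```sh
#!/bin/sh
# Added example, not part of the linux-ha advisory or the heartbeat code.
# Assumes heartbeat's default UDP port 694; eth1 and 10.0.0.2 below are
# placeholders for the dedicated heartbeat interface and the peer node.

# Compare two dotted version strings field by field as numbers.
# Prints -1, 0 or 1 (like strcmp). A plain string compare would get
# "1.0.10" < "1.0.2" wrong, which is why the fields are split.
# Non-digit suffixes such as "3-beta" are stripped before comparing.
vercmp() {
    a="$1"; b="$2"; i=1
    while :; do
        fa=$(printf '%s\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d. -f"$i")
        # both strings exhausted: equal
        [ -z "$fa" ] && [ -z "$fb" ] && { printf '%s\n' 0; return; }
        fa=$(printf '%s' "$fa" | tr -cd '0-9'); fa=${fa:-0}
        fb=$(printf '%s' "$fb" | tr -cd '0-9'); fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
}

# True (exit 0) when the given version is in the advisory's vulnerable
# range 0.4.9 .. 1.0.2 inclusive; 1.0.3 and later are not affected.
heartbeat_vulnerable() {
    v="$1"
    [ "$(vercmp "$v" 0.4.9)" -ge 0 ] && [ "$(vercmp "$v" 1.0.2)" -le 0 ]
}

# Print iptables rules that accept heartbeat UDP packets only when they
# arrive on the heartbeat interface from the peer node, and drop any
# other packet to that port. $1 = interface, $2 = peer address,
# $3 = UDP port (defaults to heartbeat's 694). Rules are printed, not
# applied, so they can be reviewed before running them as root.
heartbeat_fw_rules() {
    ifc="$1"; peer="$2"; port="${3:-694}"
    printf 'iptables -A INPUT -i %s -p udp --dport %s -s %s -j ACCEPT\n' \
        "$ifc" "$port" "$peer"
    printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$port"
}

# Usage: ./check-heartbeat.sh <installed-version> [iface peer-address]
if [ $# -gt 0 ]; then
    if heartbeat_vulnerable "$1"; then
        echo "heartbeat $1 is in the vulnerable range 0.4.9..1.0.2; upgrade to 1.0.3"
    else
        echo "heartbeat $1 is outside the vulnerable range"
    fi
    [ $# -ge 3 ] && heartbeat_fw_rules "$2" "$3"
fi
```

The firewall rules are a complement to the upgrade, not a substitute:
they keep untrusted hosts from reaching the heartbeat port, but a node
that can spoof the peer's address on a shared segment is still on the
"heartbeat network" in the advisory's sense, which is why a dedicated
link or VLAN for heartbeat traffic is the stronger measure.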
It is recommended that all sites running stable code upgrade to version
1.0.3.
Any sites running the CVS code should pick up the fixes from CVS.
Version 1.0.3 has been well-tested, and is available from
http://linux-ha.org/download/
Version 1.0.3 has important non-security related bug fixes over previous
versions in addition to this security fix. All versions prior to 1.0.3
are deprecated for stable environments.
While 1.0.3 is designed to be a drop-in, fully compatible upgrade for
all previous releases, adequate care should be taken to ensure a smooth
upgrade - please read the changelog for detailed information.
Send questions to the linux-ha mailing list:
linux-ha@muc.de