Debian Long Term Support / LTS Security Information / 2021 / Security Information -- DLA-2515-1 csync2

Debian Security Advisory

DLA-2515-1 csync2 -- LTS security update

Date Reported:

04 Jan 2021

Affected Packages:

csync2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-15523.

More information:

It was discovered that csync2, a cluster synchronization tool, did not correctly check for the return value from GnuTLS security routines. It neglected to repeatedly call this function as required by the design of the API.

• CVE-2019-15523

  An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.

For Debian 9 Stretch, these problems have been fixed in version 2.0-8-g175a01c-4+deb9u2.

We recommend that you upgrade your csync2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS