Synopsis

Important: keepalived security update

Type/Severity

Security Advisory: Important

Topic

An update for keepalived is now available for Red Hat Enterprise Linux 7.5 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The keepalived utility provides simple and robust facilities for load balancing and high availability. The load balancing framework relies on the well-known and widely used IP Virtual Server (IPVS) kernel module providing layer-4 (transport layer) load balancing. Keepalived implements a set of checkers to dynamically and adaptively maintain and manage a load balanced server pool according to the health of the servers. Keepalived also implements the Virtual Router Redundancy Protocol (VRRPv2) to achieve high availability with director failover.

Security Fix(es):

• keepalived: Heap-based buffer overflow when parsing HTTP status codes allows for denial of service or possibly arbitrary code execution (CVE-2018-19115)
  

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5 ppc64le

Fixes

• BZ - 1651871 - CVE-2018-19115 keepalived: Heap-based buffer overflow when parsing HTTP status codes allows for denial of service or possibly arbitrary code execution

CVEs

• CVE-2018-19115

References

• https://access.redhat.com/security/updates/classification/#important

Red Hat Enterprise Linux Server - Extended Update Support 7.5

SRPM
keepalived-1.3.5-7.el7_5.2.src.rpm	SHA-256: 24ce26ec50866a656d33d716bfab261cf46739307cc04397a8463e7486f0dfb6
x86_64
keepalived-1.3.5-7.el7_5.2.x86_64.rpm	SHA-256: 726cde55cd9003bb973bd868ff2816520564667944c7af402b534fc37ce092a8
keepalived-debuginfo-1.3.5-7.el7_5.2.x86_64.rpm	SHA-256: 75235e15a01f187357a2d054d6f6bab65cc747c0a6d5ac12aaf18e6f7a72ad87

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5

SRPM
keepalived-1.3.5-7.el7_5.2.src.rpm	SHA-256: 24ce26ec50866a656d33d716bfab261cf46739307cc04397a8463e7486f0dfb6
s390x
keepalived-1.3.5-7.el7_5.2.s390x.rpm	SHA-256: 7a12e42291c5b9ac2f269cf22b7b484b5de2bece6fce5e7fce2bee097ace3b6f
keepalived-debuginfo-1.3.5-7.el7_5.2.s390x.rpm	SHA-256: 7d717d2a3eefacde2e892c751aab7d39acd35571da893cf5c2b78b6784f8512f

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5

SRPM
keepalived-1.3.5-7.el7_5.2.src.rpm	SHA-256: 24ce26ec50866a656d33d716bfab261cf46739307cc04397a8463e7486f0dfb6
ppc64
keepalived-1.3.5-7.el7_5.2.ppc64.rpm	SHA-256: 4af2d86473f886c040b65fccccb553438bfb6d13851cda8fe3a9c01f957e7cdb
keepalived-debuginfo-1.3.5-7.el7_5.2.ppc64.rpm	SHA-256: e3cf485eb648664e5ad425e9f1efad5e7c9f22cacdb96735a1cc97e17415338f

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5

SRPM
keepalived-1.3.5-7.el7_5.2.src.rpm	SHA-256: 24ce26ec50866a656d33d716bfab261cf46739307cc04397a8463e7486f0dfb6
ppc64le
keepalived-1.3.5-7.el7_5.2.ppc64le.rpm	SHA-256: 9a30ed66504a27690b1282ac482273dccaee132df0c4f62f98d7f045bd15e499
keepalived-debuginfo-1.3.5-7.el7_5.2.ppc64le.rpm	SHA-256: 6c9a190f251727a7c3c3736c2503588634d8d72e023ce527e5af8cd0e2b4f2a6