ELA-834-1 keepalived security update

access-control bypass

2023-04-18
Package: keepalived
Version: 1:1.3.2-1+deb9u1 (stretch)
Related CVEs: CVE-2018-19115 CVE-2021-44225


Two security vulnerabilities were found in keepalived, a failover and monitoring daemon for LVS clusters.

CVE-2018-19115

keepalived has a heap-based buffer overflow when parsing HTTP
status codes resulting in DoS or possibly unspecified other impact, because
extract_status_code in lib/html.c has no validation of the status code and
instead writes an unlimited amount of data to the heap.
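As an added illustration of the check the description calls for (this is example code, not keepalived's lib/html.c or the patch shipped in the updated package), the parser below extracts the status code from an HTTP status line into a fixed-size caller buffer and rejects anything that is not exactly three digits, so the copy is bounded regardless of what the monitored server sends; the function name and the fixed three-digit limit are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STATUS_CODE_LEN 3 /* HTTP status codes are exactly three digits */

/* Hypothetical bounded extractor (added example). Parses a status line such as
 * "HTTP/1.1 200 OK\r\n", copies the three-digit code into the caller's buffer
 * (which must hold at least STATUS_CODE_LEN + 1 bytes), and returns the code as
 * an integer. Returns -1 for any malformed line: wrong prefix, a code that is
 * not exactly three ASCII digits, a truncated line, or a too-small buffer. */
int extract_status_code_bounded(const char *buf, size_t len,
                                char *code, size_t code_size)
{
    const char *p = buf, *end = buf + len;
    size_t i;

    if (code_size < STATUS_CODE_LEN + 1)
        return -1;
    /* The line must start with "HTTP/"; compare only within len. */
    if ((size_t)(end - p) < 5 || memcmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;
    /* Skip the version token up to the first space, never past end. */
    while (p < end && *p != ' ')
        p++;
    if (p >= end)
        return -1;
    p++; /* step over the space */
    /* Copy exactly three digits; stop on non-digit or end of input. */
    for (i = 0; i < STATUS_CODE_LEN; i++) {
        if (p + i >= end || !isdigit((unsigned char)p[i]))
            return -1;
        code[i] = p[i];
    }
    code[STATUS_CODE_LEN] = '\0';
    /* A fourth digit (e.g. "2000") is rejected rather than silently truncated. */
    if (p + STATUS_CODE_LEN < end) {
        char c = p[STATUS_CODE_LEN];
        if (c != ' ' && c != '\r' && c != '\n')
            return -1;
    }
    return (code[0] - '0') * 100 + (code[1] - '0') * 10 + (code[2] - '0');
}

int main(void)
{
    /* Constructed sample response line, not captured traffic. */
    const char line[] = "HTTP/1.1 503 Service Unavailable\r\n";
    char code[STATUS_CODE_LEN + 1];
    int rc = extract_status_code_bounded(line, sizeof line - 1, code, sizeof code);
    printf("status %d (%s)\n", rc, rc < 0 ? "rejected" : code);
    return 0;
}
```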

CVE-2021-44225

A flaw was found in keepalived where an improper authentication
vulnerability allows an unprivileged user to change properties that could
lead to an access-control bypass.


For Debian 9 stretch, these problems have been fixed in version 1:1.3.2-1+deb9u1.

We recommend that you upgrade your keepalived packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.