Bugzilla – Bug 1147137
VUL-1: CVE-2019-15522: csync2: daemon fails to enforce TLS
Last modified: 2024-07-26 21:00:10 UTC
> An issue was discovered in LINBIT csync2 through 2.0.
> The daemon accepts connections without TLS
> protection even when TLS is required by the configuration, allowing
> remote attackers to authenticate without a client certificate.
> (Attackers still need knowledge of a group key to perform sensitive
> commands.)

suggested patch: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1
Tracked all versions as affected. These are: SLE11-SP4, SLE12, SLE15
This is an autogenerated message for OBS integration: This bug (1147137) was mentioned in https://build.opensuse.org/request/show/883592 Factory / csync2
This is an autogenerated message for OBS integration: This bug (1147137) was mentioned in https://build.opensuse.org/request/show/883618 Factory / csync2
This is an autogenerated message for OBS integration: This bug (1147137) was mentioned in https://build.opensuse.org/request/show/883676 Factory / csync2
This is an autogenerated message for OBS integration: This bug (1147137) was mentioned in https://build.opensuse.org/request/show/883785 Factory / csync2
SUSE-SU-2021:1858-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1147137,1147139
CVE References: CVE-2019-15522,CVE-2019-15523
JIRA References:
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src): csync2-2.0+git.1461714863.10636a4-4.6.1
SUSE Linux Enterprise High Availability 15-SP1 (src): csync2-2.0+git.1461714863.10636a4-4.6.1
SUSE Linux Enterprise High Availability 15 (src): csync2-2.0+git.1461714863.10636a4-4.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0853-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1147137,1147139
CVE References: CVE-2019-15522,CVE-2019-15523
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): csync2-2.0+git.1461714863.10636a4-lp152.5.3.1
SUSE-SU-2021:1952-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1147137,1147139
CVE References: CVE-2019-15522,CVE-2019-15523
JIRA References:
Sources used:
SUSE Linux Enterprise High Availability 12-SP5 (src): csync2-2.0+git.1368794815.cf835a7-3.9.5
SUSE Linux Enterprise High Availability 12-SP4 (src): csync2-2.0+git.1368794815.cf835a7-3.9.5
SUSE Linux Enterprise High Availability 12-SP3 (src): csync2-2.0+git.1368794815.cf835a7-3.9.5
Fixes landed to MU. Security team, please check.
SUSE-SU-2021:14763-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1145032,1147137
CVE References: CVE-2019-15522
JIRA References:
Sources used:
SUSE Linux Enterprise High Availability Extension 11-SP4 (src): csync2-1.34-0.13.7.1