| Summary: | pacemaker new security issue CVE-2013-0281 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | ennael1, fundawang, makowski.mageia, rverschelde, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/574620/ | | |
| Whiteboard: | has_procedure mga3-32-ok mga3-64-ok advisory | | |
| Source RPM: | pacemaker-1.1.8-4.mga3.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2013-11-21 19:39:04 CET

David Walser
2013-11-21 19:39:19 CET

CC: (none) => ennael1, fundawang

The upstream patch to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=891922#c5

David Walser
2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Removing Mageia 2 from the whiteboard due to EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Advisory:
========================

Updated pacemaker packages that fix one security issue

A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base (CIB) configuration or resource management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests). (CVE-2013-0281)

References
https://www.redhat.com/security/data/cve/CVE-2013-0281.html
https://bugzilla.redhat.com/show_bug.cgi?id=891922#c5
https://bugs.mageia.org/show_bug.cgi?id=11724
========================

Updated packages in core/updates_testing:
========================
lib64lrmd1-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3
pacemaker-doc-1.1.8-4.1.mga3.noarch
pacemaker-debuginfo-1.1.8-4.1.mga3
pacemaker-cts-1.1.8-4.1.mga3
pacemaker-1.1.8-4.1.mga3
lib64cib2-1.1.8-4.1.mga3
lib64pe_rules2-1.1.8-4.1.mga3
lib64transitioner2-1.1.8-4.1.mga3
lib64crmservice1-1.1.8-4.1.mga3
lib64lrmd1-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3

from pacemaker-1.1.8-4.1.mga3.src

Freeze push asked for Mga4 Cauldron (pacemaker-1.1.8-6.mga4.src)

CC: (none) => makowski.mageia

Thanks Philippe! Just some minor adjustments to the advisory.

Advisory:
========================

Updated pacemaker packages that fix one security issue

A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base (CIB) configuration or resource management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests) (CVE-2013-0281).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0281
https://rhn.redhat.com/errata/RHSA-2013-1635.html

David Walser
2014-01-12 21:57:23 CET

Blocks: 11726 => (none)

Possible testing info here: http://clusterlabs.org/wiki/Example_configurations

Need to look into it further.

Any suggestions for testing this one?

Some duplicates in the package list so adding with a sort -u.

$ sort -u pkgs.txt
lib64cib2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64crmservice1-1.1.8-4.1.mga3
lib64lrmd1-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pe_rules2-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64transitioner2-1.1.8-4.1.mga3
pacemaker-1.1.8-4.1.mga3
pacemaker-cts-1.1.8-4.1.mga3
pacemaker-debuginfo-1.1.8-4.1.mga3
pacemaker-doc-1.1.8-4.1.mga3.noarch

Only basic testing mga3 64

Installed and updated and also installed crmsh which brought in corosync.
(Bug 12765 created for %post script borkiness for crmsh)

Copied /etc/corosync/corosync.conf.example to /etc/corosync/corosync.conf
Edited /etc/corosync/corosync.conf to add the network IP address, e.g. 192.168.1.0 if the computer is 192.168.1.64 for example.
Started corosync service followed by pacemaker service
Checked the log at /var/log/cluster/corosync.log for errors.

Tried to follow the example configuration, without much success, from http://clusterlabs.org/wiki/Example_configurations

I found it timed out with 'cib new test-conf' but at least got beyond that step with 'cib new test-conf empty'.

I'm a bit lost without digging into this further but it's quite interesting. The service starts ok and seems to talk to corosync ok so I'm happy to complete testing on mga3 64, unless there is a better test.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-64-ok

claire robinson
2014-02-14 16:38:01 CET

Whiteboard: MGA3TOO has_procedure mga3-64-ok => has_procedure mga3-64-ok

Bug 12769 created for cluster-glue using non-existent group 'nobody'.

Testing complete mga3 32 with same procedure.

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok

Validating, advisory has been uploaded.

Please push to 3 core/updates.

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0069.html

Status: NEW => RESOLVED
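The QA procedure recorded in the thread (copy the example corosync config, set the network address, start corosync then pacemaker, check the log for errors) as a script, added here and not part of the bug report. It assumes a /24 cluster network, that corosync.conf.example carries a `bindnetaddr:` line to fill in, and that the two services are started as systemd units; the sample config and log lines are constructed.

```shell
#!/bin/sh
# Scripted form of the QA procedure above (added example, not from the bug
# report). Assumes a /24 network, a "bindnetaddr:" line in the example config,
# and corosync/pacemaker as systemd units; none of this is stated in the report.

# Network address for bindnetaddr, e.g. 192.168.1.64 -> 192.168.1.0
network_for_ip() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%d.%d.%d.0\n", $1, $2, $3 }'
}

# Copy the example config, replacing whatever bindnetaddr it ships with.
# $1 = example file, $2 = network address, $3 = destination file
render_corosync_conf() {
    sed "s/^\([[:space:]]*bindnetaddr:[[:space:]]*\).*/\1$2/" "$1" > "$3"
}

# Number of log lines mentioning "error" (case-insensitive); prints 0 if none.
log_error_count() {
    grep -ci 'error' "$1" || true
}

# Constructed sample config and log so the helpers can be exercised offline.
make_samples() {
    dir=$(mktemp -d)
    printf 'totem {\n  interface {\n    bindnetaddr: 10.0.0.0\n  }\n}\n' \
        > "$dir/corosync.conf.example"
    printf '%s\n' \
        'Nov 21 19:39:04 corosync [MAIN  ] Corosync Cluster Engine started' \
        'Nov 21 19:39:06 pacemakerd: error: Could not connect to the CIB' \
        > "$dir/corosync.log"
    printf '%s\n' "$dir"
}

# The procedure itself: needs root and the packages from core/updates_testing.
# $1 = this host's IP address on the cluster network
run_procedure() {
    net=$(network_for_ip "$1")
    render_corosync_conf /etc/corosync/corosync.conf.example "$net" \
        /etc/corosync/corosync.conf
    systemctl start corosync.service
    systemctl start pacemaker.service
    echo "bindnetaddr=$net, error lines in corosync.log:" \
        "$(log_error_count /var/log/cluster/corosync.log)"
}

# Only touches the system when invoked as: sh pacemaker-qa.sh --run 192.168.1.64
if [ "${1:-}" = "--run" ]; then
    run_procedure "$2"
fi
```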