Bug 19502

Summary: pacemaker new security issue CVE-2016-7797
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Anne Nicolas <ennael1>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/705570/
Whiteboard: MGA5TOO
Source RPM: pacemaker-1.1.8-10.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-10-01 16:29:19 CEST 
A CVE has been assigned for security issue fixed upstream in pacemaker:
http://openwall.com/lists/oss-security/2016/10/01/1

The commit to fix the issue is linked in the message above.  It is also fixed in 1.1.15.
David Walser 2016-10-01 16:29:30 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2016-10-29 19:13:09 CEST 
looks like our current packages are not affected with this CVE because there isn't any file named "tls_backend.c" in source from 1.1.8 release:

https://github.com/ClusterLabs/pacemaker/commit/5ec24a2642bd0854b884d1a9b51d12371373b410

CC: (none) => geiger.david68210

Comment 2 David Walser 2016-10-29 19:27:41 CEST 
Is the affected code in another source file?  That happens sometimes.
Comment 3 David GEIGER 2016-10-29 19:37:54 CEST 
Nop, any other source files that contains this affected code.
Comment 4 David Walser 2016-10-29 19:39:10 CEST 
Cool, thanks.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 5 David Walser 2016-11-04 15:59:13 CET 
There's also CVE-2016-7035:
http://lwn.net/Vulnerabilities/705571/

which only affects versions 1.1.10 and newer:
http://openwall.com/lists/oss-security/2016/11/03/5

So we're also not affected.

URL: (none) => http://lwn.net/Vulnerabilities/705570/