| Summary: | resource-agents new security issues (unsafe tmp usage and default password) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | resource-agents-4.1.1-2.mga7.src.rpm | CVE: | |
| Status comment: | |||

Description
David Walser
2020-04-24 22:29:08 CEST

This SRPM has no registered maintainer, nor any consistent committer. Hence, assigning it globally.

Assignee: bugsquad => pkg-bugs

openSUSE has issued an advisory for this on May 2:
https://lists.opensuse.org/opensuse-updates/2020-05/msg00031.html

These issues definitely apply to us. They were fixed in this commit:
https://build.opensuse.org/request/show/798025

We should also update this and sync most of the patches from openSUSE:
https://build.opensuse.org/package/show/openSUSE:Leap:15.1:Update/resource-agents

Summary: resource-agents possible new security issues => resource-agents new security issues (unsafe tmp usage and default password)

Fixed on Cauldron by updating to latest release (4.7.0).

CC: (none) => mageia

Looks like it needs an autoreconf -fi call.

Assignee: qa-bugs => mageia

Advisory:

========================

Updated resource-agents packages fix security vulnerabilities:

Multiple vulnerabilities related to unsafe tempfile usage (bsc#1146690, bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784, bsc#1146785, bsc#1146787).

Issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

The resource-agents package has been updated to version 4.7.0, fixing these issues and several other bugs.

References:
https://lists.opensuse.org/opensuse-updates/2020-05/msg00031.html

========================

Updated packages in core/updates_testing:

========================

resource-agents-4.7.0-1.mga7
ldirectord-4.7.0-1.mga7
resource-agents-devel-4.7.0-1.mga7

from resource-agents-4.7.0-1.mga7.src.rpm

CC: (none) => geiger.david68210

Searched Bugzilla for previous updates, found none, no help there.

Tried "urpmq --whatrequires resource-agents" and came up with pacemaker. Searched for updates of pacemaker, thinking that a test of that might be a test of resource-agents. Found that previous tests had flirted around the edges, without really understanding what was going on. Hard to tell from those tests if any of them even got far enough to use any of the resource-agents.

Started to read some Pacemaker documentation online, became hopelessly lost in the first few minutes.

So, deciding that this is really beyond the scope of QA, I installed Pacemaker, which brought in, among other dependencies, resource-agents. Used QA Repo to update resource-agents, no installation issues. That is where I left it.

OKing this on the basis of a clean install. Validating. Advisory in Comment 6.

Whiteboard: (none) => MGA7-64-OK

Advisory pushed to SVN.

Source RPM: resource-agents-4.1.1-3.mga8.src.rpm => resource-agents-4.1.1-2.mga7.src.rpm

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0045.html

Resolution: (none) => FIXED