Bug 11724 - pacemaker new security issue CVE-2013-0281
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574620/
Whiteboard: has_procedure mga3-32-ok mga3-64-ok a...
Keywords: validated_update
Reported: 2013-11-21 19:39 CET by David Walser
Modified: 2014-02-14 21:57 CET

Source RPM: pacemaker-1.1.8-4.mga3.src.rpm

Description David Walser 2013-11-21 19:39:04 CET
RedHat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1635.html

Mageia 2 and Mageia 3 are also affected.

Comment 1 David Walser 2013-11-21 19:39:57 CET
The upstream patch to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=891922#c5
Comment 2 David Walser 2013-11-22 16:06:05 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Comment 3 Philippe Makowski 2014-01-12 16:18:44 CET
Advisory:
========================

Updated pacemaker packages that fix one security issue

A denial of service flaw was found in the way Pacemaker performed
authentication and processing of remote connections in certain
circumstances. When Pacemaker was configured to allow remote Cluster
Information Base (CIB) configuration or resource management, a remote
attacker could use this flaw to cause Pacemaker to block indefinitely
(preventing it from serving other requests). (CVE-2013-0281)

References
https://www.redhat.com/security/data/cve/CVE-2013-0281.html
https://bugzilla.redhat.com/show_bug.cgi?id=891922#c5
https://bugs.mageia.org/show_bug.cgi?id=11724

========================

Updated packages in core/updates_testing:
========================
lib64lrmd1-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3
pacemaker-doc-1.1.8-4.1.mga3.noarch
pacemaker-debuginfo-1.1.8-4.1.mga3
pacemaker-cts-1.1.8-4.1.mga3
pacemaker-1.1.8-4.1.mga3
lib64cib2-1.1.8-4.1.mga3
lib64pe_rules2-1.1.8-4.1.mga3
lib64transitioner2-1.1.8-4.1.mga3
lib64crmservice1-1.1.8-4.1.mga3
lib64lrmd1-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3

from pacemaker-1.1.8-4.1.mga3.src

Freeze push asked for Mga4 Cauldron (pacemaker-1.1.8-6.mga4.src)
Comment 4 David Walser 2014-01-12 16:35:47 CET
Thanks Philippe!  Just some minor adjustments to the advisory.

Advisory:
========================

Updated pacemaker packages that fix one security issue

A denial of service flaw was found in the way Pacemaker performed
authentication and processing of remote connections in certain
circumstances. When Pacemaker was configured to allow remote Cluster
Information Base (CIB) configuration or resource management, a remote
attacker could use this flaw to cause Pacemaker to block indefinitely
(preventing it from serving other requests) (CVE-2013-0281).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0281
https://rhn.redhat.com/errata/RHSA-2013-1635.html
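
Added example (not part of the bug thread, nor Mageia or Pacemaker code): a triage check for the condition the advisory names, that the flaw only matters when remote CIB access is enabled. It assumes the listeners are the `remote-tls-port` / `remote-clear-port` attributes on the `<cib>` root (Pacemaker's documented option names, not named on this page), that only positive values enable them, and it uses a simplified rpm-style version compare. The sample CIB is constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED_EVR = "1.1.8-4.1.mga3"   # fixed build from this bug's advisory
# Pacemaker's cib-element options that open a remote CIB listener (names are
# from Pacemaker's documentation, not from this page).
REMOTE_ATTRS = ("remote-tls-port", "remote-clear-port")

def _segments(part):
    """'4.1.mga3' -> [4, 1, 'mga', 3]"""
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[A-Za-z]+", part)]

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # numeric segment is newer
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Simplified rpm-style compare of 'version-release' (no epoch, no '~')."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def remote_listeners(cib_xml):
    """Return {attribute: port} for remote CIB listeners set on the <cib> root."""
    root = ET.fromstring(cib_xml)
    found = {}
    for attr in REMOTE_ATTRS:
        value = root.get(attr, "").strip()
        if value.isdigit() and int(value) > 0:   # assumption: <= 0 means disabled
            found[attr] = int(value)
    return found

def triage(installed_evr, cib_xml):
    listeners = remote_listeners(cib_xml)
    if not listeners:
        return "not-exposed", listeners
    patched = evr_cmp(installed_evr, FIXED_EVR) >= 0
    return ("exposed-patched" if patched else "exposed-vulnerable"), listeners

# Constructed sample CIB header, not taken from a real cluster.
SAMPLE_CIB = ('<cib admin_epoch="0" epoch="5" num_updates="0" '
              'remote-tls-port="1234"><configuration/></cib>')

if __name__ == "__main__":
    for evr in ("1.1.8-4.mga3", "1.1.8-4.1.mga3"):
        print(evr, triage(evr, SAMPLE_CIB))
```
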
Comment 5 claire robinson 2014-02-13 18:46:39 CET
Possible testing info here: http://clusterlabs.org/wiki/Example_configurations

Need to look into it further. Any suggestions for testing this one?
Comment 6 claire robinson 2014-02-14 14:16:20 CET
Some duplicates in the package list so adding with a sort -u.

$ sort -u pkgs.txt 
lib64cib2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64crmservice1-1.1.8-4.1.mga3
lib64lrmd1-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pe_rules2-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64transitioner2-1.1.8-4.1.mga3
pacemaker-1.1.8-4.1.mga3
pacemaker-cts-1.1.8-4.1.mga3
pacemaker-debuginfo-1.1.8-4.1.mga3
pacemaker-doc-1.1.8-4.1.mga3.noarch
Comment 7 claire robinson 2014-02-14 16:16:54 CET
Only basic testing mga3 64

Installed and updated and also installed crmsh which brought in corosync.
(Bug 12765 created for %post script borkiness for crmsh)

Copied /etc/corosync/corosync.conf.example to /etc/corosync/corosync.conf

Edited /etc/corosync/corosync.conf to add the network IP address, e.g. 192.168.1.0 if the computer is 192.168.1.64 for example.

Started corosync service followed by pacemaker service

Checked the log at /var/log/cluster/corosync.log for errors.

Tried to follow the example configuration, without much success, from
http://clusterlabs.org/wiki/Example_configurations

I found it timed out with 'cib new test-conf' but at least got beyond that step with 'cib new test-conf empty'.

I'm a bit lost without digging into this further but it's quite interesting.

The service starts ok and seems to talk to corosync ok so I'm happy complete testing on mga3 64, unless there is a better test.
Comment 8 claire robinson 2014-02-14 17:08:14 CET
Bug 12769 created for cluster-glue using non existent group 'nobody'.
Comment 9 claire robinson 2014-02-14 17:38:13 CET
Testing complete mga3 32 with same procedure.
Comment 10 Rémi Verschelde 2014-02-14 21:08:44 CET
Validating, advisory has been uploaded. Please push to 3 core/updates.
Comment 11 Thomas Backlund 2014-02-14 21:57:35 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0069.html
