RedHat has issued an advisory today (November 21): https://rhn.redhat.com/errata/RHSA-2013-1635.html
Mageia 2 and Mageia 3 are also affected.
CC: (none) => ennael1, fundawang
Whiteboard: (none) => MGA3TOO, MGA2TOO
The upstream patch to fix this is linked in the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=891922#c5
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
Advisory:
========================

Updated pacemaker packages that fix one security issue

A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base (CIB) configuration or resource management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests). (CVE-2013-0281)

References
https://www.redhat.com/security/data/cve/CVE-2013-0281.html
https://bugzilla.redhat.com/show_bug.cgi?id=891922#c5
https://bugs.mageia.org/show_bug.cgi?id=11724
========================

Updated packages in core/updates_testing:
========================
lib64lrmd1-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3
pacemaker-doc-1.1.8-4.1.mga3.noarch
pacemaker-debuginfo-1.1.8-4.1.mga3
pacemaker-cts-1.1.8-4.1.mga3
pacemaker-1.1.8-4.1.mga3
lib64cib2-1.1.8-4.1.mga3
lib64pe_rules2-1.1.8-4.1.mga3
lib64transitioner2-1.1.8-4.1.mga3
lib64crmservice1-1.1.8-4.1.mga3
lib64lrmd1-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3

from pacemaker-1.1.8-4.1.mga3.src

Freeze push asked for Mga4 Cauldron (pacemaker-1.1.8-6.mga4.src)
CC: (none) => makowski.mageia
Version: Cauldron => 3
Assignee: boklm => qa-bugs
Thanks Philippe! Just some minor adjustments to the advisory.

Advisory:
========================

Updated pacemaker packages that fix one security issue

A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base (CIB) configuration or resource management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests) (CVE-2013-0281).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0281
https://rhn.redhat.com/errata/RHSA-2013-1635.html
Blocks: 11726 => (none)
Possible testing info here: http://clusterlabs.org/wiki/Example_configurations Need to look into it further. Any suggestions for testing this one?
Some duplicates in the package list so adding with a sort -u.

$ sort -u pkgs.txt
lib64cib2-1.1.8-4.1.mga3
lib64crmcluster2-1.1.8-4.1.mga3
lib64crmcommon3-1.1.8-4.1.mga3
lib64crmservice1-1.1.8-4.1.mga3
lib64lrmd1-1.1.8-4.1.mga3
lib64pacemaker-devel-1.1.8-4.1.mga3
lib64pengine4-1.1.8-4.1.mga3
lib64pe_rules2-1.1.8-4.1.mga3
lib64pe_status4-1.1.8-4.1.mga3
lib64stonithd2-1.1.8-4.1.mga3
lib64transitioner2-1.1.8-4.1.mga3
pacemaker-1.1.8-4.1.mga3
pacemaker-cts-1.1.8-4.1.mga3
pacemaker-debuginfo-1.1.8-4.1.mga3
pacemaker-doc-1.1.8-4.1.mga3.noarch
Only basic testing mga3 64

Installed and updated and also installed crmsh which brought in corosync. (Bug 12765 created for %post script borkiness for crmsh)

Copied /etc/corosync/corosync.conf.example to /etc/corosync/corosync.conf
Edited /etc/corosync/corosync.conf to add the network IP address, e.g. 192.168.1.0 if the computer is 192.168.1.64 for example.
Started corosync service followed by pacemaker service
Checked the log at /var/log/cluster/corosync.log for errors.

Tried to follow the example configuration, without much success, from http://clusterlabs.org/wiki/Example_configurations
I found it timed out with 'cib new test-conf' but at least got beyond that step with 'cib new test-conf empty'.

I'm a bit lost without digging into this further but it's quite interesting. The service starts ok and seems to talk to corosync ok so I'm happy to complete testing on mga3 64, unless there is a better test.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-64-ok
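The configuration and log-check steps of the test procedure above, as an added shell example that is not part of the original bug report or of the pacemaker packages. The function names, the sample corosync.conf and the sample log lines are constructed for illustration, and the log check assumes severities appear as "error:" or "crit:".

```shell
#!/bin/sh
# Added example (not from the bug report): helpers for the smoke test above.

# network_addr IP MASK: print the network address to use as bindnetaddr,
# e.g. 192.168.1.64 with 255.255.255.0 gives 192.168.1.0.
network_addr() (
    IFS=.
    set -- $1 $2            # split both dotted quads into $1..$8
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
)

# set_bindnetaddr CONF ADDR: rewrite the bindnetaddr line(s) of CONF in place.
set_bindnetaddr() {
    sed "s/^\([[:space:]]*bindnetaddr:\).*/\1 $2/" "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# count_log_problems LOG: number of lines logged at error or crit severity.
# Assumption: the severity is written as "error:" or "crit:" in the log.
count_log_problems() {
    grep -Ec '[[:space:]](error|crit):' "$1" || true
}

# Constructed sample files so the example runs without a cluster installed.
work=$(mktemp -d)
cat > "$work/corosync.conf" <<'EOF'
totem {
	version: 2
	interface {
		ringnumber: 0
		bindnetaddr: 192.168.1.1
		mcastaddr: 226.94.1.1
		mcastport: 5405
	}
}
EOF
cat > "$work/corosync.log" <<'EOF'
Jan 01 10:00:01 [1201] node1 pacemakerd:   notice: main: Starting Pacemaker 1.1.8
Jan 01 10:00:02 [1203] node1        cib:     info: cib_init: Starting cib mainloop
Jan 01 10:00:05 [1203] node1        cib:    error: constructed sample error line
EOF

addr=$(network_addr 192.168.1.64 255.255.255.0)
set_bindnetaddr "$work/corosync.conf" "$addr"
echo "bindnetaddr set to $addr"
grep bindnetaddr "$work/corosync.conf"
echo "problem lines in log: $(count_log_problems "$work/corosync.log")"
```

On a test machine the same functions can be pointed at /etc/corosync/corosync.conf and /var/log/cluster/corosync.log after starting the corosync and pacemaker services.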
Whiteboard: MGA3TOO has_procedure mga3-64-ok => has_procedure mga3-64-ok
Bug 12769 created for cluster-glue using non existent group 'nobody'.
Testing complete mga3 32 with same procedure.
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok
Validating, advisory has been uploaded. Please push to 3 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0069.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED