A CVE has been assigned for a security issue fixed upstream in pacemaker: http://openwall.com/lists/oss-security/2016/10/01/1 The commit to fix the issue is linked in the message above. It is also fixed in 1.1.15.
Whiteboard: (none) => MGA5TOO
Looks like our current packages are not affected by this CVE because there isn't any file named "tls_backend.c" in the source from the 1.1.8 release: https://github.com/ClusterLabs/pacemaker/commit/5ec24a2642bd0854b884d1a9b51d12371373b410
CC: (none) => geiger.david68210
Is the affected code in another source file? That happens sometimes.
Nope, there aren't any other source files that contain this affected code.
Cool, thanks.
Status: NEW => RESOLVED
Resolution: (none) => INVALID
There's also CVE-2016-7035: http://lwn.net/Vulnerabilities/705571/ which only affects versions 1.1.10 and newer: http://openwall.com/lists/oss-security/2016/11/03/5 So we're also not affected.
URL: (none) => http://lwn.net/Vulnerabilities/705570/