Bug 26538 - resource-agents new security issues (unsafe tmp usage and default password)
Summary: resource-agents new security issues (unsafe tmp usage and default password)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-04-24 22:29 CEST by David Walser
Modified: 2021-01-19 16:41 CET (History)
5 users (show)

See Also:
Source RPM: resource-agents-4.1.1-2.mga7.src.rpm
Status comment:


Description David Walser 2020-04-24 22:29:08 CEST
SUSE has issued advisories on April 23, fixing several security issues:

If we are affected, Mageia 7 would be as well.
Comment 1 Lewis Smith 2020-04-25 09:45:29 CEST
This SRPM has no registered maintainer, nor any consistent committer. Hence, assigning it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-05-04 20:09:43 CEST
openSUSE has issued an advisory for this on May 2:
Comment 3 David Walser 2020-12-27 18:38:30 CET
These issues definitely apply to us.  They were fixed in this commit:

We should also update this and sync most of the patches from openSUSE:

Summary: resource-agents possible new security issues => resource-agents new security issues (unsafe tmp usage and default password)
Status comment: (none) => Patches available from openSUSE

Comment 4 Nicolas Lécureuil 2020-12-28 20:32:15 CET
fixed on cauldron by updating to latest release ( 4.7.0 )

CC: (none) => mageia
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2020-12-28 20:34:34 CET
Looks like it needs an autoreconf -fi call.

Assignee: qa-bugs => mageia
Status comment: Patches available from openSUSE => (none)

Comment 6 David Walser 2020-12-29 17:26:44 CET

Updated resource-agents packages fix security vulnerabilities:

Multiple vulnerabilities related to unsafe tempfile usage (bsc#1146690,
bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784, bsc#1146785,

Issues where the ocfmon user was created with a default password (bsc#1021689,

The resource-agents package has been updated to version 4.7.0, fixing these
issues and several other bugs.


Updated packages in core/updates_testing:

from resource-agents-4.7.0-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: mageia => qa-bugs

Comment 7 Thomas Andrews 2021-01-18 22:22:43 CET
Searched Bugzilla for previous updates, found none, no help there.

Tried "urpmq --whatrequires resource-agents" and came up with pacemaker. 

Searched for updates of pacemaker, thinking that a test of that might be a test of resource-agents. Found that previous tests had flirted around the edges, without really understanding what was going on. Hard to tell from those tests if any of them even got far enough to use any of the resource-agents.

Started to read some Pacemaker documentation online, became hopelessly lost in the first few minutes.

So, deciding that this is really beyond the scope of QA, I installed Pacemaker, which brought in, among other dependencies, resource-agents. Used QA Repo to update resource-agents, no installation issues. That is where I left it.

OKing this on the basis of a clean install. Validating. Advisory in Comment 6.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Aurelien Oudelet 2021-01-19 15:30:16 CET
Advisory pushed to SVN.

Source RPM: resource-agents-4.1.1-3.mga8.src.rpm => resource-agents-4.1.1-2.mga7.src.rpm
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 9 Mageia Robot 2021-01-19 16:41:33 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.