SUSE has issued advisories on April 23, fixing several security issues:
If we are affected, Mageia 7 would be as well.
This SRPM has no registered maintainer, nor any consistent committer. Hence, assigning it globally.
openSUSE has issued an advisory for this on May 2:
These issues definitely apply to us. They were fixed in this commit:
We should also update this and sync most of the patches from openSUSE:
resource-agents possible new security issues => resource-agents new security issues (unsafe tmp usage and default password)
Status comment: Patches available from openSUSE
Fixed on Cauldron by updating to the latest release (4.7.0).
Looks like it needs an autoreconf -fi call.
Patches available from openSUSE =>
Updated resource-agents packages fix security vulnerabilities:
Multiple vulnerabilities related to unsafe tempfile usage (bsc#1146690,
bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784, bsc#1146785,
Issues where the ocfmon user was created with a default password (bsc#1021689,
The resource-agents package has been updated to version 4.7.0, fixing these
issues and several other bugs.
Updated packages in core/updates_testing:
Searched Bugzilla for previous updates, found none, no help there.
Tried "urpmq --whatrequires resource-agents" and came up with pacemaker.
Searched for updates of pacemaker, thinking that a test of that might be a test of resource-agents. Found that previous tests had flirted around the edges, without really understanding what was going on. Hard to tell from those tests if any of them even got far enough to use any of the resource-agents.
Started to read some Pacemaker documentation online, became hopelessly lost in the first few minutes.
So, deciding that this is really beyond the scope of QA, I installed Pacemaker, which brought in, among other dependencies, resource-agents. Used QA Repo to update resource-agents, no installation issues. That is where I left it.
OKing this on the basis of a clean install. Validating. Advisory in Comment 6.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.