SUSE has issued advisories on April 23, fixing several security issues:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006735.html
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006736.html

If we are affected, Mageia 7 would be as well.
This SRPM has no registered maintainer, nor any consistent committer. Hence, assigning it globally.
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this on May 2: https://lists.opensuse.org/opensuse-updates/2020-05/msg00031.html
These issues definitely apply to us. They were fixed in this commit:
https://build.opensuse.org/request/show/798025

We should also update this and sync most of the patches from openSUSE:
https://build.opensuse.org/package/show/openSUSE:Leap:15.1:Update/resource-agents
Summary: resource-agents possible new security issues => resource-agents new security issues (unsafe tmp usage and default password)
Status comment: (none) => Patches available from openSUSE
Fixed on Cauldron by updating to the latest release (4.7.0).
CC: (none) => mageia
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Looks like it needs an autoreconf -fi call.
Assignee: qa-bugs => mageia
Status comment: Patches available from openSUSE => (none)
Advisory:
========================

Updated resource-agents packages fix security vulnerabilities:

Multiple vulnerabilities related to unsafe tempfile usage (bsc#1146690, bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784, bsc#1146785, bsc#1146787).

Issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

The resource-agents package has been updated to version 4.7.0, fixing these issues and several other bugs.

References:
https://lists.opensuse.org/opensuse-updates/2020-05/msg00031.html
========================

Updated packages in core/updates_testing:
========================
resource-agents-4.7.0-1.mga7
ldirectord-4.7.0-1.mga7
resource-agents-devel-4.7.0-1.mga7

from resource-agents-4.7.0-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: mageia => qa-bugs
Searched Bugzilla for previous updates, found none, no help there. Tried "urpmq --whatrequires resource-agents" and came up with pacemaker. Searched for updates of pacemaker, thinking that a test of that might be a test of resource-agents. Found that previous tests had flirted around the edges, without really understanding what was going on. Hard to tell from those tests if any of them even got far enough to use any of the resource-agents. Started to read some Pacemaker documentation online, became hopelessly lost in the first few minutes.

So, deciding that this is really beyond the scope of QA, I installed Pacemaker, which brought in, among other dependencies, resource-agents. Used QA Repo to update resource-agents, no installation issues. That is where I left it.

OKing this on the basis of a clean install. Validating. Advisory in Comment 6.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Source RPM: resource-agents-4.1.1-3.mga8.src.rpm => resource-agents-4.1.1-2.mga7.src.rpm
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0045.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED