SUSE and openSUSE have issued advisories on October 15 and 17: https://lists.suse.com/pipermail/sle-security-updates/2020-October/007579.html https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
Hi, thanks for reporting this bug. Assigned to the package maintainer, belongs to ennael. All packagers cc'd. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => ennael1
CC: (none) => pkg-bugs
Anne hasn't been active in packaging for years.
Assignee: ennael1 => pkg-bugs
CC: pkg-bugs => geiger.david68210
Status comment: (none) => Fixed in upstream git in September/October 2020
Whiteboard: (none) => MGA7TOO
new rpm in cauldron based on latest 4.2.0 git snapshot
Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
New rpm in mga7: src: crmsh-4.2.0-0.39d42c2.1.mga7
Assignee: pkg-bugs => qa-bugs
Build failed, saving advisory for later.

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive information by default (bsc#1163581).

The crmsh package has been updated to the latest git snapshot, fixing these issues and several others.

References:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
========================

Updated packages in core/updates_testing:
========================

crmsh-scripts-4.2.0-0.39d42c2.1.mga7
crmsh-test-4.2.0-0.39d42c2.1.mga7
crmsh-4.2.0-0.39d42c2.1.mga7

from crmsh-4.2.0-0.39d42c2.1.mga7.src.rpm
Assignee: qa-bugs => mageia
Status comment: Fixed in upstream git in September/October 2020 => Build failed in Mageia 7
Status comment: Build failed in Mageia 7 => (none)
Advisory and package list in Comment 5.
Assignee: mageia => qa-bugs
An additional patch needs to be applied to crmsh, see this message: https://www.openwall.com/lists/oss-security/2021/01/12/3
Summary: crmsh possible new security issues => crmsh possible new security issues (including CVE-2020-35459)
Assignee: qa-bugs => mageia
Status comment: (none) => Patch available to fix CVE-2020-35459
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
fix pushed in cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
fix pushed in mageia 7: src: crmsh-4.2.0-0.39d42c2.1.1.mga7
Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive information by default (bsc#1163581).

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges (CVE-2020-25459).

The crmsh package has been updated to the latest git snapshot, fixing these issues and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35459
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
========================

Updated packages in core/updates_testing:
========================

crmsh-scripts-4.2.0-0.39d42c2.1.1.mga7
crmsh-test-4.2.0-0.39d42c2.1.1.mga7
crmsh-4.2.0-0.39d42c2.1.1.mga7

from crmsh-4.2.0-0.39d42c2.1.1.mga7.src.rpm
(In reply to David Walser from comment #7)
> An additional patch needs to be applied to crmsh, see this message:
> https://www.openwall.com/lists/oss-security/2021/01/12/3

SUSE has issued an advisory for this on January 12:
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008178.html
openSUSE has issued an advisory for this on January 13:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKSUG2OZN3Y2FQVQ55HP5MZIQZXZ5OD6/

Adding reference to the advisory.

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive information by default (bsc#1163581).

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges (CVE-2020-25459).

The crmsh package has been updated to the latest git snapshot and patched for CVE-2020-25459, fixing these issues and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35459
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKSUG2OZN3Y2FQVQ55HP5MZIQZXZ5OD6/
No installation issues. The original crmsh installation brought in corosync and some other dependencies. Updating the packages brought in those listed above plus a couple of python3 packages.

Crmsh is supposed to be a tool to help with configuration of Pacemaker, so... Pacemaker already installed for another bug. Attempted to use the procedure in Bug 24691 to configure and start the corosync service, but failed miserably. I'm assuming that's because I misinterpreted the instructions for editing the /etc/corosync/corosync.conf file.

Undeterred, I tried to follow some commands from a link in bug 11724:
http://clusterlabs.org/wiki/Example_configurations

I didn't get very far here, either:

[root@localhost ~]# crm
crm(live/localhost.localdomain)# cib new test-conf
Signon to CIB failed: Transport endpoint is not connected
crm(live/localhost.localdomain)#

But then, as I look at Bug 11724, I see that Claire didn't get much farther with her test. At least the "crm" command seems to work OK.

That's as far as I can go with this. I'm willing to OK it on a clean install, and the single command that did work. If it needs more, I'll need some help to get there.
CC: (none) => andrewsfarm
I'm sending this on. Validating. Advisory in Comment 12.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
Advisory pushed to SVN.
CC: (none) => ouaurelien
Source RPM: crmsh-4.1.0-2.mga8.src.rpm => crmsh-3.0.3-2.mga7.src.rpm
Status comment: Patch available to fix CVE-2020-35459 => (none)
Keywords: Triaged => advisory
CVE: (none) => CVE-2020-35459
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0049.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED