From ${URL}: A denial of service flaw was found in the way Pacemaker, an advanced, scalable high-availability cluster resource manager for Linux-HA (Heartbeat) and/or Corosync, performed authentication and processing of remote connections in certain circumstances. In general Pacemaker used a blocking socket (without a timeout) to wait for authentication credentials to arrive. When Pacemaker was configured to allow remote Cluster Information Base (CIB) access (cluster configuration / cluster resource management), a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving other requests).
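The flaw described in the report is the unbounded-wait pattern: a daemon accepts a remote connection and then waits for credentials with no deadline, so a client that connects and stays silent stalls the daemon for everyone else. The C below is an added illustration of that shape next to a bounded one; it is not Pacemaker's code and not the upstream commit. The "user:password\n" credential line, the function names and the 100 ms budget are assumptions made for this example, not Pacemaker's actual remote-CIB protocol.

```c
/* Added example: the unbounded-wait pattern from the report next to a
 * bounded one. Not Pacemaker's code and not the upstream patch; the
 * "user:password\n" credential line, the function names and the
 * 100 ms budget are assumptions made for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum auth_result { AUTH_OK, AUTH_TIMEOUT, AUTH_ERROR };

/* Vulnerable shape: a single-threaded daemon accept()s a remote client
 * and then does a plain blocking read() for its credentials. A client
 * that connects and never sends anything parks the daemon on this
 * read() forever, so every other client is starved. */
ssize_t read_credentials_blocking(int fd, char *buf, size_t len)
{
    ssize_t n = read(fd, buf, len - 1);   /* no timeout anywhere */
    if (n > 0)
        buf[n] = '\0';
    return n;
}

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Hardened shape: wait on the socket with poll() against an absolute
 * deadline (so a signal interrupting poll() cannot extend the wait),
 * and drop the peer when it has not presented credentials in time.
 * The deadline turns "one silent client blocks the daemon" into
 * "one silent client is disconnected after timeout_ms". */
enum auth_result read_credentials_with_timeout(int fd, char *buf, size_t len,
                                               int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    long long deadline = now_ms() + timeout_ms;

    for (;;) {
        long long remaining = deadline - now_ms();
        if (remaining <= 0)
            return AUTH_TIMEOUT;
        int rc = poll(&pfd, 1, (int)remaining);
        if (rc > 0)
            break;                         /* readable (or hung up) */
        if (rc == 0)
            return AUTH_TIMEOUT;
        if (errno != EINTR)
            return AUTH_ERROR;             /* retry only after a signal */
    }

    ssize_t n = read(fd, buf, len - 1);
    if (n <= 0)
        return AUTH_ERROR;                 /* EOF or read failure */
    buf[n] = '\0';
    return AUTH_OK;
}

/* Demo with a socketpair standing in for the accepted connection: a
 * silent peer is cut off, a peer that sends its line is accepted. */
int main(void)
{
    int sv[2];
    char buf[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;

    enum auth_result r = read_credentials_with_timeout(sv[0], buf, sizeof buf, 100);
    printf("silent client: %s\n", r == AUTH_TIMEOUT ? "timed out, dropped" : "unexpected");

    const char *creds = "hacluster:secret\n";   /* constructed sample line */
    if (write(sv[1], creds, strlen(creds)) < 0)
        return 1;
    r = read_credentials_with_timeout(sv[0], buf, sizeof buf, 100);
    printf("talking client: %s\n", r == AUTH_OK ? "credentials received" : "unexpected");

    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The check a practitioner wants when auditing a daemon for this class of bug is the one the hardened function makes explicit: every read that depends on a remote peer's cooperation must have a deadline, and the deadline must be absolute so retries after EINTR cannot stretch it. Dropping the connection on timeout is what keeps the daemon available to the next client.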
Upstream patch: https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93
FYI I'm in discussion with upstream to get a new tag release of pacemaker which would avoid the need to patch this ourselves. <Ultrabug> meaning, this week? :p <beekhof> highly likely, I should be able to fix this soon ;)
Now 1.1.9 is tagged, builds fine but doesn't work... I'm in contact with upstream about this :(
+*pacemaker-1.1.9 (13 Mar 2013) + + 13 Mar 2013; Ultrabug <ultrabug@gentoo.org> +pacemaker-1.1.9.ebuild: + Version bump fix #457572 + NOTE that due to perm issues with newer pacemaker/libqb ACL support, you now need to add root to the haclient group if pacemaker is compiled with USE acl !
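Review bot: the requirement in the NOTE line (add root to the haclient group when built with USE=acl) only reaches people who read the ChangeLog; emit it from the ebuild as well, for instance an ewarn in pkg_postinst when the acl USE flag is set, so administrators see it at install time, and say which operations fail without it. The entry also reads "Version bump fix #457572" without naming what is fixed; state that the bump carries the upstream fix for the remote-CIB blocking-socket denial of service so a later reader does not have to open the bug.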
Are we okay to stable pacemaker-1.1.10?
(In reply to Chris Reffett from comment #5) > Are we okay to stable pacemaker-1.1.10? By all means, yes !
Arches, please test and mark stable: =sys-cluster/pacemaker-1.1.10; Target keywords: "amd64 hppa x86"
@Jeroen: why is bug 455418 a blocker for this?
(In reply to Agostino Sarubbo from comment #8) > @Jeroen: why is bug 455418 a blocker for this? Because we're being asked to stabilise sys-cluster/libdlm, which has the problem pointed out in that bug report.
CVE-2013-0281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0281): Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking).
CC back the arch teams when it is ready
All fixed, please proceed with related stabilization. I'll drop all 1.0.x versions afterwards.
Version: 1.1.12-r2 has been stabilized as part of bug #539608. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
dropped. thx. + 07 Apr 2015; Ultrabug <ultrabug@gentoo.org> -pacemaker-1.0.10.ebuild, + -pacemaker-1.0.12.ebuild, metadata.xml: + drop vulnerable wrt #457572 +
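Review bot: metadata.xml is listed among the touched files but the entry only describes the two ebuild removals; say what changed in metadata.xml so the ChangeLog covers every file the commit lists. "drop vulnerable wrt #457572" could also name the issue (CVE-2013-0281) rather than only the bug number.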
Maintainer(s), thank you for the cleanup.
GLSA Vote: No