Summary: | <sys-cluster/pacemaker-1.1.12-r2: Denial of service (CVE-2013-0281) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | cluster
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=891922 | |
Whiteboard: | B3 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 455418, 490908, 539608 | |
Bug Blocks: | | |
Description

Agostino Sarubbo
2013-02-14 18:43:39 UTC

Upstream patch: https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93

FYI I'm in discussion with upstream to get a new tag release of pacemaker which would avoid the need to patch this ourselves.
<Ultrabug> meaning, this week ? :p
<beekhof> highly likely I should be able to fix this soon ;)

Now 1.1.9 is tagged, builds fine but doesn't work... I'm in contact with upstream about this :(

+*pacemaker-1.1.9 (13 Mar 2013)
+
+  13 Mar 2013; Ultrabug <ultrabug@gentoo.org> +pacemaker-1.1.9.ebuild:
+  Version bump fix #457572

NOTE that due to perm issues with newer pacemaker/libqb ACL support, you now need to add root to the haclient group if pacemaker is compiled with USE acl !

Are we okay to stable pacemaker-1.1.10?

(In reply to Chris Reffett from comment #5)
> Are we okay to stable pacemaker-1.1.10?

By all means, yes !

Arches, please test and mark stable:
=sys-cluster/pacemaker-1.1.10
Target keywords : "amd64 hppa x86"

@Jeroen: why is bug 455418 a blocker for this?

(In reply to Agostino Sarubbo from comment #8)
> @Jeroen: why is bug 455418 a blocker for this?

Because we're being asked to stabilise sys-cluster/libdlm which has the problem pointed out in that bug report.

CVE-2013-0281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0281):
Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking).

CC back the arch teams when it is ready

All fixed, please proceed with related stabilization. I'll drop all 1.0.x versions afterwards.

Version: 1.1.12-r2 has been stabilized as part of bug #539608.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

dropped. thx.

+  07 Apr 2015; Ultrabug <ultrabug@gentoo.org> -pacemaker-1.0.10.ebuild,
+  -pacemaker-1.0.12.ebuild, metadata.xml:
+  drop vulnerable wrt #457572

Maintainer(s), thank you for cleanup.

GLSA Vote: No