An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.
Maintainers, I can't find a patch applied to crmsh in Git, so please confirm
if a newer release fixes this issue. There's also a patch at URL which might
work if not.
I dropped the older versions, only 4.2.1 is left in tree !
hmm on a second read, it seems that "through" 4.2.1 means that it's also affected right?
There's no higher release yet.
# crm node status
No module named 'parallax'
in version 4.2.1. ?