Description:
"A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs."

---
Security notices: https://wiki.clusterlabs.org/wiki/Security

Affected versions, as per security page:
- 1.1.18 to 1.1.20 resp. 2.0.1

(In reply to sam_c (Security Padawan) from comment #0)
> Description:
> "A use-after-free flaw was found in pacemaker up to and including version
> 2.0.1 which could result in certain sensitive information to be leaked via
> the system logs."
>
> ---
> Security notices: https://wiki.clusterlabs.org/wiki/Security
>
> Affected versions, as per security page:
> - 1.1.18 to 1.1.20 resp. 2.0.1

The PR (https://github.com/ClusterLabs/pacemaker/pull/1749) mentions fixes for two other CVEs (CVE-2018-16877, CVE-2018-16878). So changing description and rating based on these (see https://bugzilla.redhat.com/show_bug.cgi?id=1652646#c7).

Upstream are unclear about if .16 is affected or not (https://github.com/ClusterLabs/pacemaker/pull/1750#issuecomment-494469643).

2) CVE-2018-16877
Description:
"A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation."

3) CVE-2018-16878
Description:
"A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS"
@maintainer(s): ping, please bump
Final ping.
will do via https://github.com/gentoo/gentoo/pull/16803
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=694bc6925f5e973d4eda78d9366013dc5974a487

commit 694bc6925f5e973d4eda78d9366013dc5974a487
Author: Timo Rothenpieler <btbn@btbn.de>
AuthorDate: 2020-07-24 19:35:49 +0000
Commit: Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2020-10-21 12:58:11 +0000

    sys-cluster/pacemaker: bump for 2.0.4

    Bug: https://bugs.gentoo.org/711674
    Signed-off-by: Timo Rothenpieler <btbn@btbn.de>
    Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

 sys-cluster/pacemaker/Manifest | 1 +
 .../files/pacemaker-2.0.4-qa-warnings.patch | 16 +++++
 sys-cluster/pacemaker/pacemaker-2.0.4.ebuild | 78 ++++++++++++++++++++++
 3 files changed, 95 insertions(+)
Please stable when ready.
Sanity check failed:

> sys-cluster/pacemaker-2.0.4
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=

Sanity check failed:

> sys-cluster/pacemaker-2.0.4
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=

Unable to check for sanity:

> package masked: sys-cluster/pacemaker-2.0.4
>=1.1.21 is also not affected

from https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.21-rc1

Changes since Pacemaker-1.1.20
Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f

commit 3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:21:25 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:25 +0000

    sys-cluster/pacemaker: bump 2.0 version

    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest | 1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d50a2d60855edd7408b35062cc596e4fca7a3f1

commit 0d50a2d60855edd7408b35062cc596e4fca7a3f1
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:19:16 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:21 +0000

    sys-cluster/pacemaker: bump 1.1 version

    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Closes: https://bugs.gentoo.org/728162
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest | 1 +
 .../files/pacemaker-1.1.24-python-fixes.patch | 26 +++++++
 .../files/pacemaker-1.1.24-qa-warnings.patch | 12 ++++
 sys-cluster/pacemaker/pacemaker-1.1.24_rc1.ebuild | 80 ++++++++++++++++++++++
 4 files changed, 119 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0275c17207295dced2f8f1d68f357e443a8f2aaa

commit 0275c17207295dced2f8f1d68f357e443a8f2aaa
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-11-12 11:06:28 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-11-12 11:19:48 +0000

    package.mask: Revert last rite of sys-cluster/cluster-glue & revdeps

    As discussed with Marc Schiffbauer <mschiff@gentoo.org>.

    This reverts commit f51b83a43a70a06d93851b0fa41f7e6e993e1e6e.

    Bug #704610 of sys-cluster/cluster-glue turned out to be fixed by commit b5442dd701a9eaaf22fb92808fb0ec93f7a9f1e6 of July 2020. Vulnerable sys-cluster/pacemaker has been bumped yesterday. So the path to stabilization is no longer blocked.

    Bug: https://bugs.gentoo.org/704610
    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 profiles/base/package.use.mask | 4 ----
 profiles/package.mask | 14 --------------
 2 files changed, 18 deletions(-)
Sanity check failed:

> sys-cluster/pacemaker-2.0.4
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=

Sanity check failed:

> sys-cluster/pacemaker-2.0.5_rc1
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
All sanity-check issues have been resolved
Do we need to stabilize the 1.1.x branch too?
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a68d6fc8efca86e21615ab9aa273386e3da72e7b

commit a68d6fc8efca86e21615ab9aa273386e3da72e7b
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-17 18:59:29 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-17 18:59:42 +0000

    sys-cluster/pacemaker: remove 2.0.5_rc1

    This version was vulnerable to CVE-2020-25654, so stabilize rc3 instead

    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest | 1 -
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ------------------------
 2 files changed, 79 deletions(-)
> Traceback (most recent call last):
>   File "/usr/lib/python-exec/python3.7/tatt", line 169, in <module>
>     myJob.packageList = packageFinder.findPackages(response["cf_stabilisation_atoms"], config['arch'], get_repo_dir(config['repodir']), options.bugnum)
>   File "/usr/lib/python3.7/site-packages/tatt/packageFinder.py", line 14, in findPackages
>     output = subprocess.check_output(['nattka', '--repo', repo, 'apply', '-a', arch, '-n', bugnum, '--ignore-sanity-check', '--ignore-dependencies'])
>   File "/usr/lib/python3.7/subprocess.py", line 411, in check_output
>     **kwargs).stdout
>   File "/usr/lib/python3.7/subprocess.py", line 512, in run
>     output=stdout, stderr=stderr)
> subprocess.CalledProcessError: Command '['nattka', '--repo', '/usr/portage/', 'apply', '-a', 'x86', '-n', '711674', '--ignore-sanity-check', '--ignore-dependencies']' returned non-zero exit status 1.
ppc stable
hppa/ppc64 stable
sys-cluster/corosync which is required for this package doesn't build, bug 743841.
(In reply to Thomas Deutschmann from comment #22)
> sys-cluster/corosync which is required for this package doesn't build, bug
> 743841.

Hi Thomas, thanks for the info, I was not aware of this. I recommend stabilizing sys-cluster/corosync-2.4.5 first then and use that.
I added sys-cluster/corosync-2.4.5 to the package list as this is the minimum version in tree which is compatible with sys-cluster/libqb-2.0.1-r1
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a9a9601046177b2c80702bf4b50541bd6d198f

commit 25a9a9601046177b2c80702bf4b50541bd6d198f
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:54:15 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:07 +0000

    sys-cluster/pacemaker: bump to 1.1.24 final

    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest | 2 +-
 .../pacemaker/{pacemaker-1.1.24_rc1.ebuild => pacemaker-1.1.24.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f24402dfd6437c52f328fd4f2b4f4412e244ace

commit 8f24402dfd6437c52f328fd4f2b4f4412e244ace
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:51:43 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:04 +0000

    sys-cluster/pacemaker: bump to 2.0.5 final

    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest | 2 +-
 .../pacemaker/{pacemaker-2.0.5_rc3.ebuild => pacemaker-2.0.5.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

Unable to check for sanity:

> no match for package: sys-cluster/pacemaker-2.0.5_rc3
Pacemaker 2.0.5 has been released, package list updated
FWIU, this package has been revived. Please CC treecleaners again if the new 'maintainer' doesn't cope.
*** Bug 762988 has been marked as a duplicate of this bug. ***
amd64 done
pacemaker-1.1.16 dropped from tree, we should be good here
(In reply to Ultrabug from comment #32)
> pacemaker-1.1.16 dropped from tree, we should be good here

Thanks!
x86 stable
I dropped <pacemaker-2.0.5; I guess we're good here

I also dropped <corosync-3.1.0 FYI
Not blocking gcc anymore