Security update for crmsh SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1087-1 Final 1 1 2021-07-24T14:05:47Z current 2021-07-24T14:05:47Z 2021-07-24T14:05:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for crmsh This update for crmsh fixes the following issues: Update to version 4.3.1+20210624.67223df2: - Fix: ocfs2: Skip verifying UUID for ocfs2 device on top of raid or lvm on the join node (bsc#1187553) - Fix: history: use Path.mkdir instead of mkdir command(bsc#1179999, CVE-2020-35459) - Dev: crash_test: Add big warnings to have users' attention to potential failover(jsc#SLE-17979) - Dev: crash_test: rename preflight_check as crash_test(jsc#SLE-17979) - Fix: bootstrap: update sbd watchdog timeout when using diskless SBD with qdevice(bsc#1184465) - Dev: utils: allow configure link-local ipv6 address(bsc#1163460) - Fix: parse: shouldn't allow property setting with an empty value(bsc#1185423) - Fix: help: show help message from argparse(bsc#1175982) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1087 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VDCDHUWYXHAR4IFS55R2KWBURUA5HAL7/ E-Mail link for openSUSE-SU-2021:1087-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1163460 SUSE Bug 1163460 https://bugzilla.suse.com/1175982 SUSE Bug 1175982 https://bugzilla.suse.com/1179999 SUSE Bug 1179999 https://bugzilla.suse.com/1184465 SUSE Bug 1184465 https://bugzilla.suse.com/1185423 SUSE Bug 1185423 https://bugzilla.suse.com/1187553 SUSE Bug 1187553 https://www.suse.com/security/cve/CVE-2020-35459/ SUSE CVE CVE-2020-35459 page openSUSE Leap 15.2 crmsh-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 crmsh-scripts-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 crmsh-test-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 crmsh-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 as a component of openSUSE Leap 15.2 crmsh-scripts-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 as a component of openSUSE Leap 15.2 crmsh-test-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 as a component of openSUSE Leap 15.2 An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. CVE-2020-35459 openSUSE Leap 15.2:crmsh-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 openSUSE Leap 15.2:crmsh-scripts-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 openSUSE Leap 15.2:crmsh-test-4.3.1+20210702.4e0ee8fb-lp152.4.59.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VDCDHUWYXHAR4IFS55R2KWBURUA5HAL7/ https://www.suse.com/security/cve/CVE-2020-35459.html CVE-2020-35459 https://bugzilla.suse.com/1179999 SUSE Bug 1179999