Security update for pacemaker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2974-1 Final 1 1 2016-12-02T10:41:08Z current 2016-12-02T10:41:08Z 2016-12-02T10:41:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pacemaker This update for pacemaker fixes the following issues: - remote: Allow cluster and remote LRM API versions to diverge (bsc#1009076) - libcrmcommon: fix CVE-2016-7035 (improper IPC guarding) (bsc#1007433) - sysconfig: minor tweaks (typo, wording) - spec: more robust check for systemd being in use - spec: defines instead of some globals + error suppression - various: issues discovered via valgrind and coverity - attrd_updater: fix usage of HAVE_ATOMIC_ATTRD - crmd: cl#5185 - Record pending operations in the CIB before they are performed (bsc#1003565) - ClusterMon: fix to avoid matching other process with the same PID - mcp: improve comments for sysconfig options - remove openssl-devel and libselinux-devel as build dependencies - tools: crm_standby --version/--help should work without cluster - libpengine: only log startup-fencing warning once - pacemaker.service: do not mistakenly suggest killing fenced - libcrmcommon: report errors consistently when waiting for data on connection (bsc#986644) - remote: Correctly calculate the remaining timeouts when receiving messages (bsc#986644) - libfencing: report added node ID correctly - crm_mon: Do not call setenv with null value - pengine: Do not fence a maintenance node if it shuts down cleanly (bsc#1000743) - ping: Avoid temporary files for fping check (bsc#987348) - all: clarify licensing and copyrights - crmd: Resend the shutdown request if the DC forgets - ping: Avoid temp files in fping_check (bsc#987348) - crmd: Ensure the R_SHUTDOWN is set whenever we ask the DC to shut us down - crmd: clear remote node operation history only when it comes up - libcib,libfencing,libtransition: handle memory allocation errors without CRM_CHECK() - tools: make crm_mon XML schema handle resources with multiple active - pengine: set OCF_RESKEY_CRM_meta_notify_active_* for multistate resources - pengine: avoid null dereference in new same-node ordering option - lrmd,libcluster: ensure g_hash_table_foreach() is never passed a null table - crmd: don't log warning if abort_unless_down() can't find down event - lib: Correction of the deletion of the notice registration. - stonithd: Correction of the wrong connection process name. - crmd: Keep a state of LRMD in the DC node latest. - pengine: avoid transition loop for start-then-stop + unfencing - libpengine: allow pe_order_same_node option for constraints - cts: Restart systemd-journald with 'systemctl restart systemd-journald.socket' (bsc#995365) - libcrmcommon: properly handle XML comments when comparing v2 patchset diffs - crmd: don't abort transitions for CIB comment changes - libcrmcommon: log XML comments correctly - libcrmcommon: remove extraneous format specifier from log message - remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388, bsc#1002767, CVE-2016-7797) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-HA-12-SP1-2016-1742,SUSE-SLE-SDK-12-SP1-2016-1742 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162974-1/ Link for SUSE-SU-2016:2974-1 https://lists.suse.com/pipermail/sle-security-updates/2016-December/002437.html E-Mail link for SUSE-SU-2016:2974-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1000743 SUSE Bug 1000743 https://bugzilla.suse.com/1002767 SUSE Bug 1002767 https://bugzilla.suse.com/1003565 SUSE Bug 1003565 https://bugzilla.suse.com/1007433 SUSE Bug 1007433 https://bugzilla.suse.com/1009076 SUSE Bug 1009076 https://bugzilla.suse.com/967388 SUSE Bug 967388 https://bugzilla.suse.com/986644 SUSE Bug 986644 https://bugzilla.suse.com/987348 SUSE Bug 987348 https://bugzilla.suse.com/995365 SUSE Bug 995365 https://www.suse.com/security/cve/CVE-2016-7035/ SUSE CVE CVE-2016-7035 page https://www.suse.com/security/cve/CVE-2016-7797/ SUSE CVE CVE-2016-7797 page SUSE Linux Enterprise High Availability Extension 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP1 libpacemaker3-1.1.13-20.1 pacemaker-1.1.13-20.1 pacemaker-cli-1.1.13-20.1 pacemaker-cts-1.1.13-20.1 pacemaker-remote-1.1.13-20.1 libpacemaker-devel-1.1.13-20.1 libpacemaker3-1.1.13-20.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP1 pacemaker-1.1.13-20.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP1 pacemaker-cli-1.1.13-20.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP1 pacemaker-cts-1.1.13-20.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP1 pacemaker-remote-1.1.13-20.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP1 libpacemaker-devel-1.1.13-20.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 pacemaker-cts-1.1.13-20.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. CVE-2016-7035 SUSE Linux Enterprise High Availability Extension 12 SP1:libpacemaker3-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-cli-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-cts-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-remote-1.1.13-20.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libpacemaker-devel-1.1.13-20.1 SUSE Linux Enterprise Software Development Kit 12 SP1:pacemaker-cts-1.1.13-20.1 moderate 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162974-1/ https://www.suse.com/security/cve/CVE-2016-7035.html CVE-2016-7035 https://bugzilla.suse.com/1007433 SUSE Bug 1007433 Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection. CVE-2016-7797 SUSE Linux Enterprise High Availability Extension 12 SP1:libpacemaker3-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-cli-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-cts-1.1.13-20.1 SUSE Linux Enterprise High Availability Extension 12 SP1:pacemaker-remote-1.1.13-20.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libpacemaker-devel-1.1.13-20.1 SUSE Linux Enterprise Software Development Kit 12 SP1:pacemaker-cts-1.1.13-20.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162974-1/ https://www.suse.com/security/cve/CVE-2016-7797.html CVE-2016-7797 https://bugzilla.suse.com/1002767 SUSE Bug 1002767