Security update for pacemaker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:3094-1 Final 1 1 2020-10-29T15:44:12Z current 2020-10-29T15:44:12Z 2020-10-29T15:44:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pacemaker This update for pacemaker fixes the following issues: - attrd: handle shutdown more cleanly (bsc#1173668) - executor: restrict certain IPC requests to Pacemaker daemons (CVE-2020-25654, bsc#1177916) - extra: quote shell variables in agent code where appropriate (bsc#1175557) - fencer: restrict certain IPC requests to privileged users (CVE-2020-25654, bsc#1177916) - Fixes for %_libexecdir changing to /usr/libexec - pacemakerd: ignore shutdown requests from unprivileged users (CVE-2020-25654, bsc#1177916) - resources: use ocf_is_true in SysInfo - rpm: use the user/group ID 90 for haclient/hacluster to be consistent with cluster-glue (bsc#1167171) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-3094,SUSE-SLE-HA-12-SP3-2020-3094 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20203094-1/ Link for SUSE-SU-2020:3094-1 https://lists.suse.com/pipermail/sle-security-updates/2020-October/007674.html E-Mail link for SUSE-SU-2020:3094-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1167171 SUSE Bug 1167171 https://bugzilla.suse.com/1173668 SUSE Bug 1173668 https://bugzilla.suse.com/1175557 SUSE Bug 1175557 https://bugzilla.suse.com/1177916 SUSE Bug 1177916 https://www.suse.com/security/cve/CVE-2020-25654/ SUSE CVE CVE-2020-25654 page SUSE Linux Enterprise High Availability Extension 12 SP3 libpacemaker-devel-1.1.16-6.23.1 libpacemaker3-1.1.16-6.23.1 pacemaker-1.1.16-6.23.1 pacemaker-cli-1.1.16-6.23.1 pacemaker-cts-1.1.16-6.23.1 pacemaker-remote-1.1.16-6.23.1 libpacemaker3-1.1.16-6.23.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 pacemaker-1.1.16-6.23.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 pacemaker-cli-1.1.16-6.23.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 pacemaker-cts-1.1.16-6.23.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 pacemaker-remote-1.1.16-6.23.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. CVE-2020-25654 SUSE Linux Enterprise High Availability Extension 12 SP3:libpacemaker3-1.1.16-6.23.1 SUSE Linux Enterprise High Availability Extension 12 SP3:pacemaker-1.1.16-6.23.1 SUSE Linux Enterprise High Availability Extension 12 SP3:pacemaker-cli-1.1.16-6.23.1 SUSE Linux Enterprise High Availability Extension 12 SP3:pacemaker-cts-1.1.16-6.23.1 SUSE Linux Enterprise High Availability Extension 12 SP3:pacemaker-remote-1.1.16-6.23.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203094-1/ https://www.suse.com/security/cve/CVE-2020-25654.html CVE-2020-25654 https://bugzilla.suse.com/1173668 SUSE Bug 1173668 https://bugzilla.suse.com/1177916 SUSE Bug 1177916 https://bugzilla.suse.com/1196165 SUSE Bug 1196165