Описание
Security update for pacemaker
This update for pacemaker fixes the following issues:
-
remote: Allow cluster and remote LRM API versions to diverge (bsc#1009076)
-
libcrmcommon: fix CVE-2016-7035 (improper IPC guarding) (bsc#1007433)
-
sysconfig: minor tweaks (typo, wording)
-
spec: more robust check for systemd being in use
-
spec: defines instead of some globals + error suppression
-
various: issues discovered via valgrind and coverity
-
attrd_updater: fix usage of HAVE_ATOMIC_ATTRD
-
crmd: cl#5185 - Record pending operations in the CIB before they are performed (bsc#1003565)
-
ClusterMon: fix to avoid matching other process with the same PID
-
mcp: improve comments for sysconfig options
-
remove openssl-devel and libselinux-devel as build dependencies
-
tools: crm_standby --version/--help should work without cluster
-
libpengine: only log startup-fencing warning once
-
pacemaker.service: do not mistakenly suggest killing fenced
-
libcrmcommon: report errors consistently when waiting for data on connection (bsc#986644)
-
remote: Correctly calculate the remaining timeouts when receiving messages (bsc#986644)
-
libfencing: report added node ID correctly
-
crm_mon: Do not call setenv with null value
-
pengine: Do not fence a maintenance node if it shuts down cleanly (bsc#1000743)
-
ping: Avoid temporary files for fping check (bsc#987348)
-
all: clarify licensing and copyrights
-
crmd: Resend the shutdown request if the DC forgets
-
ping: Avoid temp files in fping_check (bsc#987348)
-
crmd: Ensure the R_SHUTDOWN is set whenever we ask the DC to shut us down
-
crmd: clear remote node operation history only when it comes up
-
libcib,libfencing,libtransition: handle memory allocation errors without CRM_CHECK()
-
tools: make crm_mon XML schema handle resources with multiple active
-
pengine: set OCF_RESKEY_CRM_meta_notify_active_* for multistate resources
-
pengine: avoid null dereference in new same-node ordering option
-
lrmd,libcluster: ensure g_hash_table_foreach() is never passed a null table
-
crmd: don't log warning if abort_unless_down() can't find down event
-
lib: Correction of the deletion of the notice registration.
-
stonithd: Correction of the wrong connection process name.
-
crmd: Keep a state of LRMD in the DC node latest.
-
pengine: avoid transition loop for start-then-stop + unfencing
-
libpengine: allow pe_order_same_node option for constraints
-
cts: Restart systemd-journald with 'systemctl restart systemd-journald.socket' (bsc#995365)
-
libcrmcommon: properly handle XML comments when comparing v2 patchset diffs
-
crmd: don't abort transitions for CIB comment changes
-
libcrmcommon: log XML comments correctly
-
libcrmcommon: remove extraneous format specifier from log message
-
remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388, bsc#1002767, CVE-2016-7797)
Список пакетов
SUSE Linux Enterprise High Availability Extension 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP1
Ссылки
- Link for SUSE-SU-2016:2974-1
- E-Mail link for SUSE-SU-2016:2974-1
- SUSE Security Ratings
- SUSE Bug 1000743
- SUSE Bug 1002767
- SUSE Bug 1003565
- SUSE Bug 1007433
- SUSE Bug 1009076
- SUSE Bug 967388
- SUSE Bug 986644
- SUSE Bug 987348
- SUSE Bug 995365
- SUSE CVE CVE-2016-7035 page
- SUSE CVE CVE-2016-7797 page
Описание
An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
Затронутые продукты
Ссылки
- CVE-2016-7035
- SUSE Bug 1007433
Описание
Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection.
Затронутые продукты
Ссылки
- CVE-2016-7797
- SUSE Bug 1002767