CentOS ProjectCESA-2015:1424pacemaker security update
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.01 Low
EPSS
Percentile
83.5%
CentOS Errata and Security Advisory CESA-2015:1424
The Pacemaker Resource Manager is a collection of technologies working
together to provide data integrity and the ability to maintain application
availability in the event of a failure.
A flaw was found in the way pacemaker, a cluster resource manager,
evaluated added nodes in certain situations. A user with read-only access
could potentially assign any other existing roles to themselves and then
add privileges to other users as well. (CVE-2015-1867)
This update also fixes the following bugs:
-
Due to a race condition, nodes that gracefully shut down occasionally had
difficulty rejoining the cluster. As a consequence, nodes could come online
and be shut down again immediately by the cluster. This bug has been fixed,
and the “shutdown” attribute is now cleared properly. (BZ#1198638) -
Prior to this update, the pacemaker utility caused an unexpected
termination of the attrd daemon after a system update to Red Hat Enterprise
Linux 6.6. The bug has been fixed so that attrd no longer crashes when
pacemaker starts. (BZ#1205292) -
Previously, the access control list (ACL) of the pacemaker utility
allowed a role assignment to the Cluster Information Base (CIB) with a
read-only permission. With this update, ACL is enforced and can no longer
be bypassed by the user without the write permission, thus fixing this bug.
(BZ#1207621) -
Prior to this update, the ClusterMon (crm_mon) utility did not trigger an
external agent script with the “-E” parameter to monitor the Cluster
Information Base (CIB) when the pacemaker utility was used. A patch has
been provided to fix this bug, and crm_mon now calls the agent script when
the “-E” parameter is used. (BZ#1208896)
Users of pacemaker are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2015-July/028304.html
Affected packages:
pacemaker
pacemaker-cli
pacemaker-cluster-libs
pacemaker-cts
pacemaker-doc
pacemaker-libs
pacemaker-libs-devel
pacemaker-remote
Upstream details at:
https://access.redhat.com/errata/RHSA-2015:1424
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| CentOS | 6 | i686 | pacemaker | < 1.1.12-8.el6 | pacemaker-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-cli | < 1.1.12-8.el6 | pacemaker-cli-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-cluster-libs | < 1.1.12-8.el6 | pacemaker-cluster-libs-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-cts | < 1.1.12-8.el6 | pacemaker-cts-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-doc | < 1.1.12-8.el6 | pacemaker-doc-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-libs | < 1.1.12-8.el6 | pacemaker-libs-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-libs-devel | < 1.1.12-8.el6 | pacemaker-libs-devel-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | i686 | pacemaker-remote | < 1.1.12-8.el6 | pacemaker-remote-1.1.12-8.el6.i686.rpm |
| CentOS | 6 | x86_64 | pacemaker | < 1.1.12-8.el6 | pacemaker-1.1.12-8.el6.x86_64.rpm |
| CentOS | 6 | x86_64 | pacemaker-cli | < 1.1.12-8.el6 | pacemaker-cli-1.1.12-8.el6.x86_64.rpm |
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.01 Low
EPSS
Percentile
83.5%