pacemaker: CVE-2013-0281

Debian Bug report logs - #700923
pacemaker: CVE-2013-0281

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pacemaker: CVE-2013-0281

Date: Tue, 19 Feb 2013 12:35:43 +0100

Package: pacemaker
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281 for details
and a link to the upstream fix.

Due to the Wheezy freeze please apply a minimal fix and request an unblock with
the release managers.

Cheers,
        Moritz

Message #10 received at 700923@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 700923@bugs.debian.org

Subject: Re: [Secure-testing-team] Bug#700923: pacemaker: CVE-2013-0281

Date: Fri, 01 Mar 2013 23:36:13 +0100

[Message part 1 (text/plain, inline)]

On mar., 2013-02-19 at 12:35 +0100, Moritz Muehlenhoff wrote:
> Package: pacemaker
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281 for details
> and a link to the upstream fix.
> 
> Due to the Wheezy freeze please apply a minimal fix and request an unblock with
> the release managers.
> 

Hi Moritz and HA packagers,

I took a look at this one, Red Hat bug links to the following commit:
https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93 which has:

> commit 564f7cc2a51dcd2f28ab12a13394f31be5aa3c93
> Author: David Vossel <dvossel@redhat.com>
> Date:   Sat Jan 5 00:19:59 2013 -0600
> 
>     High: core: Internal tls api improvements for reuse with future LRMD tls bac
> 
>  cib/callbacks.c        |   13 +-
>  cib/callbacks.h        |    6 +-
>  cib/notify.c           |    2 +-
>  cib/remote.c           |  326 ++++++++++++++--------
>  include/crm_internal.h |   36 ++-
>  lib/cib/cib_remote.c   |  290 ++++++++++---------
>  lib/common/mainloop.c  |    1 +
>  lib/common/remote.c    |  723 ++++++++++++++++++++++++++++++++++++------------
>  tools/crm_mon.c        |    2 +-
>  9 files changed, 939 insertions(+), 460 deletions(-)
> 
I'm not quite sure something like that can really be accepted by the
release team at that point…

I have no idea if it's possible to only pick the timeout-related
changes, maybe asking upstream would help on this.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 700923@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 700923@bugs.debian.org

Subject: Re: [Secure-testing-team] Bug#700923: pacemaker: CVE-2013-0281

Date: Sat, 2 Mar 2013 12:25:21 +0100

[Message part 1 (text/plain, inline)]

severity 700923 important
thanks

Hi,

I find it unlikely that in serious deployments remote cib management would be 
enabled for untrusted connections. This kind of management usually happens 
over separate networks or is appropriately guarded by other controls. And 
where not, the worst result is a DoS which gets immediately noticed and is 
quickly fixable by adding said controls or disabling remote management.

I believe this to be a low-risk issue and therefore don't think we need to 
issue a DSA for it. If a straightforward patch should surface, it can and 
should be fixed in a spu and for wheezy.


Cheers,
Thijs

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 700923@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 700923@bugs.debian.org

Cc: thijs@debian.org

Subject: Re: Bug#700923: pacemaker: CVE-2013-0281

Date: Wed, 7 Aug 2013 15:52:36 +0200

Hi Martin,

On Tue, Feb 19, 2013 at 12:35:43PM +0100, Moritz Muehlenhoff wrote:
> Package: pacemaker
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281 for details
> and a link to the upstream fix.

It looks that the referenced commit was applied/is contained in
1.1.10-1 uploaded to unstable. Was this bugreport forgotten to close?
Or have I overseen something regarding the commit?

Thanks in advance,

Regards,
Salvatore

Message #27 received at 700923-close@bugs.debian.org (full text, mbox, reply):

From: Ferenc Wágner <wferi@niif.hu>

To: 700923-close@bugs.debian.org

Subject: Bug#700923: fixed in pacemaker 1.1.13-1

Date: Mon, 04 Jan 2016 12:02:19 +0000

Source: pacemaker
Source-Version: 1.1.13-1

We believe that the bug you reported is fixed in the latest version of
pacemaker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <wferi@niif.hu> (supplier of updated pacemaker package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Dec 2015 23:16:27 +0100
Source: pacemaker
Binary: pacemaker pacemaker-cli-utils pacemaker-remote pacemaker-dbg pacemaker-doc libcib4 libcib-dev libcrmcluster4 libcrmcluster-dev libcrmcommon3 libcrmcommon-dev libcrmservice3 libcrmservice-dev liblrmd1 liblrmd-dev libpe-rules2 libpe-status4 libpengine4 libpengine-dev libstonithd2 libstonithd-dev libtransitioner2
Architecture: source amd64 all
Version: 1.1.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@niif.hu>
Description:
 libcib-dev - Development file for pacemaker's cib library
 libcib4    - Pacemaker libraries - CIB
 libcrmcluster-dev - Development file for pacemaker's crm library
 libcrmcluster4 - Pacemaker libraries - CRM
 libcrmcommon-dev - Development file for pacemaker's common library
 libcrmcommon3 - Pacemaker libraries - common CRM
 libcrmservice-dev - Development file for pacemaker's crmservice library
 libcrmservice3 - Pacemaker libraries - crmservice
 liblrmd-dev - Development file for pacemaker's lrmd library
 liblrmd1   - Pacemaker libraries - lrmd
 libpe-rules2 - Pacemaker libraries - rules for P-Engine
 libpe-status4 - Pacemaker libraries - status for P-Engine
 libpengine-dev - Development file for pacemaker's pengine library
 libpengine4 - Pacemaker libraries - P-Engine
 libstonithd-dev - Development file for pacemaker's stonith library
 libstonithd2 - Pacemaker libraries - stonith
 libtransitioner2 - Pacemaker libraries - transitioner
 pacemaker  - HA cluster resource manager
 pacemaker-cli-utils - Command line interface utilities for Pacemaker
 pacemaker-dbg - Debugging symbols for Pacemaker
 pacemaker-doc - Pacemaker HTML documentation
 pacemaker-remote - Pacemaker add-on to control virtualized services
Closes: 630719 633963 665591 686342 700923 705191 728431 739731 740324 757514 768618 768922
Changes:
 pacemaker (1.1.13-1) unstable; urgency=medium
 .
   * New upstream version, full repackaging
     (Closes: #633963, #665591, #686342, #700923, #705191, #728431,
              #739731, #757514, #768618, #768922)
   * New patch Library-options-go-into-Libs-not-Cflags.patch
   * Add several patches fixing various typos found by Lintian
   * The upstream init scripts did not trigger dh_installinit
   * New patch Fix-typos-dependan-cies-t-dependen-cies-t.patch
   * Also build the books
   * New patch Don-t-create-doc-775-the-intent-was-setting-the-mode.patch
   * New patch hb2openais-was-removed-by-c2344c9-kill-its-documenta.patch
   * Add Build-Depends-Package info to symbols files
   * generate_location_rule was an inadvertent export, OK to miss it
   * Fill out dependencies of pacemaker-dbg
   * Demote cluster-glue and crmsh | pcs to Suggests
   * The doc-base Files fields don't take directories
   * We do not install CTS Python files, so no need to remove them
     (Closes: #630719)
   * Reproduce the empty directories created by the upstream install target
     (Closes: #740324)
   * Get rid of an adduser warning on install
   * Do not enable crm_mon.service
   * New patch Fix-typo-OPSTIONS-OPTIONS.patch
   * Add my copyright to files under debian/
   * Remove easily regenerated cruft from debian/rules
   * Version 1.23 of init-system-helpers does not start disabled services
   * Recommend fence-agents, they are needed for most clusters
   * New patch Restarting-pacemaker-adds-confusion-only.patch
   * New patch Use-the-clusterlabs-Publican-brand-for-building-the-.patch
   * The books are under CC-BY-SA-3
   * New patch Enable-redirecting-etc-init.d-script-calls-to-system.patch
   * New patch Fix-typo-isnt-isn-t.patch
   * New patch Fix-typo-doesnt-doesn-t.patch
   * New patch Libraries-go-after-linker-flags.patch
   * Use autoreconf almost like autogen.sh
   * New patch Clean-up-generated-files.patch
   * Clean the Doxygen documentation
   * Upload to unstable
Checksums-Sha1:
 a7e09b754c96605f818e662befa00f258ea75c7b 3842 pacemaker_1.1.13-1.dsc
 ad512988e5c09ffaace0cfbd47bb5a22d826825c 10708999 pacemaker_1.1.13.orig.tar.gz
 6edd3151e3890b6c58b3f91540e7b1eb545bfe1d 53524 pacemaker_1.1.13-1.debian.tar.xz
 7ddc8e17db22742d972d99f60462a7886457de2a 77318 libcib-dev_1.1.13-1_amd64.deb
 868a2204d098625626754bd8396eb65e554571ef 117506 libcib4_1.1.13-1_amd64.deb
 066b58c9dd2e8abce7e5df7b65295b55306a7dab 77470 libcrmcluster-dev_1.1.13-1_amd64.deb
 55f32ed2b530c8d8b4ac2c134050a6e00f2fb171 105986 libcrmcluster4_1.1.13-1_amd64.deb
 5b3c276b2a451acbf3cf6d42855f244d504157e6 92228 libcrmcommon-dev_1.1.13-1_amd64.deb
 829caca4b77dfc29b18222f79f4d7a1e6a6638f6 201174 libcrmcommon3_1.1.13-1_amd64.deb
 ad2d98a444c7392c94f7c8220ff064951090b861 78742 libcrmservice-dev_1.1.13-1_amd64.deb
 d87b6c08604fea7c365569bd17ea16368199d2ab 102178 libcrmservice3_1.1.13-1_amd64.deb
 d12563876ff7ee284da55e6ce43eed08bad76ed8 79228 liblrmd-dev_1.1.13-1_amd64.deb
 a2f21e195926c02beb845249baade60f4b858f0b 92504 liblrmd1_1.1.13-1_amd64.deb
 e1019607093e35417352838c7916c36417416ae9 88532 libpe-rules2_1.1.13-1_amd64.deb
 1dd339e0aabed6b00bc865fbe4e8de1e848542b9 164864 libpe-status4_1.1.13-1_amd64.deb
 f26474859efd04854e1b59e2c8ba006b583b1e7d 80562 libpengine-dev_1.1.13-1_amd64.deb
 73c403e17e7b11466df20e7cd64384b5b9ad019f 205530 libpengine4_1.1.13-1_amd64.deb
 e6d2716a1e4d530ec819fa26b161ee395d09b1ac 78204 libstonithd-dev_1.1.13-1_amd64.deb
 2db3380e8e70c881ce8b1db5bc7e00e0916cf4fa 98294 libstonithd2_1.1.13-1_amd64.deb
 c9e8b283a851d9ebca0f6d4601348454ace10113 86572 libtransitioner2_1.1.13-1_amd64.deb
 e20964f445b93da97bcbada743d9a17b5c91f19b 214860 pacemaker-cli-utils_1.1.13-1_amd64.deb
 43667add4cf3ee95d5492978cd7ac28d98767e51 2359858 pacemaker-dbg_1.1.13-1_amd64.deb
 c8e615ae63d2edd28c9c626b40497f790d450994 36808492 pacemaker-doc_1.1.13-1_all.deb
 40574c11c1ec117703d8c1c0d261fe1d9fa6955c 101260 pacemaker-remote_1.1.13-1_amd64.deb
 6ee0dd1bb6eb793b8fb12f9e8a631715a0cbd214 442258 pacemaker_1.1.13-1_amd64.deb
Checksums-Sha256:
 139c99cbc0e1567add5cc1a4c4be4ed4791ff3eba27d7ef6ca6375db057e4100 3842 pacemaker_1.1.13-1.dsc
 dedeb27ac6e44cec25917802b701c7b60e00e64b6304f42c885fcb923866fc3a 10708999 pacemaker_1.1.13.orig.tar.gz
 c1afbf68afffa27c3a5cdabdb7020cb94c8bade1154884e48b82de2f9a2d74be 53524 pacemaker_1.1.13-1.debian.tar.xz
 3e0de9ea7543e787298a5af3392d2b70910267fbd26790f62e949a09e7ee8df7 77318 libcib-dev_1.1.13-1_amd64.deb
 f8cb161b8d0686b4d5de6537d60ee45c7e01348efc0014b88867b59ad4448511 117506 libcib4_1.1.13-1_amd64.deb
 212b68101aced3685c1089a832d1014a4649c4bc7871a6eee0c343310a475aa7 77470 libcrmcluster-dev_1.1.13-1_amd64.deb
 d75895ffe93d35824e4732d3442b4f18a1db58695a45b3dd131152a5e23e932f 105986 libcrmcluster4_1.1.13-1_amd64.deb
 debb53db70c0c56ac7e448a20c523f91f6695761a7c811e41201c781b27b63fa 92228 libcrmcommon-dev_1.1.13-1_amd64.deb
 fe15ffe741fefe1704fd03c07924f38aa226fb9c2676eccd5217d7494a798423 201174 libcrmcommon3_1.1.13-1_amd64.deb
 a1e0ee920e91e0e8675cf7c7416341fa7e0ea90ed7d5acda34f628b7abfd0f30 78742 libcrmservice-dev_1.1.13-1_amd64.deb
 6694b196fb46cae151bdb950fc6b80795ed8e61cb1875cfc32628c193b17bdd5 102178 libcrmservice3_1.1.13-1_amd64.deb
 2c2ba0e0684ba3268fca155c10f71c590dfdd99de403b970332cba50ba316af1 79228 liblrmd-dev_1.1.13-1_amd64.deb
 491c0d55ccfab7ca5818134d5fa7bec4e3c74392f95822d9e54eede87f54f333 92504 liblrmd1_1.1.13-1_amd64.deb
 0ebb612eea71a85f23155f07ad2befe5253f4b656f2dbab1180e0d8e4e4035e0 88532 libpe-rules2_1.1.13-1_amd64.deb
 aad13ae4e8334f1787a967b4a2b4df8549978c67cbed611b3a452ac64b29ee12 164864 libpe-status4_1.1.13-1_amd64.deb
 c1581ff0ad56760ec14f8df88f7219782be0c287d69da2f3d1d48e51dac9e21b 80562 libpengine-dev_1.1.13-1_amd64.deb
 b08d30d1aa659dee923c5e1538b12617d88ab77534bef9af791b7206c17ac3d9 205530 libpengine4_1.1.13-1_amd64.deb
 12dc6a2ae8dcf190f432c534aa768151bbf0e710c7dd51bc03bb9f8ea7cd9292 78204 libstonithd-dev_1.1.13-1_amd64.deb
 25410a6d8d2c2e5433e92ab91d6d0077ea4e14804a088a80b2ee85c972e19067 98294 libstonithd2_1.1.13-1_amd64.deb
 42d9d375db903567a6cc198fb59a29ed0ff967851634e51d60f8c6a223e8b4dd 86572 libtransitioner2_1.1.13-1_amd64.deb
 31e8eb8e41333301244eb7533658e576f07efb0ee15dbb01fea9e8b4c9a7ebf6 214860 pacemaker-cli-utils_1.1.13-1_amd64.deb
 014ba5c4f70214d433a20c61d2cd23d8e3a8169973c64bb8ab65101b5ed6a32e 2359858 pacemaker-dbg_1.1.13-1_amd64.deb
 e38cbbc803e6cb0a502cc9f41fbe509597f3db4a2d97197f21a7d353743882ed 36808492 pacemaker-doc_1.1.13-1_all.deb
 10d60ed389aac11df52d1a6760a466a43f31b3e201d759a545e502ccc5b57f4b 101260 pacemaker-remote_1.1.13-1_amd64.deb
 907fda96d2342d35d4a8c6462c8149deb80d84988d88c3a88b3e68b12132db52 442258 pacemaker_1.1.13-1_amd64.deb
Files:
 e7596619dedfd78c99bd29928f36b913 3842 admin optional pacemaker_1.1.13-1.dsc
 219a1b5864013101dae3f9977f342b87 10708999 admin optional pacemaker_1.1.13.orig.tar.gz
 9b68b23ad7127bc45e5e10ed08b78443 53524 admin optional pacemaker_1.1.13-1.debian.tar.xz
 13ac5b19f11b4a8264dda5f5be6fb9af 77318 libdevel optional libcib-dev_1.1.13-1_amd64.deb
 fc5ebbf725e82e9cb59ff5aefbf0fa1e 117506 libs optional libcib4_1.1.13-1_amd64.deb
 d39f51e14ec014ca43c0f2551685455a 77470 libdevel optional libcrmcluster-dev_1.1.13-1_amd64.deb
 d5c967dd109beee601abb1a991b470e4 105986 libs optional libcrmcluster4_1.1.13-1_amd64.deb
 512c537e15f526630b2518c7c405e3de 92228 libdevel optional libcrmcommon-dev_1.1.13-1_amd64.deb
 99828e9d3350582dd0676ba3339d7afe 201174 libs optional libcrmcommon3_1.1.13-1_amd64.deb
 f056908430e789d77d74a57b3c8e4fbe 78742 libdevel optional libcrmservice-dev_1.1.13-1_amd64.deb
 d0e08499e298140b0d02035e7dcfd4cc 102178 libs optional libcrmservice3_1.1.13-1_amd64.deb
 01a9abe9bb7f83734bc43ffac74f53af 79228 libdevel optional liblrmd-dev_1.1.13-1_amd64.deb
 62c1412ffd32995111775596fe75fd21 92504 libs optional liblrmd1_1.1.13-1_amd64.deb
 0fae5fa5e94cedd929bcf460020a1a30 88532 libs optional libpe-rules2_1.1.13-1_amd64.deb
 3ba5f0667bf0a05735185e45ee1c99c3 164864 libs optional libpe-status4_1.1.13-1_amd64.deb
 3516cc6d18a43714f8ee6309e3bcb5d2 80562 libdevel optional libpengine-dev_1.1.13-1_amd64.deb
 b1afca875ba86e31c71f4b1fbf0e9930 205530 libs optional libpengine4_1.1.13-1_amd64.deb
 d09f3af3bf5a4b7915e52c1d52f3e2e9 78204 libdevel optional libstonithd-dev_1.1.13-1_amd64.deb
 606f19f4d7d88301f6093f753b4ed955 98294 libs optional libstonithd2_1.1.13-1_amd64.deb
 b706b809c4167faa6e5fff17ad922c9f 86572 libs optional libtransitioner2_1.1.13-1_amd64.deb
 9f64340096f927e62e549e934bff5e28 214860 admin optional pacemaker-cli-utils_1.1.13-1_amd64.deb
 8d0721414f8e02e673ad6015273ac23d 2359858 debug extra pacemaker-dbg_1.1.13-1_amd64.deb
 aed7ca6369e17fa530b1bfcd011d1243 36808492 doc optional pacemaker-doc_1.1.13-1_all.deb
 0ccd63220e3eeb8f88e65a2b8c21e1a6 101260 admin optional pacemaker-remote_1.1.13-1_amd64.deb
 9d3d68585b4db7477f8c25c071fbe5bd 442258 admin optional pacemaker_1.1.13-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWe7NOAAoJEExaa6sS0qeublwP/1Gew8Bh497Tfs9TDc5pPZrj
H9ZddgqzsTSPGfI0XWHAfz0fkeYlOtYEgkA4cs42Y1aBerJL2+tkxZld+dh/neyQ
FNMmVlKD8fz2nMQN87AMrY/ljmE9BcJSE6g5N29mWZqZKjc3cl6DCMnP03cvKM6n
wShJr9q+/WVeaDSLclHTs4HiZNCr0IIFOwMxKgVUjywLeiL/fYshIDI3iI3kqofz
3Jjih/07QGDV/3GMU/sBgGHuqV5BaxJt5wtswAyodxzMWzYXdCgD7DKk6aVvcR1y
OyUm8IhtECNJnB7S4SUbk+lmMaVbZxBADD2mQwdkxzVA1Y1jtJ26b4mNFMm9iqMs
spZguhLfqhXlj276u6YPhQifTp9EFTAN0sURbfsOJFW7/5CjpRbPboRYTdRNRxoB
2bXkcjn3lZcm2v3cxPtqIKgPjku2NOEIfID5brnTCGROrBuKCaKn6PjSoOHI/kKY
KtBnFm5aPqwfUFqsutMsH3numH4ek4yvauqFJxGT8KnJggoRzvcw0b71GUXwT0RK
LkMcuUoBwNoXzwu6O7HA7FOwpOvoJ0i+aRjbAF9TZq43zUb4rWoeCd7rXBOFKvLR
flRxXyjUyb0aeupovn0307YIXi/ZujBpIGEg37q62g4Wu/dEfY0keshKrE7rxb0/
iC3VGXPoeLC44CdQcaJg
=I8Ap
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.