Security update for pacemaker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:1047-1 Final 1 1 2019-04-26T09:09:12Z current 2019-04-26T09:09:12Z 2019-04-26T09:09:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pacemaker This update for pacemaker fixes the following issues: Security issues fixed: - CVE-2019-3885: Fixed an information disclosure in log output. (bsc#1131357) - CVE-2018-16877: Fixed a local privilege escalation through insufficient IPC client-server authentication. (bsc#1131356) - CVE-2018-16878: Fixed a denial of service through insufficient verification inflicted preference of uncontrolled processes. (bsc#1131353) Non-security issue fixed: - scheduler: Respect the order of constraints when relevant resources are being probed. (bsc#1117934, bsc#1128374) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-1047,SUSE-SLE-HA-12-SP4-2019-1047,SUSE-SLE-SDK-12-SP4-2019-1047 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20191047-1/ Link for SUSE-SU-2019:1047-1 https://lists.suse.com/pipermail/sle-security-updates/2019-April/005369.html E-Mail link for SUSE-SU-2019:1047-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1117381 SUSE Bug 1117381 https://bugzilla.suse.com/1117934 SUSE Bug 1117934 https://bugzilla.suse.com/1128374 SUSE Bug 1128374 https://bugzilla.suse.com/1128772 SUSE Bug 1128772 https://bugzilla.suse.com/1131353 SUSE Bug 1131353 https://bugzilla.suse.com/1131356 SUSE Bug 1131356 https://bugzilla.suse.com/1131357 SUSE Bug 1131357 https://www.suse.com/security/cve/CVE-2018-16877/ SUSE CVE CVE-2018-16877 page https://www.suse.com/security/cve/CVE-2018-16878/ SUSE CVE CVE-2018-16878 page https://www.suse.com/security/cve/CVE-2019-3885/ SUSE CVE CVE-2019-3885 page SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise Software Development Kit 12 SP4 libpacemaker-devel-1.1.19+20181105.ccd6b5b10-3.10.1 libpacemaker3-1.1.19+20181105.ccd6b5b10-3.10.1 pacemaker-1.1.19+20181105.ccd6b5b10-3.10.1 pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.10.1 pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.10.1 libpacemaker3-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 pacemaker-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 libpacemaker-devel-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP4 pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP4 A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. CVE-2018-16877 SUSE Linux Enterprise High Availability Extension 12 SP4:libpacemaker3-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:libpacemaker-devel-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191047-1/ https://www.suse.com/security/cve/CVE-2018-16877.html CVE-2018-16877 https://bugzilla.suse.com/1131353 SUSE Bug 1131353 https://bugzilla.suse.com/1131356 SUSE Bug 1131356 A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS CVE-2018-16878 SUSE Linux Enterprise High Availability Extension 12 SP4:libpacemaker3-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:libpacemaker-devel-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 important 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191047-1/ https://www.suse.com/security/cve/CVE-2018-16878.html CVE-2018-16878 https://bugzilla.suse.com/1131353 SUSE Bug 1131353 A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs. CVE-2019-3885 SUSE Linux Enterprise High Availability Extension 12 SP4:libpacemaker3-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise High Availability Extension 12 SP4:pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:libpacemaker-devel-1.1.19+20181105.ccd6b5b10-3.10.1 SUSE Linux Enterprise Software Development Kit 12 SP4:pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.10.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191047-1/ https://www.suse.com/security/cve/CVE-2019-3885.html CVE-2019-3885 https://bugzilla.suse.com/1131357 SUSE Bug 1131357