Your message dated Thu, 19 Nov 2020 18:48:05 +0000
with message-id <[email protected]>
and subject line Bug#973254: fixed in pacemaker 2.0.1-5+deb10u1
has caused the Debian Bug report #973254,
regarding pacemaker: CVE-2020-25654
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
973254: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973254
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pacemaker
Version: 2.0.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.0.1-5
Hi,
The following vulnerability was published for pacemaker.
CVE-2020-25654[0]:
| ACL restrictions bypass
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-25654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25654
[1] https://www.openwall.com/lists/oss-security/2020/10/27/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pacemaker
Source-Version: 2.0.1-5+deb10u1
Done: =?utf-8?q?Ferenc_W=C3=A1gner?= <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pacemaker, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated pacemaker package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 12 Nov 2020 17:28:32 CET
Source: pacemaker
Architecture: source
Version: 2.0.1-5+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian HA Maintainers
<[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 973254
Changes:
pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high
.
* [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
A vulnerability was found in Pacemaker allowing a user who is in the
haclient group but restricted by ACLs to bypass those ACLs, providing
cluster-wide arbitrary code execution with root privileges. When the
enable-acl cluster option isn't set to true, members of the haclient
group (and root) can modify Pacemaker's CIB without restriction, which
already gives them these capabilities, so there is no additional
exposure in that case.
More info: https://www.openwall.com/lists/oss-security/2020/10/27/1
Patches:
https://lists.clusterlabs.org/pipermail/developers/2020-October/002324.html
Thanks to Ken Gaillot (Closes: #973254)
Checksums-Sha256:
b431335b401e527c89aa2f606cd6db8518778358a16db84850d9e624f9899712 3948
pacemaker_2.0.1-5+deb10u1.dsc
2ac55117708be304f1c57df9c72d7346733d8429be69c9aabe77ea7f71cfb4f8 69108
pacemaker_2.0.1-5+deb10u1.debian.tar.xz
a2e22eff1f17a27931ade4d5470baba66aa7f14188383dac9e382036df2880c7 31494
pacemaker_2.0.1-5+deb10u1_amd64.buildinfo
4f0040e5c80b108900a019d9033e8bb5d4fb4bc26c6f6fd6397bd846c6461864 5506340
pacemaker_2.0.1.orig.tar.gz
Checksums-Sha1:
fd8da29aff9af7cf67e796cc3d4f98b59df437ef 3948 pacemaker_2.0.1-5+deb10u1.dsc
7a20e62e960c80e928e92978bc4dae32eb36b970 69108
pacemaker_2.0.1-5+deb10u1.debian.tar.xz
89ef418c7b6a769b51c120b39bdcd79e9dc165d5 31494
pacemaker_2.0.1-5+deb10u1_amd64.buildinfo
e2825bf6cb0c581f8336daa50babe95b52179c60 5506340 pacemaker_2.0.1.orig.tar.gz
Files:
05083707664422aa00b5c45b6fc75e07 3948 admin optional
pacemaker_2.0.1-5+deb10u1.dsc
a70f5b4fc74a3861f215b346ee58e2e1 69108 admin optional
pacemaker_2.0.1-5+deb10u1.debian.tar.xz
08693a4832267f5ddf7203a138ec3cd1 31494 admin optional
pacemaker_2.0.1-5+deb10u1_amd64.buildinfo
ef93d59f2dd7974963e7e0c4c9aad2ed 5506340 admin optional
pacemaker_2.0.1.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAl+tYs8ACgkQOsj3Fkd+
2yP+uBAAim8IBae+R42wk8SEcRdE0iQ2sbUFyuu6MQB84tqnpsyF9NXy0OeYQMyU
wJ83cXhSTM8YL+sT/w9q8emV4bu5zReYH45ThBmC4f9Fois4LT3eI8sekRcQNZSf
0nFZPbJFV5z4TF5N0+B2IX/1n0C1ZN2YIzsMEMe8v0b5WzSJH9aL2jo86/OEq8iV
g8mV9Bl9Tu2A2UWRYFWjJSa0TXGc9E34r4Nrvc/cf5aOEOHfcJXJ+ywMQMDjB5Bo
hXzcqx7NSPvN1o8P5z8uMH58EnF93ax40nUskhaOYo6qj+UvnMPgVBKdRGhZOtv6
b8jU/01Kv3MQu2OjwDSjxKrLf+STPWF6sd7lnb8FHBAmmNl1b1KmXUwMS/btnDxF
CXSWB9oe4G5mYbe9yqUB5VynVaWqKfEaoPCttFXxJBy0ryOVKwJWKVCtrwWJUGx2
ijqjgu4/b5flszMnxefDDvOW4U4E3Y9oxZXqey6fMpMTRX5aqzCLgi7GeGWuHXTr
J2vxBLEm5WJRgYbNAEYs7gYY4wmvNec43SbNXUvKcEL1hAxNQhXvrd8Rjxg8/YYp
bOnhGzrDP3bk0eFDZ0ybonjJRimaSO8i5R+azida7oZH//T73iCQ0VelHNV4UFPF
q4+evX52tVMDbALRtZqKUn1EQFNvZAqaorI3FcEMmaTNi/WIE1Q=
=jQPg
-----END PGP SIGNATURE-----
--- End Message ---