[ubuntu/disco-security] pacemaker 1.1.18-2ubuntu1.19.04.1 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Apr 23 11:47:46 UTC 2019


pacemaker (1.1.18-2ubuntu1.19.04.1) disco-security; urgency=medium

  * SECURITY UPDATE: DoS and local privilege escalation in client-server
    authentication
    - debian/patches/CVE-2018-1687x-1.patch: make crm_pid_active more
      precise as to when detections fail in include/crm_internal.h,
      lib/common/utils.c.
    - debian/patches/CVE-2018-1687x-2.patch: add new helpers to allow IPC
      client side to authenticate the server in configure.ac,
      include/crm/common/Makefile.am, include/crm/common/ipc.h,
      include/crm/common/ipc_internal.h, lib/common/ipc.c.
    - debian/patches/CVE-2018-1687x-3.patch: pacemakerd to trust
      pre-existing processes via new checks instead in mcp/pacemaker.c.
    - debian/patches/CVE-2018-1687x-4.patch: other daemons to authenticate
      IPC servers of fellow processes in lib/cluster/corosync.c,
      lib/cluster/cpg.c, lib/common/ipc.c, mcp/corosync.c.
    - debian/patches/CVE-2018-1687x-5.patch: CPG users to be careful about
      now-more-probable rival processes in attrd/main.c, cib/main.c,
      crmd/main.c, fencing/main.c, lib/cluster/cpg.c.
    - debian/patches/CVE-2018-1687x-6.patch: fix possible NULL pointer
      dereference in crmd/control.c.
    - debian/libcrmcommon3.symbols: added new symbols.
    - CVE-2018-16877
    - CVE-2018-16878
  * SECURITY UPDATE: information disclosure via use-after-free
    - debian/patches/CVE-2019-3885.patch: fix alert handling in
      lib/services/services.c, lib/services/services_linux.c.
    - CVE-2019-3885

Date: 2019-04-18 13:45:24.255381+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/pacemaker/1.1.18-2ubuntu1.19.04.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Disco-changes mailing list