[ubuntu/eoan-proposed] pacemaker 2.0.1-4ubuntu1 (Accepted)
Gianfranco Costamagna
locutusofborg at debian.org
Mon May 13 10:14:15 UTC 2019
pacemaker (2.0.1-4ubuntu1) eoan; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: Demote fence-agents to Suggests, avoiding main
      inclusion.
    - debian/patches/pacemaker_is_partof_corosync.patch: Default systemd
      unit hard-requires corosync.
      + Debian disagrees in Debian bug 887563 message 36. We could revert back
        to Debian's behaviour, but keeping the patch in this merge maintains
        existing behaviour for Ubuntu users pending any separate future
        decision.

pacemaker (2.0.1-4) unstable; urgency=high

  * [54ace53] Fix check for already present statoverride.
    When adding flexible modes in 2.0.1-3 (3c7b0b4), I accidentally broke
    the check, and the breakage led to piupart failures. (Closes: #928841)
  * High urgency due to the security fix in the not yet migrated 2.0.1-3.

pacemaker (2.0.1-3) unstable; urgency=high

  * [20ccd21] Shorten and explain the autopkgtest wait
  * [3c7b0b4] Ship /var/log/pacemaker, the new default directory of the detail
    logs.
    Without this directory the default configuration emits errors and the
    detail log is simply not written.
    The /var/log/pacemaker.log* detail log files from Pacemaker 1 are not
    moved automatically on upgrade, but this new /var/log/pacemaker
    directory and its contents are removed when purging pacemaker-common.
    The owner and mode of the log directory are set to let clients like
    crm_resource --force-start running as any user in the haclient group
    write their messages into the detail log. The logrotate config relies
    on these settings as well.
  * [21a4325] Drop a build patch: libtransitioner does not use liblrmd since
    092281b
  * [920ca93] Apply upstream security pull request #1749.
    Cumulative patchset to fix CVE-2019-3885, CVE-2018-16877, CVE-2018-16878
    + additional unmasked null pointer deref
    1. CVE-2018-16877: Insufficient local IPC client-server authentication
       on the client's side can lead to local privesc. A local attacker
       could use this flaw, and combine it with other IPC weaknesses, to
       achieve local privilege escalation.
    2. CVE-2018-16878: Insufficient verification inflicted preference of
       uncontrolled processes can lead to DoS.
    3. CVE-2019-3885: A use-after-free defect was discovered in pacemaker
       that can possibly lead to unsolicited information disclosure in the
       log outputs.
    The Travis CI fix also in the GitHub pull request was omitted here.
    (Closes: #927714)
  * [501e5bb] We've got exactly two daemons
  * [c0f7339] Move to debhelper compat level 12.
    To avoid #887904: dh_installsystemd will unmask services *after* an
    attempt to start them, leaving them stopped upon re-installation.
    Pacemaker is not affected by any other changes between compat level 11
    and 12, because we disable dh_dwz anyway (currently it isn't compatible
    with libqb).

Date: Mon, 13 May 2019 12:11:35 +0200
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Maintainer: Debian HA Maintainers <debian-ha-maintainers at lists.alioth.debian.org>
https://launchpad.net/ubuntu/+source/pacemaker/2.0.1-4ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 13 May 2019 12:11:35 +0200
Source: pacemaker
Binary: pacemaker-common pacemaker-resource-agents pacemaker pacemaker-cli-utils pacemaker-remote pacemaker-doc libcib27 libcrmcluster29 libcrmcommon34 libcrmservice28 liblrmd28 libpe-rules26 libpe-status28 libpengine27 libstonithd26 libtransitioner25 pacemaker-dev libcib-dev libcrmcluster-dev libcrmcommon-dev libcrmservice-dev liblrmd-dev libpengine-dev libstonithd-dev
Architecture: source
Version: 2.0.1-4ubuntu1
Distribution: eoan
Urgency: high
Maintainer: Debian HA Maintainers <debian-ha-maintainers at lists.alioth.debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Description:
libcib-dev - transitional package
libcib27 - cluster resource manager CIB library
libcrmcluster-dev - transitional package
libcrmcluster29 - cluster resource manager cluster library
libcrmcommon-dev - transitional package
libcrmcommon34 - cluster resource manager common library
libcrmservice-dev - transitional package
libcrmservice28 - cluster resource manager service library
liblrmd-dev - transitional package
liblrmd28 - cluster resource manager LRMD library
libpe-rules26 - cluster resource manager Policy Engine rules library
libpe-status28 - cluster resource manager Policy Engine status library
libpengine-dev - transitional package
libpengine27 - cluster resource manager Policy Engine library
libstonithd-dev - transitional package
libstonithd26 - cluster resource manager STONITH daemon library
libtransitioner25 - cluster resource manager transitioner library
pacemaker - cluster resource manager
pacemaker-cli-utils - cluster resource manager command line utilities
pacemaker-common - cluster resource manager common files
pacemaker-dev - cluster resource manager development
pacemaker-doc - cluster resource manager HTML documentation
pacemaker-remote - cluster resource manager proxy daemon for remote nodes
pacemaker-resource-agents - cluster resource manager general resource agents
Closes: 927714 928841