Security update for pacemaker

Announcement ID:	SUSE-SU-2016:2974-1
Rating:	moderate
References:	bsc#1000743 bsc#1002767 bsc#1003565 bsc#1007433 bsc#1009076 bsc#967388 bsc#986644 bsc#987348 bsc#995365
Cross-References:	CVE-2016-7035 CVE-2016-7797
CVSS scores:	CVE-2016-7035 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-7797 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise High Availability Extension 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP1

An update that solves two vulnerabilities and has seven security fixes can now be installed.

Description:

This update for pacemaker fixes the following issues:

• remote: Allow cluster and remote LRM API versions to diverge (bsc#1009076)
• libcrmcommon: fix CVE-2016-7035 (improper IPC guarding) (bsc#1007433)
• sysconfig: minor tweaks (typo, wording)
• spec: more robust check for systemd being in use
• spec: defines instead of some globals + error suppression
• various: issues discovered via valgrind and coverity

• attrd_updater: fix usage of HAVE_ATOMIC_ATTRD

• crmd: cl#5185 - Record pending operations in the CIB before they are performed (bsc#1003565)

• ClusterMon: fix to avoid matching other process with the same PID
• mcp: improve comments for sysconfig options
• remove openssl-devel and libselinux-devel as build dependencies
• tools: crm_standby --version/--help should work without cluster
• libpengine: only log startup-fencing warning once
• pacemaker.service: do not mistakenly suggest killing fenced
• libcrmcommon: report errors consistently when waiting for data on connection (bsc#986644)
• remote: Correctly calculate the remaining timeouts when receiving messages (bsc#986644)
• libfencing: report added node ID correctly
• crm_mon: Do not call setenv with null value
• pengine: Do not fence a maintenance node if it shuts down cleanly (bsc#1000743)
• ping: Avoid temporary files for fping check (bsc#987348)
• all: clarify licensing and copyrights
• crmd: Resend the shutdown request if the DC forgets
• ping: Avoid temp files in fping_check (bsc#987348)
• crmd: Ensure the R_SHUTDOWN is set whenever we ask the DC to shut us down
• crmd: clear remote node operation history only when it comes up
• libcib,libfencing,libtransition: handle memory allocation errors without CRM_CHECK()
• tools: make crm_mon XML schema handle resources with multiple active
• pengine: set OCF_RESKEY_CRM_meta_notify_active_* for multistate resources
• pengine: avoid null dereference in new same-node ordering option
• lrmd,libcluster: ensure g_hash_table_foreach() is never passed a null table
• crmd: don't log warning if abort_unless_down() can't find down event
• lib: Correction of the deletion of the notice registration.
• stonithd: Correction of the wrong connection process name.
• crmd: Keep a state of LRMD in the DC node latest.
• pengine: avoid transition loop for start-then-stop + unfencing

• libpengine: allow pe_order_same_node option for constraints

• cts: Restart systemd-journald with "systemctl restart systemd-journald.socket" (bsc#995365)

• libcrmcommon: properly handle XML comments when comparing v2 patchset diffs
• crmd: don't abort transitions for CIB comment changes
• libcrmcommon: log XML comments correctly

• libcrmcommon: remove extraneous format specifier from log message

• remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388, bsc#1002767, CVE-2016-7797)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Availability Extension 12 SP1
  zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1742=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-HA-12-SP1-2016-1742=1
• SUSE Linux Enterprise Software Development Kit 12 SP1
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1742=1

Package List:

• SUSE Linux Enterprise High Availability Extension 12 SP1 (ppc64le s390x x86_64)
  • pacemaker-remote-1.1.13-20.1
  • pacemaker-cli-debuginfo-1.1.13-20.1
  • pacemaker-cts-1.1.13-20.1
  • pacemaker-1.1.13-20.1
  • pacemaker-debuginfo-1.1.13-20.1
  • libpacemaker3-debuginfo-1.1.13-20.1
  • pacemaker-remote-debuginfo-1.1.13-20.1
  • pacemaker-debugsource-1.1.13-20.1
  • libpacemaker3-1.1.13-20.1
  • pacemaker-cli-1.1.13-20.1
  • pacemaker-cts-debuginfo-1.1.13-20.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • pacemaker-remote-1.1.13-20.1
  • pacemaker-cli-debuginfo-1.1.13-20.1
  • pacemaker-cts-1.1.13-20.1
  • pacemaker-1.1.13-20.1
  • pacemaker-debuginfo-1.1.13-20.1
  • libpacemaker3-debuginfo-1.1.13-20.1
  • pacemaker-remote-debuginfo-1.1.13-20.1
  • pacemaker-debugsource-1.1.13-20.1
  • libpacemaker3-1.1.13-20.1
  • pacemaker-cli-1.1.13-20.1
  • pacemaker-cts-debuginfo-1.1.13-20.1
• SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
  • libpacemaker-devel-1.1.13-20.1
  • pacemaker-cts-1.1.13-20.1
  • pacemaker-debuginfo-1.1.13-20.1
  • pacemaker-debugsource-1.1.13-20.1
  • pacemaker-cts-debuginfo-1.1.13-20.1

References:

• https://www.suse.com/security/cve/CVE-2016-7035.html
• https://www.suse.com/security/cve/CVE-2016-7797.html
• https://bugzilla.suse.com/show_bug.cgi?id=1000743
• https://bugzilla.suse.com/show_bug.cgi?id=1002767
• https://bugzilla.suse.com/show_bug.cgi?id=1003565
• https://bugzilla.suse.com/show_bug.cgi?id=1007433
• https://bugzilla.suse.com/show_bug.cgi?id=1009076
• https://bugzilla.suse.com/show_bug.cgi?id=967388
• https://bugzilla.suse.com/show_bug.cgi?id=986644
• https://bugzilla.suse.com/show_bug.cgi?id=987348
• https://bugzilla.suse.com/show_bug.cgi?id=995365