Security update for pacemaker

Announcement ID:	SUSE-SU-2019:2268-1
Rating:	important
References:	bsc#1032511 bsc#1127716 bsc#1130122 bsc#1131353 bsc#1131356 bsc#1133866 bsc#1135317 bsc#1136712 bsc#1140519
Cross-References:	CVE-2018-16877 CVE-2018-16878
CVSS scores:	CVE-2018-16877 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2018-16877 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-16877 ( NVD ): 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2018-16878 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-16878 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-16878 ( NVD ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Software Development Kit 12 SP4

An update that solves two vulnerabilities and has seven security fixes can now be installed.

Description:

This update for pacemaker fixes the following issues:

Security issues fixed:

• CVE-2018-16877: Fixed insufficient local IPC client-server authentication on the client's side. (bsc#1131356)
• CVE-2018-16878: Fixed insufficient verification inflicted preference of uncontrolled processes (bsc#1131353)

Other issues fixed:

• stonith_admin --help: specify the usage of --cleanup (bsc#1135317)
• scheduler: wait for probe actions to complete to prevent unnecessary restart/re-promote of dependent resources (bsc#1130122, bsc#1032511)
• controller: confirm cancel of failed monitors (bsc#1133866)
• controller: improve failed recurring action messages (bsc#1133866)
• controller: directly acknowledge unrecordable operation results (bsc#1133866)
• controller: be more tolerant of malformed executor events (bsc#1133866)
• libcrmcommon: return error when applying XML diffs containing unknown operations (bsc#1127716)
• libcrmcommon: avoid possible use-of-NULL when applying XML diffs (bsc#1127716)
• libcrmcommon: correctly apply XML diffs with multiple move/create changes (bsc#1127716)
• libcrmcommon: return proper code if testing pid is denied (bsc#1131353, bsc#1131356)
• libcrmcommon: avoid use-of-NULL when checking whether process is active (bsc#1131353, bsc#1131356)
• tools: run main loop for crm_resource clean-up with resource (bsc#1140519)
• contoller,scheduler: guard hash table deletes (bsc#1136712)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12 SP4
  zypper in -t patch SUSE-SLE-HA-12-SP4-2019-2268=1
• SUSE Linux Enterprise High Availability Extension 12 SP4
  zypper in -t patch SUSE-SLE-HA-12-SP4-2019-2268=1
• SUSE Linux Enterprise Software Development Kit 12 SP4
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2268=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
  • pacemaker-debugsource-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cli-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cts-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.13.1
  • libpacemaker3-1.1.19+20181105.ccd6b5b10-3.13.1
  • libpacemaker3-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-remote-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
• SUSE Linux Enterprise High Availability Extension 12 SP4 (ppc64le s390x x86_64)
  • pacemaker-debugsource-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cli-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cli-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cts-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-remote-1.1.19+20181105.ccd6b5b10-3.13.1
  • libpacemaker3-1.1.19+20181105.ccd6b5b10-3.13.1
  • libpacemaker3-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-remote-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
• SUSE Linux Enterprise Software Development Kit 12 SP4 (aarch64 ppc64le s390x x86_64)
  • pacemaker-debugsource-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cts-debuginfo-1.1.19+20181105.ccd6b5b10-3.13.1
  • libpacemaker-devel-1.1.19+20181105.ccd6b5b10-3.13.1
  • pacemaker-cts-1.1.19+20181105.ccd6b5b10-3.13.1

References:

• https://www.suse.com/security/cve/CVE-2018-16877.html
• https://www.suse.com/security/cve/CVE-2018-16878.html
• https://bugzilla.suse.com/show_bug.cgi?id=1032511
• https://bugzilla.suse.com/show_bug.cgi?id=1127716
• https://bugzilla.suse.com/show_bug.cgi?id=1130122
• https://bugzilla.suse.com/show_bug.cgi?id=1131353
• https://bugzilla.suse.com/show_bug.cgi?id=1131356
• https://bugzilla.suse.com/show_bug.cgi?id=1133866
• https://bugzilla.suse.com/show_bug.cgi?id=1135317
• https://bugzilla.suse.com/show_bug.cgi?id=1136712
• https://bugzilla.suse.com/show_bug.cgi?id=1140519