Login
Newsletter
Werbung

Sicherheit: Denial of Service in PCS
Aktuelle Meldungen Distributionen
Name: Denial of Service in PCS
ID: RHSA-2015:2290-01
Distribution: Red Hat
Plattformen: Red Hat Enterprise Linux
Datum: Fr, 20. November 2015, 09:00
Referenzen: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/High_Availability_Add-On_Reference/
Applikationen: PCS

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: pcs security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2290-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2290.html
Issue date: 2015-11-19
CVE Names: CVE-2015-3225
=====================================================================

1. Summary:

An updated pcs package that fixes one security issue, several bugs, and
add various enhancements is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64

3. Description:

The pcs package provides a configuration tool for Corosync and Pacemaker.
It permits users to easily view, modify and create Pacemaker based
clusters. The pcs package includes Rack, which provides a minimal interface
between webservers that support Ruby and Ruby frameworks.

A flaw was found in a way Rack processed parameters of incoming requests.
An attacker could use this flaw to send a crafted request that would cause
an application using Rack to crash. (CVE-2015-3225)

Red Hat would like to thank Ruby upstream developers for reporting this.
Upstream acknowledges Tomek Rabczak from the NCC Group as the original
reporter.

The pcs package has been upgraded to upstream version 0.9.143, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1198265)

The following enhancements are described in more detail in the Red Hat
Enterprise Linux 7.2 Release Notes, linked to from the References section:

* The pcs resource move and pcs resource ban commands now display a warning
message to clarify the commands' behavior (BZ#1201452)

* New command to move a Pacemaker resource to its preferred node
(BZ#1122818)

This update also fixes the following bugs:

* Before this update, a bug caused location, ordering, and colocation
constraints related to a resource group to be removed when removing any
resource from that group. This bug has been fixed, and the constraints are
now preserved until the group has no resources left, and is removed.
(BZ#1158537)

* Previously, when a user disabled a resource clone or multi-state
resource, and then later enabled a primitive resource within it, the clone
or multi-state resource remained disabled. With this update, enabling a
resource within a disabled clone or multi-state resource enables it.
(BZ#1218979)

* When the web UI displayed a list of resource attributes, a bug caused
the list to be truncated at the first "=" character. This update fixes
the
bug and now the web UI displays lists of resource attributes correctly.
(BZ#1243579)

* The documentation for the "pcs stonith confirm" command was not
clear.
This could lead to incorrect usage of the command, which could in turn
cause data corruption. With this update, the documentation has been
improved and the "pcs stonith confirm" command is now more clearly
explained. (BZ#1245264)

* Previously, if there were any unauthenticated nodes, creating a new
cluster, adding a node to an existing cluster, or adding a cluster to the
web UI failed with the message "Node is not authenticated". With this
update, when the web UI detects a problem with authentication, the web UI
displays a dialog to authenticate nodes as necessary. (BZ#1158569)

* Previously, the web UI displayed only primitive resources. Thus there was
no way to set attributes, constraints and other properties separately for a
parent resource and a child resource. This has now been fixed, and
resources are displayed in a tree structure, meaning all resource elements
can be viewed and edited independently. (BZ#1189857)

In addition, this update adds the following enhancements:

* A dashboard has been added which shows the status of clusters in the web
UI. Previously, it was not possible to view all important information about
clusters in one place. Now, a dashboard showing the status of clusters has
been added to the main page of the web UI. (BZ#1158566)

* With this update, the pcsd daemon automatically synchronizes pcsd
configuration across a cluster. This enables the web UI to be run from any
node, allowing management even if any particular node is down. (BZ#1158577)

* The web UI can now be used to set permissions for users and groups on a
cluster. This allows users and groups to have their access restricted to
certain operations on certain clusters. (BZ#1158571)

All pcs users are advised to upgrade to this updated package, which
corrects these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1121791 - Provide documentation of batch-limit and other pacemaker properties
in man page or pcs help
1134426 - pcs needs a better parser for corosync.conf
1148863 - Pcsd backward/forward compatibility issues
1158491 - 'pcs cluster status' is documented to be an alias to 'pcs
status cluster' but has different output
1158537 - Removing a resource from a group also removes constraints mentioning
that group
1158571 - user and group support in gui - permissions to clusters managed by
pcsd
1163671 - [RFE] Default corosync configuration should log to file
1163682 - nodes authentication stops if failed on one node
1165803 - pcs CLI should recognize and act upon "fail due to lack of
authentication" state if/as suitable (e.g. for "pcs config restore")
1166160 - 'pcs acl role create' does not check syntax properly
1170205 - pcs cluster auth --force doesn't overwrite /var/lib/pcsd/tokens
if its content is corrupt
1175400 - pcs resource op add creates duplicate op entires
1176687 - Pacemaker resource defaults should show up in 'pcs config'
output
1182119 - A cloned resource banned on one of the nodes is shown as Inactive in
GUI
1182793 - When attempting to add a duplicate fence level we get a non-useful
error message
1182986 - Unable to find out value for require-all parameter for ordering
constraint with clones
1183752 - Unable to delete VirtualDomain resource remote-node when it has
configured some constraints
1185096 - debug-promote implementation
1186692 - cluster node removal should verify possible loss of quorum
1187320 - Uncloning a non-cloned resource produces invalid CIB
1187571 - ungrouping a resource from a cloned group produces invalid CIB when
other resources exist in that group
1188571 - The --wait functionality implementation needs an overhaul
1189857 - need a tree view for clones/MS/groups in the resource panel [GUI]
1196412 - pcs cluster start should go to pcsd if user is not root
1197758 - pcs does not inform about incorrect command usage (pcs constraint
order set)
1198222 - pcsd: GUI fails if orphaned resource is present in a cluster
1198265 - PCS Rebase bug for 7.2
1198274 - pcsd: don't automatically use --force everytime a resource is
being removed
1198640 - [WebUI] spaces not allowed in resource agent options fields
1199073 - creating a resource name colliding with an existing
group/clone/master ID needs better error message
1202457 - Referencing a non-existent ACL role should error out more gracefully
1204880 - pcs: stonith level value checking
1205653 - pcsd gui is not able to remove constraints and standby/unstandby
nodes of remote cluster
1206214 - Formatting of longdesc metadata of resource agent is destroyed when
using "pcs resource describe"
1206219 - pcs stonith describe only lists parameters of fence agent, but not
description
1207805 - Need a way for pcs to clear out auth tokens
1212904 - better integration with standalone (unbundled) clufter package for
cluster configuration conversion
1213429 - Cluster request fails on first node if this is not authorized
1215198 - pcsd: GUI ignores timeout value in fence_xvm agent form
1219574 - [gui] resource optional arguments: quoted strings missing
1231987 - pcs ought to require psmisc package (hidden dependency for killall
execution)
1232292 - CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability
in Rack normalize_params()
1235022 - Nagios metadata is missing
1247818 - pcs depends on initscripts
1250720 - traceback when running 'pcs resource enable clvmd --wait'
1253491 - pcs status pcsd shows "Unable to authenticate" on serial
console
1257369 - pcs should print the output of crm_resource from pcs resource cleanup
commands
1258619 - Ruby traceback on pcsd startup - /webrick.rb:48:in `shutdown':
undefined method `shutdown'
1265425 - pcs is not parsing the output of crm_node properly
1268801 - A change in "crm_resource --set-parameter is-managed"
introduces regression for Clone and M/S resources

6. Package List:

Red Hat Enterprise Linux Server High Availability (v. 7):

Source:
pcs-0.9.143-15.el7.src.rpm

s390x:
pcs-0.9.143-15.el7.s390x.rpm
pcs-debuginfo-0.9.143-15.el7.s390x.rpm

x86_64:
pcs-0.9.143-15.el7.x86_64.rpm
pcs-debuginfo-0.9.143-15.el7.x86_64.rpm

Red Hat Enterprise Linux Server Resilient Storage (v. 7):

Source:
pcs-0.9.143-15.el7.src.rpm

s390x:
pcs-0.9.143-15.el7.s390x.rpm
pcs-debuginfo-0.9.143-15.el7.s390x.rpm

x86_64:
pcs-0.9.143-15.el7.x86_64.rpm
pcs-debuginfo-0.9.143-15.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3225
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/High_Availability_Add-On_Reference/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkHZXlSAg2UNWIIRAuqcAKCBXYt6+iVW1O2dE/D/96QMfxRi2ACfZglv
8U4T/Lbc6FPY10oa290FIqY=
=gMKX
-----END PGP SIGNATURE-----

--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung