===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2620
          Moderate: pcs security, bug fix, and enhancement update
                               7 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pcs
Publisher:         Red Hat
Operating System:  Red Hat
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Unauthorised Access        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0721 CVE-2016-0720

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2016-2596.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running pcs check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pcs security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2596-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2596.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-0720 CVE-2016-0721
=====================================================================

1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.

The following packages have been upgraded to a newer upstream version:
pcs (0.9.152). (BZ#1299847)

Security Fix(es):

* A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A
remote attacker could provide a specially crafted web page that, when
visited by a user with a valid pcsd session, would allow the attacker to
trigger requests on behalf of the user, for example removing resources or
restarting/removing nodes. (CVE-2016-0720)

* It was found that pcsd did not invalidate cookies on the server side when
a user logged out. This could potentially allow an attacker to perform
session fixation attacks on pcsd. (CVE-2016-0721)

These issues were discovered by Martin Prpic (Red Hat Product Security).

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1158500 - add support for utilization attributes
1164402 - Support for sbd configuration is needed in pcs
1207405 - RFE: please adjust timeouts for pcsd check (or allow to disable them)
1219581 - [CLI] particular help screens inconsistent in indication of default sub^n-commands
1220512 - pcs resource cleanup improvements
1225423 - pcs should allow to remove a dead node from a cluster
1225946 - [CLI] minor cleanups in built-in documentation
1229822 - [RFE] make "cluster setup --start", "cluster start" and "cluster standby" support --wait as well
1231858 - resource/fence agent options form needs an overhaul
1248990 - Specifying a non-existing id in ACL role permission produces an invalid CIB
1249085 - 'pcs resource delete' doesn't delete resource referenced in acl
1252050 - Rewrite pcsd launch script
1264360 - pcs Web UI doesn't indicate unmanaged resources
1269242 - pcs needs to be able to view status and config on nodes that are not part of any cluster, but have a cib.xml file
1281364 - colocation set constraints missing in web UI
1281371 - Cluster Properties page in web UI needs an overhaul
1281391 - web UI lacks ability to move resources within a resource group
1286664 - pcsd: deleting groups/clones from older cluster returns Internal Server Error
1287320 - When referencing a stonith/resource agent without a provider and the fence/resource agents fails to get metadata causes pcs to traceback
1290512 - pcs doesn't support putting Pacemaker Remote nodes into standby
1298585 - [RFE] pcs status output could be simpler when constraints are in place
1299614 - CVE-2016-0720 pcs: Cross-Site Request Forgery in web UI
1299615 - CVE-2016-0721 pcs: cookies are not invalidated upon logout
1299847 - pcs rebase bug for 7.3
1301993 - [RFE] pcs property list/show could have a --node filter
1302010 - pcs property show <property> shows all node properties unfiltered
1303136 - Cannot create a new resource with the same name of a one failed and deleted before, until cleanup
1305786 - Unsanitized input in username field on login page
1315357 - [packaging] pcsd.service shipped twice (under different locations)
1315652 - Option to disable particular TLS version and ciphers with pcsd
1315743 - [packaging] /etc/sysconfig/pcsd is not marked as a config file
1327739 - Need a way to set expected votes on a live system
1328066 - [cli] pcs makes a disservice to CIB-accumulate-and-push use cases by not coping with "cib --config" file (recommended!) passed as "-f <file>" to cib-modifying commands
1329472 - Cannot recreate remote node resource
1341114 - [packaging] pcs should mark known (existing or not) %config files in the spec (/etc/sysconfig/pcsd, /var/lib/pcsd/tokens, ...)
1346852 - [GUI] Bad Request when resource removal takes longer than pcs expects
1349465 - [bash-completion] put it under $(pkg-config --variable=completionsdir bash-completion) to allow for dynamic loading
1354498 - [cli] pcs should except KeyboardInterrupt at least around raw_input builtin invocation
1357945 - [clufter integration] clufter is distribution-sensitive wrt. new features so pass the current one on cluster.conf/corosync.conf match and allow user's override
1359154 - pcs authentication command does not trigger authentication of nodes against each other
1366307 - [pcsd] Badly designed usage of HTML ID attributes may cause unexpected behavior with certain resource names

6. Package List:

Red Hat Enterprise Linux Server High Availability (v. 7):

Source:
pcs-0.9.152-10.el7.src.rpm

s390x:
pcs-0.9.152-10.el7.s390x.rpm
pcs-debuginfo-0.9.152-10.el7.s390x.rpm

x86_64:
pcs-0.9.152-10.el7.x86_64.rpm
pcs-debuginfo-0.9.152-10.el7.x86_64.rpm

Red Hat Enterprise Linux Server Resilient Storage (v. 7):

Source:
pcs-0.9.152-10.el7.src.rpm

s390x:
pcs-0.9.152-10.el7.s390x.rpm
pcs-debuginfo-0.9.152-10.el7.s390x.rpm

x86_64:
pcs-0.9.152-10.el7.x86_64.rpm
pcs-debuginfo-0.9.152-10.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.
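As an added example, not part of the Red Hat or AusCERT text, the following Python check decides whether a pcs package string as printed by `rpm -q pcs` is at or above the fixed build pcs-0.9.152-10.el7 listed above, so a fleet can be audited against this advisory without rpm on the auditing host. It reimplements rpm's segment-wise version ordering (rpmvercmp); the epoch is ignored because the pcs packages here carry none, and the package strings in the usage are constructed samples.

```python
import re

# Fixed pcs build named in RHSA-2016:2596 as (version, release); no epoch.
FIXED_PCS_VR = ("0.9.152", "10.el7")
# rpm compares version strings as runs of digits, runs of letters, and '~'.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version/release strings like rpm's rpmvercmp():
    digit runs compare as integers, letter runs lexically, digits beat
    letters, '~' sorts before anything, and once all common segments
    agree the longer string is newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):  # "01" and "1" are equal
                return -1 if int(x) < int(y) else 1
            continue
        if xd != yd:
            return 1 if xd else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":  # a trailing "~rc1" makes the longer string older
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nvra(nvra: str):
    """'pcs-0.9.152-10.el7.x86_64' -> ('pcs', '0.9.152', '10.el7', 'x86_64')."""
    base, arch = nvra.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def pcs_is_fixed(nvra: str) -> bool:
    """True when the package printed by `rpm -q pcs` is at or above the fix."""
    name, version, release, _ = parse_nvra(nvra)
    if name != "pcs":
        raise ValueError(f"not a pcs package: {nvra}")
    c = rpmvercmp(version, FIXED_PCS_VR[0])
    return c > 0 if c != 0 else rpmvercmp(release, FIXED_PCS_VR[1]) >= 0
```

For example, the constructed string `pcs-0.9.152-9.el7.s390x` is reported as not fixed while `pcs-0.9.152-10.el7_3.1.x86_64` (a later z-stream style release) is accepted.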
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-0720
https://access.redhat.com/security/cve/CVE-2016-0721
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================