Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

          Moderate: pcs security, bug fix, and enhancement update
                              7 November 2016


        AusCERT Security Bulletin Summary

Product:           pcs
Publisher:         Red Hat
Operating System:  Red Hat
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Unauthorised Access        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0721 CVE-2016-0720 

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running pcs check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Moderate: pcs security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2596-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2596.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-0720 CVE-2016-0721 

1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.

The following packages have been upgraded to a newer upstream version: pcs
(0.9.152). (BZ#1299847)

Security Fix(es):

* A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A
remote attacker could provide a specially crafted web page that, when
visited by a user with a valid pcsd session, would allow the attacker to
trigger requests on behalf of the user, for example removing resources or
restarting/removing nodes. (CVE-2016-0720)

* It was found that pcsd did not invalidate cookies on the server side when
a user logged out. This could potentially allow an attacker to perform
session fixation attacks on pcsd. (CVE-2016-0721)

These issues were discovered by Martin Prpic (Red Hat Product Security).

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1158500 - add support for utilization attributes
1164402 - Support for sbd configuration is needed in pcs
1207405 - RFE: please adjust timeouts for pcsd check (or allow to disable them)
1219581 - [CLI] particular help screens inconsistent in indication of default sub^n-commands
1220512 - pcs resource cleanup improvements
1225423 - pcs should allow to remove a dead node from a cluster
1225946 - [CLI] minor cleanups in built-in documentation
1229822 - [RFE] make "cluster setup --start", "cluster start" and "cluster standby" support --wait as well
1231858 - resource/fence agent options form needs an overhaul
1248990 - Specifying a non-existing id in ACL role permission produces an invalid CIB
1249085 - 'pcs resource delete' doesn't delete resource referenced in acl
1252050 - Rewrite pcsd launch script
1264360 - pcs Web UI doesn't indicate unmanaged resources
1269242 - pcs needs to be able to view status and config on nodes that are not part of any cluster, but have a cib.xml file
1281364 - colocation set constraints missing in web UI
1281371 - Cluster Properties page in web UI needs an overhaul
1281391 - web UI lacks ability to move resources within a resource group
1286664 - pcsd: deleting groups/clones from older cluster returns Internal Server Error
1287320 - When referencing a stonith/resource agent without a provider and the fence/resource agents fails to get metadata causes pcs to traceback
1290512 - pcs doesn't support putting Pacemaker Remote nodes into standby
1298585 - [RFE] pcs status output could be simpler when constraints are in place
1299614 - CVE-2016-0720 pcs: Cross-Site Request Forgery in web UI
1299615 - CVE-2016-0721 pcs: cookies are not invalidated upon logout
1299847 - pcs rebase bug for 7.3
1301993 - [RFE] pcs property list/show could have a --node filter
1302010 - pcs property show <property> shows all node properties unfiltered
1303136 - Cannot create a new resource with the same name of a one failed and deleted before, until cleanup
1305786 - Unsanitized input in username field on login page
1315357 - [packaging] pcsd.service shipped twice (under different locations)
1315652 - Option to disable particular TLS version and ciphers with pcsd
1315743 - [packaging] /etc/sysconfig/pcsd is not marked as a config file
1327739 - Need a way to set expected votes on a live system
1328066 - [cli] pcs makes a disservice to CIB-accumulate-and-push use cases by not coping with "cib --config" file (recommended!) passed as "-f <file>" to cib-modifying commands
1329472 - Cannot recreate remote node resource
1341114 - [packaging] pcs should mark known (existing or not) %config files in the spec (/etc/sysconfig/pcsd, /var/lib/pcsd/tokens, ...)
1346852 - [GUI] Bad Request when resource removal takes longer than pcs expects
1349465 - [bash-completion] put it under $(pkg-config --variable=completionsdir bash-completion) to allow for dynamic loading
1354498 - [cli] pcs should except KeyboardInterrupt at least around raw_input builtin invocation
1357945 - [clufter integration] clufter is distribution-sensitive wrt. new features so pass the current one on cluster.conf/corosync.conf match and allow user's override
1359154 - pcs authentication command does not trigger authentication of nodes against each other
1366307 - [pcsd] Badly designed usage of HTML ID attributes may cause unexpected behavior with certain resource names

6. Package List:

Red Hat Enterprise Linux Server High Availability (v. 7):




Red Hat Enterprise Linux Server Resilient Storage (v. 7):




These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967