07 November 2016
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.2620 Moderate: pcs security, bug fix, and enhancement update 7 November 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: pcs Publisher: Red Hat Operating System: Red Hat UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Request Forgery -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2016-0721 CVE-2016-0720 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2016-2596.html Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running pcs check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: pcs security, bug fix, and enhancement update Advisory ID: RHSA-2016:2596-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2596.html Issue date: 2016-11-03 CVE Names: CVE-2016-0720 CVE-2016-0721 ===================================================================== 1. Summary: An update for pcs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64 Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64 3. Description: The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. The following packages have been upgraded to a newer upstream version: pcs (0.9.152). (BZ#1299847) Security Fix(es): * A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. (CVE-2016-0720) * It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. (CVE-2016-0721) These issues were discovered by Martin Prpic (Red Hat Product Security). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1158500 - add support for utilization attributes 1164402 - Support for sbd configuration is needed in pcs 1207405 - RFE: please adjust timeouts for pcsd check (or allow to disable them) 1219581 - [CLI] particular help screens inconsistent in indication of default sub^n-commands 1220512 - pcs resource cleanup improvements 1225423 - pcs should allow to remove a dead node from a cluster 1225946 - [CLI] minor cleanups in built-in documentation 1229822 - [RFE] make "cluster setup --start", "cluster start" and "cluster standby" support --wait as well 1231858 - resource/fence agent options form needs an overhaul 1248990 - Specifying a non-existing id in ACL role permission produces an invalid CIB 1249085 - 'pcs resource delete' doesn't delete resource referenced in acl 1252050 - Rewrite pcsd launch script 1264360 - pcs Web UI doesn't indicate unmanaged resources 1269242 - pcs needs to be able to view status and config on nodes that are not part of any cluster, but have a cib.xml file 1281364 - colocation set constraints missing in web UI 1281371 - Cluster Properties page in web UI needs an overhaul 1281391 - web UI lacks ability to move resources within a resource group 1286664 - pcsd: deleting groups/clones from older cluster returns Internal Server Error 1287320 - When referencing a stonith/resource agent without a provider and the fence/resource agents fails to get metadata causes pcs to traceback 1290512 - pcs doesn't support putting Pacemaker Remote nodes into standby 1298585 - [RFE] pcs status output could be simpler when constraints are in place 1299614 - CVE-2016-0720 pcs: Cross-Site Request Forgery in web UI 1299615 - CVE-2016-0721 pcs: cookies are not invalidated upon logout 1299847 - pcs rebase bug for 7.3 1301993 - [RFE] pcs property list/show could have a --node filter 1302010 - pcs property show <property> shows all node properties unfiltered 1303136 - Cannot create a new resource with the same name of a one failed and deleted before, until cleanup 1305786 - Unsanitized input in username field on login page 1315357 - [packaging] pcsd.service shipped twice (under different locations) 1315652 - Option to disable particular TLS version and ciphers with pcsd 1315743 - [packaging] /etc/sysconfig/pcsd is not marked as a config file 1327739 - Need a way to set expected votes on a live system 1328066 - [cli] pcs makes a disservice to CIB-accumulate-and-push use cases by not coping with "cib --config" file (recommended!) passed as "-f <file>" to cib-modifying commands 1329472 - Cannot recreate remote node resource 1341114 - [packaging] pcs should mark known (existing or not) %config files in the spec (/etc/sysconfig/pcsd, /var/lib/pcsd/tokens, ...) 1346852 - [GUI] Bad Request when resource removal takes longer than pcs expects 1349465 - [bash-completion] put it under $(pkg-config --variable=completionsdir bash-completion) to allow for dynamic loading 1354498 - [cli] pcs should except KeyboardInterrupt at least around raw_input builtin invocation 1357945 - [clufter integration] clufter is distribution-sensitive wrt. new features so pass the current one on cluster.conf/corosync.conf match and allow user's override 1359154 - pcs authentication command does not trigger authentication of nodes against each other 1366307 - [pcsd] Badly designed usage of HTML ID attributes may cause unexpected behavior with certain resource names 6. Package List: Red Hat Enterprise Linux Server High Availability (v. 7): Source: pcs-0.9.152-10.el7.src.rpm s390x: pcs-0.9.152-10.el7.s390x.rpm pcs-debuginfo-0.9.152-10.el7.s390x.rpm x86_64: pcs-0.9.152-10.el7.x86_64.rpm pcs-debuginfo-0.9.152-10.el7.x86_64.rpm Red Hat Enterprise Linux Server Resilient Storage (v. 7): Source: pcs-0.9.152-10.el7.src.rpm s390x: pcs-0.9.152-10.el7.s390x.rpm pcs-debuginfo-0.9.152-10.el7.s390x.rpm x86_64: pcs-0.9.152-10.el7.x86_64.rpm pcs-debuginfo-0.9.152-10.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-0720 https://access.redhat.com/security/cve/CVE-2016-0721 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html 8. Contact: The Red Hat security contact is <email@example.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYGvzpXlSAg2UNWIIRAuvGAJwPAOqaDXO6udOTJCcicum9s+GDPACeIkoy jvX8ozU+LKMBeHINoGc4sbg= =rwc5 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWB/UzIx+lLeg9Ub1AQhO9g//a9LaTsge8MDb1tw6lKvowVmgIOoGDmDu JHoI84v0X/LLrTfzZKFP0i9ZDtxMW0XX5BvBWb46/l4zciTtIazrw749jBzzf0EK 2Ma5AfsRXPGwzc0hgbi6GGkbVBPRbCu5zgxeYM5YYOg6oNH+A8VHsg7Ift9FVSwE 1P1+9lJa+TJuEvEBwQqHlxEzkqzdj5IfOhuJFL7q1PbFpyuPXwr0G0kUNr9SBII2 6xXeJIBA9cZrP1RIZ17BiGSzthvtwDwpFVcxKmInAk3czr6UbbgHI00aNdoDTWDK xd23Z+GDDTKyfqEOOwrQY4t7xiFzlMuBHWDE3297qVOziyLhAHwOKlwGS8bl0tOw dqaJCX8wdHrxWB4yqkskuMOKDkATX9UBi+ztX4O/wyFFa22cE8bp92z43UFklG6G yqbNHnwNy5ywqKhUD7c7UfMj01MhmnzEIbIUYGAjvVHnL6IX311tjMhLLxpmGaVZ g76/BLC3nTZ/gIIOZxQBnMHDhkgKi1W0GIYbASvZPXCR2+n5MS0xv0exvpH7sW7j nCHwfxaXRbOHU0dJ5SOjecgNzqMEzYfWQOEmpgDksqtqgsGVgYWLSmV8Gk/BlN48 cutr9VcjHfthea2eXLr+l+9Uwx1r5y+FzlUmvOPCYDVMO4dylbDfAO5I6oXZ3PTP 7G5EVQTI9jo= =02cx -----END PGP SIGNATURE-----