Updated pacemaker packages fix security vulnerabilities
Publication date: 19 Dec 2019
Modification date: 19 Dec 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-3885, CVE-2018-16877, CVE-2018-16878
Description
The updated packages fix security vulnerabilities:
A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information being leaked via the system logs. (CVE-2019-3885)
A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. (CVE-2018-16877)
A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS. (CVE-2018-16878)
References
- https://bugs.mageia.org/show_bug.cgi?id=24691
- https://www.openwall.com/lists/oss-security/2019/04/17/1
- https://www.openwall.com/lists/oss-security/2019/04/18/2
- http://lists.suse.com/pipermail/sle-security-updates/2019-April/005369.html
- https://access.redhat.com/errata/RHSA-2019:1278
- https://usn.ubuntu.com/3952-1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3885
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16877
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16878
SRPMS
7/core
- pacemaker-1.1.19-2.1.mga7