oss-sec mailing list archives
3 pacemaker security flaws
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Wed, 17 Apr 2019 15:10:23 +0530
Hello all,

Jan Pokorný from Red Hat has discovered 3 security issues with the pacemaker package. Details and proposed patches are available in this email.

Proposed unembargo date/time is: 10th April, 10:00 UTC

1. CVE-2018-16877 pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc:

A flaw was found in the way pacemaker's client-server authentication was implemented. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.

2. CVE-2018-16878 pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS:

A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS.

3. CVE-2019-3885 pacemaker: Information disclosure through use-after-free:

A use-after-free defect was discovered in pacemaker that can possibly lead to unsolicited information disclosure in the log outputs.

Enclosed are the final patches:

(We would like to thank Suse folks who found issues in the initial set of patches we sent to distros)

--
Huzaifa Sidhpurwala / Red Hat Product Security Team
Attachment:
master.patch