Headline
CVE-2020-25654: [ClusterLabs] FYI: Pacemaker vulnerability CVE-2020-25654
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
Ken Gaillot kgaillot at redhat.com
Tue Oct 27 11:06:39 EDT 2020
- Previous message (by thread): [ClusterLabs] Setup Apache virtual IP SSL certificate config
- Next message (by thread): [ClusterLabs] Pacemaker 2.0.5-rc2 now available
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi all,
A vulnerability was found in Pacemaker allowing a user who is in the haclient group but restricted by ACLs to bypass those ACLs. It has been assigned the ID CVE-2020-25654.
This will be fixed in the 2.0 and master branches today, along with a 2.0.5-rc2 release that includes the fix. It will also be fixed in the 1.1 branch along with a 1.1.24-rc1 release that includes just this. I will also post patches for the 2.0.3 and 2.0.4 releases to the developers at clusterlabs.org list. – Ken Gaillot <kgaillot at redhat.com>
- Previous message (by thread): [ClusterLabs] Setup Apache virtual IP SSL certificate config
- Next message (by thread): [ClusterLabs] Pacemaker 2.0.5-rc2 now available
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list
Related news
Gentoo Linux Security Advisory 202309-9 - Multiple vulnerabilities have been found in Pacemaker, the worst of which could result in root privilege escalation. Versions greater than or equal to 2.0.5_rc2 are affected.