[ClusterLabs] Fix for CVE-2022-2735 in pcs 0.9 version

Tomas Jelinek tojeline at redhat.com
Mon Sep 12 10:32:21 EDT 2022


Hi,

As far as I know, pcs-0.9.x isn't affected by CVE-2022-2735. Therefore, 
no fix for it is planned. Could you explain why you think it is affected?

Both main (pcs-0.11) and pcs-0.10 upstream branches do contain the fix. 
We are working on releasing new versions. In the meantime, you may use 
the top of the branches. Fixed packages have also already been released 
by various Linux distributions.

Regards,
Tomas



On 12. 09. 22 at 8:19, A Gunasekar via Users wrote:
> Hi Team,
> 
> Please be informed that we have been notified by our security tool that our 
> pcs version 0.9 is affected by *CVE-2022-2735*.
> 
> It would be great if you could help us get answers to the queries below.
> 
>   * We are currently on RHEL 7.9 and using pcs version 0.9. Is there
>     any fix planned/available for this affected version (0.9.x) of pcs?
>   * From the ClusterLabs portal, we can see that even the pcs 0.10.x or the
>     main branch 0.11.x released versions don’t have a fix for this CVE. So
>     kindly let us know in which release this CVE fix is planned.
> 
> https://github.com/ClusterLabs/pcs/blob/main/CHANGELOG.md
> 
> /Change Log/
> 
> /[Unreleased]/
> 
> /Security/
> 
> /CVE-2022-2735 pcs: obtaining an authentication token for hacluster 
> user could lead to privilege escalation (rhbz#2116841)/
> 
> *Our system Details:-*
> 
> OS Version: RHEL 7.9
> 
> ClusterLabs PCS version: 0.9
> 
> Ericsson <http://www.ericsson.com/>
> 
> *Gunasekar A*
> 
> Senior Software Engineer
> 
> BDGS SA BSS PDU BSS PDG EC CH NGCRS
> 
> Mobile: +919894561292
> 
> Email ID: a.gunasekar at ericsson.com <mailto:gunalan.a.s at ericsson.com>
> 
> 