[ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358

A Gunasekar a.gunasekar at ericsson.com
Fri Jan 27 03:01:44 EST 2023


Hi Tomas/Team,

It would be great if you could share in which latest ClusterLabs version the fixes are available for these CVEs, so that we can take that version for the upgrade.



[Ericsson]<http://www.ericsson.com/>
Gunasekar A
Senior Software Engineer
BDGS SA BSS PDU BSS PDG EC CH NGCRS
Mobile: +919894561292
Email ID: a.gunasekar at ericsson.com<mailto:a.gunasekar at ericsson.com>



Hi A Gunasekar,

The pcs-0.9 branch is unsupported and no longer maintained since
2021-04-16. There will be no further releases and commits in that
branch. Pcs-0.9 only works with Pacemaker 1.x and Corosync 2.x and those
have been unsupported for quite some time as well.

I recommend updating your cluster stack to newer versions.

Regards,
Tomas


From: A Gunasekar
Sent: 20 January 2023 15:55
To: Reid Wahl <nwahl at redhat.com>; Cluster Labs - All topics related to open-source clustering welcomed <users at clusterlabs.org>
Cc: M Vasanthakumar <m.vasanthakumar at ericsson.com>; S Sathish S <s.s.sathish at ericsson.com>
Subject: RE: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358

Hi Wahl/Team,

The solution Tomas suggested is from the Red Hat delivered rpm package “pcs-0.9.169-3.el7_9.3”.

But we are using ClusterLabs source packages to build pcs rpms for our node.

So it would be good if we could get the fixed release details from ClusterLabs for the reported CVEs.







From: A Gunasekar
Sent: 20 January 2023 15:12
To: Reid Wahl <nwahl at redhat.com<mailto:nwahl at redhat.com>>
Cc: M Vasanthakumar <m.vasanthakumar at ericsson.com<mailto:m.vasanthakumar at ericsson.com>>; S Sathish S <s.s.sathish at ericsson.com<mailto:s.s.sathish at ericsson.com>>
Subject: RE: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358

Thanks, Wahl, for this information.



From: Reid Wahl <nwahl at redhat.com<mailto:nwahl at redhat.com>>
Sent: 20 January 2023 11:57
To: A Gunasekar <a.gunasekar at ericsson.com<mailto:a.gunasekar at ericsson.com>>
Cc: M Vasanthakumar <m.vasanthakumar at ericsson.com<mailto:m.vasanthakumar at ericsson.com>>; S Sathish S <s.s.sathish at ericsson.com<mailto:s.s.sathish at ericsson.com>>
Subject: Re: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358



On Thu, Jan 19, 2023 at 9:19 PM A Gunasekar <a.gunasekar at ericsson.com<mailto:a.gunasekar at ericsson.com>> wrote:
Hi Wahl,

Tomas's update was not visible to us, and thanks for sharing it here.
https://lists.clusterlabs.org/pipermail/users/2022-December/030734.html

You're welcome. Unfortunately, the threads are separated by month. So if a reply is sent in a different month, it doesn't appear in the original thread. You sent your original email in December, and Tomas replied in January. See the following links:
https://lists.clusterlabs.org/pipermail/users/2023-January/thread.html
https://lists.clusterlabs.org/pipermail/users/2023-January/030750.html



From: Reid Wahl <nwahl at redhat.com<mailto:nwahl at redhat.com>>
Sent: 20 January 2023 03:07
To: Cluster Labs - All topics related to open-source clustering welcomed <users at clusterlabs.org<mailto:users at clusterlabs.org>>
Cc: A Gunasekar <a.gunasekar at ericsson.com<mailto:a.gunasekar at ericsson.com>>; M Vasanthakumar <m.vasanthakumar at ericsson.com<mailto:m.vasanthakumar at ericsson.com>>; S Sathish S <s.s.sathish at ericsson.com<mailto:s.s.sathish at ericsson.com>>
Subject: Re: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358



On Thu, Jan 19, 2023 at 12:54 PM A Gunasekar via Users <users at clusterlabs.org<mailto:users at clusterlabs.org>> wrote:
Hi Team,

Can we get some update on this?

Hi,

What update are you seeking? It looks like Tomas already answered your question. I'll paste his answer again here.

> Hi A Gunasekar,
>
> As far as I can see, updated pcs packages pcs-0.9.169-3.el7_9.3 which
> fix the mentioned CVEs were released on 2022-11-02.
>
> Regards,
> Tomas



From: A Gunasekar
Sent: 21 December 2022 18:59
To: users at clusterlabs.org<mailto:users at clusterlabs.org>
Cc: S Sathish S <s.s.sathish at ericsson.com<mailto:s.s.sathish at ericsson.com>>; M Vasanthakumar <m.vasanthakumar at ericsson.com<mailto:m.vasanthakumar at ericsson.com>>
Subject: Fix for CVE-2022-30123 and CVE-2019-11358

Hi Team,

Please be informed that we have been notified by our security tool that our pcs version 0.9 is affected by CVE-2022-30123 and CVE-2019-11358.
It would be great if we could get answers to the queries below.


  *   We are currently on RHEL 7.9 and using pcs version 0.9. Is there any fix planned/available for this affected version (0.9.x) of pcs?
  *   Let us know in which release the fixes for these CVEs are planned.

Our system details:
OS Version: RHEL 7.9
ClusterLabs pcs version: 0.9






--
Regards,
Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker
