[ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358

Tomas Jelinek tojeline at redhat.com
Tue Jan 31 03:18:40 EST 2023


Hi A Gunasekar,

These CVEs are fixed in pcs-0.10.9 and newer and pcs-0.11.1 and newer 
(the 0.11 branch was never affected).

Regards,
Tomas
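
As an added example (not code from pcs, ClusterLabs, or anyone in this thread), the following Python script turns the fixed-version facts stated in the thread into a check a defender can run against the pcs package installed on a node: upstream 0.10.x needs 0.10.9 or newer, the 0.11 branch was never affected, upstream 0.9 received no fix, and on RHEL 7 the downstream fix is the pcs-0.9.169-3.el7_9.3 package named earlier in the thread. The `vercmp` helper is a simplified version of rpm's comparison (assumption: no tilde or caret handling), the `rpm -q pcs` call runs only when the script is executed directly, and treating RHEL 7 releases older than 3.el7_9.3 as unfixed is an assumption consistent with the thread rather than a statement made in it.

```python
import re
import subprocess

# Fixed versions as stated in this thread (Tomas Jelinek's replies):
#   upstream: pcs-0.10.9 and newer; the 0.11 branch was never affected
#   RHEL 7 downstream backport: pcs-0.9.169-3.el7_9.3, released 2022-11-02
# Upstream pcs-0.9 is unsupported and received no fix.
UPSTREAM_FIXED = {(0, 10): "0.10.9"}
NEVER_AFFECTED_BRANCHES = {(0, 11)}
RHEL7_FIXED_VERSION = "0.9.169"
RHEL7_FIXED_RELEASE = "3.el7_9.3"

_NVR = re.compile(
    r"^(?:pcs-)?(?P<ver>\d+(?:\.\d+)+)"                          # version, e.g. 0.10.8
    r"(?:-(?P<rel>[0-9A-Za-z._+]+?))?"                            # optional rpm release
    r"(?:\.(?:src|noarch|i686|x86_64|aarch64|ppc64le|s390x))?$"  # optional arch suffix
)


def _segments(text):
    """Split into rpm-style segments: ints for digit runs, str for alpha runs."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", text)]


def vercmp(a, b):
    """Simplified rpmvercmp (assumption: no tilde/caret handling). Returns -1, 0 or 1.
    Numeric segments sort after alphabetic ones; with an equal prefix, more segments wins."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(nvr):
    """'pcs-0.9.169-3.el7_9.3.x86_64' -> ('0.9.169', '3.el7_9.3');
    a bare '0.10.8' -> ('0.10.8', None)."""
    m = _NVR.match(nvr.strip())
    if not m:
        raise ValueError(f"unrecognised pcs version string: {nvr!r}")
    return m.group("ver"), m.group("rel")


def status(nvr):
    """Classify an installed pcs version against the CVE fix thresholds.
    Returns 'fixed', 'affected', 'never-affected' or 'unknown-branch'."""
    ver, rel = parse_nvr(nvr)
    parts = ver.split(".")
    branch = (int(parts[0]), int(parts[1]))
    if branch == (0, 9):
        # Only the RHEL 7 backport fixes 0.9; upstream 0.9 stays affected.
        # Assumption: any 0.9.169 release older than 3.el7_9.3 is unfixed.
        if (rel is not None and vercmp(ver, RHEL7_FIXED_VERSION) == 0
                and vercmp(rel, RHEL7_FIXED_RELEASE) >= 0):
            return "fixed"
        return "affected"
    if branch in NEVER_AFFECTED_BRANCHES:
        return "never-affected"
    if branch in UPSTREAM_FIXED:
        return "fixed" if vercmp(ver, UPSTREAM_FIXED[branch]) >= 0 else "affected"
    return "unknown-branch"


def installed_pcs_nvr():
    """Ask rpm for the installed pcs package; None if rpm or pcs is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "pcs"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    nvr = installed_pcs_nvr()
    if nvr is None:
        print("pcs rpm not installed (or rpm unavailable)")
    else:
        print(f"{nvr}: {status(nvr)}")
```

Run it on a node as `python3 pcs_cve_check.py`; on a system built from upstream source rather than rpm, pass the version string from `pcs --version` to `status()` instead. The 0.9 branch is deliberately reported as affected unless the exact RHEL 7 backport is present, because the thread states that no upstream 0.9 release will ever carry the fix.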


On 27. 01. 23 at 9:01, A Gunasekar via Users wrote:
>
> Hi Tomas/Team,
>
> It would be great if you could share in which latest Cluster Labs version 
> the fixes for these CVEs are available, so that we can take that version 
> for upgrade.
>
> Ericsson <http://www.ericsson.com/>
>
>
> *Gunasekar A*
>
> Senior Software Engineer
>
> BDGS SA BSS PDU BSS PDG EC CH NGCRS
>
> Mobile: +919894561292
>
> Email ID: a.gunasekar at ericsson.com <mailto:a.gunasekar at ericsson.com>
>
> Hi A Gunasekar,
>
> The pcs-0.9 branch is unsupported and no longer maintained since
> 2021-04-16. There will be no further releases and commits in that
> branch. Pcs-0.9 only works with Pacemaker 1.x and Corosync 2.x and those
> have been unsupported for quite some time as well.
>
> I recommend updating your cluster stack to newer versions.
>
> Regards,
>
> Tomas
>
> *From:* A Gunasekar
> *Sent:* 20 January 2023 15:55
> *To:* Reid Wahl <nwahl at redhat.com>; Cluster Labs - All topics related 
> to open-source clustering welcomed <users at clusterlabs.org>
> *Cc:* M Vasanthakumar <m.vasanthakumar at ericsson.com>; S Sathish S 
> <s.s.sathish at ericsson.com>
> *Subject:* RE: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
>
> Hi Wahl/Team,
>
> The solution Tomas suggested is from Red Hat delivered rpm packages 
> “*pcs-0.9.169-3.el7_9.3*”.
>
> But we are using Cluster Labs source packages to build pcs rpms for 
> our node.
>
> So it would be good if we get the fixed release details from Cluster 
> Labs for the reported CVEs.
>
>
> *From:* A Gunasekar
> *Sent:* 20 January 2023 15:12
> *To:* Reid Wahl <nwahl at redhat.com>
> *Cc:* M Vasanthakumar <m.vasanthakumar at ericsson.com>; S Sathish S 
> <s.s.sathish at ericsson.com>
> *Subject:* RE: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
>
> Thanks, Wahl, for this information.
>
> *From:* Reid Wahl <nwahl at redhat.com>
> *Sent:* 20 January 2023 11:57
> *To:* A Gunasekar <a.gunasekar at ericsson.com>
> *Cc:* M Vasanthakumar <m.vasanthakumar at ericsson.com>; S Sathish S 
> <s.s.sathish at ericsson.com>
> *Subject:* Re: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
>
> On Thu, Jan 19, 2023 at 9:19 PM A Gunasekar <a.gunasekar at ericsson.com> 
> wrote:
>
>     Hi Wahl,
>
>     Tomas's update was not visible to us, and thanks for sharing it here.
>
>     https://lists.clusterlabs.org/pipermail/users/2022-December/030734.html
>
> You're welcome. Unfortunately, the threads are separated by month. So 
> if a reply is sent in a different month, it doesn't appear in the 
> original thread. You sent your original email in December, and Tomas 
> replied in January. See the following links:
>
> https://lists.clusterlabs.org/pipermail/users/2023-January/thread.html 
>
> https://lists.clusterlabs.org/pipermail/users/2023-January/030750.html 
>
>
>     *From:* Reid Wahl <nwahl at redhat.com>
>     *Sent:* 20 January 2023 03:07
>     *To:* Cluster Labs - All topics related to open-source clustering
>     welcomed <users at clusterlabs.org>
>     *Cc:* A Gunasekar <a.gunasekar at ericsson.com>; M Vasanthakumar
>     <m.vasanthakumar at ericsson.com>; S Sathish S <s.s.sathish at ericsson.com>
>     *Subject:* Re: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
>
>     On Thu, Jan 19, 2023 at 12:54 PM A Gunasekar via Users
>     <users at clusterlabs.org> wrote:
>
>         Hi Team,
>
>         Can we get some update on this?
>
>     Hi,
>
>     What update are you seeking? It looks like Tomas already answered
>     your question. I'll paste his answer again here.
>
>     > Hi A Gunasekar,
>     >
>     > As far as I can see, updated pcs packages pcs-0.9.169-3.el7_9.3 which
>     > fix the mentioned CVEs were released on 2022-11-02.
>     >
>     > Regards,
>     > Tomas
>
>
>         *From:* A Gunasekar
>         *Sent:* 21 December 2022 18:59
>         *To:* users at clusterlabs.org
>         *Cc:* S Sathish S <s.s.sathish at ericsson.com>; M Vasanthakumar
>         <m.vasanthakumar at ericsson.com>
>         *Subject:* Fix for CVE-2022-30123 and CVE-2019-11358
>
>         Hi Team,
>
>         Please be informed, we have been notified by our security
>         tool that our pcs version 0.9 is affected by
>         *CVE-2022-30123 and CVE-2019-11358*.
>
>         It would be great if you could help us get answers for the queries below.
>
>           * We are currently on the RHEL 7.9 OS and using pcs version 0.9.
>             Is there any fix planned/available for this affected
>             version (0.9.x) of pcs?
>           * Let us know in which release the fixes for these CVEs are planned.
>
>         *Our system details:*
>
>         OS Version: RHEL 7.9
>
>         Cluster Labs PCS version: 0.9
>
>
>         _______________________________________________
>         Manage your subscription:
>         https://lists.clusterlabs.org/mailman/listinfo/users
>
>         ClusterLabs home: https://www.clusterlabs.org/
>
>
>
>     -- 
>
>     Regards,
>
>     Reid Wahl (He/Him)
>
>     Senior Software Engineer, Red Hat
>
>     RHEL High Availability - Pacemaker
>
>
>
>
>