Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0296
crmsh security update
27 January 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: crmsh
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-35459
Reference: ESB-2021.0156
Original Bulletin:
https://www.debian.org/lts/security/2021/dla-2533
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2533-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 25, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : crmsh
Version : 2.3.2-4+deb9u1
CVE ID : CVE-2020-35459
It was discovered that there was an in issue in the command-line tool
for the Pacemaker High Availability stack. Local attackers were able
to execute commands via shell code injection to the "crm history"
command-line tool, potentially allowing escalation of privileges.
For Debian 9 "Stretch", this problem has been fixed in version
2.3.2-4+deb9u1.
We recommend that you upgrade your crmsh packages.
For the detailed security status of crmsh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/crmsh
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmAO3r4ACgkQHpU+J9Qx
Hlhn7xAAsa71MV3K3hCzIlxPe8raFcJ815X9VyX3/TSTiOk25sONTIkQZi1MbUxz
VZP9dv87xsdNyOBVY6R7gxXinmM1pdfiOcJ/Na5/UHi4MWbrXO6dTGxJ9qYa1F9t
Bzt5UU2dHiLKlTSHP5WT0QvH0EHMK7ZONdFbpHsNtATsvqSK2anhep7aB+gN4AMI
AVs4Z21282nGPTb3kHSVS/+540wzrTL1WMiA2UH35scPb+NjoZdE+Xn9m77sqPjb
q4LO0ok1aVmcDX/rIXtGB010udxCIMVX2qaUDS+/geF+QdbbW7HeGxABOJegtHys
QyQd5JDPmnt59pRnlmqPvalI84rSPsPEgoh1CGH8Jkesu2G8TxGpRLTLCzL4rDc4
lALO3AH2kb+XyheWOgPPYVqGyTJte5JOu3As4iko6poTKsDjd0vFfZV+v6yomKZu
dlFaLMC8ClOh9r8FREcYLGrjqUKP32qlok1GWoyqtdCHcpXy7RfjuxWWTDZwwOay
VbKkBMesoK5tqFX4BD2pLuxYH/P/2vyWr/FwD+c3AneL9Xk5fX4kEgTNy/63JkbT
dxQDhQKqIzHv6uqH6NZPQvhZkAqOIK/Ch28x/+l1Gm6dYLW/DocVWBX1iTEb8VpD
uvbtoshqxuxoWYBLqsK3Jp+yNCBHi/i+lnV+h7gJU6Wn+o77vs4=
=oVSi
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYBDbvuNLKJtyKPYoAQjsPw//c4ZFyRodRDIhUIirFzNRL8tMLAT9NJbZ
cF8YuY+y/E3zCMO80K8L34SGMh49BF7+5CmaKrBuzzss1wTnDbyH88th/+GHNhvx
+v7C6HPf7hMJaDIxMZoUMGCcLBw6xEWYXTtT0rdBylKkRH8jrKKsvnN+aFG2E1Kv
9+6p9ukrny/wb4awWg2yzYlTvSejSkc24JaoygDyqYEY+HmrxUkfZtqkiWnA589S
V6Ymy14W0c/lgcWJIQCPSiR0R2dBVffIBwvwgs/m/radG6+NnJ/KZ/P6oQoQk7uZ
e3OoDdYdLcQKkfC+cCTi2F8ke97ZJ5Y/pOokUR16Axa4auSCbZY+v+DlDaVXEil+
Hl2Tqy83zYs/HF54YadiLmpCZ51+tPzNIQEbRp6VBTFfuLpdjWqFDRvYbqejAM+/
QegU0iqbvmpG5UZeYFPJNYlxqqQ48yo3gii0ZJXhcat8HtaMX3kOTbWZeqG+ZaeD
Z5VBQtwGlgb/eYTPg9Wi1osYpOG7uFCtILMXkYspO9vMo+LLdzbOha/k3kN3r9kk
W5UVAxBXW93eZ8MQQdyLIcxcu2Lgp42LlugGeTBu1W09SrjgVqsKsJLDcMAhQJjj
s/h0nmIDB6SQFjipsLtKRigUuyUtQN1jffySvtC6AnQEhBr+gL5KtQXl5FqnEBy/
g18XfmEisYw=
=ajg8
-----END PGP SIGNATURE-----