Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2023
pcs security and bug fix update
11 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: pcs
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 8
Red Hat Enterprise Linux WS/Desktop 8
Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-10663
Reference: ESB-2020.1638
ESB-2020.1580
ESB-2020.1467
ESB-2020.1405
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2462
https://access.redhat.com/errata/RHSA-2020:2473
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: pcs security and bug fix update
Advisory ID: RHSA-2020:2462-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2462
Issue date: 2020-06-10
CVE Names: CVE-2020-10663
=====================================================================
1. Summary:
An update for pcs is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux High Availability (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Resilient Storage (v. 8) - ppc64le, s390x, x86_64
3. Description:
The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.
Security Fix(es):
* rubygem-json: Unsafe Object Creation Vulnerability in JSON
(CVE-2020-10663)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* pcs status on remotes is not working on rhel8.2 any longer (BZ#1832914)
* pcs cluster stop --all throws errors and doesn't seem to honor the
request-timeout option (BZ#1838084)
* [GUI] Colocation constraint can't be added (BZ#1840158)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1827500 - CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON
1832914 - pcs status on remotes is not working on rhel8.2 any longer [rhel-8.2.0.z]
1838084 - pcs cluster stop --all throws errors and doesn't seem to honor the request-timeout option [rhel-8.2.0.z]
1840158 - [GUI] Colocation constraint can't be added [rhel-8.2.0.z]
6. Package List:
Red Hat Enterprise Linux High Availability (v. 8):
Source:
pcs-0.10.4-6.el8_2.1.src.rpm
aarch64:
pcs-0.10.4-6.el8_2.1.aarch64.rpm
pcs-snmp-0.10.4-6.el8_2.1.aarch64.rpm
ppc64le:
pcs-0.10.4-6.el8_2.1.ppc64le.rpm
pcs-snmp-0.10.4-6.el8_2.1.ppc64le.rpm
s390x:
pcs-0.10.4-6.el8_2.1.s390x.rpm
pcs-snmp-0.10.4-6.el8_2.1.s390x.rpm
x86_64:
pcs-0.10.4-6.el8_2.1.x86_64.rpm
pcs-snmp-0.10.4-6.el8_2.1.x86_64.rpm
Red Hat Enterprise Linux Resilient Storage (v. 8):
Source:
pcs-0.10.4-6.el8_2.1.src.rpm
ppc64le:
pcs-0.10.4-6.el8_2.1.ppc64le.rpm
pcs-snmp-0.10.4-6.el8_2.1.ppc64le.rpm
s390x:
pcs-0.10.4-6.el8_2.1.s390x.rpm
pcs-snmp-0.10.4-6.el8_2.1.s390x.rpm
x86_64:
pcs-0.10.4-6.el8_2.1.x86_64.rpm
pcs-snmp-0.10.4-6.el8_2.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-10663
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXuDv09zjgjWX9erEAQgUgxAAm0rce6jMyGiS7GTKez7wk5utbYzMtEYs
u2muf2yltVhqOF4NnKbQDgMnwNxgWPxSmumCDYwItyvZIyo+rmKU37s75ytdOuZq
1Jn3bcBhHCWV8pAW6VH7bfvAmp9iZV7gZPCalLAHDzgQbB3FZDP3oHS7YRiz47uE
V7+zq3k5yQPHq159PtHUeQcDnMoib48ZFxIJq0jzVMejELPm90rKWBCi92sL+taH
2gRYegaeJ8ApQcAj+VX7KHk00+p8j5tW1W8yU0KVanzQZNtzawOvgIJINJTGdoF5
jePAmuHgZZNmCJJic1NfT8p1a+hViwwfnXl8K99DtnzMRJplwqczLT2GW/IqMKZ4
3aAy7oJGmkcC9hd9+oQppP/Q3IChUHRLy9i8/Uen1b8jBYRxR5D13zbN1WgnNYOV
2Hq/o0CjSMG9yybEEO9+Cfp2YlKIZRUiYgZFr2oTWPjsMc80C+gTZYCijPnd+kE5
foaxMIkIa/Q62ZMdCD//KzPhvAqCRKMcHp/i22mRjeximbIUJlbOxdjJyK1ke8hY
LUETRWSlRcwaLHDzMARj3lD9fJnS9LYsi8n4/L/3HhneJYB5qkqRTlnHU/KUnWLo
IZlDHvVr8jzSZap2hbqGYEy9wun0PjyMP6TLXYSHLZ+1TwRcXwJzCEAMPrfL3Ksp
/2+qGWqFiek=
=lJHU
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: pcs security and bug fix update
Advisory ID: RHSA-2020:2473-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2473
Issue date: 2020-06-10
CVE Names: CVE-2020-10663
=====================================================================
1. Summary:
An update for pcs is now available for Red Hat Enterprise Linux 8.0 Update
Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux High Availability E4S (v. 8.0) - ppc64le, s390x, x86_64
3. Description:
The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.
Security Fix(es):
* rubygem-json: Unsafe Object Creation Vulnerability in JSON
(CVE-2020-10663)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* [GUI] Colocation constraint can't be added (BZ#1840156)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1827500 - CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON
1840156 - [GUI] Colocation constraint can't be added [rhel-8.0.0.z]
6. Package List:
Red Hat Enterprise Linux High Availability E4S (v. 8.0):
Source:
pcs-0.10.1-4.el8_0.5.src.rpm
ppc64le:
pcs-0.10.1-4.el8_0.5.ppc64le.rpm
pcs-snmp-0.10.1-4.el8_0.5.ppc64le.rpm
s390x:
pcs-0.10.1-4.el8_0.5.s390x.rpm
pcs-snmp-0.10.1-4.el8_0.5.s390x.rpm
x86_64:
pcs-0.10.1-4.el8_0.5.x86_64.rpm
pcs-snmp-0.10.1-4.el8_0.5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-10663
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXuCnNNzjgjWX9erEAQhn8BAAlJGG3ZwtN4jatsrL6EpJDpvsf8UTyU9I
U7SDnWXCsDMav4YRSrDaU1ehgZPdpc9K1f6mbSMNN3adD6uZrZ8Q+fnER5566Jxd
i6csd3BIpD6woZRV2dt/1gxZBJiPkrYEv2N16lTluYUeLbghM1NoJwMaoX/NYzPF
Posi/hPByJohdWE1ZiKjJAYA8Oh3wflvBD1PgPoDuKcVnaA+MatZUGNKmKSadNQ4
iviBB3tYHhWmTOmc1aQeGPHS1vaViHDxwnJy/V1CgumAn1srZipADz0w/KhArPXA
EBxpiFuDNl5L4+SEE3Bmaw9j06Sl30qIHY/Y+8Q1rPuhDgl/Rp9mAEyO7wkqkJ34
OjLGrGL6VNXY1pUsA2mly1RlG6/c32sfSwanwnk8xXPzNoUGWLaEsCYp0hMkCCH2
0jF9/Cv+ArR6J40RJ/niLF8aeb9b92ti5GDiV/mL1WfWlcmKxftrxH2eCKAAchQO
uCigdSvE/4KEm01WmtDqC+/ww4bayzY85sJYXfpvez8kc+9K03tn5u7WlsJ2kfyq
6XNKvOoaGQK+/lXMjauc4RENGlayP8ozMprxGiwdZafXCTr+FSQ70B7jrK7vrApM
O8hZosYnKBkUWNtw+VaJ9bOcYi94DRz2xHFvJ+myPh4ZsZfLapbeW6dC3OEbpXeD
Xk+WLODdlu0=
=9Dl9
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXuGN5eNLKJtyKPYoAQi3HQ//d+k7Z5OnfjLwRIi+B17SMBAFP3DqeBJr
v0t04rk27vWLC9rxx3Pq9F5ZmFcN0+aBDdkdya3bs7qMcT9ds9aYxHrGn6SThJNv
cZg0uUy49Ft2/XMwCBXYY+xyzJvoRcBQDrOyQQGbrSOhcQpxgmpRgfC8Hb4HP+PT
9lRAaU7ipN7FZYVE3vHhbhSmsKNu/cXmBOAq+lWKtV0/AZ1N3XOiZhUsNU2Oi8y3
K+3JcRqhRMl/SwaU6a9P4Z1X8suUuCnJ+FIpyQ3YlmJLNO0WQQCbBE55fXN775xx
Vvdgr84hqg9W+TaxFJHW7KjnkW/wEHzSCbfI+hbunTmmBCAiGOLU+Ce520mnYaWq
5kXotngNLFNNb2L7a9JLpBP6tQR6rHVazstN2Vsv4QwFRCmAV4UBaMTQgm7YcEiv
arKKOfZElTvsAEvIYLO1jJ8zf+QlxEFQZc+RkK4+F/3cq0Ssf+in+pEQ6GY0LNrr
C3x/kkL6UUu5aksRVAJWaZj/wi543Avd6oz81Z3PakrqcQ+mqMoVAa2su5P4MmQm
nTvAiRdfu7cS/cofiVBX4XFKOS0PhqRsuRdhBMQOUBdh7gJnV+NVM2VpehiCtWGo
vYxCFiwqLOwdygzBOYFCBTt7fb2zK1MH5268LeyLwhXmDBcjZyLocz4IUTTe7rCK
y6L6tBUWiU8=
=M/1C
-----END PGP SIGNATURE-----