Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3984
resource-agents security and bug fix update
11 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: resource-agents
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Impact/Access: Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-11078
Reference: ESB-2020.3857
ESB-2020.1906
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:5004
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: resource-agents security and bug fix update
Advisory ID: RHSA-2020:5004-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5004
Issue date: 2020-11-10
CVE Names: CVE-2020-11078
=====================================================================
1. Summary:
An update for resource-agents is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Server High Availability (v. 7) - ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - ppc64le, s390x, x86_64
Red Hat Enterprise Linux for SAP (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux for SAP HANA (v. 7) - ppc64le, x86_64
3. Description:
The resource-agents packages provide the Pacemaker and RGManager service
managers with a set of scripts. These scripts interface with several
services to allow operating in a high-availability (HA) environment.
Security Fix(es):
* python-httplib2: CRLF injection via an attacker controlled unescaped part
of uri for httplib2.Http.request function (CVE-2020-11078)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* gcp-vpc-move-vip: An existing alias IP range is removed when a second
alias IP range is added (BZ#1846732)
* sybaseASE: Resource fails to complete a probe operation without access to
$sybase_home [RHEL 7] (BZ#1848673)
* azure-lb: Resource fails intermittently due to nc output redirection to
pidfile (BZ#1850779)
* azure-events: handle exceptions in urlopen (RHEL7) (BZ#1862121)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1845937 - CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled
unescaped part of uri for httplib2.Http.request function
1848673 - sybaseASE: Resource fails to complete a probe operation without access to
$sybase_home [RHEL 7]
1862121 - azure-events: handle exceptions in urlopen (RHEL7)
6. Package List:
Red Hat Enterprise Linux Server High Availability (v. 7):
Source:
resource-agents-4.1.1-61.el7_9.4.src.rpm
ppc64le:
resource-agents-4.1.1-61.el7_9.4.ppc64le.rpm
resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm
s390x:
resource-agents-4.1.1-61.el7_9.4.s390x.rpm
resource-agents-debuginfo-4.1.1-61.el7_9.4.s390x.rpm
x86_64:
resource-agents-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-aliyun-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-gcp-4.1.1-61.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Server Resilient Storage (v. 7):
Source:
resource-agents-4.1.1-61.el7_9.4.src.rpm
ppc64le:
resource-agents-4.1.1-61.el7_9.4.ppc64le.rpm
resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm
s390x:
resource-agents-4.1.1-61.el7_9.4.s390x.rpm
resource-agents-debuginfo-4.1.1-61.el7_9.4.s390x.rpm
x86_64:
resource-agents-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-aliyun-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-gcp-4.1.1-61.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux for SAP (v. 7):
Source:
resource-agents-4.1.1-61.el7_9.4.src.rpm
ppc64le:
resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm
resource-agents-sap-4.1.1-61.el7_9.4.ppc64le.rpm
sap-cluster-connector-3.0.1-37.el7_9.4.ppc64le.rpm
x86_64:
resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-sap-4.1.1-61.el7_9.4.x86_64.rpm
sap-cluster-connector-3.0.1-37.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux for SAP HANA (v. 7):
Source:
resource-agents-4.1.1-61.el7_9.4.src.rpm
ppc64le:
resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm
resource-agents-sap-hana-4.1.1-61.el7_9.4.ppc64le.rpm
resource-agents-sap-hana-scaleout-0.164.0-6.el7_9.4.ppc64le.rpm
x86_64:
resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-sap-hana-4.1.1-61.el7_9.4.x86_64.rpm
resource-agents-sap-hana-scaleout-0.164.0-6.el7_9.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-11078
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX6qUBNzjgjWX9erEAQitPQ/9HAyFbW2F4KsIRUYzMm31vKTNKTXFraHR
Nr2nfsiBlyglaH3oyInIo8POdYwuHEarKhVVA5yjctiEkTuCQH/FZpQGp4QketsS
d2B7mTob7CV5munyUfNhAOseJL42WvSHWfhZX3XHaUGCaZiGAKlLlPaOIGKvMeV9
rv1ZLYjMQpGNk2At53ga9gB4lWbBh4BlfU8LtiIbcuLejZFvl3FeGaTNzBfy2Oa1
I0yMtqLTOqVKnNv9vZl441lwIRzKuNIUse/e2FDDXBnB7hJbST7MAd+RVlQ1ohib
Y8WcLklcBQ5C3cEj2b8gmcO/cnoXh/nU2T1nrw94VQ12emRXfcpRJpVDyd9cT8Nt
RxgBaCOpCJZrOM/ZSRIAj1sjbLFNZ9CYNqLruhqgQvBiwScHgDxqGmMqzz5eSkgl
e7+YQBmoL23+eev7ficNh7tmgC6TqVOMFUYqnp4zVyueTthsZ0Xx/no4tNRsm+pX
J6rW0d8JykXHKxzDDolzNPB3eZ/o1dVRnaiSlrPJzWH06mcioXmwlTGOTTpnzLag
5cGAyJVIFzZD2m6KU6+wn2UEPxtwNJwOr6PXovPRUmz/qJlf6VQHYiiW6CD/fCaT
Ivbg6h9gd9gOuU8pkDga7gde6MgQWRYlwC5fYlKU003WiwyHdhxXVbey4j0wimBe
p7wevIiZUnU=
=ru0n
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX6tsseNLKJtyKPYoAQie9RAApBwB1M4t2SDBxxvHq/hKdMwtSDjkrH/r
0NLHCyRe8kXDmx/fVWMddQpkKFL/5xZWmw97Zl5pAkmWkRaYlYOn1CeGJEzF5KN5
kl9353z7tz7Ckh25iC33uG6z+GaJdO3/94JPJ9DELz5FKIzF8+IRXa5SfDXU3kTU
7igGNy92Ok2Rt6sKcAsKwq05AmBBB4wc3NdOwjARTcYcAZaBEagry+9n9gvjU/6g
JHmkvSSsJRDSYekzVcMxwVTChwNuvI9Kv9CaWCtJDdv8F0JP80PEQwF1WQ1zG6ln
tAsGuYuZxzKySaQpJZD21iGCdoDxhv/XDZAiXtrW48BSL9DVcG8J32zi+c+W0I3l
71SQhoXUTnxYb0FcaB8x7HWbTv4ZXVPPdrtIuOFd656gWB9m+0Q0A0XS0aQ0liJp
8btHpGX+sTCClNcoNVSJVDLb2aHmrr/Haia0hoGZEw8/AfBXetN0FuYvKBT5N95J
ZHecda1KUULOYLRMShVkgypbih8L/w/H8uqChNDRKfSb+9hqf8rurkOXqonRXtoh
KDXhH/r6mN3IuEFxySdbHqjSvndDRybl8BOYQrQH+6sveuAoVCDJ5tSpum8oHQKS
OfJ+Bj8Dvnhm2KqtyjzRdYZm3Xg7UHCQLkNdFJqxc4A8YoMjT0U2kTrn9VuHKRz8
5bouTvxztDI=
=WDVC
-----END PGP SIGNATURE-----