Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3984 resource-agents security and bug fix update 11 November 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: resource-agents Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Impact/Access: Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-11078 Reference: ESB-2020.3857 ESB-2020.1906 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:5004 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: resource-agents security and bug fix update Advisory ID: RHSA-2020:5004-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:5004 Issue date: 2020-11-10 CVE Names: CVE-2020-11078 ===================================================================== 1. Summary: An update for resource-agents is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server High Availability (v. 7) - ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Resilient Storage (v. 7) - ppc64le, s390x, x86_64 Red Hat Enterprise Linux for SAP (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux for SAP HANA (v. 7) - ppc64le, x86_64 3. Description: The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. These scripts interface with several services to allow operating in a high-availability (HA) environment. Security Fix(es): * python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function (CVE-2020-11078) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * gcp-vpc-move-vip: An existing alias IP range is removed when a second alias IP range is added (BZ#1846732) * sybaseASE: Resource fails to complete a probe operation without access to $sybase_home [RHEL 7] (BZ#1848673) * azure-lb: Resource fails intermittently due to nc output redirection to pidfile (BZ#1850779) * azure-events: handle exceptions in urlopen (RHEL7) (BZ#1862121) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1845937 - CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function 1848673 - sybaseASE: Resource fails to complete a probe operation without access to $sybase_home [RHEL 7] 1862121 - azure-events: handle exceptions in urlopen (RHEL7) 6. Package List: Red Hat Enterprise Linux Server High Availability (v. 7): Source: resource-agents-4.1.1-61.el7_9.4.src.rpm ppc64le: resource-agents-4.1.1-61.el7_9.4.ppc64le.rpm resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm s390x: resource-agents-4.1.1-61.el7_9.4.s390x.rpm resource-agents-debuginfo-4.1.1-61.el7_9.4.s390x.rpm x86_64: resource-agents-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-aliyun-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-gcp-4.1.1-61.el7_9.4.x86_64.rpm Red Hat Enterprise Linux Server Resilient Storage (v. 7): Source: resource-agents-4.1.1-61.el7_9.4.src.rpm ppc64le: resource-agents-4.1.1-61.el7_9.4.ppc64le.rpm resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm s390x: resource-agents-4.1.1-61.el7_9.4.s390x.rpm resource-agents-debuginfo-4.1.1-61.el7_9.4.s390x.rpm x86_64: resource-agents-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-aliyun-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-gcp-4.1.1-61.el7_9.4.x86_64.rpm Red Hat Enterprise Linux for SAP (v. 7): Source: resource-agents-4.1.1-61.el7_9.4.src.rpm ppc64le: resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm resource-agents-sap-4.1.1-61.el7_9.4.ppc64le.rpm sap-cluster-connector-3.0.1-37.el7_9.4.ppc64le.rpm x86_64: resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-sap-4.1.1-61.el7_9.4.x86_64.rpm sap-cluster-connector-3.0.1-37.el7_9.4.x86_64.rpm Red Hat Enterprise Linux for SAP HANA (v. 7): Source: resource-agents-4.1.1-61.el7_9.4.src.rpm ppc64le: resource-agents-debuginfo-4.1.1-61.el7_9.4.ppc64le.rpm resource-agents-sap-hana-4.1.1-61.el7_9.4.ppc64le.rpm resource-agents-sap-hana-scaleout-0.164.0-6.el7_9.4.ppc64le.rpm x86_64: resource-agents-debuginfo-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-sap-hana-4.1.1-61.el7_9.4.x86_64.rpm resource-agents-sap-hana-scaleout-0.164.0-6.el7_9.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-11078 https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX6qUBNzjgjWX9erEAQitPQ/9HAyFbW2F4KsIRUYzMm31vKTNKTXFraHR Nr2nfsiBlyglaH3oyInIo8POdYwuHEarKhVVA5yjctiEkTuCQH/FZpQGp4QketsS d2B7mTob7CV5munyUfNhAOseJL42WvSHWfhZX3XHaUGCaZiGAKlLlPaOIGKvMeV9 rv1ZLYjMQpGNk2At53ga9gB4lWbBh4BlfU8LtiIbcuLejZFvl3FeGaTNzBfy2Oa1 I0yMtqLTOqVKnNv9vZl441lwIRzKuNIUse/e2FDDXBnB7hJbST7MAd+RVlQ1ohib Y8WcLklcBQ5C3cEj2b8gmcO/cnoXh/nU2T1nrw94VQ12emRXfcpRJpVDyd9cT8Nt RxgBaCOpCJZrOM/ZSRIAj1sjbLFNZ9CYNqLruhqgQvBiwScHgDxqGmMqzz5eSkgl e7+YQBmoL23+eev7ficNh7tmgC6TqVOMFUYqnp4zVyueTthsZ0Xx/no4tNRsm+pX J6rW0d8JykXHKxzDDolzNPB3eZ/o1dVRnaiSlrPJzWH06mcioXmwlTGOTTpnzLag 5cGAyJVIFzZD2m6KU6+wn2UEPxtwNJwOr6PXovPRUmz/qJlf6VQHYiiW6CD/fCaT Ivbg6h9gd9gOuU8pkDga7gde6MgQWRYlwC5fYlKU003WiwyHdhxXVbey4j0wimBe p7wevIiZUnU= =ru0n - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX6tsseNLKJtyKPYoAQie9RAApBwB1M4t2SDBxxvHq/hKdMwtSDjkrH/r 0NLHCyRe8kXDmx/fVWMddQpkKFL/5xZWmw97Zl5pAkmWkRaYlYOn1CeGJEzF5KN5 kl9353z7tz7Ckh25iC33uG6z+GaJdO3/94JPJ9DELz5FKIzF8+IRXa5SfDXU3kTU 7igGNy92Ok2Rt6sKcAsKwq05AmBBB4wc3NdOwjARTcYcAZaBEagry+9n9gvjU/6g JHmkvSSsJRDSYekzVcMxwVTChwNuvI9Kv9CaWCtJDdv8F0JP80PEQwF1WQ1zG6ln tAsGuYuZxzKySaQpJZD21iGCdoDxhv/XDZAiXtrW48BSL9DVcG8J32zi+c+W0I3l 71SQhoXUTnxYb0FcaB8x7HWbTv4ZXVPPdrtIuOFd656gWB9m+0Q0A0XS0aQ0liJp 8btHpGX+sTCClNcoNVSJVDLb2aHmrr/Haia0hoGZEw8/AfBXetN0FuYvKBT5N95J ZHecda1KUULOYLRMShVkgypbih8L/w/H8uqChNDRKfSb+9hqf8rurkOXqonRXtoh KDXhH/r6mN3IuEFxySdbHqjSvndDRybl8BOYQrQH+6sveuAoVCDJ5tSpum8oHQKS OfJ+Bj8Dvnhm2KqtyjzRdYZm3Xg7UHCQLkNdFJqxc4A8YoMjT0U2kTrn9VuHKRz8 5bouTvxztDI= =WDVC -----END PGP SIGNATURE-----