-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3823
               pcs security, bug fix, and enhancement update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pcs
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11023 CVE-2020-7656 

Reference:         ESB-2021.1703
                   ESB-2021.0923
                   ESB-2020.3487

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4142

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: pcs security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:4142-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4142
Issue date:        2021-11-09
CVE Names:         CVE-2020-7656 CVE-2020-11023 
=====================================================================

1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HighAvailability (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux ResilientStorage (v. 8) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.

The following packages have been upgraded to a later upstream version: pcs
(0.10.10). (BZ#1935594)

Security Fix(es):

* jquery: Cross-site scripting (XSS) via <script> HTML tags containing
whitespaces (CVE-2020-7656)

* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1290830 - [RFE] pcs command is missing a way to retrieve the status of a single resource
1432097 - pcs status nodes shows incomplete information when both standby and maintenance modes are set for a node
1678273 - Moving the last resource from a group may result in an invalid CIB
1690419 - Improve guest node error message when pacemaker_remote is running
1720221 - [RFE] Add support for corosync option totem.block_unlisted_ips
1759995 - [RFE] Need ability to add/remove storage devices with scsi fencing
1841019 - [TechPreview Exit][RFE] Add a 'local' cluster setup command
1850004 - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
1850119 - CVE-2020-7656 jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces
1854238 - Labeling and Confirmation Dialog for UI Elements start(on)/stop(off)/restart(reboot)
1872378 - [RFE] Provide a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources
1885293 - Support new role terminology in pacemaker 2.1
1885302 - reflect changes in crm_mon --as-xml
1896458 - Default rules with node attributes expressions can be created but are not in effect
1909901 - [RFE] Add --quiet flag to pcs resource disable --safe to only show error messages instead of full output
1922996 - New web UI - add more functionalities to the cluster management
1927384 - New web UI - clone and group settings are not in effect when creating new resource
1927394 - New web UI - cleanup of resource and fence device doesn't work
1930886 - Update help/man pcs to include clone id as an option in 'pcs resource unclone' parameters
1935594 - pcs rebase bz for 8.5
1984901 - sbd can't be enabled via pcs with stopped cluster
1991654 - update-scsi-devices command unfence a node without quorum
1992668 - [RFE] Provide add/remove syntax for command `pcs stonith update-scsi-devices`
1998454 - nginx resource can't be created

6. Package List:

Red Hat Enterprise Linux HighAvailability (v. 8):

Source:
pcs-0.10.10-4.el8.src.rpm

aarch64:
pcs-0.10.10-4.el8.aarch64.rpm
pcs-snmp-0.10.10-4.el8.aarch64.rpm

ppc64le:
pcs-0.10.10-4.el8.ppc64le.rpm
pcs-snmp-0.10.10-4.el8.ppc64le.rpm

s390x:
pcs-0.10.10-4.el8.s390x.rpm
pcs-snmp-0.10.10-4.el8.s390x.rpm

x86_64:
pcs-0.10.10-4.el8.x86_64.rpm
pcs-snmp-0.10.10-4.el8.x86_64.rpm

Red Hat Enterprise Linux ResilientStorage (v. 8):

Source:
pcs-0.10.10-4.el8.src.rpm

ppc64le:
pcs-0.10.10-4.el8.ppc64le.rpm
pcs-snmp-0.10.10-4.el8.ppc64le.rpm

s390x:
pcs-0.10.10-4.el8.s390x.rpm
pcs-snmp-0.10.10-4.el8.s390x.rpm

x86_64:
pcs-0.10.10-4.el8.x86_64.rpm
pcs-snmp-0.10.10-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7656
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYre19zjgjWX9erEAQhbXQ//fpAgz6azVHUidymjlIJ/d65HrM9a+hwU
2c7zeYGKSBUpxWTIo0LzwVn7oQTJpmPdbDZzedS14e3ZijQcMjwImHI6yzlAkDxl
hycmu4PakPBE3s7tmOIaUybc8opHPDLGbyBvohe7O3U+5oTvUBWhI35jeX3CTjsE
RQFEwII4uqiTJ5pOnVN0TFfkooz5pY6oArGPg3kFb+17T9C0TWXxB/Nbyqg+yLJ3
krjB/aFgcm2RsP+IFB9Rg6RFaovKozXhckhJ+UxC2sQWKehnU8bhLVCf+l5psM6l
jnQtZi2LQOXlB8UQsjK3PWtyxVF7/MFmfLK7VX3RStCxukLKDIGc99tYl4zjgrJQ
LshNnrn6Lz6iWiMFPFnwDhOAbey5LUrpygQUgVU1t4Mhtlpu5FTPGxiZkSVdPPUe
Kg/VCDkxPMVO6Mhnjg6axWYiv3WmvM3DLTL0alqjyShe6BW2E/BB8trt9eaCpoe/
EtDBmrBKwLyK5LnToeLK0GL+HDGQDUjL0eWRNKJox8PVtFEtSkyn7I8jaOVeyTIc
F9kOxECcY4tQBFegYaDXCIIBAGJda4eyzZR95zzwRWdl8AxuffV8n7enKfShMeqY
L1HtkJq3Twced5fqhHRhqwKHEzWl3nKqTz8/gt5OjjLKNZ0M62oTeUjR918+k7+U
OPYd9garVDY=
=fv9r
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYYtji+NLKJtyKPYoAQgQvw//TLoI/hXZDcff8R6a1RCp+Ncy8gBPjMqQ
azi2ksHeVfjMdnzxQIU3UIq/+FL0GfcMZJackLwliuwZNYZXwpk48xxM1lWyfEjN
v2QtDcFitVoLjPx2Y4WosxzziOpoJyzImg1Kj61C2SXL/VI2MGzY8cWXVRvb/JfN
mRWrkHvsZIlYXCK0vLzlr9BLOBvmjyp9sIADZ/s8fbVDjW7imObQUwkzvAzRQu5f
nKVrWpBldBTAoQsOYQZeFFs5nCVh55Xxmd9wbhzsbFyio493xnWtq/gRPzJhbNbx
ZMk2OUEpt8zvHsAlOJM3dbDOqhXHRRCnGhnmsrDRKxct4N6hbGx2KIB8F1Td+aGc
RTsYBrjQCi59AxnmfMn+dFiC8x82HLkuUrQf96PMwrOcNkT6CmB2hbYg5q6+stSN
5w6ToN+AxgaTQHf4LmkKjqe+NkvaXYrTp/YKnQdYHs/i74aZCr0JTkJ3IhpZpTkz
H4jzX3v0lEtjIZdRxgjPMhS+z4zXtfXY5L7g2H6FHzT+QXtRGQVNp/O9aqLKSw/d
ehNogl1uic2l87CFuXu9LIztRFf6iH1k+vFC0IMYDj93zDmqK1KKT0KnDIlb+cJK
E6Kog1C+fd25UDhqIOeliW+BOi3pF5a/D68yC9wh9OCGhTo/yK/IJFLVtv31hlzW
7w2oVe0CnpU=
=BMs/
-----END PGP SIGNATURE-----