-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3823
               pcs security, bug fix, and enhancement update
                              10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pcs
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11023 CVE-2020-7656
Reference:         ESB-2021.1703
                   ESB-2021.0923
                   ESB-2020.3487

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4142

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: pcs security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:4142-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4142
Issue date:        2021-11-09
CVE Names:         CVE-2020-7656 CVE-2020-11023
=====================================================================

1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HighAvailability (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux ResilientStorage (v. 8) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.

The following packages have been upgraded to a later upstream version: pcs
(0.10.10). (BZ#1935594)

Security Fix(es):

* jquery: Cross-site scripting (XSS) via <script> HTML tags containing
whitespaces (CVE-2020-7656)

* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1290830 - [RFE] pcs command is missing a way to retrieve the status of a single resource
1432097 - pcs status nodes shows incomplete information when both standby and maintenance modes are set for a node
1678273 - Moving the last resource from a group may result in an invalid CIB
1690419 - Improve guest node error message when pacemaker_remote is running
1720221 - [RFE] Add support for corosync option totem.block_unlisted_ips
1759995 - [RFE] Need ability to add/remove storage devices with scsi fencing
1841019 - [TechPreview Exit][RFE] Add a 'local' cluster setup command
1850004 - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
1850119 - CVE-2020-7656 jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces
1854238 - Labeling and Confirmation Dialog for UI Elements start(on)/stop(off)/restart(reboot)
1872378 - [RFE] Provide a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources
1885293 - Support new role terminology in pacemaker 2.1
1885302 - reflect changes in crm_mon --as-xml
1896458 - Default rules with node attributes expressions can be created but are not in effect
1909901 - [RFE] Add --quiet flag to pcs resource disable --safe to only show error messages instead of full output
1922996 - New web UI - add more functionalities to the cluster management
1927384 - New web UI - clone and group settings are not in effect when creating new resource
1927394 - New web UI - cleanup of resource and fence device doesn't work
1930886 - Update help/man pcs to include clone id as an option in 'pcs resource unclone' parameters
1935594 - pcs rebase bz for 8.5
1984901 - sbd can't be enabled via pcs with stopped cluster
1991654 - update-scsi-devices command unfence a node without quorum
1992668 - [RFE] Provide add/remove syntax for command `pcs stonith update-scsi-devices`
1998454 - nginx resource can't be created

6. Package List:

Red Hat Enterprise Linux HighAvailability (v. 8):

Source:
pcs-0.10.10-4.el8.src.rpm

aarch64:
pcs-0.10.10-4.el8.aarch64.rpm
pcs-snmp-0.10.10-4.el8.aarch64.rpm

ppc64le:
pcs-0.10.10-4.el8.ppc64le.rpm
pcs-snmp-0.10.10-4.el8.ppc64le.rpm

s390x:
pcs-0.10.10-4.el8.s390x.rpm
pcs-snmp-0.10.10-4.el8.s390x.rpm

x86_64:
pcs-0.10.10-4.el8.x86_64.rpm
pcs-snmp-0.10.10-4.el8.x86_64.rpm

Red Hat Enterprise Linux ResilientStorage (v. 8):

Source:
pcs-0.10.10-4.el8.src.rpm

ppc64le:
pcs-0.10.10-4.el8.ppc64le.rpm
pcs-snmp-0.10.10-4.el8.ppc64le.rpm

s390x:
pcs-0.10.10-4.el8.s390x.rpm
pcs-snmp-0.10.10-4.el8.s390x.rpm

x86_64:
pcs-0.10.10-4.el8.x86_64.rpm
pcs-snmp-0.10.10-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7656
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
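The two jQuery fixes named in the Description section above, illustrated as an added example that is not part of the bulletin or of the pcs or jQuery projects: it reproduces the pre-3.5.0 `jQuery.htmlPrefilter` rewrite that underlies CVE-2020-11023, the identity prefilter jQuery 3.5.0 ships (and that the jQuery project published as a runtime mitigation for sites that cannot upgrade), and a version triage helper using the affected ranges from the CVE records (CVE-2020-7656: before 1.9.0; CVE-2020-11023: 1.0.3 up to but not including 3.5.0). The `rxhtmlTag` regex is copied from jQuery 3.4.1; all function names are this example's own.

```javascript
// Added example: mechanism and mitigation for the jQuery issues fixed by RHSA-2021:4142.

// jQuery < 3.5.0 passed every HTML string given to .html()/.append()/etc. through
// jQuery.htmlPrefilter, which expanded self-closing tags such as "<option/>" into
// "<option></option>" (regex reproduced from jQuery 3.4.1). Rewriting markup after
// an application had already sanitized it is what made "safe" input unsafe.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 fix: the prefilter returns the string untouched.
function fixedHtmlPrefilter(html) {
  return html;
}

// Runtime mitigation for deployments stuck on an older jQuery: install the
// identity prefilter over jQuery.htmlPrefilter (jq is the jQuery object, or a
// stand-in when run outside a browser).
function applyHtmlPrefilterMitigation(jq) {
  jq.htmlPrefilter = fixedHtmlPrefilter;
  return jq;
}

// Minimal dotted-version comparison (major.minor.patch), sufficient for jQuery
// release strings such as "1.12.4" or "3.4.1".
function versionLess(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const p = x[i] || 0, q = y[i] || 0;
    if (p !== q) return p < q;
  }
  return false;
}

// Triage: which of the two advisories applies to a given jQuery version string.
// CVE-2020-7656 (.load() script stripping) is fixed in 1.9.0;
// CVE-2020-11023 (htmlPrefilter) affects >= 1.0.3 and < 3.5.0.
function jqueryAdvisories(version) {
  const findings = [];
  if (versionLess(version, "1.9.0")) findings.push("CVE-2020-7656");
  if (!versionLess(version, "1.0.3") && versionLess(version, "3.5.0")) findings.push("CVE-2020-11023");
  return findings;
}
```

Checking the bundled jQuery's `jQuery.fn.jquery` value with `jqueryAdvisories` tells you whether a web UI still needs the update or the prefilter mitigation; the package update in this advisory is the proper fix for pcs.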