Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.4670 booth security update 21 September 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: booth Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2022-2553 Original Bulletin: https://access.redhat.com/errata/RHSA-2022:6580 Comment: CVSS (Max): 6.5 CVE-2022-2553 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: booth security update Advisory ID: RHSA-2022:6580-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:6580 Issue date: 2022-09-20 CVE Names: CVE-2022-2553 ===================================================================== 1. Summary: An update for booth is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux High Availability (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Resilient Storage (v. 9) - noarch, ppc64le, s390x, x86_64 3. Description: The Booth cluster ticket manager is a component to bridge high availability clusters spanning multiple sites, in particular, to provide decision inputs to local Pacemaker cluster resource managers. It operates as a distributed consensus-based service, presumably on a separate physical network. Tickets facilitated by a Booth formation are the units of authorization that can be bound to certain resources. This will ensure that the resources are run at only one (granted) site at a time. Security Fix(es): * booth: authfile directive in booth config file is completely ignored. (CVE-2022-2553) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2109251 - CVE-2022-2553 booth: authfile directive in booth config file is completely ignored. 6. Package List: Red Hat Enterprise Linux High Availability (v. 9): Source: booth-1.0-251.3.bfb2f92.git.el9_0.1.src.rpm aarch64: booth-1.0-251.3.bfb2f92.git.el9_0.1.aarch64.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.aarch64.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.aarch64.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.aarch64.rpm noarch: booth-arbitrator-1.0-251.3.bfb2f92.git.el9_0.1.noarch.rpm booth-site-1.0-251.3.bfb2f92.git.el9_0.1.noarch.rpm booth-test-1.0-251.3.bfb2f92.git.el9_0.1.noarch.rpm ppc64le: booth-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm s390x: booth-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm x86_64: booth-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm Red Hat Enterprise Linux Resilient Storage (v. 9): Source: booth-1.0-251.3.bfb2f92.git.el9_0.1.src.rpm noarch: booth-arbitrator-1.0-251.3.bfb2f92.git.el9_0.1.noarch.rpm booth-site-1.0-251.3.bfb2f92.git.el9_0.1.noarch.rpm booth-test-1.0-251.3.bfb2f92.git.el9_0.1.noarch.rpm ppc64le: booth-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.ppc64le.rpm s390x: booth-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.s390x.rpm x86_64: booth-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm booth-core-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm booth-core-debuginfo-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm booth-debugsource-1.0-251.3.bfb2f92.git.el9_0.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-2553 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYypf0tzjgjWX9erEAQgNKg//cJPN6hZJSZYVNbjxoL6EkkZLNPdy+tU7 TKf6sW0pS/+QTX04Y4vxTk0wIuRG8vSpZdEfPbKfXLaOlJLEhJZdyBajEfEBR/Ot lyvdmIxqG3/Doczmcp+jKE3eWxjTJZ9vextlNEhlHgadOjpvbeVm2IodCRyAaO5Q mfHiTh6nPbXD9cinF0yAkYHigcnvrbLvgYx8jNTPBE0BF0dxjsBRRItdKtAphHau OVV6bNfO2i/iTJC6GyBstHrgyXpwo4qoICx9QMlpllYbv06y5cO7r7KxVPz4rX8j m93zhRaDVvez40fpWKhzaUI0om+c5Fg6ATWO694GrQiz8KvG4Cki9b9kH2S0a0gB TXk1jhWAxkrvsbielWiqoLQxuKq/slkMb7ckaV6cq4XWzpO3LlUKM/ApqU6Svy2X 6SrE++UKSqe4xdoA+H6Erzsa8iSvih9T3n0jNtaBQaFWM/GgWrNQJGhrwqpkIU9J TDYN0/WIpRJQCjU5yuS1I+1W5AIhty/Y1F0I5LgIUz3j01KrqDkBYQxbYvzCgnx7 erUWFzOqfG5ePskdEi6SMXSWlhuQIHQ/uTD5xlPTLSRoR6OCGiCaL8oYBXFzxpbS qOGd03PnY5mP5GBG3OAdflaOziA9TCuXgTqsq5nTrRo/R58EjS+Vf4oS9cjWBnbN BzQkQWH8WfU= =23dE - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYyp/c8kNZI30y1K9AQiSqA//ZJrZT4PANRjHbdP+pYCFJoFAHpAzESzz ti/zpApGjP3YKBZC6hR0NUaaph55WgWMl8c98M7TOsP+zhnj8gn5MfSByhpeSBY+ TOR2G34fhRj7S15/svpSHSFJww+mu92z6k/JGMYlZP0I5FklUKtE6u2BjV5mZW5Z cvs0gRVmazVRLA+mOGmG5FCSPWc0tA0jlLifOtIn4SOOiY488Re1COAN2NmdW7lP 3OJb1Cl0f3zNIHBXLbRs+Nwnwh/ik9U0duSMyNsFEx2LKVyjuKcz5K6/AO0bNZoC JPI8rOnCxIH1xzNjfevCi/Q0FdogStDzke8QVZA6FYHhrTZaL8jogmTv4J70cE+0 HFt3FWQTi9x3wmC8uZTxlVRu8tLoajuZGgPCnHcOPsPw0Niy4B4EBoP4RtVnSEUW MEaba105YXBSDocNhawxvj9h/dMuft4WcEDljDlTuO66jYDp81jTYEFeimWu7Vy8 ZQIFpcDRuH8VNndd75VOyhSXN0DN28rEPBJVxgMz4zA48GrdQpJfmfp3mkkx4BaT CVi9MB1sqpSKLZBatKKZlcQtpzNnx/RdUsbDWkzPoYL0WQZuwcBU3aZyMPkZP361 Z2mYhMD5cGph7H4ExdQUd6w0YeO5IBmDGsd8kGIknDdcEi6JBhvvGDUL3VyVacER wwHUpKJhbA4= =0M28 -----END PGP SIGNATURE-----