Red Hat Enterprise Linux: RHSA-2016:2578-02 Moderate DoS Attack Fix

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pacemaker security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2578-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:2578.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-7797 
====================================================================
1. Summary:

An update for pacemaker is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64

3. Description:

The Pacemaker cluster resource manager is a collection of technologies
working together to provide data integrity and the ability to maintain
application availability in the event of a failure.

The following packages have been upgraded to a newer upstream version:
pacemaker (1.1.15). (BZ#1304771)

Security Fix(es):

* It was found that the connection between a pacemaker cluster and a
pacemaker_remote node could be shut down using a new unauthenticated
connection. A remote attacker could use this flaw to cause a denial of
service. (CVE-2016-7797)
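The flaw described above is an ordering bug: the daemon let a new, not-yet-authenticated connection displace the cluster's existing session, so anyone who could reach the pacemaker_remote port could knock the node off the cluster without ever knowing the key. The model below is an added example written for this page, not pacemaker's code; it stands in for pacemaker_remote's TLS-PSK handshake with a simple HMAC challenge, and the names (RemoteDaemon, Client, run_scenario, CLUSTER_PSK) and the key value are this example's own. The drop_before_auth flag switches between the vulnerable ordering and the fixed one.

```python
import hashlib
import hmac
import os

# Constructed pre-shared key for the model; stands in for the key behind
# pacemaker_remote's TLS-PSK session. Not a real cluster key.
CLUSTER_PSK = b"constructed-cluster-psk-not-real"


class Client:
    """A connecting peer that answers the daemon's challenge with HMAC(psk, nonce)."""

    def __init__(self, name, psk):
        self.name = name
        self.psk = psk

    def respond(self, nonce):
        return hmac.new(self.psk, nonce, hashlib.sha256).digest()


class RemoteDaemon:
    """Toy daemon holding at most one cluster session at a time.

    drop_before_auth=True models the CVE-2016-7797 ordering: a fresh connection
    displaces the current session before proving it holds the PSK.
    drop_before_auth=False models the fixed ordering: authenticate first, and only
    then replace the existing session.
    """

    def __init__(self, psk, drop_before_auth):
        self.psk = psk
        self.drop_before_auth = drop_before_auth
        self.session = None   # name of the peer currently connected, or None
        self.events = []      # audit trail of what the daemon did

    def _authenticate(self, client):
        nonce = os.urandom(16)
        expected = hmac.new(self.psk, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(client.respond(nonce), expected)

    def accept(self, client):
        """Handle one inbound connection; return True if it became the session."""
        if self.drop_before_auth and self.session is not None:
            # Vulnerable step: the old session is torn down on the strength of
            # a TCP connect alone. If the newcomer then fails auth, nobody is left.
            self.events.append(f"dropped session with {self.session} for {client.name}")
            self.session = None
        if self._authenticate(client):
            if self.session is not None:
                self.events.append(f"replaced session with {self.session} by {client.name}")
            self.session = client.name
            self.events.append(f"session established with {client.name}")
            return True
        self.events.append(f"rejected {client.name}: bad PSK")
        return False


def run_scenario(drop_before_auth):
    """Cluster connects with the right PSK, then an attacker connects with a wrong one.

    Returns (holder_of_session_afterwards, events); a None holder is the DoS.
    """
    daemon = RemoteDaemon(CLUSTER_PSK, drop_before_auth)
    daemon.accept(Client("cluster", CLUSTER_PSK))
    daemon.accept(Client("attacker", b"guess"))
    return daemon.session, daemon.events


if __name__ == "__main__":
    for flag in (True, False):
        holder, events = run_scenario(flag)
        print(f"drop_before_auth={flag}: session held by {holder}")
        for e in events:
            print("   ", e)
```

With the vulnerable ordering the attacker's connection ends with no session at all (the cluster was dropped, the attacker was rejected); with authentication first, the failed attempt leaves the cluster's session untouched. The general rule the fix restores is that an unauthenticated peer must never be able to change the state of an authenticated one.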

Red Hat would like to thank Alain Moulle (ATOS/BULL) for reporting this
issue.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1240330 - fencing adjacent node occurs even if the stonith resource is Stopped
1268313 - clvmd/dlm resource agent monitor action should recognize it is hung
1281450 - stonith_admin strips description from fence agents' metadata
1284069 - Pacemaker's lrmd crashes after certain systemd errors
1287315 - Updating a fencing device will sometimes result in it no longer being registered
1288929 - service pacemaker_remote stop causes node to be fenced
1304771 - Rebase Pacemaker for bugfixes and features
1310486 - Pacemaker loses shutdown requests under some conditions
1312094 - crmd can crash after unexpected remote connection takeover
1314157 - crm_report -l does not work correctly
1323544 - Better handling of remote nodes when generating crm_reports
1327469 - pengine wants to start services that should not be started
1338623 - pacemaker does not flush the attrd cache fully after a crm_node -R node removal
1345876 - Restarting a resource in a resource group on a remote node restarts other services instead
1346726 - Backport upstream bug systemd: Return PCMK_OCF_UNKNOWN_ERROR instead of PCMK_OCF_NOT_INSTALLED for uncertain errors on LoadUnit
1361533 - missing header for the resources section in the crm_mon output when called without --inactive flag
1372009 - pacemaker-remote rpm does not properly restart pacemaker_remote during package upgrade, potentially triggering a watchdog fence
1379784 - CVE-2016-7797 pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack

6. Package List:

Red Hat Enterprise Linux Server High Availability (v. 7):

Source:
pacemaker-1.1.15-11.el7.src.rpm

s390x:
pacemaker-1.1.15-11.el7.s390x.rpm
pacemaker-cli-1.1.15-11.el7.s390x.rpm
pacemaker-cluster-libs-1.1.15-11.el7.s390x.rpm
pacemaker-cts-1.1.15-11.el7.s390x.rpm
pacemaker-debuginfo-1.1.15-11.el7.s390x.rpm
pacemaker-doc-1.1.15-11.el7.s390x.rpm
pacemaker-libs-1.1.15-11.el7.s390x.rpm
pacemaker-libs-devel-1.1.15-11.el7.s390x.rpm
pacemaker-nagios-plugins-metadata-1.1.15-11.el7.s390x.rpm
pacemaker-remote-1.1.15-11.el7.s390x.rpm

x86_64:
pacemaker-1.1.15-11.el7.x86_64.rpm
pacemaker-cli-1.1.15-11.el7.x86_64.rpm
pacemaker-cluster-libs-1.1.15-11.el7.i686.rpm
pacemaker-cluster-libs-1.1.15-11.el7.x86_64.rpm
pacemaker-cts-1.1.15-11.el7.x86_64.rpm
pacemaker-debuginfo-1.1.15-11.el7.i686.rpm
pacemaker-debuginfo-1.1.15-11.el7.x86_64.rpm
pacemaker-doc-1.1.15-11.el7.x86_64.rpm
pacemaker-libs-1.1.15-11.el7.i686.rpm
pacemaker-libs-1.1.15-11.el7.x86_64.rpm
pacemaker-libs-devel-1.1.15-11.el7.i686.rpm
pacemaker-libs-devel-1.1.15-11.el7.x86_64.rpm
pacemaker-nagios-plugins-metadata-1.1.15-11.el7.x86_64.rpm
pacemaker-remote-1.1.15-11.el7.x86_64.rpm

Red Hat Enterprise Linux Server Resilient Storage (v. 7):

Source:
pacemaker-1.1.15-11.el7.src.rpm

s390x:
pacemaker-1.1.15-11.el7.s390x.rpm
pacemaker-cli-1.1.15-11.el7.s390x.rpm
pacemaker-cluster-libs-1.1.15-11.el7.s390x.rpm
pacemaker-cts-1.1.15-11.el7.s390x.rpm
pacemaker-debuginfo-1.1.15-11.el7.s390x.rpm
pacemaker-doc-1.1.15-11.el7.s390x.rpm
pacemaker-libs-1.1.15-11.el7.s390x.rpm
pacemaker-libs-devel-1.1.15-11.el7.s390x.rpm
pacemaker-nagios-plugins-metadata-1.1.15-11.el7.s390x.rpm
pacemaker-remote-1.1.15-11.el7.s390x.rpm

x86_64:
pacemaker-1.1.15-11.el7.x86_64.rpm
pacemaker-cli-1.1.15-11.el7.x86_64.rpm
pacemaker-cluster-libs-1.1.15-11.el7.i686.rpm
pacemaker-cluster-libs-1.1.15-11.el7.x86_64.rpm
pacemaker-cts-1.1.15-11.el7.x86_64.rpm
pacemaker-debuginfo-1.1.15-11.el7.i686.rpm
pacemaker-debuginfo-1.1.15-11.el7.x86_64.rpm
pacemaker-doc-1.1.15-11.el7.x86_64.rpm
pacemaker-libs-1.1.15-11.el7.i686.rpm
pacemaker-libs-1.1.15-11.el7.x86_64.rpm
pacemaker-libs-devel-1.1.15-11.el7.i686.rpm
pacemaker-libs-devel-1.1.15-11.el7.x86_64.rpm
pacemaker-nagios-plugins-metadata-1.1.15-11.el7.x86_64.rpm
pacemaker-remote-1.1.15-11.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key
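The check a practitioner wants after reading the package list is whether every installed pacemaker subpackage is at or above 1.1.15-11.el7. The Python below is an added example for this page, not part of the advisory or of rpm: it reimplements rpm's version-comparison algorithm (the segment-wise rpmvercmp rule, including the ~ and ^ separators) so the comparison is done the way rpm does it rather than by string sort, then applies it to a constructed sample of `rpm -qa` output. SAMPLE_RPM_QA, FIXED_VR, parse_nvra and needs_update are names chosen here; the example assumes the packages carry no epoch, which matches the package names listed above.

```python
# Reimplementation of rpm's version comparison (rpmvercmp) plus a check of
# installed pacemaker packages against the fixed release from this advisory.

FIXED_VR = "1.1.15-11.el7"   # version-release of every package in the list above

# Constructed sample of `rpm -qa` output for a partially updated RHEL 7 host.
SAMPLE_RPM_QA = """\
pacemaker-1.1.13-10.el7_2.4.x86_64
pacemaker-libs-1.1.13-10.el7_2.4.x86_64
pacemaker-libs-1.1.13-10.el7_2.4.i686
pacemaker-cli-1.1.15-11.el7.x86_64
pacemaker-remote-1.1.15-11.el7.x86_64
corosync-2.4.0-4.el7.x86_64
"""


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two rpm version (or release) strings."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators; '~' and '^' are significant and handled below.
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before anything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: end of string sorts before caret
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next all-digit or all-alpha segment from each side.
        isnum = ca.isdigit()
        k, l = i, j
        if isnum:
            while k < len(a) and a[k].isdigit():
                k += 1
            while l < len(b) and b[l].isdigit():
                l += 1
        else:
            while k < len(a) and a[k].isalpha():
                k += 1
            while l < len(b) and b[l].isalpha():
                l += 1
        seg_a, seg_b = a[i:k], b[j:l]
        if not seg_b:                       # different segment types: numeric wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = k, l
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever has characters left wins


def split_evr(evr):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(line):
    """'name-version-release.arch' -> (name, version, release, arch)."""
    nvr, arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def needs_update(rpm_qa_output, fixed_vr=FIXED_VR, prefix="pacemaker"):
    """Return {'name.arch': installed V-R} for pacemaker packages older than fixed_vr."""
    stale = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        try:
            name, version, release, arch = parse_nvra(line)
        except ValueError:                  # blank line or entries like gpg-pubkey-*
            continue
        if name != prefix and not name.startswith(prefix + "-"):
            continue
        installed = f"{version}-{release}"
        if compare_evr(installed, fixed_vr) < 0:
            stale[f"{name}.{arch}"] = installed
    return stale


if __name__ == "__main__":
    for pkg, vr in sorted(needs_update(SAMPLE_RPM_QA).items()):
        print(f"{pkg}: installed {vr}, fixed in {FIXED_VR}")
```

On a real host, feed it the output of `rpm -qa 'pacemaker*'` instead of the sample. The comparison matters because a naive string sort gets cases like 1.10 versus 1.9 wrong, and `~` pre-release tags wrong in the other direction. Pair the version check with `rpm -K` on the downloaded packages so that the update you apply is the signed one described in the paragraph above.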

7. References:

https://access.redhat.com/security/cve/CVE-2016-7797
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYGvr9XlSAg2UNWIIRAkSAAKClCrjnJHVh4pk3rwS10R58qFGrmwCeM/2u
AUd2YR+MqrQBAHElA9bRbDE=
=vb3F
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list