Scientific Linux Security Update : pcs on SL7.x x86_64 (20151119)

medium Nessus Plugin ID 87569

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. (CVE-2015-3225)

The pcs package has been upgraded to upstream version 0.9.143, which provides a number of bug fixes and enhancements over the previous version.

- The pcs resource move and pcs resource ban commands now display a warning message to clarify the commands' behavior

- New command to move a Pacemaker resource to its preferred node

This update also fixes the following bugs :

- Before this update, a bug caused location, ordering, and colocation constraints related to a resource group to be removed when removing any resource from that group. This bug has been fixed, and the constraints are now preserved until the group has no resources left, and is removed.

- Previously, when a user disabled a resource clone or multi-state resource, and then later enabled a primitive resource within it, the clone or multi-state resource remained disabled. With this update, enabling a resource within a disabled clone or multi-state resource enables it.

- When the web UI displayed a list of resource attributes, a bug caused the list to be truncated at the first '=' character. This update fixes the bug and now the web UI displays lists of resource attributes correctly.

- The documentation for the 'pcs stonith confirm' command was not clear. This could lead to incorrect usage of the command, which could in turn cause data corruption. With this update, the documentation has been improved and the 'pcs stonith confirm' command is now more clearly explained.

- Previously, if there were any unauthenticated nodes, creating a new cluster, adding a node to an existing cluster, or adding a cluster to the web UI failed with the message 'Node is not authenticated'. With this update, when the web UI detects a problem with authentication, the web UI displays a dialog to authenticate nodes as necessary.

- Previously, the web UI displayed only primitive resources. Thus there was no way to set attributes, constraints and other properties separately for a parent resource and a child resource. This has now been fixed, and resources are displayed in a tree structure, meaning all resource elements can be viewed and edited independently.

In addition, this update adds the following enhancements :

- A dashboard has been added which shows the status of clusters in the web UI. Previously, it was not possible to view all important information about clusters in one place. Now, a dashboard showing the status of clusters has been added to the main page of the web UI.

- With this update, the pcsd daemon automatically synchronizes pcsd configuration across a cluster. This enables the web UI to be run from any node, allowing management even if any particular node is down.

- The web UI can now be used to set permissions for users and groups on a cluster. This allows users and groups to have their access restricted to certain operations on certain clusters.

Solution

Update the affected pcs and / or pcs-debuginfo packages.

See Also

http://www.nessus.org/u?bdc49286

Plugin Details

Severity: Medium

ID: 87569

File Name: sl_20151119_pcs_on_SL7_x.nasl

Version: 2.5

Type: local

Agent: unix

Published: 12/22/2015

Updated: 1/14/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:fermilab:scientific_linux:pcs, p-cpe:/a:fermilab:scientific_linux:pcs-debuginfo, x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 11/19/2015

Vulnerability Publication Date: 7/26/2015

Reference Information

CVE: CVE-2015-3225