Scientific Linux Security Update : pcs on SL7.x x86_64

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

A flaw was found in the way Rack processed parameters of incoming
requests. An attacker could use this flaw to send a crafted request
that would cause an application using Rack to crash. (CVE-2015-3225)

The pcs package has been upgraded to upstream version 0.9.143, which
provides a number of bug fixes and enhancements over the previous
version.

- The pcs resource move and pcs resource ban commands now
display a warning message to clarify the commands'
behavior

- New command to move a Pacemaker resource to its
preferred node

This update also fixes the following bugs :

- Before this update, a bug caused location, ordering, and
colocation constraints related to a resource group to be
removed when removing any resource from that group. This
bug has been fixed, and the constraints are now
preserved until the group has no resources left, and is
removed.

- Previously, when a user disabled a resource clone or
multi-state resource, and then later enabled a primitive
resource within it, the clone or multi-state resource
remained disabled. With this update, enabling a resource
within a disabled clone or multi-state resource enables
it.

- When the web UI displayed a list of resource attributes,
a bug caused the list to be truncated at the first '='
character. This update fixes the bug and now the web UI
displays lists of resource attributes correctly.

- The documentation for the 'pcs stonith confirm' command
was not clear. This could lead to incorrect usage of the
command, which could in turn cause data corruption. With
this update, the documentation has been improved and the
'pcs stonith confirm' command is now more clearly
explained.

- Previously, if there were any unauthenticated nodes,
creating a new cluster, adding a node to an existing
cluster, or adding a cluster to the web UI failed with
the message 'Node is not authenticated'. With this
update, when the web UI detects a problem with
authentication, the web UI displays a dialog to
authenticate nodes as necessary.

- Previously, the web UI displayed only primitive
resources. Thus there was no way to set attributes,
constraints and other properties separately for a parent
resource and a child resource. This has now been fixed,
and resources are displayed in a tree structure, meaning
all resource elements can be viewed and edited
independently.

In addition, this update adds the following enhancements :

- A dashboard has been added which shows the status of
clusters in the web UI. Previously, it was not possible
to view all important information about clusters in one
place. Now, a dashboard showing the status of clusters
has been added to the main page of the web UI.

- With this update, the pcsd daemon automatically
synchronizes pcsd configuration across a cluster. This
enables the web UI to be run from any node, allowing
management even if any particular node is down.

- The web UI can now be used to set permissions for users
and groups on a cluster. This allows users and groups to
have their access restricted to certain operations on
certain clusters.

See also :

http://www.nessus.org/u?482af0a0

Solution :

Update the affected pcs and / or pcs-debuginfo packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 87569

CVE ID: CVE-2015-3225
