Hi,
As far as I know, pcs-0.9.x isn't affected by CVE-2022-2735. Therefore,
no fix for it is planned. Could you explain why you think it is affected?
Both main (pcs-0.11) and pcs-0.10 upstream branches do contain the fix.
We are working on releasing new versions. In the meantime, you may use
the top of the branches. Fixed packages have also already been released
by various Linux distributions.
Regards,
Tomas
On 12. 09. 22 at 8:19, A Gunasekar via Users wrote:
Hi Team,
Please be informed, we have been notified by our security tool that our
pcs version 0.9 is affected by *CVE-2022-2735*.
It would be great if you could help us get answers to the queries below.
* We are currently on RHEL 7.9 OS and using pcs version 0.9. Is there
  any fix planned/available for this affected version (0.9.x) of pcs?
* From the ClusterLabs portal, we can see that even the pcs 0.10.x or the
  main branch 0.11.x released versions don't have a fix for this CVE. So
  kindly let us know in which release this CVE fix is planned.
https://github.com/ClusterLabs/pcs/blob/main/CHANGELOG.md
Change Log
[Unreleased]
Security
CVE-2022-2735 pcs: obtaining an authentication token for hacluster
user could lead to privilege escalation (rhbz#2116841)
Our system details:
OS Version: RHEL 7.9
Cluster lab PCS version: 0.9
Ericsson <http://www.ericsson.com/>
Gunasekar A
Senior Software Engineer
BDGS SA BSS PDU BSS PDG EC CH NGCRS
Mobile: +919894561292
Email ID: a.gunase...@ericsson.com <mailto:gunalan....@ericsson.com>
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/