Hi A Gunasekar,
These CVEs are fixed in pcs-0.10.9 and newer and pcs-0.11.1 and newer
(the 0.11 branch was never affected).
Regards,
Tomas
On 27. 01. 23 at 9:01, A Gunasekar via Users wrote:
Hi Tomas/Team,
It would be great if you could share in which latest cluster lab version the
fixes are available for these CVEs, so that we will take that version
for upgrade.
Ericsson <http://www.ericsson.com/>
*Gunasekar A*
Senior Software Engineer
BDGS SA BSS PDU BSS PDG EC CH NGCRS
Mobile: +919894561292
Email ID: a.gunase...@ericsson.com
Hi A Gunasekar,
The pcs-0.9 branch is unsupported and no longer maintained since
2021-04-16. There will be no further releases and commits in that
branch. Pcs-0.9 only works with Pacemaker 1.x and Corosync 2.x and those
have been unsupported for quite some time as well.
I recommend updating your cluster stack to newer versions.
Regards,
Tomas
*From:* A Gunasekar
*Sent:* 20 January 2023 15:55
*To:* Reid Wahl <nw...@redhat.com>; Cluster Labs - All topics related
to open-source clustering welcomed <users@clusterlabs.org>
*Cc:* M Vasanthakumar <m.vasanthaku...@ericsson.com>; S Sathish S
<s.s.sath...@ericsson.com>
*Subject:* RE: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
Hi Wahl/Team,
The solution Tomas has suggested is from Redhat delivered rpm packages
“*pcs-0.9.169-3.el7_9.3*”.
But we are using Cluster Lab source packages to build pcs rpms for
our node.
So it would be good if we get the fixed release details from Cluster
Lab for the reported CVEs.
*From:* A Gunasekar
*Sent:* 20 January 2023 15:12
*To:* Reid Wahl <nw...@redhat.com>
*Cc:* M Vasanthakumar <m.vasanthaku...@ericsson.com>; S Sathish S
<s.s.sath...@ericsson.com>
*Subject:* RE: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
Thanks Wahl for this information
*From:* Reid Wahl <nw...@redhat.com>
*Sent:* 20 January 2023 11:57
*To:* A Gunasekar <a.gunase...@ericsson.com>
*Cc:* M Vasanthakumar <m.vasanthaku...@ericsson.com>; S Sathish S
<s.s.sath...@ericsson.com>
*Subject:* Re: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
On Thu, Jan 19, 2023 at 9:19 PM A Gunasekar <a.gunase...@ericsson.com>
wrote:
Hi Wahl,
Tomas's update was not visible to us, and thanks for sharing it here.
https://lists.clusterlabs.org/pipermail/users/2022-December/030734.html
You're welcome. Unfortunately, the threads are separated by month. So
if a reply is sent in a different month, it doesn't appear in the
original thread. You sent your original email in December, and Tomas
replied in January. See the following links:
https://lists.clusterlabs.org/pipermail/users/2023-January/thread.html
https://lists.clusterlabs.org/pipermail/users/2023-January/030750.html
*From:* Reid Wahl <nw...@redhat.com>
*Sent:* 20 January 2023 03:07
*To:* Cluster Labs - All topics related to open-source clustering
welcomed <users@clusterlabs.org>
*Cc:* A Gunasekar <a.gunase...@ericsson.com>; M Vasanthakumar
<m.vasanthaku...@ericsson.com>; S Sathish S <s.s.sath...@ericsson.com>
*Subject:* Re: [ClusterLabs] Fix for CVE-2022-30123 and CVE-2019-11358
On Thu, Jan 19, 2023 at 12:54 PM A Gunasekar via Users
<users@clusterlabs.org> wrote:
Hi Team,
Can we get some update on this?
Hi,
What update are you seeking? It looks like Tomas already answered
your question. I'll paste his answer again here.
> Hi A Gunasekar,
>
> As far as I can see, updated pcs packages pcs-0.9.169-3.el7_9.3 which
> fix the mentioned CVEs were released on 2022-11-02.
>
> Regards,
> Tomas
*From:* A Gunasekar
*Sent:* 21 December 2022 18:59
*To:* users@clusterlabs.org
*Cc:* S Sathish S <s.s.sath...@ericsson.com>; M Vasanthakumar
<m.vasanthaku...@ericsson.com>
*Subject:* Fix for CVE-2022-30123 and CVE-2019-11358
Hi Team,
Please be informed that we have been notified by our security
tool that our pcs version 0.9 is affected by
*CVE-2022-30123 and CVE-2019-11358*.
It would be great if we could get help with answers to the below queries.
* We are currently on RHEL 7.9 OS and using pcs 0.9 version.
Is there any fix planned/available for this affected
version (0.9.x) of pcs?
* Let us know in which release these CVE fixes are planned.
*Our system Details:-*
OS Version: RHEL 7.9
Cluster lab PCS version: 0.9
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/
--
Regards,
Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker