This page is to provide an overview of past security sensitive findings in some software packages under ClusterLabs umbrella. Currently, only pacemaker is tracked here. The page also provides guidance on various related points.
Note that currently there is no standardized process of reporting the new findings to us in the responsible manner. Contacting the particular vendor privately (via encrypted email if possible) seems currently best what you can do. This recommendation can be revisited in the future, so please always consult this page for up-to-date instructions first (we will never ask you to contact us on suspicious-looking email addresses, just in case this page gets unathorized modifications).
|CVE-2018-1084||corosync||2.0.0 - 2.4.3||rhbz, oss-security, users|
|CVE-2011-5271||pacemaker||[unknown] - 1.1.5||bdo, fix, oss-security|
|CVE-2013-0281||pacemaker||[unknown] - 1.1.9||oss-security|
|CVE-2015-1867||pacemaker||1.1.12-rc1 (2014-05-05) - 1.1.13-rc1 (2015-03-26)||oss-security|
|CVE-2016-7035||pacemaker||1.1.10-rc1 (2013-04-17) - 1.1.15||oss-security, users|
|CVE-2016-7797||pacemaker||1.1.9 - 1.1.14||bco, oss-security, users|
|CVE-2018-16877||pacemaker||1.1.8 - 1.1.20 resp. 2.0.1||oss-security, users|
|CVE-2018-16878||pacemaker||1.1.8 - 1.1.20 resp. 2.0.1||oss-security, users|
|CVE-2019-3885||pacemaker||1.1.18 - 1.1.20 resp. 2.0.1||oss-security, users|
|CVE-2017-2661||pcs||? - 0.9.157||rhbz, oss-security, users|
|CVE-2018-1079||pcs||0.9.157 - 0.9.164||rhbz, oss-security, users|
|CVE-2018-1086||pcs||0.9.140 - 0.9.164||rhbz, oss-security, users|
|CVE-2018-1000119||pcs (rack-protection 3rd party component)||? - 0.9.164||rhbz, users|
Other notable commits and notes
These fix weaknesses that can be harmful only in combination with "bad surrounding" or under "bad conditions". This is mostly for developers' own reference of what to be careful about.
- pacemaker: fixes to infinite blocking/loops
These are some tangential notes:
- weak, fragile grip on processes in the light of relevant vulnerabilities