Security

From ClusterLabs

This page provides an overview of past security-sensitive findings in some of the software packages under the ClusterLabs umbrella. Currently, only pacemaker is tracked here. The page also provides guidance on various related points.

Reporting

Note that there is currently no standardized process for reporting new findings to us in a responsible manner. Contacting the particular vendor privately (via encrypted e-mail if possible) currently seems to be the best you can do. This recommendation may be revisited in the future, so please always consult this page for up-to-date instructions first (we will never ask you to contact us at suspicious-looking e-mail addresses, just in case this page receives unauthorized modifications).

2019-04-17: this has been further refined: posting to the dedicated distros mailing list is currently the most suitable way of general disclosure (seconded by contacting the particular vendors, all preferably in encrypted e-mail form).

CVEs

Overview of CVE-ranked issues, ordered by CVE ID:

| CVE | Component | Affected versions | Disclosure/tracking |
|---|---|---|---|
| CVE-2018-1084 | corosync | 2.0.0 - 2.4.3 | rhbz, oss-security, users |
| CVE-2019-12779 | libqb | ? - 1.0.4 (effectively 1.0.5) | report |
| CVE-2011-5271 | pacemaker | [unknown] - 1.1.5 | bdo, fix, oss-security |
| CVE-2013-0281 | pacemaker | [unknown] - 1.1.9 | oss-security |
| CVE-2015-1867 | pacemaker | 1.1.12-rc1 (2014-05-05) - 1.1.13-rc1 (2015-03-26) | oss-security |
| CVE-2016-7035 | pacemaker | 1.1.10-rc1 (2013-04-17) - 1.1.15 | oss-security, users |
| CVE-2016-7797 | pacemaker | 1.1.9 - 1.1.14 | bco, oss-security, users |
| CVE-2018-16877 | pacemaker | 1.1.8 - 1.1.20 resp. 2.0.1 | oss-security, users |
| CVE-2018-16878 | pacemaker | 1.1.8 - 1.1.20 resp. 2.0.1 | oss-security, users |
| CVE-2019-3885 | pacemaker | 1.1.18 - 1.1.20 resp. 2.0.1 | oss-security, users |
| CVE-2017-2661 | pcs | ? - 0.9.157 | rhbz, oss-security, users |
| CVE-2018-1079 | pcs | 0.9.157 - 0.9.164 | rhbz, oss-security, users |
| CVE-2018-1086 | pcs | 0.9.140 - 0.9.164 | rhbz, oss-security, users |
| CVE-2018-1000119 | pcs (rack-protection 3rd party component) | ? - 0.9.164 | rhbz, users |

Other notable commits and notes

These fix weaknesses that can be harmful only in combination with a "bad surrounding" or under "bad conditions". This is mostly for the developers' own reference as to what to be careful about.

These are some tangential notes: