[Debian-ha-maintainers] Bug#700923: [Secure-testing-team] Bug#700923: pacemaker: CVE-2013-0281
Yves-Alexis Perez
corsac at debian.org
Fri Mar 1 22:36:13 UTC 2013
On Tue, 2013-02-19 at 12:35 +0100, Moritz Muehlenhoff wrote:
> Package: pacemaker
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281 for details
> and a link to the upstream fix.
>
> Due to the Wheezy freeze please apply a minimal fix and request an unblock with
> the release managers.
>
Hi Moritz and HA packagers,
I took a look at this one; the Red Hat bug links to the following commit:
https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93 which has:
> commit 564f7cc2a51dcd2f28ab12a13394f31be5aa3c93
> Author: David Vossel <dvossel at redhat.com>
> Date: Sat Jan 5 00:19:59 2013 -0600
>
> High: core: Internal tls api improvements for reuse with future LRMD tls bac
>
> cib/callbacks.c | 13 +-
> cib/callbacks.h | 6 +-
> cib/notify.c | 2 +-
> cib/remote.c | 326 ++++++++++++++--------
> include/crm_internal.h | 36 ++-
> lib/cib/cib_remote.c | 290 ++++++++++---------
> lib/common/mainloop.c | 1 +
> lib/common/remote.c | 723 ++++++++++++++++++++++++++++++++++++------------
> tools/crm_mon.c | 2 +-
> 9 files changed, 939 insertions(+), 460 deletions(-)
>
I'm not quite sure something like that can really be accepted by the
release team at that point…
I have no idea if it's possible to only pick the timeout-related
changes, maybe asking upstream would help on this.
Regards,
--
Yves-Alexis