[Debian-ha-maintainers] Bug#974563: Security update of pacemaker

Thorsten Rehm thorsten.rehm at ionos.com
Wed Jan 13 09:08:10 GMT 2021


Hi Markus,

thank you for the effort and the update.
Unfortunately there are still some problems with the updated version.

I've just updated the pacemaker package from 1.1.16-1+deb9u2 to
1.1.24-0+deb9u1. Afterwards parts of the Cluster Resource Manager
(crm) can't be executed due to a library error. TL;DR:
libpe_status.so.10 != libpe_status.so.16 and libpengine.so.10 !=
libpengine.so.16

In detail:
$ /usr/sbin/crm_mon --version
Pacemaker 1.1.16
Written by Andrew Beekhof

$ apt policy pacemaker
pacemaker:
  Installed: 1.1.16-1+deb9u2
  Candidate: 1.1.24-0+deb9u1
[...]

$ apt install pacemaker
[...]
The following packages will be upgraded:
  libcib4 libcrmcluster4 libcrmcommon3 libcrmservice3 liblrmd1
libpe-rules2 libpe-status10 libpengine10 libstonithd2
  libtransitioner2 pacemaker
[...]

$ apt policy pacemaker
pacemaker:
  Installed: 1.1.24-0+deb9u1
  Candidate: 1.1.24-0+deb9u1
[...]

$ crm_mon --version
crm_mon: error while loading shared libraries: libpe_status.so.10:
cannot open shared object file: No such file or directory

$ crm status
/usr/sbin/crm_mon: error while loading shared libraries:
libpe_status.so.10: cannot open shared object file: No such file or
directory
/usr/sbin/crm_mon: error while loading shared libraries:
libpe_status.so.10: cannot open shared object file: No such file or
directory
ERROR: status: crm_mon (rc=127):

$ ldd /usr/sbin/crm_mon | grep "not found"
libpe_status.so.10 => not found
libpengine.so.10 => not found

$ dpkg -L libpe-status10 | grep so
/usr/lib/x86_64-linux-gnu/libpe_status.so.16.1.0
/usr/lib/x86_64-linux-gnu/libpe_status.so.16

$ dpkg -L libpengine10 | grep so
/usr/lib/x86_64-linux-gnu/libpengine.so.16.1.0
/usr/lib/x86_64-linux-gnu/libpengine.so.16

Can you please investigate again?

Thank you.

Best regards,
Thorsten Rehm


On Mon, 28 Dec 2020 00:24:14 +0100 Markus Koschany <apo at debian.org> wrote:
> Hello,
>
> I have prepared a new security update of pacemaker, the latest version in the
> 1.1.x series. The update will fix CVE-2018-16877, CVE-2018-16878 and
> CVE-2020-25654. I would appreciate it if you could test this version before it is
> uploaded to stretch-security again. You can find all Debian packages at
>
> https://people.debian.org/~apo/lts/pacemaker/
>
> including the source package if you prefer to compile pacemaker from source.
>
> If I don't get any negative feedback I intend to upload pacemaker
> 1.1.24-0+deb9u1 on 06.01.2021.
>
> Regards,
>
> Markus
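
The ldd / dpkg -L comparison done by hand in the report above can be scripted as a post-upgrade check. This is an added example, not part of the original mail or of the pacemaker packaging; the function names (unresolved_sonames, shipped_sonames, report_soname_drift) are hypothetical, and the sample data is copied from the quoted output except for one constructed libc line.

```shell
#!/bin/sh
# Added example; sample data is taken from the output quoted in the message,
# except the libc line, which is constructed to show resolved entries are skipped.
SAMPLE_LDD='libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
libpe_status.so.10 => not found
libpengine.so.10 => not found'
SAMPLE_FILES='/usr/lib/x86_64-linux-gnu/libpe_status.so.16.1.0
/usr/lib/x86_64-linux-gnu/libpe_status.so.16
/usr/lib/x86_64-linux-gnu/libpengine.so.16.1.0
/usr/lib/x86_64-linux-gnu/libpengine.so.16'

# stdin: ldd output; stdout: sonames the loader could not resolve.
unresolved_sonames() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# stdin: dpkg -L output; stdout: "stem major" per SONAME-level file,
# e.g. "libpe_status 16" (fully versioned names like .so.16.1.0 are skipped).
shipped_sonames() {
    sed -n 's|^.*/\(lib[^/]*\)\.so\.\([0-9][0-9]*\)$|\1 \2|p'
}

# $1: ldd output, $2: dpkg -L output. One line per unresolved library,
# saying whether the packages ship it under a different major version.
report_soname_drift() {
    printf '%s\n' "$1" | unresolved_sonames | while read -r so; do
        stem=${so%%.so.*}   # libpe_status.so.10 -> libpe_status
        want=${so##*.so.}   # libpe_status.so.10 -> 10
        have=$(printf '%s\n' "$2" | shipped_sonames |
               awk -v s="$stem" '$1 == s { print $2 }')
        if [ -z "$have" ]; then
            echo "$stem: needs .so.$want, no version in the listed packages"
        elif [ "$have" != "$want" ]; then
            echo "$stem: needs .so.$want, packages ship .so.$have"
        else
            echo "$stem: .so.$want is shipped but not resolved"
        fi
    done
}

report_soname_drift "$SAMPLE_LDD" "$SAMPLE_FILES"
# On a live system:
# report_soname_drift "$(ldd /usr/sbin/crm_mon)" "$(dpkg -L libpe-status10 libpengine10)"
```

Run against every binary a security update is expected to touch, a non-empty result before upload flags the kind of breakage reported here.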


