==========================================================================
Ubuntu Security Notice USN-3952-1
April 23, 2019

pacemaker vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 19.04
– Ubuntu 18.10
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Pacemaker.

Software Description:
– pacemaker: Cluster resource manager

Details:

Jan Pokorný discovered that Pacemaker incorrectly handled client-server
authentication. A local attacker could possibly use this issue to escalate
privileges. (CVE-2018-16877)

Jan Pokorný discovered that Pacemaker incorrectly handled certain
verifications. A local attacker could possibly use this issue to cause a
denial of service. (CVE-2018-16878)

Jan Pokorný discovered that Pacemaker incorrectly handled certain memory
operations. A local attacker could possibly use this issue to obtain
sensitive information in log outputs. This issue only applied to Ubuntu
18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3885)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
pacemaker 1.1.18-2ubuntu1.19.04.1

Ubuntu 18.10:
pacemaker 1.1.18-2ubuntu1.18.10.1

Ubuntu 18.04 LTS:
pacemaker 1.1.18-0ubuntu1.1

Ubuntu 16.04 LTS:
pacemaker 1.1.14-2ubuntu1.6

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3952-1
CVE-2018-16877, CVE-2018-16878, CVE-2019-3885

Package Information:
https://launchpad.net/ubuntu/+source/pacemaker/1.1.18-2ubuntu1.19.04.1
https://launchpad.net/ubuntu/+source/pacemaker/1.1.18-2ubuntu1.18.10.1
https://launchpad.net/ubuntu/+source/pacemaker/1.1.18-0ubuntu1.1
https://launchpad.net/ubuntu/+source/pacemaker/1.1.14-2ubuntu1.6

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAly/DkQACgkQZWnYVadE
vpOfmQ//T9P41o5+2B+s7dmqMDw0hA5oBAmh9aZL+QWqVW0jnpqfz0KP6yPYMV4r
//KphbLrma7ZLFrzXlLBt8CUhC7T0etUFvUYbgDEdVkPd3X0DO6BbJ1oDc8d5Zkz
rIpmCEEufoZpFrQO/HBsTq9oyUwoMnTitN+ggO/AHy/eG9kODk/Ua7Qr1evynNXq
XcLnKniB7a5nmyE25md3S93APOtOtAo5wRoR9YknUe3yQ7oTm7EMqmI5o4YpuGvD
BrZDzuyUKLOzAW5UW/nJsh9LD0SXe82aBNCVCMTrTMOPFQ3CkepZk0LQEYjBLDvN
avFlrDfEA+dtuzFXtWAb8g+u2pMB89S8nqsPVLlsHx1eUEH404HG5lY6p5xHLwDF
9L3vfkze48PXIa61P2xG9ItbF5qcjBGVkt0VHJ8vyt4DO/jAHFIE72KJG97k9K4I
qm0ULB92SeDSvBqxNu8qasiMCL1G4VL3r03wjhPJqWVaaa7ONsW1VxiMGH5SjBHE
ozg1g4HSQECXshRc1f9BZzgqOfigb8GGIdhmTAC2WAKwjcXekwKN8/PH8dQ6nSw2
vJCqPCcOvysIcHPej+975FFPtLAmYtgTkW96KuYQDoXspUY497GS45wb7Goi7lGH
AADV8AKSfXwcGl3DIE+ouXoIZlJTJxvJs8Z/qFjj4wri0ukua54=
=TFX5
—–END PGP SIGNATURE—–
—