Debian Security Advisory
DSA-4791-1 pacemaker -- security update
- Date Reported:
- 13 Nov 2020
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 973254.
In Mitre's CVE dictionary: CVE-2020-25654.
- More information:
Ken Gaillot discovered a vulnerability in the Pacemaker cluster resource manager: If ACLs were configured for users in the
haclientgroup, the ACL restrictions could be bypassed via unrestricted IPC communication, resulting in cluster-wide arbitrary code execution with root privileges.
enable-aclcluster option isn't enabled, members of the
haclientgroup can modify Pacemaker's Cluster Information Base without restriction, which already gives them these capabilities, so there is no additional exposure in such a setup.
For the stable distribution (buster), this problem has been fixed in version 2.0.1-5+deb10u1.
We recommend that you upgrade your pacemaker packages.
For the detailed security status of pacemaker please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pacemaker