{"affected":[{"ecosystem_specific":{"binaries":[{"libpacemaker-devel":"1.1.12-18.1","libpacemaker3":"1.1.12-18.1","pacemaker":"1.1.12-18.1","pacemaker-cli":"1.1.12-18.1","pacemaker-remote":"1.1.12-18.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Availability Extension 11 SP4","name":"pacemaker","purl":"pkg:rpm/suse/pacemaker&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.1.12-18.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"\nThis update for pacemaker fixes one security issue and several non-security issues.\n\nThe following security issue has been fixed:\n\n- libcrmcommon: Fix improper IPC guarding. (bsc#1007433, CVE-2016-7035)\n\nThe following non-security issues have been fixed:\n\n- Add logrotate to reqs of pacemaker-cli.\n- Add $remote_fs dependencies to the init scripts.\n- all: Clarify licensing and copyrights.\n- attrd,ipc: Prevent possible segfault on exit. (bsc#986056)\n- attrd, libcrmcommon: Validate attrd requests better.\n- attrd_updater: Fix usage of HAVE_ATOMIC_ATTRD.\n- cib/fencing: Set status callback before connecting to cluster. (bsc#974108)\n- ClusterMon: Fix to avoid matching other process with the same PID.\n- crmd: Acknowledge cancellation operations for remote connection resources. (bsc#976865)\n- crmd: Avoid timeout on older peers when cancelling a resource operation.\n- crmd: Record pending operations in the CIB before they are performed. (bsc#1003565)\n- crmd: Clear remote node operation history only when it comes up.\n- crmd: Clear remote node transient attributes on disconnect. (bsc#981489)\n- crmd: Don't abort transitions for CIB comment changes.\n- crmd: Ensure the R_SHUTDOWN is set whenever we ask the DC to shut us down.\n- crmd: Get full action information earlier. (bsc#981731)\n- crmd: Graceful proxy shutdown is now tested. (bsc#981489)\n- crmd: Keep a state of LRMD in the DC node latest.\n- crmd,lrmd,liblrmd: Use defined constants for lrmd IPC operations. (bsc#981489)\n- crmd: Mention that graceful remote shutdowns may cause connection failures. (bsc#981489)\n- crmd/pengine: Handle on-fail=ignore properly. (bsc#981731)\n- crmd/pengine: Implement on-fail=ignore without allow-fail. (bsc#981731)\n- crmd: Remove dead code. (bsc#981731)\n- crmd: Rename action number variable in process_graph_event(). (bsc#981731)\n- crmd: Resend the shutdown request if the DC forgets.\n- crmd: Respect start-failure-is-fatal even for artificially injected events. (bsc#981731)\n- crmd: Set remote flag when gracefully shutting down remote nodes. (bsc#981489)\n- crmd: Set the shutdown transient attribute in response to LRMD_IPC_OP_SHUTDOWN_REQ from remote nodes. (bsc#981489)\n- crmd: Support graceful pacemaker_remote stops. (bsc#981489)\n- crmd: Take start-delay into account for the timeout of the action timer. (bsc#977258)\n- crmd: Use defined constant for magic 'direct nack' RC. (bsc#981731)\n- crmd: Use proper resource agent name when caching metadata.\n- crmd: When node load was reduced, crmd carries out a feasible action.\n- crm_mon: Avoid logging errors for any CIB changes that we don't care about. (bsc#986931)\n- crm_mon: Consistently print ms resource state.\n- crm_mon: Do not call setenv with null value.\n- crm_mon: Do not log errors for the known CIB changes that should be ignored. (bsc#986931)\n- crm_mon: Fix time formatting on x32.\n- cts: Avoid kill usage error if DummySD stop called when already stopped.\n- CTS: Get Reattach test working again and up-to-date. (bsc#953192)\n- cts: Simulate pacemaker_remote failure with kill. (bsc#981489)\n- fencing/fence_legacy: Search capable devices by querying them through 'list' action for cluster-glue stonith \n  agents. (bsc#986265)\n- fencing: Record the last known names of nodes to make sure fencing requested with nodeid works. (bsc#974108)\n- libais,libcluster,libcrmcommon,liblrmd: Don't use %z specifier.\n- libcib,libfencing,libtransition: Handle memory allocation errors without CRM_CHECK().\n- lib: Correction of the deletion of the notice registration.\n- libcrmcommon: Correct directory name in log message.\n- libcrmcommon: Ensure crm_time_t structure is fully initialized by API calls.\n- libcrmcommon: Log XML comments correctly.\n- libcrmcommon: Properly handle XML comments when comparing v2 patchset diffs.\n- libcrmcommon: Really ensure crm_time_t structure is fully initialized by API calls.\n- libcrmcommon: Remove extraneous format specifier from log message.\n- libcrmcommon: Report errors consistently when waiting for data on connection. (bsc#986644)\n- libfencing: Report added node ID correctly.\n- liblrmd: Avoid memory leak when closing or deleting lrmd connections.\n- libpengine: Allow pe_order_same_node option for constraints.\n- libpengine: Log message when stonith disabled, not enabled.\n- libpengine: Only log startup-fencing warning once.\n- libtransition: Potential memory leak if unpacking action fails.\n- lrmd: Handle shutdown a little more cleanly. (bsc#981489)\n- lrmd,libcluster: Ensure g_hash_table_foreach() is never passed a null table.\n- lrmd,liblrmd: Add lrmd IPC operations for requesting and acknowledging shutdown. (bsc#981489)\n- lrmd: Make proxied IPC providers/clients opaque. (bsc#981489)\n- mcp: Improve comments for sysconfig options.\n- pacemaker_remote: Set LSB Provides header to the service name.\n- pacemaker_remote: Support graceful stops. (bsc#981489)\n- PE: Correctly update the dependent actions of un-runnable clones.\n- PE: Honor the shutdown transient attributes for remote nodes. (bsc#981489)\n- pengine: Avoid memory leak when invalid constraint involves set.\n- pengine: Avoid null dereference in new same-node ordering option.\n- pengine: Avoid transition loop for start-then-stop + unfencing.\n- pengine: Avoid use-after-free with location constraint + sets + templates.\n- pengine: Better error handling when unpacking sets in location constraints.\n- pengine: Consider resource failed if any of the configured monitor operations failed. (bsc#972187)\n- pengine: Correction of the record judgment of the failed information.\n- pengine: Do not fence a maintenance node if it shuts down cleanly. (bsc#1000743)\n- pengine: Correctly set the environment variable 'OCF_RESKEY_CRM_meta_timeout' when 'start-delay' is configured. \n  (bsc#977258)\n- pengine: Only set unfencing constraints once.\n- pengine: Organize order of actions for master resources in anti-colocations. (bsc#977800)\n- pengine: Organize order of actions for slave resources in anti-colocations. (bsc#977800)\n- pengine: Properly order stop actions relative to stonith.\n- pengine: Respect asymmetrical ordering when trying to move resources. (bsc#977675)\n- pengine: Set OCF_RESKEY_CRM_meta_notify_active_* for multistate resources.\n- pengine,tools: Display pending resource state by default when it's available. (bsc#986201)\n- ping: Avoid temp files in fping_check. (bsc#987348)\n- ping: Avoid temporary files for fping check. (bsc#987348)\n- ping: Log sensible error when /tmp is full. (bsc#987348)\n- ping resource: Use fping6 for IPv6 hosts. (bsc#976271)\n- RA/SysInfo: Reset the node attribute '#health_disk' to 'green' when there's sufficient free disk. (bsc#975079)\n- remote: Allow cluster and remote LRM API versions to diverge. (bsc#1009076)\n- remote: Correctly calculate the remaining timeouts when receiving messages. (bsc#986644)\n- resources: Use OCF version tagging correctly.\n- services: Correctly clean up service actions for non-dbus case.\n- spec: fence_pcmk only eligible for Pacemaker+CMAN.\n- stonithd: Correction of the wrong connection process name.\n- sysconfig: Minor tweaks (typo, wording).\n- tools: Avoid memory leaks in crm_resource --restart.\n- tools: Avoid memory leak when crm_mon unpacks constraints.\n- tools: Correctly count starting resources when doing crm_resource --restart.\n- tools: crm_resource -T option should not be hidden anymore.\n- tools: crm_standby --version/--help should work without cluster.\n- tools: Do not send command lines to syslog. (bsc#986676)\n- tools: Do not assume all resources restart on same node with crm_resource --restart.\n- tools: Don't require node to be known to crm_resource when deleting attribute.\n- tools: Properly handle crm_resource --restart with a resource in a group.\n- tools: Remember any existing target-role when doing crm_resource --restart.\n- various: Issues discovered via valgrind and coverity.\n\nAdditionally, the following references have been added to the changelog:\n\nbsc#970733, fate#318381, bsc#1002767, CVE-2016-7797, bsc#971129\n","id":"SUSE-SU-2016:3162-1","modified":"2016-12-15T13:52:25Z","published":"2016-12-15T13:52:25Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2016/suse-su-20163162-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1000743"},{"type":"REPORT","url":"https://bugzilla.suse.com/1002767"},{"type":"REPORT","url":"https://bugzilla.suse.com/1003565"},{"type":"REPORT","url":"https://bugzilla.suse.com/1007433"},{"type":"REPORT","url":"https://bugzilla.suse.com/1009076"},{"type":"REPORT","url":"https://bugzilla.suse.com/953192"},{"type":"REPORT","url":"https://bugzilla.suse.com/970733"},{"type":"REPORT","url":"https://bugzilla.suse.com/971129"},{"type":"REPORT","url":"https://bugzilla.suse.com/972187"},{"type":"REPORT","url":"https://bugzilla.suse.com/974108"},{"type":"REPORT","url":"https://bugzilla.suse.com/975079"},{"type":"REPORT","url":"https://bugzilla.suse.com/976271"},{"type":"REPORT","url":"https://bugzilla.suse.com/976865"},{"type":"REPORT","url":"https://bugzilla.suse.com/977258"},{"type":"REPORT","url":"https://bugzilla.suse.com/977675"},{"type":"REPORT","url":"https://bugzilla.suse.com/977800"},{"type":"REPORT","url":"https://bugzilla.suse.com/981489"},{"type":"REPORT","url":"https://bugzilla.suse.com/981731"},{"type":"REPORT","url":"https://bugzilla.suse.com/986056"},{"type":"REPORT","url":"https://bugzilla.suse.com/986201"},{"type":"REPORT","url":"https://bugzilla.suse.com/986265"},{"type":"REPORT","url":"https://bugzilla.suse.com/986644"},{"type":"REPORT","url":"https://bugzilla.suse.com/986676"},{"type":"REPORT","url":"https://bugzilla.suse.com/986931"},{"type":"REPORT","url":"https://bugzilla.suse.com/987348"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-7035"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-7797"}],"related":["CVE-2016-7035","CVE-2016-7797"],"summary":"Security update for pacemaker","upstream":["CVE-2016-7035","CVE-2016-7797"]}