pacemaker (2.0.1-4ubuntu1) eoan; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: Demote fence-agents to Suggests, avoiding main
      inclusion.
    - debian/patches/pacemaker_is_partof_corosync.patch: Default systemd
      unit hard-requires corosync.
      + Debian disagrees in Debian bug 887563 message 36. We could revert back
        to Debian's behaviour, but keeping the patch in this merge maintains
        existing behaviour for Ubuntu users pending any separate future
        decision.

pacemaker (2.0.1-4) unstable; urgency=high

  * [54ace53] Fix check for already present statoverride.
    When adding flexible modes in 2.0.1-3 (3c7b0b4), I accidentally broke
    the check, and the breakage led to piuparts failures. (Closes: #928841)
  * High urgency due to the security fix in the not yet migrated 2.0.1-3.

pacemaker (2.0.1-3) unstable; urgency=high

  * [20ccd21] Shorten and explain the autopkgtest wait
  * [3c7b0b4] Ship /var/log/pacemaker, the new default directory of the detail
    logs.
    Without this directory the default configuration emits errors and the
    detail log is simply not written.
    The /var/log/pacemaker.log* detail log files from Pacemaker 1 are not
    moved automatically on upgrade, but this new /var/log/pacemaker
    directory and its contents are removed when purging pacemaker-common.
    The owner and mode of the log directory are set to let clients like
    crm_resource --force-start running as any user in the haclient group
    write their messages into the detail log. The logrotate config relies
    on these settings as well.
  * [21a4325] Drop a build patch: libtransitioner does not use liblrmd since
    092281b
  * [920ca93] Apply upstream security pull request #1749.
    Cumulative patchset to fix CVE-2019-3885, CVE-2018-16877, CVE-2018-16878
    + additional unmasked null pointer deref
    1. CVE-2018-16877: Insufficient local IPC client-server authentication
       on the client's side can lead to local privesc. A local attacker
       could use this flaw, and combine it with other IPC weaknesses, to
       achieve local privilege escalation.
    2. CVE-2018-16878: Insufficient verification inflicted preference of
       uncontrolled processes can lead to DoS.
    3. CVE-2019-3885: A use-after-free defect was discovered in pacemaker
       that can possibly lead to unsolicited information disclosure in the
       log outputs.
    The Travis CI fix also in the GitHub pull request was omitted here.
    (Closes: #927714)
  * [501e5bb] We've got exactly two daemons
  * [c0f7339] Move to debhelper compat level 12.
    To avoid #887904: dh_installsystemd will unmask services *after* an
    attempt to start them, leaving them stopped upon re-installation.
    Pacemaker is not affected by any other changes between compat level 11
    and 12, because we disable dh_dwz anyway (currently it isn't compatible
    with libqb).

-- Gianfranco Costamagna <email address hidden> Mon, 13 May 2019 12:11:35 +0200