Back to bug 1888191

Who When What Removed Added
Michael Kaplan 2020-10-14 10:49:00 UTC CC security-response-team
Michael Kaplan 2020-10-14 10:50:07 UTC Blocks 1887376
Huzaifa S. Sidhpurwala 2020-10-15 03:43:00 UTC Comment 0 updated
Huzaifa S. Sidhpurwala 2020-10-15 03:49:12 UTC Blocks 1887376
Dhananjay Arunesh 2020-10-15 04:13:08 UTC Summary Removed: EMBARGOED pacemaker: ACL restrictions bypass Added: EMBARGOED CVE-2020-25654 pacemaker: ACL restrictions bypass
Alias CVE-2020-25654
Huzaifa S. Sidhpurwala 2020-10-15 04:24:42 UTC Blocks 1887376
Huzaifa S. Sidhpurwala 2020-10-15 04:28:07 UTC Flags needinfo?(kgaillot)
Ken Gaillot 2020-10-15 20:22:40 UTC Flags needinfo?(kgaillot)
Huzaifa S. Sidhpurwala 2020-10-19 05:59:20 UTC Flags needinfo?(kgaillot)
Huzaifa S. Sidhpurwala 2020-10-19 06:09:18 UTC Doc Text An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
Ken Gaillot 2020-10-19 14:43:09 UTC Flags needinfo?(kgaillot)
Huzaifa S. Sidhpurwala 2020-10-20 04:56:33 UTC Depends On 1889582
Ken Gaillot 2020-10-20 14:12:16 UTC Flags needinfo?(security-response-team)
Yogendra Jog 2020-10-21 08:47:54 UTC Flags needinfo?(security-response-team)
Ken Gaillot 2020-10-21 17:30:11 UTC Flags needinfo?(security-response-team)
Huzaifa S. Sidhpurwala 2020-10-23 04:18:14 UTC Deadline 2020-10-27
Ken Gaillot 2020-10-23 17:50:12 UTC Flags needinfo?(security-response-team)
Yogendra Jog 2020-10-27 07:25:45 UTC CC huzaifas
Flags needinfo?(huzaifas)
Huzaifa S. Sidhpurwala 2020-10-27 07:50:15 UTC Group security, qe_staff
CC andrew, anprice, clumens, cluster-maint, dbecker, fedora, jjoyce, jschluet, kwenning, lhh, lpeer, mburns, sclewis, slinaber
Deadline 2020-10-27
Summary Removed: EMBARGOED CVE-2020-25654 pacemaker: ACL restrictions bypass Added: CVE-2020-25654 pacemaker: ACL restrictions bypass
Huzaifa S. Sidhpurwala 2020-10-27 07:51:14 UTC Depends On 1891719, 1891718
Huzaifa S. Sidhpurwala 2020-10-27 08:03:20 UTC Flags needinfo?(security-response-team) needinfo?(security-response-team) needinfo?(huzaifas)
Huzaifa S. Sidhpurwala 2020-10-27 08:06:09 UTC Flags needinfo?(kgaillot)
Ken Gaillot 2020-10-27 14:29:10 UTC Flags needinfo?(kgaillot)
Ken Gaillot 2020-10-27 16:41:41 UTC Flags needinfo?(huzaifas)
Huzaifa S. Sidhpurwala 2020-10-28 02:23:12 UTC Depends On 1892140
Huzaifa S. Sidhpurwala 2020-10-28 02:26:34 UTC Flags needinfo?(huzaifas)
Tomas Hoger 2020-10-28 12:22:18 UTC Summary Removed: CVE-2020-25654 pacemaker: ACL restrictions bypass Added: CVE-2020-25654 pacemaker: ACL restrictions bypass
Tomas Hoger 2020-10-28 12:24:01 UTC Depends On 1891528
Tomas Hoger 2020-10-29 08:26:53 UTC Depends On 1891529
Huzaifa S. Sidhpurwala 2020-11-03 09:46:42 UTC Fixed In Version pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2
errata-xmlrpc 2020-12-15 08:43:13 UTC Link ID Red Hat Product Errata RHSA-2020:5423
errata-xmlrpc 2020-12-15 11:19:23 UTC Link ID Red Hat Product Errata RHSA-2020:5453
Product Security DevOps Team 2020-12-15 12:47:04 UTC Status NEW CLOSED
Resolution --- ERRATA
Last Closed 2020-12-15 12:47:04 UTC
errata-xmlrpc 2020-12-15 17:03:18 UTC Link ID Red Hat Product Errata RHSA-2020:5487
RaTasha Tillery-Smith 2021-02-10 14:38:49 UTC Doc Text Removed: An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. Added: An ACL bypass flaw was found in Pacemaker. This flaw allows an attacker with a local account on the cluster and in the haclient group to use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.