Bug 13294

Summary:	[CVE 21] pcs 0.10.7 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	critical
Priority:	High	CC:	a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+
Target Milestone:	2021.1 Fresh R12
Hardware:	All
OS:	Linux
URL:	CVE-2022-2735,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-05-03 18:01:42 MSK

Please patch CVEs for package pcs version 0.10.7
  
INFO (CVEs are): pcs 0.10.7
 cves found
CVE-2022-2735
Desc: A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-2735
Severity: HIGH

Comment 1 Svyatoslav Matveev 2023-05-24 16:57:43 MSK

********** QA ADVISORY **********

Cve закрыто патчем.

*** pcs
https://abf.io/build_lists/4443665
https://abf.io/build_lists/4443666
https://abf.io/build_lists/4443664
https://abf.io/build_lists/4443668

Comment 2 Dmitry Postnikov 2023-05-25 13:55:38 MSK

***************************
The update sent to testings

Comment 3 Vladimir Potapov 2023-05-30 18:26:34 MSK

pcs-0.10.7-3
https://abf.io/build_lists/4443665
https://abf.io/build_lists/4443666
https://abf.io/build_lists/4443664
https://abf.io/build_lists/4443668
************************* Advisory ***********************
CVE-2022-2735 fix
**********************************************************
QA Verified

Comment 4 Yury 2023-07-25 16:29:08 MSK

Secteam Verified