moderate: libcroco/pacemaker security update
An update for libcroco/pacemaker is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
libcroco: CSS2 parsing and manipulation library for GNOME
pacemaker: Pacemaker is an advanced, scalable High-Availability cluster resource manager for Corosync, CMAN and/or Linux-HA. The pacemaker-cluster-libs package contains cluster-aware shared libraries needed for nodes that will form part of the cluster nodes.
libcroco: A stack overflow flaw was found in libcroco. A service using libcroco's CSS parser could be crashed by a local, authenticated attacker, or an attacker utilizing social engineering, using a crafted input. The highest threat from this vulnerability is to system availability. (CVE-2020-12825)
pacemaker: An ACL bypass flaw was found in Pacemaker. This flaw allows an attacker with a local account on the cluster and in the haclient group to use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-25654)
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Remember the build tag is 5.04.F29B5.