Bug 241460 - [PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3
Summary: [PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Vinícius Zavam
URL:
Keywords: buildisok, patch, security
Depends on: 241456
Blocks:
  Show dependency treegraph
 
Reported: 2019-10-24 11:20 UTC by Vinícius Zavam
Modified: 2020-02-04 11:07 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (dpejesh)


Attachments
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.2 (17.83 KB, patch)
2019-10-24 11:20 UTC, Vinícius Zavam
no flags Details | Diff
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3 (21.53 KB, patch)
2019-12-09 16:16 UTC, Vinícius Zavam
no flags Details | Diff
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3 (22.01 KB, patch)
2019-12-10 09:31 UTC, Vinícius Zavam
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Vinícius Zavam freebsd_committer 2019-10-24 11:20:40 UTC
Created attachment 208560 [details]
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.2

* fixes CVE-2018-16878, CVE-2018-16877, CVE-2019-3885

https://github.com/ClusterLabs/pacemaker/blob/Pacemaker-2.0.2/ChangeLog

- Features added since Pacemaker-2.0.1
  + tools: crm_resource --validate can get resource parameters from command line
  + tools: crm_resource --clear prints out any cleared constraints
  + tools: new crm_rule tool for checking rule expiration (experimental)
  + tools: stonith_admin supports XML output for machine parsing (experimental)
  + resources: new HealthIOWait resource agent for node health tracking

- Changes since Pacemaker-2.0.1
  + Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
  + build: crm_report bug report URL is now configurable at build time
  + build: private libpengine/libtransitioner libraries combined as libpacemaker
  + controller: avoid memory leak when duplicate monitor is scheduled
  + scheduler: respect order constraints when resources are being probed
  + scheduler: one group stop shouldn't make another required
  + libcrmcommon: handle out-of-range integers in configuration better
  + libcrmcommon: export logfile environment variable if using default
  + libcrmcommon: avoid segmentation fault when beginning formatted text list
  + libcrmservice: fix use-after-free memory error in alert handling
  + libstonithd: handle more than 64KB output from fence agents

- Features added since Pacemaker-2.0.0
  + Pacemaker bundles support podman for container management
  + fencing: SBD may be used in a cluster that has guest nodes or bundles
  + fencing: fencing history is synchronized among all nodes
  + fencing: stonith_admin has option to clear fence history
  + tools: crm_mon can show fencing action failures and history
  + tools: crm_resource --clear supports new --expired option
  + Pacemaker Remote: new options to restrict TLS Diffie-Hellman prime length

- Changes since Pacemaker-2.0.0
  + scheduler: clone notifications could be scheduled for a stopped
    Pacemaker Remote node and block all further cluster actions
    (regression since 2.0.0)
  + libcrmcommon: correct behavior for completing interrupted live migrations
    (regression since 2.0.0)
  + tools: crm_resource -C could fail to clean up all failures in one run
    (regression since 2.0.0)
  + Pacemaker Remote: avoid unnecessary downtime when moving resource to
    Pacemaker Remote node that fails to come up (regression since 1.1.18)
  + tools: restore stonith_admin ability to confirm unseen nodes are down
    (regression since 1.1.12)
  + build: minor logging fixes to allow compatibility with GCC 9 -Werror
  + build: spec file now puts XML schemas in new pacemaker-schemas package
  + build: spec file now provides virtual pcmk-cluster-manager package
  + pacemaker-attrd: wait a short time before re-attempting failed writes
  + pacemaker-attrd: ignore attribute delays when writing after node (re-)join
  + pacemaker-attrd: start new election immediately if writer is lost
  + pacemaker-attrd: clear election dampening when the writer leaves
  + pacemaker-attrd: detect alert configuration changes when CIB is replaced
  + CIB: inform originator of CIB upgrade failure
  + controller: support resource agents that require node name even for meta-data
  + controller: don't record pending clone notifications in CIB
  + controller: DC detects completion of another node's shutdown more accurately
  + controller: shut down DC if unable to update node attributes
  + controller: handle corosync peer/join notifications for new node in any order
  + controller: clear election dampening when DC is lost
  + executor: cancel recurring monitors if fence device registration is lost
  + fencing: check for fence device update when resource defaults change
  + fencing: avoid pacemaker-fenced crash possible with stonith_admin misuse
  + fencing: limit fencing history to 500 entries
  + fencing: stonith_admin now complains if no action option is specified
  + pacemakerd: do not modify kernel.sysrq on Linux
  + scheduler: regression test compatibility with glib 2.59.0
  + scheduler: avoid unnecessary recovery of cleaned guest nodes and bundles
  + scheduler: ensure failures causing fencing not expired until fencing done
  + scheduler: start unique clone instances in numerical order
  + scheduler: convert unique clones to anonymous clones when not supported
  + scheduler: associate pending tasks with correct clone instance
  + scheduler: ensure bundle clone notifications are directed to correct host
  + scheduler: avoid improper bundle monitor rescheduling or fail count clearing
  + scheduler: honor asymmetric orderings even when restarting
  + scheduler: don't order non-DC shutdowns before DC fencing
  + ACLs: assume unprivileged ACL user if can't get user info
  + Pacemaker Remote: get Diffie-Hellman prime bit length from GnuTLS API
  + libcrmservice: cancel DBus call when cancelling systemd/upstart actions
  + libcrmservice: order systemd resources relative to pacemaker_remote
  + libpe_status: add public API constructor/destructor for pe_working_set_t
  + tools: fix crm_resource --clear when lifetime was used with ban/move
  + tools: fix crm_resource --move when lifetime was used with previous move
  + tools: make crm_mon CIB connection errors non-fatal if previously successful
  + tools: improve crm_mon messages when generating HTML output
  + tools: crm_mon cluster connection failure is now "critical" in nagios mode
  + tools: crm_mon listing of standby nodes shows if they have active resources
  + tools: crm_diff now ignores attribute ordering when comparing in CIB mode
  + tools: improve crm_report detection of logs, CIB directory, and processes
  + tools: crm_verify returns reliable exit codes
  + tools: crm_simulate resource history uses same name as live cluster would
Comment 1 Automation User 2019-10-24 12:44:54 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/91239853
Comment 2 Vinícius Zavam freebsd_committer 2019-11-22 11:37:44 UTC
ping? any objections on me getting it committed?
Comment 3 Vinícius Zavam freebsd_committer 2019-12-09 12:30:49 UTC
I'll take this one - maintainer timeout 4+weeks
merging the patch from bug #241456 and updating necessary codes
Comment 4 Vinícius Zavam freebsd_committer 2019-12-09 16:16:55 UTC
Created attachment 209805 [details]
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3
Comment 5 Vinícius Zavam freebsd_committer 2019-12-09 16:17:42 UTC
- Features added since Pacemaker-2.0.2
  + controller: new 'fence-reaction' cluster option specifies whether local node
                should 'stop' or 'panic' if notified of own fencing
  + controller: more cluster properties support ISO 8601 time specifications
  + controller: calculate cluster recheck interval dynamically when possible
  + Pacemaker Remote: allow file for environment variables when used in bundle
  + Pacemaker Remote: allow configurable listen address and TLS priorities
  + tools: crm_mon now supports standard --output-as/--output-to options
  + tools: crm_mon HTML output supports user-defined CSS stylesheet
  + tools: stonith_admin supports HTML output in addition to text and XML
  + tools: crm_simulate supports --repeat option to repeat profiling tests
  + tools: new pcmk_simtimes tool compares crm_simulate profiling output
  + agents: SysInfo supports K, T, and P units in addition to Kb and G

- Changes since Pacemaker-2.0.2
  + fencer: do not block concurrent fencing actions on a device
            (regression since 2.0.2)
  + all: avoid Year 2038 issues
  + all: allow ISO 8601 strings of form "<date>T<time> <offset>"
  + rpm: pacemaker-cts package now explicitly requires pacemaker-cli
  + controller: set timeout on scheduler responses to avoid infinite wait
  + controller: confirm cancel of failed monitors, to avoid transition timeout
  + executor: let controller cancel monitors, to avoid transition timeout
  + executor: return error for stonith probes if stonith connection was lost
  + fencer: ensure concurrent fencing commands always get triggered to execute
  + fencer: fail pending actions and re-sync history after crash and restart
  + fencer: don't let command with long delay block other pending commands
  + fencer: allow functioning even if CIB updates arrive unceasingly
  + scheduler: wait for probe actions to complete to prevent unnecessary
               restart/re-promote of dependent resources
  + scheduler: avoid invalid transition when guest node host is not fenceable
  + scheduler: properly detect dangling migrations, to avoid restart loop
  + scheduler: avoid scheduling actions on remote node that is shutting down
  + scheduler: avoid delay in recovery of failed remote connections
  + scheduler: clarify action failure log messages by including failure time
  + scheduler: calculate secure digests for unfencing, for replaying saved CIBs
  + libcrmcommon: avoid possible use-of-NULL when applying XML diffs
  + libcrmcommon: correctly apply XML diffs with multiple move/create changes
  + libcrmcommon: return error when applying XML diffs with unknown operations
  + tools: avoid duplicate lines between nodes in crm_simulate dot graph
  + tools: count disabled/blocked resources correctly in crm_mon/crm_simulate
  + tools: crm_mon --interval now accepts ISO 8601 and has correct help
  + tools: organize crm_mon text output with list headings, indents, bullets
  + tools: crm_report: fail if tar is not available
  + tools: crm_report: correct argument parsing
  + tools: crm_report: don't ignore log if unrelated file is too large
  + tools: stonith_admin --list-targets should show what fencer would use
  + agents: calculate #health_disk correctly in SysInfo
  + agents: handle run-as-user properly in ClusterMon
Comment 6 Vinícius Zavam freebsd_committer 2019-12-10 09:31:36 UTC
Created attachment 209823 [details]
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3

commented that 'socket' on its rc.d script based on reports from flo@ and https://bugs.clusterlabs.org/show_bug.cgi?id=5397
Comment 7 commit-hook freebsd_committer 2020-02-03 14:22:47 UTC
A commit references this bug:

Author: egypcio
Date: Mon Feb  3 14:22:43 UTC 2020
New revision: 525041
URL: https://svnweb.freebsd.org/changeset/ports/525041

Log:
  net/pacemaker2: update 2.0.0-rc4 to 2.0.3

    * fixes CVE-2018-16878, CVE-2018-16877, CVE-2019-3885;
    * implements https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3

  PR:		241460
  Reviewed by:	flo
  Approved by:	portmgr (maintainer timeout)

Changes:
  head/net/pacemaker2/Makefile
  head/net/pacemaker2/distinfo
  head/net/pacemaker2/files/pacemaker.in
  head/net/pacemaker2/pkg-plist
Comment 8 commit-hook freebsd_committer 2020-02-04 11:07:16 UTC
A commit references this bug:

Author: egypcio
Date: Tue Feb  4 11:06:53 UTC 2020
New revision: 525145
URL: https://svnweb.freebsd.org/changeset/ports/525145

Log:
  reset maintainership after consecutive timeouts (12+ weeks).

    % make -s -C /usr/ports search maint=dpejesh@yahoo.com display=path
    Path:   /usr/ports/devel/kronosnet
    Path:   /usr/ports/devel/libqb
    Path:   /usr/ports/devel/py-parallax
    Path:   /usr/ports/devel/py-tinyrpc
    Path:   /usr/ports/net-mgmt/crmsh
    Path:   /usr/ports/net-mgmt/resource-agents
    Path:   /usr/ports/net/corosync2
    Path:   /usr/ports/net/corosync3
    Path:   /usr/ports/net/pacemaker1
    Path:   /usr/ports/net/pacemaker2

  PR:	230127, 232865, 232866, 232867
  PR:	241431, 241434, 241445, 241456, 241460

Changes:
  head/devel/kronosnet/Makefile
  head/devel/libqb/Makefile
  head/devel/py-parallax/Makefile
  head/devel/py-tinyrpc/Makefile
  head/net/corosync2/Makefile.common
  head/net/pacemaker1/Makefile.common
  head/net-mgmt/crmsh/Makefile
  head/net-mgmt/resource-agents/Makefile