2019-06-02 - Ferenc Wágner <firstname.lastname@example.org>
pacemaker (2.0.1-5) unstable; urgency=medium
* [17ae230] Backport three more patches from upstream fixing memory safety
Clearing up fallout from the preceding security fixes.
Thanks to Ken Gaillot <email@example.com>
2019-05-12 - Ferenc Wágner <firstname.lastname@example.org>
pacemaker (2.0.1-4) unstable; urgency=high
* [54ace53] Fix check for already present statoverride.
When adding flexible modes in 2.0.1-3 (3c7b0b4), I accidentally broke
the check, and the breakage led to piuparts failures. (Closes: #928841)
* High urgency due to the security fix in the not yet migrated 2.0.1-3.
2019-05-07 - Ferenc Wágner <email@example.com>
pacemaker (2.0.1-3) unstable; urgency=high
* [20ccd21] Shorten and explain the autopkgtest wait
* [3c7b0b4] Ship /var/log/pacemaker, the new default directory of the detail
Without this directory the default configuration emits errors and the
detail log is simply not written.
The /var/log/pacemaker.log* detail log files from Pacemaker 1 are not
moved automatically on upgrade, but this new /var/log/pacemaker
directory and its contents are removed when purging pacemaker-common.
The owner and mode of the log directory are set to let clients like
crm_resource --force-start running as any user in the haclient group
write their messages into the detail log. The logrotate config relies
on these settings as well.
* [21a4325] Drop a build patch: libtransitioner does not use liblrmd since
* [920ca93] Apply upstream security pull request #1749.
Cumulative patchset to fix CVE-2019-3885, CVE-2018-16877, CVE-2018-16878
+ additional unmasked null pointer deref
1. CVE-2018-16877: Insufficient local IPC client-server authentication
on the client's side can lead to local privesc. A local attacker
could use this flaw, and combine it with other IPC weaknesses, to
achieve local privilege escalation.
2. CVE-2018-16878: Insufficient verification inflicted preference of
uncontrolled processes can lead to DoS.
3. CVE-2019-3885: A use-after-free defect was discovered in pacemaker
that can possibly lead to unsolicited information disclosure in the
The Travis CI fix also in the GitHub pull request was omitted here.
* [501e5bb] We've got exactly two daemons
* [c0f7339] Move to debhelper compat level 12.
To avoid #887904: dh_installsystemd will unmask services *after* an
attempt to start them, leaving them stopped upon re-installation.
Pacemaker is not affected by any other changes between compat level 11
and 12, because we disable dh_dwz anyway (currently it isn't compatible
2019-04-01 - Ferenc Wágner <firstname.lastname@example.org>
pacemaker (2.0.1-2) unstable; urgency=medium
* [d8939cc] Avoid file conflicts with leftover packages from wheezy.
Pacemaker-dev in wheezy was a metapackage pulling in several -dev
packages. It is removed during the jessie dist-upgrade due to
dependency problems, and jessie does not have pacemaker at all, so these
obsolete -dev packages are left behind, unless replaced by the
renamed -dev packages from jessie-backports or later from stretch, both
of which require manual action. Lacking that, a manual install of the
reintroduced pacemaker-dev from buster will try to overwrite headers
from those obsolete -dev packages causing file conflicts, because the
old Breaks+Replaces relations weren't carried over from the stretch
packages. (Closes: #925354)
2019-03-04 - Ferenc Wágner <email@example.com>
pacemaker (2.0.1-1) unstable; urgency=medium
* [7d6ff2e] New upstream release (2.0.1)