Improper Authorization in clusterlabs/pcs
Reported on
Mar 7th 2022
Description
Pacemaker's daemon pcsd allows authentication via PAM's pam_authenticate. Unfortunately, the authorization via pam_acct_mgmt has been omitted. Therefore, unprivileged expired accounts that have been denied access can still log in.
Proof of Concept
You can expire an account with chage -E0 <username>
Impact
Since disabling an account in PAM still allows login via SSH keys, it's common to set accounts to expire if you want to deny access. So accounts that technically don't have any privilege are still allowed to log in here. This also applies to accounts with expired passwords. A fix is supplied in the report.
References
SECURITY.md
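As an added example (not part of the report or of the pcs code base), the following audit lists the accounts whose shadow entry an account-management step such as pam_acct_mgmt would be expected to reject, that is, the expired accounts and expired passwords the report says could still log in. The sample entries are constructed, and the ageing rules are a simplified model of shadow(5), an assumption rather than pam_unix's exact logic.

```python
from datetime import date

# Constructed /etc/shadow-style sample (hashes replaced by placeholders).
SAMPLE_SHADOW = """\
alice:$6$placeholder:19000:0:99999:7:::
bob:$6$placeholder:19000:0:99999:7::0:
carol:$6$placeholder:18000:0:90:7:::
dave:$6$placeholder:19000:0:99999:7::20000:
erin:!:19000:0:99999:7:::
"""

def _num(field):
    """Empty shadow fields mean 'not set'; represent them as None."""
    return int(field) if field.strip() else None

def acct_status(line, today_days):
    """Classify one shadow entry the way an account-management check would.

    Simplified model of the shadow(5) ageing rules (an assumption, not
    pam_unix's exact code). Returns (user, status).
    """
    f = line.rstrip("\n").split(":")
    f += [""] * (9 - len(f))  # tolerate short lines
    user, lastchg, maxdays, expire = f[0], _num(f[2]), _num(f[4]), _num(f[7])
    if expire is not None and today_days >= expire:
        return user, "account_expired"   # e.g. after `chage -E0 <username>`
    if lastchg == 0:
        return user, "password_expired"  # change forced at next login
    if lastchg is not None and maxdays is not None and today_days - lastchg > maxdays:
        return user, "password_expired"
    return user, "ok"  # includes erin: locked password, but no expiry set

def audit(shadow_text, today=None):
    """Return {user: status} for every entry that is not 'ok'."""
    today_days = ((today or date.today()) - date(1970, 1, 1)).days
    results = (acct_status(l, today_days) for l in shadow_text.splitlines() if l.strip())
    return {user: status for user, status in results if status != "ok"}

if __name__ == "__main__":
    for user, status in audit(SAMPLE_SHADOW, date(2022, 3, 7)).items():
        print(f"{user}: {status} (rejected only if the account check runs)")
```
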
2 years ago
Hi @ysf,
Thank you for reaching out and reporting this issue. I have contacted our internal security team to review it and assess its severity. I'll get back to you and confirm the vulnerability when I hear from them.
Regards, Tomas
Hey, will do when GitHub works again. Currently my repository throws 500 errors back and forth.
@admin I can't choose the repository since it is named differently (pcs-1) than the original project name.
@Yes - It's already in my branch pcs-1 and a PR in the clusterlabs/pcs repository. @maintainer will you assign a CVE through Red Hat to this issue?
@ysf I'm not in charge of the CVE process, but I forwarded your question to Red Hat Security team.
@maintainer - with regards to the CVE, we are happy to assign and publish a CVE on your behalf if you would like?
@ysf - with regards to the fix, it seems like a bug in our UI preventing you from selecting a differently named fork.
Can you please confirm the name of the branch, and I will deal with patch submission on my end on your behalf? 👍
@admin it's https://github.com/ysf/pcs-1/tree/fix_pam_authorization
Thank you
It doesn't look like there is a diff yet?
https://github.com/ClusterLabs/pcs/compare/main...ysf:fix_pam_authorization
Exactly, there is no diff because it already has been merged. You can see the reference to huntr.dev in the CHANGELOG.md
In any case, it doesn't actually matter, as we just request the patch to be able to share the diff URL with the maintainer in the comments section.
@maintainer - you can still proceed to confirm fix and select @ysf as the fixer in the dropdown as a patch has still been submitted and recorded 👍
We will just need to address this minor bug :)
Would you like us to assign and publish a CVE for this report?
CVE-2022-1049 has been assigned for this issue.