SCIENTIFIC-LINUX-ERRATA Archives

October 2009

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Troy Dawson
Reply To: Troy Dawson
Date: Thu, 1 Oct 2009 12:04:18 -0500

Synopsis:	Low: cman security, bug fix, and enhancement update
Issue date:	2009-09-02
CVE Names:	CVE-2008-4579 CVE-2008-6552

Multiple insecure temporary file use flaws were found in fence_apc_snmp 
and ccs_tool. A local attacker could use these flaws to overwrite an 
arbitrary file writable by a victim running those utilities (typically 
root) with the output of the utilities via a symbolic link attack. 
(CVE-2008-4579, CVE-2008-6552)

Bug fixes:

* a buffer could overflow if cluster.conf had more than 52 entries per
block inside the <cman> block. The limit is now 1024.

* the output of the group_tool dump subcommands was NULL padded.

* using device="" instead of label="" no longer causes qdiskd to
incorrectly exit.

* the IPMI fencing agent has been modified to time out after 10 seconds. 
It is also now possible to specify a different timeout value with the 
'-t' option.

* the IPMI fencing agent now allows punctuation in passwords.

* quickly starting and stopping the cman service no longer causes the
cluster membership to become inconsistent across the cluster.

* an issue with lock syncing caused 'receive_own from' errors to be 
logged to '/var/log/messages'.

* an issue which caused gfs_controld to segfault when mounting hundreds 
of file systems has been fixed.

* the LPAR fencing agent now properly reports status when an LPAR is in
Open Firmware mode.

* the LPAR fencing agent now works properly with systems using the
Integrated Virtualization Manager (IVM).

* the APC SNMP fencing agent now properly recognizes outletStatusOn and
outletStatusOff return codes from the SNMP agent.

* the WTI fencing agent can now connect to fencing devices with no
password.

* the rps-10 fencing agent now properly performs a reboot when run with 
no options.

* the IPMI fencing agent now supports different cipher types with the 
'-C' option.

* qdisk now properly scans devices and partitions.

* cman now checks to see if a new node has state to prevent killing the
first node during cluster setup.

* 'service qdiskd start' now works properly.

* the McData fence agent now works properly with the McData Sphereon 
4500 Fabric Switch.

* the Egenera fence agent can now specify an SSH login name.

* the APC fence agent now works with non-admin accounts when using the
3.5.x firmware.

* fence_xvmd now tries two methods to reboot a virtual machine.

* connections to OpenAIS are now allowed from unprivileged CPG clients 
with the user and group of 'ais'.

* groupd no longer allows the default fence domain to be '0', which
previously caused rgmanager to hang. Now, rgmanager no longer hangs.

* the RSA fence agent now supports SSH enabled RSA II devices.

* the DRAC fence agent now works with the Integrated Dell Remote Access
Controller (iDRAC) on Dell PowerEdge M600 blade servers.

* fixed a memory leak in cman.

* qdisk now displays a warning if more than one label is found with the
same name.

* the DRAC5 fencing agent now shows proper usage instructions for the 
'-D' option.

* cman no longer uses the wrong node name when getnameinfo() fails.

* the SCSI fence agent now verifies that sg_persist is installed.

* the DRAC5 fencing agent now properly handles modulename.

* QDisk now logs warning messages if it appears its I/O to shared 
storage is hung.

* fence_apc no longer fails with a pexpect exception.

* removing a node from the cluster using 'cman_tool leave remove' now
properly reduces the expected_votes and quorum.

* a semaphore leak in cman has been fixed.

* 'cman_tool nodes -F name' no longer segfaults when a node is out of
membership.

Enhancements:

* support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 
and MDS 9134 SAN switches, the virsh fencing agent, and broadcast 
communication with cman.

* fence_scsi limitations added to fence_scsi man page.

NOTE: openais and pexpect updates are required.

SL 5.x

     SRPMS:
cman-2.0.115-1.el5.src.rpm
     i386:
cman-2.0.115-1.el5.i386.rpm
cman-devel-2.0.115-1.el5.i386.rpm
openais-0.80.6-8.el5.i386.rpm
openais-devel-0.80.6-8.el5.i386.rpm
pexpect-2.3-1.el5.noarch.rpm
     x86_64:
cman-2.0.115-1.el5.x86_64.rpm
cman-devel-2.0.115-1.el5.i386.rpm
cman-devel-2.0.115-1.el5.x86_64.rpm
openais-0.80.6-8.el5.x86_64.rpm
openais-devel-0.80.6-8.el5.i386.rpm
openais-devel-0.80.6-8.el5.x86_64.rpm
pexpect-2.3-1.el5.noarch.rpm

-Connie Sieh
-Troy Dawson
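
The insecure temporary file flaw class named in the advisory (CVE-2008-4579, CVE-2008-6552), shown as an added example that is not part of the original message and is not code from fence_apc_snmp or ccs_tool. It contrasts a write to a predictable path with two hardened forms; all function and file names are hypothetical and everything runs inside a private scratch directory with constructed data.

```python
import os
import tempfile

def write_unsafe(path, data):
    # Vulnerable pattern: open() on a predictable name follows an existing
    # symlink, so the output lands in whatever file the link points to.
    with open(path, "w") as f:
        f.write(data)

def write_fixed_name(path, data):
    # Hardened, fixed name: O_CREAT | O_EXCL fails with EEXIST if anything,
    # including a symlink, already exists at the path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_random_name(directory, data):
    # Hardened, preferred: mkstemp() picks an unpredictable name and creates
    # it exclusively with mode 0600, returning an already-open descriptor.
    fd, path = tempfile.mkstemp(prefix="tool.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def read_text(path):
    with open(path) as f:
        return f.read()

def demo():
    # Returns (clobbered, refused, intact, new_file_is_link).
    with tempfile.TemporaryDirectory() as scratch:
        protected = os.path.join(scratch, "protected.conf")  # stands in for a root-writable file
        predictable = os.path.join(scratch, "tool.tmp")      # stands in for a fixed temp name
        write_unsafe(protected, "original\n")
        os.symlink(protected, predictable)                   # pre-existing link at the temp name

        write_unsafe(predictable, "tool output\n")
        clobbered = read_text(protected) == "tool output\n"

        write_unsafe(protected, "original\n")                # restore before the hardened runs
        try:
            write_fixed_name(predictable, "tool output\n")
            refused = False
        except FileExistsError:
            refused = True
        new_path = write_random_name(scratch, "tool output\n")
        intact = read_text(protected) == "original\n"
        return clobbered, refused, intact, os.path.islink(new_path)
```
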
