Date: Thu, 1 Oct 2009 12:04:18 -0500
Synopsis: Low: cman security, bug fix, and enhancement update
Issue date: 2009-09-02
CVE Names: CVE-2008-4579 CVE-2008-6552
Multiple insecure temporary file use flaws were found in fence_apc_snmp
and ccs_tool. A local attacker could use these flaws to overwrite an
arbitrary file writable by a victim running those utilities (typically
root) with the output of the utilities via a symbolic link attack.
(CVE-2008-4579, CVE-2008-6552)
Bug fixes:
* a buffer could overflow if cluster.conf had more than 52 entries per
block inside the <cman> block. The limit is now 1024.
* the output of the group_tool dump subcommands was NULL padded.
* using device="" instead of label="" no longer causes qdiskd to
incorrectly exit.
* the IPMI fencing agent has been modified to time out after 10 seconds.
It is also now possible to specify a different timeout value with the
'-t' option.
* the IPMI fencing agent now allows punctuation in passwords.
* quickly starting and stopping the cman service no longer causes the
cluster membership to become inconsistent across the cluster.
* an issue with lock syncing caused 'receive_own from' errors to be
logged to '/var/log/messages'.
* an issue which caused gfs_controld to segfault when mounting hundreds
of file systems has been fixed.
* the LPAR fencing agent now properly reports status when an LPAR is in
Open Firmware mode.
* the LPAR fencing agent now works properly with systems using the
Integrated Virtualization Manager (IVM).
* the APC SNMP fencing agent now properly recognizes outletStatusOn and
outletStatusOff return codes from the SNMP agent.
* the WTI fencing agent can now connect to fencing devices with no
password.
* the rps-10 fencing agent now properly performs a reboot when run with
no options.
* the IPMI fencing agent now supports different cipher types with the
'-C' option.
* qdisk now properly scans devices and partitions.
* cman now checks to see if a new node has state to prevent killing the
first node during cluster setup.
* 'service qdiskd start' now works properly.
* the McData fence agent now works properly with the McData Sphereon
4500 Fabric Switch.
* the Egenera fence agent can now specify an SSH login name.
* the APC fence agent now works with non-admin accounts when using the
3.5.x firmware.
* fence_xvmd now tries two methods to reboot a virtual machine.
* connections to OpenAIS are now allowed from unprivileged CPG clients
with the user and group of 'ais'.
* groupd no longer allows the default fence domain to be '0', which
previously caused rgmanager to hang. Now, rgmanager no longer hangs.
* the RSA fence agent now supports SSH enabled RSA II devices.
* the DRAC fence agent now works with the Integrated Dell Remote Access
Controller (iDRAC) on Dell PowerEdge M600 blade servers.
* fixed a memory leak in cman.
* qdisk now displays a warning if more than one label is found with the
same name.
* the DRAC5 fencing agent now shows proper usage instructions for the
'-D' option.
* cman no longer uses the wrong node name when getnameinfo() fails.
* the SCSI fence agent now verifies that sg_persist is installed.
* the DRAC5 fencing agent now properly handles modulename.
* QDisk now logs warning messages if it appears its I/O to shared
storage is hung.
* fence_apc no longer fails with a pexpect exception.
* removing a node from the cluster using 'cman_tool leave remove' now
properly reduces the expected_votes and quorum.
* a semaphore leak in cman has been fixed.
* 'cman_tool nodes -F name' no longer segfaults when a node is out of
membership.
Enhancements:
* support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124
and MDS 9134 SAN switches, the virsh fencing agent, and broadcast
communication with cman.
* fence_scsi limitations added to fence_scsi man page.
NOTE: openais and pexpect updates are required.
SL 5.x
SRPMS:
cman-2.0.115-1.el5.src.rpm
i386:
cman-2.0.115-1.el5.i386.rpm
cman-devel-2.0.115-1.el5.i386.rpm
openais-0.80.6-8.el5.i386.rpm
openais-devel-0.80.6-8.el5.i386.rpm
pexpect-2.3-1.el5.noarch.rpm
x86_64:
cman-2.0.115-1.el5.x86_64.rpm
cman-devel-2.0.115-1.el5.i386.rpm
cman-devel-2.0.115-1.el5.x86_64.rpm
openais-0.80.6-8.el5.x86_64.rpm
openais-devel-0.80.6-8.el5.i386.rpm
openais-devel-0.80.6-8.el5.x86_64.rpm
pexpect-2.3-1.el5.noarch.rpm
-Connie Sieh
-Troy Dawson
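
Added example (not part of the original advisory, and not the actual fence_apc_snmp or ccs_tool code): the insecure temporary file pattern described for CVE-2008-4579 and CVE-2008-6552, shown next to two hardened ways of creating the file. The file names and helper functions are hypothetical, and all sample data is constructed inside a private sandbox directory.

```python
import os
import tempfile

def write_predictable(path, data):
    # 'Before' pattern: fixed name, and open() follows a symlink already at that name.
    with open(path, "w") as f:
        f.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails if anything, a symlink included, already exists at path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_mkstemp(directory, data):
    # mkstemp picks an unpredictable name and creates it exclusively, mode 0600.
    fd, path = tempfile.mkstemp(prefix="util-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def read_text(path):
    with open(path) as f:
        return f.read()

def demo():
    # Everything happens inside a private sandbox directory (constructed sample data).
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "important.conf")  # stand-in for a file the user can write
        fixed = os.path.join(sandbox, "util_output.tmp")  # hypothetical predictable temp name
        write_predictable(victim, "original\n")
        os.symlink(victim, fixed)  # link already present at the predictable name

        write_predictable(fixed, "utility output\n")
        overwritten = read_text(victim) == "utility output\n"

        write_predictable(victim, "original\n")  # restore, then try the hardened writer
        try:
            write_exclusive(fixed, "utility output\n")
            refused = False
        except OSError:
            refused = True
        intact = read_text(victim) == "original\n"

        path = write_mkstemp(sandbox, "utility output\n")
        mode = os.stat(path).st_mode & 0o777
        return {"overwritten": overwritten, "refused": refused, "intact": intact, "mode": mode}

if __name__ == "__main__":
    print(demo())
```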