SCIENTIFIC-LINUX-ERRATA Archives

August 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Connie Sieh <[log in to unmask]>
Reply To: Connie Sieh <[log in to unmask]>
Date: Tue, 3 Aug 2010 20:48:52 -0500
The following have been uploaded to the security errata area because of 
dependencies of lvm2.

i386:

   device-mapper-1.02.39-1.el5_5.2.i386.rpm
   device-mapper-event-1.02.39-1.el5_5.2.i386.rpm

x86_64:

   device-mapper-1.02.39-1.el5_5.2.i386.rpm
   device-mapper-1.02.39-1.el5_5.2.x86_64.rpm
   device-mapper-event-1.02.39-1.el5_5.2.x86_64.rpm

-Connie Sieh

On Sun, 1 Aug 2010, Hervé Riboulot wrote:

> Hello,
>
> I cannot process the security update due to dependency issues: 'Error: 
> Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by package 
> lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)'.
>
> Device-mapper (i386 and x86_64) are installed:
>
> rpm -qa device-mapper
> device-mapper-1.02.39-1.el5.x86_64
> device-mapper-1.02.39-1.el5.i386
>
>
> I'm running SL 5.5  on the following configuration:  2.6.18-194.8.1.el5 #1 
> SMP Thu Jul 1 16:05:53 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
>
> Best regards,
>
>
>
>
> On 01.08.2010 06:29, Connie Sieh wrote:
>>
>>  Issue date:        2010-07-28
>>  CVE Names:         CVE-2010-2526
>>  Description:
>>
>>  It was discovered that the cluster logical volume manager daemon (clvmd)
>>  did not verify the credentials of clients connecting to its control UNIX
>>  abstract socket, allowing local, unprivileged users to send control
>>  commands that were intended to only be available to the privileged root
>>  user. This could allow a local, unprivileged user to cause clvmd to exit,
>>  or request clvmd to activate, deactivate, or reload any logical volume on
>>  the local system or another system in the cluster. (CVE-2010-2526)
>>
>>  Note: This update changes clvmd to use a pathname-based socket rather than
>>  an abstract socket. As such, the lvm2 update 2010:0569, which changes
>>  LVM to also use this pathname-based socket, must also be installed for LVM
>>  to be able to communicate with the updated clvmd.
>>
>>  All lvm2-cluster users should upgrade to this updated package, which
>>  contains a backported patch to correct this issue. After installing the
>>  updated package, clvmd must be restarted for the update to take effect.
>>
>>  5. Bugs fixed
>>
>>  CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2 and
>>  clvmd
>>
>>  6. Package List:
>>
>>  SRPM:
>>    lvm2-cluster-2.02.56-7.el5_5.4.src.rpm
>>
>>  i386:
>>    lvm2-cluster-2.02.56-7.el5_5.4.i386.rpm
>>
>>  x86_64:
>>    lvm2-cluster-2.02.56-7.el5_5.4.x86_64.rpm
>> 
>>
>>  lvm2 update included because of dependency.
>>
>>  i386:
>>    lvm2-2.02.56-8.el5_5.6.i386.rpm
>>  x86_64:
>>    lvm2-2.02.56-8.el5_5.6.x86_64.rpm
>>
>>  -Connie Sieh
>>  -Troy Dawson
>> 
>> 
>
>
>
>
>
>
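
The advisory quoted above describes a control socket that accepted commands without checking who connected, and a fix that moves to a pathname-based socket. The following C example is added here for illustration and is not code from this list, from the lvm2-cluster patch or from clvmd; it shows the two generic Linux defenses involved, and the function names `make_control_socket` and `peer_has_uid` are hypothetical.

```c
#define _GNU_SOURCE                 /* exposes struct ucred on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>

/* Bind a pathname-based control socket whose file mode is 0600, so the
 * filesystem refuses connect() from other unprivileged users. Returns fd or -1. */
int make_control_socket(const char *path)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof(addr.sun_path)) return -1;
    strcpy(addr.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    unlink(path);                   /* stale socket from a previous run */
    mode_t old = umask(0177);       /* bind() creates the inode as 0777 & ~umask */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old);
    if (rc < 0 || listen(fd, 5) < 0) { close(fd); return -1; }
    return fd;
}

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * Returns 1 if the peer runs as allowed_uid, 0 if not, -1 on error. */
int peer_has_uid(int fd, uid_t allowed_uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) return -1;
    return cred.uid == allowed_uid;
}

int main(void)
{
    int sv[2];                      /* constructed sample: both ends are this process */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    printf("peer is our uid:     %d\n", peer_has_uid(sv[0], getuid()));
    printf("peer is another uid: %d\n", peer_has_uid(sv[0], getuid() + 1));
    return 0;
}
```

An abstract socket has no inode, so the file-mode restriction in `make_control_socket` has nothing to attach to; there the `SO_PEERCRED` check is the only one of the two that applies.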

