SCIENTIFIC-LINUX-USERS Archives

August 2010

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
"P. Larry Nelson" <[log in to unmask]>
Reply To:
P. Larry Nelson
Date:
Sun, 1 Aug 2010 09:44:43 -0500
Hi Connie, Troy,

We are also seeing this dependency failure on both SL5.4 and SL5.5
systems and for both the .i386 and .x86_64 versions of the lvm2
security release.

Our SL5.4 systems have: device-mapper-1.02.32-1.el5
Our SL5.5 systems have: device-mapper-1.02.39-1.el5.i386

Sample email from overnight yum cron:
  --------------------
  YUM - security
  --------------------
lvm2-2.02.56-8.el5_5.6.x86_64 from sl-security has depsolving problems
   --> Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by package lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)
Error: Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by package lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)
  You could try using --skip-broken to work around the problem
  You could try running: package-cleanup --problems
                         package-cleanup --dupes
                         rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.

- Larry

On 8/1/10 2:21 AM, Hervé Riboulot wrote:
> Hello,
>
> I cannot process the security update due to dependency issues: 'Error:
> Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by
> package lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)'.
>
> Device-mapper (i386 and x86_64) are installed:
>
> rpm -qa device-mapper
> device-mapper-1.02.39-1.el5.x86_64
> device-mapper-1.02.39-1.el5.i386
>
> Package-cleanup --problems does not report any flaw ...
>
>
> I'm running SL 5.5 on the following configuration: 2.6.18-194.8.1.el5 #1
> SMP Thu Jul 1 16:05:53 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux.
>
>
>
> Best regards,
>
>
>
>
> On 01.08.2010 06:29, Connie Sieh wrote:
>>
>> Issue date: 2010-07-28
>> CVE Names: CVE-2010-2526
>> Description:
>>
>> It was discovered that the cluster logical volume manager daemon (clvmd)
>> did not verify the credentials of clients connecting to its control UNIX
>> abstract socket, allowing local, unprivileged users to send control
>> commands that were intended to only be available to the privileged root
>> user. This could allow a local, unprivileged user to cause clvmd to exit,
>> or request clvmd to activate, deactivate, or reload any logical volume on
>> the local system or another system in the cluster. (CVE-2010-2526)
>>
>> Note: This update changes clvmd to use a pathname-based socket rather than
>> an abstract socket. As such, the lvm2 update 2010:0569, which changes
>> LVM to also use this pathname-based socket, must also be installed for LVM
>> to be able to communicate with the updated clvmd.
>>
>> All lvm2-cluster users should upgrade to this updated package, which
>> contains a backported patch to correct this issue. After installing the
>> updated package, clvmd must be restarted for the update to take effect.
>>
>> 5. Bugs fixed
>>
>> CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2
>> and clvmd
>>
>> 6. Package List:
>>
>> SRPM:
>> lvm2-cluster-2.02.56-7.el5_5.4.src.rpm
>>
>> i386:
>> lvm2-cluster-2.02.56-7.el5_5.4.i386.rpm
>>
>> x86_64:
>> lvm2-cluster-2.02.56-7.el5_5.4.x86_64.rpm
>>
>>
>> lvm2 update included because of dependency.
>>
>> i386:
>> lvm2-2.02.56-8.el5_5.6.i386.rpm
>> x86_64:
>> lvm2-2.02.56-8.el5_5.6.x86_64.rpm
>>
>> -Connie Sieh
>> -Troy Dawson


-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
