Synopsis: Moderate: conga security, bug fix, and enhancement update
Issue date: 2007-11-07
CVE Names: CVE-2007-4136

A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause ricci to temporarily refuse additional connections, a denial of service (CVE-2007-4136).

Fixes in this updated package include:

* The nodename is now set for manual fencing.
* The node log no longer displays in random order.
* A bug that prevented a node from responding when a cluster was deleted is now fixed.
* A PAM configuration that incorrectly called the deprecated module pam_stack was removed.
* A bug that prevented some quorum disk configurations from being accepted is now fixed.
* Setting multicast addresses now works properly.
* rpm -V on luci no longer fails.
* The user interface rendering time for the storage interface is now faster.
* An error message that incorrectly appeared when rebooting nodes during cluster creation was removed.
* Cluster snaps configuration (an unsupported feature) has been removed altogether to prevent user confusion.
* A user permission bug resulting from a luci code error is now fixed.
* luci and ricci init script return codes are now LSB-compliant.
* VG creation on cluster nodes now defaults to "clustered".
* An SELinux AVC bug that prevented users from setting up shared storage on nodes is now fixed.
* An access error that occurred when attempting to access a cluster node after its cluster was deleted is now fixed.
* IP addresses can now be used to create clusters.
* Attempting to configure a fence device no longer results in an AttributeError.
* Attempting to create a new fence device on a valid cluster no longer results in a KeyError.
* Several minor user interface validation errors have been fixed, such as enforcing cluster name length and fence port, etc.
* A browser lock-up that could occur during storage configuration has been fixed.
* Virtual service creation now works without error.
* The fence_xvm tag is no longer misspelled in the cluster.conf file.
* Luci failover forms are complete and working.
* Rebooting a fresh cluster install no longer generates an error message.
* A bug that prevented failed cluster services from being started is now fixed.
* A bug that caused some cluster operations (e.g., node delete) to fail on clusters with mixed-case cluster names is now fixed.
* Global cluster resources can be reused when constructing cluster services.

Enhancements in this updated package include:

* Users can now access Conga through Internet Explorer 6.
* Dead nodes can now be evicted from a cluster.
* Shared storage on new clusters is now enabled by default.
* The fence user-interface flow is now simpler.
* A port number is now shown in ricci error messages.
* The kmod-gfs-xen kernel module is now installed when creating a cluster.
* Cluster creation status is now shown visually.
* User names are now sorted for display.
* The fence_xvmd tag can now be added from the dom0 cluster nodes.
* The ampersand character (&) can now be used in fence names.
* All packaged files are now installed with proper owners and permissions.
* New cluster node members are now properly initialized.
* Storage operations can now be completed even if an LVM snapshot is present.
* Users are now informed via dialog when nodes are rebooted as part of a cluster operation.
* Failover domains are now properly listed for virtual services and traditional clustered services.
* Luci can now create and distribute keys for fence_xvmd.

SL 5.x

SRPMS:
conga-0.10.0-6.el5.src.rpm

i386:
luci-0.10.0-6.el5.i386.rpm
ricci-0.10.0-6.el5.i386.rpm
cluster-cim-0.10.0-5.el5.i386.rpm
cluster-snmp-0.10.0-5.el5.i386.rpm
modcluster-0.10.0-5.el5.i386.rpm

x86_64:
luci-0.10.0-6.el5.x86_64.rpm
ricci-0.10.0-6.el5.x86_64.rpm
cluster-cim-0.10.0-5.el5.x86_64.rpm
cluster-snmp-0.10.0-5.el5.x86_64.rpm
modcluster-0.10.0-5.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson
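A quick way to confirm that a host has picked up the fixed builds is to compare the installed version-release of each conga package against the ones listed in the package section above. The script below is an added example and is not part of the advisory; the function names (fixed_vr, version_lt, needs_update, check_host) are my own, and it relies on GNU/BusyBox sort -V for version ordering and on rpm being present only in check_host.

```shell
#!/bin/sh
# Added example (not part of the SL advisory): report conga packages that
# are still older than the fixed builds named in this errata.

# Fixed version-release per package, copied from the advisory's package list.
fixed_vr() {
    case "$1" in
        luci|ricci) echo "0.10.0-6.el5" ;;
        cluster-cim|cluster-snmp|modcluster) echo "0.10.0-5.el5" ;;
        *) return 1 ;;
    esac
}

# version_lt A B: succeeds when A orders before B under version sorting.
# Uses sort -V (GNU coreutils / BusyBox), which handles 0.9 < 0.10 correctly,
# unlike plain string comparison.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# needs_update NAME INSTALLED_VR: prints yes/no, or unknown for packages
# this advisory does not cover.
needs_update() {
    fixed=$(fixed_vr "$1") || { echo unknown; return 0; }
    if version_lt "$2" "$fixed"; then echo yes; else echo no; fi
}

# check_host: query rpm for the real installed builds and report each one.
# Packages that are not installed are skipped (rpm -q exits non-zero).
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 0; }
    for p in luci ricci cluster-cim cluster-snmp modcluster; do
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$p" 2>/dev/null) || continue
        echo "$p $vr: needs update = $(needs_update "$p" "$vr")"
    done
}

# Run against the local host when executed directly, e.g. sh check_conga.sh
[ "${CONGA_CHECK_NO_MAIN:-}" ] || check_host
```

Only luci and ricci moved to release 6 in this update; cluster-cim, cluster-snmp and modcluster stay at release 5, which is why the fixed release is looked up per package rather than assumed to be the same for the whole conga source RPM.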