Synopsis: Low: cman security, bug fix, and enhancement update Issue date: 2009-09-02 CVE Names: CVE-2008-4579 CVE-2008-6552 Multiple insecure temporary file use flaws were found in fence_apc_snmp and ccs_tool. A local attacker could use these flaws to overwrite an arbitrary file writable by a victim running those utilities (typically root) with the output of the utilities via a symbolic link attack. (CVE-2008-4579, CVE-2008-6552) Bug fixes: * a buffer could overflow if cluster.conf had more than 52 entries per block inside the <cman> block. The limit is now 1024. * the output of the group_tool dump subcommands were NULL padded. * using device="" instead of label="" no longer causes qdiskd to incorrectly exit. * the IPMI fencing agent has been modified to time out after 10 seconds. It is also now possible to specify a different timeout value with the '-t' option. * the IPMI fencing agent now allows punctuation in passwords. * quickly starting and stopping the cman service no longer causes the cluster membership to become inconsistent across the cluster. * an issue with lock syncing caused 'receive_own from' errors to be logged to '/var/log/messages'. * an issue which caused gfs_controld to segfault when mounting hundreds of file systems has been fixed. * the LPAR fencing agent now properly reports status when an LPAR is in Open Firmware mode. * the LPAR fencing agent now works properly with systems using the Integrated Virtualization Manager (IVM). * the APC SNMP fencing agent now properly recognizes outletStatusOn and outletStatusOff return codes from the SNMP agent. * the WTI fencing agent can now connect to fencing devices with no password. * the rps-10 fencing agent now properly performs a reboot when run with no options. * the IPMI fencing agent now supports different cipher types with the '-C' option. * qdisk now properly scans devices and partitions. * cman now checks to see if a new node has state to prevent killing the first node during cluster setup. * 'service qdiskd start' now works properly. * the McData fence agent now works properly with the McData Sphereon 4500 Fabric Switch. * the Egenera fence agent can now specify an SSH login name. * the APC fence agent now works with non-admin accounts when using the 3.5.x firmware. * fence_xvmd now tries two methods to reboot a virtual machine. * connections to OpenAIS are now allowed from unprivileged CPG clients with the user and group of 'ais'. * groupd no longer allows the default fence domain to be '0', which previously caused rgmanager to hang. Now, rgmanager no longer hangs. * the RSA fence agent now supports SSH enabled RSA II devices. * the DRAC fence agent now works with the Integrated Dell Remote Access Controller (iDRAC) on Dell PowerEdge M600 blade servers. * fixed a memory leak in cman. * qdisk now displays a warning if more than one label is found with the same name. * the DRAC5 fencing agent now shows proper usage instructions for the '-D' option. * cman no longer uses the wrong node name when getnameinfo() fails. * the SCSI fence agent now verifies that sg_persist is installed. * the DRAC5 fencing agent now properly handles modulename. * QDisk now logs warning messages if it appears its I/O to shared storage is hung. * fence_apc no longer fails with a pexpect exception. * removing a node from the cluster using 'cman_tool leave remove' now properly reduces the expected_votes and quorum. * a semaphore leak in cman has been fixed. * 'cman_tool nodes -F name' no longer segfaults when a node is out of membership. Enhancements: * support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 and MDS 9134 SAN switches, the virsh fencing agent, and broadcast communication with cman. * fence_scsi limitations added to fence_scsi man page. NOTE: openais and pexpect updates are required. SL 5.x SRPMS: cman-2.0.115-1.el5.src.rpm i386: cman-2.0.115-1.el5.i386.rpm cman-devel-2.0.115-1.el5.i386.rpm openais-0.80.6-8.el5.i386.rpm openais-devel-0.80.6-8.el5.i386.rpm pexpect-2.3-1.el5.noarch.rpm x86_64: cman-2.0.115-1.el5.x86_64.rpm cman-devel-2.0.115-1.el5.i386.rpm cman-devel-2.0.115-1.el5.x86_64.rpm openais-0.80.6-8.el5.x86_64.rpm openais-devel-0.80.6-8.el5.i386.rpm openais-devel-0.80.6-8.el5.x86_64.rpm pexpect-2.3-1.el5.noarch.rpm -Connie Sieh -Troy Dawson