Lucene search

K
centosCentOS ProjectCESA-2009:1341
HistorySep 15, 2009 - 6:50 p.m.

cman security update

2009-09-1518:50:02
CentOS Project
lists.centos.org
39

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

8.6%

CentOS Errata and Security Advisory CESA-2009:1341

The Cluster Manager (cman) utility provides services for managing a Linux
cluster.

Multiple insecure temporary file use flaws were found in fence_apc_snmp and
ccs_tool. A local attacker could use these flaws to overwrite an arbitrary
file writable by a victim running those utilities (typically root) with
the output of the utilities via a symbolic link attack. (CVE-2008-4579,
CVE-2008-6552)

Bug fixes:

  • a buffer could overflow if cluster.conf had more than 52 entries per
    block inside the <cman> block. The limit is now 1024.

  • the output of the group_tool dump subcommands were NULL padded.

  • using device=“” instead of label=“” no longer causes qdiskd to
    incorrectly exit.

  • the IPMI fencing agent has been modified to time out after 10 seconds. It
    is also now possible to specify a different timeout value with the ‘-t’
    option.

  • the IPMI fencing agent now allows punctuation in passwords.

  • quickly starting and stopping the cman service no longer causes the
    cluster membership to become inconsistent across the cluster.

  • an issue with lock syncing caused ‘receive_own from’ errors to be logged
    to ‘/var/log/messages’.

  • an issue which caused gfs_controld to segfault when mounting hundreds of
    file systems has been fixed.

  • the LPAR fencing agent now properly reports status when an LPAR is in
    Open Firmware mode.

  • the LPAR fencing agent now works properly with systems using the
    Integrated Virtualization Manager (IVM).

  • the APC SNMP fencing agent now properly recognizes outletStatusOn and
    outletStatusOff return codes from the SNMP agent.

  • the WTI fencing agent can now connect to fencing devices with no
    password.

  • the rps-10 fencing agent now properly performs a reboot when run with no
    options.

  • the IPMI fencing agent now supports different cipher types with the ‘-C’
    option.

  • qdisk now properly scans devices and partitions.

  • cman now checks to see if a new node has state to prevent killing the
    first node during cluster setup.

  • ‘service qdiskd start’ now works properly.

  • the McData fence agent now works properly with the McData Sphereon 4500
    Fabric Switch.

  • the Egenera fence agent can now specify an SSH login name.

  • the APC fence agent now works with non-admin accounts when using the
    3.5.x firmware.

  • fence_xvmd now tries two methods to reboot a virtual machine.

  • connections to OpenAIS are now allowed from unprivileged CPG clients with
    the user and group of ‘ais’.

  • groupd no longer allows the default fence domain to be ‘0’, which
    previously caused rgmanager to hang. Now, rgmanager no longer hangs.

  • the RSA fence agent now supports SSH enabled RSA II devices.

  • the DRAC fence agent now works with the Integrated Dell Remote Access
    Controller (iDRAC) on Dell PowerEdge M600 blade servers.

  • fixed a memory leak in cman.

  • qdisk now displays a warning if more than one label is found with the
    same name.

  • the DRAC5 fencing agent now shows proper usage instructions for the ‘-D’
    option.

  • cman no longer uses the wrong node name when getnameinfo() fails.

  • the SCSI fence agent now verifies that sg_persist is installed.

  • the DRAC5 fencing agent now properly handles modulename.

  • QDisk now logs warning messages if it appears its I/O to shared storage
    is hung.

  • fence_apc no longer fails with a pexpect exception.

  • removing a node from the cluster using ‘cman_tool leave remove’ now
    properly reduces the expected_votes and quorum.

  • a semaphore leak in cman has been fixed.

  • ‘cman_tool nodes -F name’ no longer segfaults when a node is out of
    membership.

Enhancements:

  • support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 and
    MDS 9134 SAN switches, the virsh fencing agent, and broadcast communication
    with cman.

  • fence_scsi limitations added to fence_scsi man page.

Users of cman are advised to upgrade to these updated packages, which
resolve these issues and add these enhancements.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-September/078317.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078318.html

Affected packages:
cman
cman-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1341

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

8.6%