(RHSA-2013:0691) Important: Red Hat Storage 2.0 security, bug fix, and enhancement update #4

Red Hat Storage is a software only, scale-out storage solution that
provides flexible and agile unstructured data storage for the enterprise.

A flaw was found in the way the Swift component used Python pickle. This
could lead to arbitrary code execution. With this update, the JSON
(JavaScript Object Notation) format is used. (CVE-2012-4406)

Multiple insecure temporary file creation flaws were found in Red Hat
Storage. A local user on the Red Hat Storage server could use these flaws
to cause arbitrary files to be overwritten as the root user via a symbolic
link attack. (CVE-2012-5635)

It was found that sanlock created “/var/run/sanlock/sanlock.pid” with
world-writable permissions. A local user could use this flaw to make the
sanlock init script kill an arbitrary process when the sanlock daemon is
stopped or restarted. Additionally, “/var/log/sanlock.log” was also
world-writable, allowing local users to modify the contents of the log
file, or store data within it (bypassing any quotas applied to their
account). (CVE-2012-5638)

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting CVE-2012-4406. The CVE-2012-5635 issues were discovered by Kurt
Seifried of the Red Hat Security Response Team and Michael Scherer of the
Red Hat Regional IT team, and CVE-2012-5638 was discovered by David
Teigland of Red Hat.

Bug fixes and enhancements:

• Options to provide POSIX behavior when the O_DIRECT flag is used with
  the open() system call across many translators. (BZ#856156)

• A mount time option provided to make the FUSE module’s request queue
  length configurable. (BZ#856206)

• Various fixes in the FUSE module to ensure the ‘read-only’ (-o ro) mount
  option works. (BZ#858499)

• Various fixes in GlusterFS’s rebalance code to handle failures while
  replica pairs are getting connected and disconnected in quick succession.
  (BZ#859387)

• NFS code fixed to ensure proper inode transformation logic when the
  ‘enable-ino32’ option is set. (BZ#864222)

• Fixed the behavior of the posix-locks module per POSIX locking
  semantics. As a result, smb-torture’s ping-pong tests now run smoothly on
  top of GlusterFS mounts. (BZ#869724)

• FUSE module enhanced with the enable-ino32 mount option, required by any
  32-bit applications running on top of a GlusterFS mount. (BZ#876679)

• Corrections were made to fd table behavior when both NFS and
  geo-replication are in progress. (BZ#880193)

• With this update, disconnections are now handled better in the
  geo-replication ‘gsyncd’ process. (BZ#880308)

• With this update, the ‘gluster volume geo-replication config checkpoint’
  command returns the output value properly. (BZ#881736)

• With this enhancement, it is possible to set the ‘root-squash’ volume
  option with Gluster CLI. Red Hat Storage volumes now support NFS’s
  root-squashing behavior. (BZ#883590)

• NFS POSIX lock issue fixed when ‘root-squash’ option is enabled on the
  volume. (BZ#906884)

• Fixed an issue in tracking the changes of Geo-replication when an
  unprivileged user accesses the file system. (BZ#883827)

• Fixed NFS locking manager (NLM) code to handle IP failover successfully.
  (BZ#888286)

• Fixed issue in rebalance code to handle proper pointer dereference.
  (BZ#894237)

• POSIX module made more robust to handle backend brick failures better.
  (BZ#895841)

• Fixed the ‘gluster volume geo-replication’ command to provide a
  meaningful message when a wrong hostname is entered. (BZ#902213)

• Fixed Console Configuration Script where it added invalid ‘security’
  configuration for ENGINEDataSource in JBoss. (BZ#922572)

• Fixed rhsc-setup failure where it does not check for SELinux before
  running setsebool. (BZ#923674)

• Provided an update to the rhn-client-tools package to ensure setup
  defaults to the correct base Red Hat Enterprise Linux (6.2 Extended Update
  Support). (BZ#911777)

Refer to the Release Notes, available shortly from the link in the
References section, for further information.