[RHSA-2007:0640-04] Moderate: conga security, bug fix, and enhancement update

bugzilla at redhat.com bugzilla at redhat.com
Wed Nov 7 16:26:31 UTC 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: conga security, bug fix, and enhancement update
Advisory ID:       RHSA-2007:0640-04
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0640.html
Issue date:        2007-11-07
Updated on:        2007-11-07
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-4136 
- ---------------------------------------------------------------------

1. Summary:

Updated conga packages that correct a security flaw and provide bug fixes
and add enhancements are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Clustering (v. 5 server) - i386, ia64, x86_64

3. Problem description:

The Conga package is a web-based administration tool for remote cluster and
storage management.

A flaw was found in ricci during a code audit.  A remote attacker who is
able to connect to ricci could cause ricci to temporarily refuse additional
connections, a denial of service (CVE-2007-4136).

Fixes in this updated package include:

* The nodename is now set for manual fencing.

* The node log no longer displays in random order.

* A bug that prevented a node from responding when a cluster was deleted is
now fixed.

* A PAM configuration that incorrectly called the deprecated module
pam_stack was removed.

* A bug that prevented some quorum disk configurations from being accepted
is now fixed.

* Setting multicast addresses now works properly.

* rpm -V on luci no longer fails. 

* The user interface rendering time for storage interface is now faster.

* An error message that incorrectly appeared when rebooting nodes during
cluster creation was removed.

* Cluster snaps configuration (an unsupported feature) has been removed
altogether to prevent user confusion. 

* A user permission bug resulting from a luci code error is now fixed.

* luci and ricci init script return codes are now LSB-compliant.

* VG creation on cluster nodes now defaults to "clustered".

* An SELinux AVC bug that prevented users from setting up shared storage on
nodes is now fixed.

* An access error that occurred when attempting to access a cluster node
after its cluster was deleted is now fixed.

* IP addresses can now be used to create clusters. 

* Attempting to configure a fence device no longer results in an
AttributeError.

* Attempting to create a new fence device to a valid cluster no longer
results in a KeyError.

* Several minor user interface validation errors have been fixed, such as
enforcing cluster name length and fence port, etc.

* A browser lock-up that could occur during storage configuration has been
fixed.

* Virtual service creation now works without error.

* The fence_xvm tag is no longer misspelled in the cluster.conf file.

* Luci failover forms are complete and working.
* Rebooting a fresh cluster install no longer generates an error message.

* A bug that prevented failed cluster services from being started is now
fixed.

* A bug that caused some cluster operations (e.g., node delete) to fail on
clusters with mixed-cased cluster names is now fixed.

* Global cluster resources can be reused when constructing cluster
services.

Enhancements in this updated package include:

* Users can now access Conga through Internet Explorer 6.

* Dead nodes can now be evicted from a cluster.

* Shared storage on new clusters is now enabled by default.

* The fence user-interface flow is now simpler.

* A port number is now shown in ricci error messages.

* The kmod-gfs-xen kernel module is now installed when creating a cluster.

* Cluster creation status is now shown visually.

* User names are now sorted for display.

* The fence_xvmd tag can now be added from the dom0 cluster nodes.

* The ampersand character (&) can now be used in fence names.

* All packaged files are now installed with proper owners and permissions.

* New cluster node members are now properly initialized.

* Storage operations can now be completed even if an LVM snapshot is present.

* Users are now informed via dialog when nodes are rebooted as part of a
cluster operation.

* Failover domains are now properly listed for virtual services and
traditional clustered services.

* Luci can now create and distribute keys for fence_xvmd.

All Conga users are advised to upgrade to this update, which applies these
fixes and enhancements.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188


5. Bug IDs fixed (http://bugzilla.redhat.com/):

212006 - create cluster does not show status as cluster is being created
212022 - cannot create cluster using ip addresses
213083 - luci - should display usernames in some logical/sorted order (usability)
218964 - luci - adding node to a cluster - confirm dialog displays cluster name in place of node name (minor)
221899 - Node log displayed in partially random order
222051 - Combining reauthentication/deletion options in one luci display can cause user confusion (usability - post RHEL5 GA)
223162 - Error trying to create a new fence device for a cluster node
224011 - SELinux AVC denied  { read } for  pid=2390 comm="mdadm" - accessing storage on a node
225164 - Conga allows creation/rename of clusters with name greater than 15 characters
225206 - Cluster cannot be deleted (from 'Manage Systems') - but no error results
225588 - luci web app does not enforce selection of fence port
225747 - Create/delete cluster - then access disk on node = Generic error on host: cluster tools: cman_tool errored
225782 - Need more luci service information on startup - no info written to log about failed start cause
226700 - cman cluster needs restart when going from >=3 to 2 nodes and 2 to >= 3 nodes
227682 - saslauthd[2274]: Deprecated pam_stack module called from service "ricci"
227743 - Intermittent/recurring problem - when cluster is deleted, sometimes a node is not affected
227758 - Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment
227852 - Lack of debugging information in logs - support issue
229027 - luci failover domain forms are missing/empty
230447 - fence_xvm is incorrectly listed as "xmv" in virtual cluster
230452 - Advanced options parameters settings don't do anything
230454 - Unable to configure a virtual service
230457 - kmod-gfs-xen not installed with Conga install
230461 - 'enable shared storage' option cleared whenever there is a configuration error
230469 - Must manually edit cluster.conf on the dom0 cluster to add "<fence_xvmd/>"
238655 - conga does not set the "nodename" attribute for manual fencing
238726 - Conga provides no way to remove a dead node from a cluster
239327 - Online User Manual needs modification
239388 - conga storage: default VG creation should be clustered if a cluster node
239389 - conga cluster: make 'enable shared storage' the default
240034 - rpm verify fails on luci
240361 - Conga storage UI front-end is too slow rendering storage
241415 - Installation using Conga shows "error" in message during reboot cycle.
241418 - Conga tries to configurage cluster snaps, though they are not available.
241706 - Eliminate confusion in add fence flow
241727 - can't set user permissions in luci
242668 - luci init script can return non-LSB-compliant return codes
243701 - ricci init script can exit with non-LSB-compliant return codes
244146 - Add port number to message when ricci is not started/firewalled on cluster nodes.
244878 - Successful login results in an infinite redirection loop with MSIE
245202 - Conga needs to support Internet Explorer 6.0 and later
248317 - luci sets incorrect permissions on /usr/lib64/luci and /var/lib/luci
249066 - AttributeError when attempting to configure a fence device
249086 - Unable to add a new fence device to cluster
249091 - RFE: tell user they are about to kill all their nodes
249291 - delete node task fails to do all items listed in the help document
249641 - conga is unable to do storage operations if there is an lvm snapshot present
249868 - Use of failover domain not correctly shown
250443 - storage name warning utility produces a storm of warnings which can lock your browser
250834 - ZeroDivisionError when attempting to click an empty lvm volume group
253914 - conga doesn't allow you to reuse nfs export and nfs client resources
253994 - Cannot specify multicast address for a cluster
254038 - Impossible to set many valid quorum disk configurations via conga
336101 - CVE-2007-4136 ricci is vulnerable to a connect DoS attack

6. RPMs required:

RHEL Clustering (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/conga-0.10.0-6.el5.src.rpm
533839db60dd93f88e7ec00f0d4ae91d  conga-0.10.0-6.el5.src.rpm

i386:
b2fd36bf216e77eae3b74a99dde1ea38  conga-debuginfo-0.10.0-6.el5.i386.rpm
fec2e53d98cb40a8cd72172de6d1e5b7  luci-0.10.0-6.el5.i386.rpm
617d926686f0b74efae83cc0accd99cf  ricci-0.10.0-6.el5.i386.rpm

ia64:
633a4af70f0ed326d3b0cce2bc1990e1  conga-debuginfo-0.10.0-6.el5.ia64.rpm
1f57552ade9a783a026985ab82295709  luci-0.10.0-6.el5.ia64.rpm
856a84b1011e78644defd836e9fa24f0  ricci-0.10.0-6.el5.ia64.rpm

x86_64:
b2a92084032dafac79adfd656f88173c  conga-debuginfo-0.10.0-6.el5.x86_64.rpm
48ff395dd2205ddb7112bc903cba0d83  luci-0.10.0-6.el5.x86_64.rpm
e1aae541e6a564c3f1d1328f93e75708  ricci-0.10.0-6.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4136
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHMecyXlSAg2UNWIIRAkAoAKCvfQYmyws/aeG141t8VkJ1MBvjBwCdFvFU
UabUAzNRWw+CYUexTev2XAs=
=JH75
-----END PGP SIGNATURE-----

More information about the Enterprise-watch-list mailing list