Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Red Hat: RHSA-2007:0640-04 Moderate: Conga Denial Of Service

red hat
Calendar Grey November 7, 2007
Dist Redhat Esm H88
Red Hat recommends a balanced security patch for conga to resolve a denial of service vulnerability while incorporating further improvements.
Updated conga packages that correct a security flaw and provide bug fixes and add enhancements are now available

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at


5. Bug IDs fixed (http://bugzilla.redhat.com/):

212006 - create cluster does not show status as cluster is being created 212022 - cannot create cluster using ip addresses 213083 - luci - should display usernames in some logical/sorted order (usability) 218964 - luci - adding node to a cluster - confirm dialog displays cluster name in place of node name (minor) 221899 - Node log displayed in partially random order 222051 - Combining reauthentication/deletion options in one luci display can cause user confusion (usability - post RHEL5 GA) 223162 - Error trying to create a new fence device for a cluster node 224011 - SELinux AVC denied { read } for pid=2390 comm="mdadm" - accessing storage on a node 225164 - Conga allows creation/rename of clusters with name greater than 15 characters 225206 - Cluster cannot be deleted (from 'Manage Systems') - but no error results 225588 - luci web app does not enforce selection of fence port 225747 - Create/delete cluster - then access disk on node = Generic error on host: cluster tools: cman_tool errored 225782 - Need more luci service information on startup - no info written to log about failed start cause 226700 - cman cluster needs restart when going from >=3 to 2 nodes and 2 to >= 3 nodes 227682 - saslauthd[2274]: Deprecated pam_stack module called from service "ricci" 227743 - Intermittent/recurring problem - when cluster is deleted, sometimes a node is not affected 227758 - Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment 227852 - Lack of debugging information in logs - support issue 229027 - luci failover domain forms are missing/empty 230447 - fence_xvm is incorrectly listed as "xmv" in virtual cluster 230452 - Advanced options parameters settings don't do anything 230454 - Unable to configure a virtual service 230457 - kmod-gfs-xen not installed with Conga install 230461 - 'enable shared storage' option cleared whenever there is a configuration error 230469 - Must manually edit cluster.conf on the dom0 cluster to add "" 238655 - conga does not set the "nodename" attribute for manual fencing 238726 - Conga provides no way to remove a dead node from a cluster 239327 - Online User Manual needs modification 239388 - conga storage: default VG creation should be clustered if a cluster node 239389 - conga cluster: make 'enable shared storage' the default 240034 - rpm verify fails on luci 240361 - Conga storage UI front-end is too slow rendering storage 241415 - Installation using Conga shows "error" in message during reboot cycle. 241418 - Conga tries to configurage cluster snaps, though they are not available. 241706 - Eliminate confusion in add fence flow 241727 - can't set user permissions in luci 242668 - luci init script can return non-LSB-compliant return codes 243701 - ricci init script can exit with non-LSB-compliant return codes 244146 - Add port number to message when ricci is not started/firewalled on cluster nodes. 244878 - Successful login results in an infinite redirection loop with MSIE 245202 - Conga needs to support Internet Explorer 6.0 and later 248317 - luci sets incorrect permissions on /usr/lib64/luci and /var/lib/luci 249066 - AttributeError when attempting to configure a fence device 249086 - Unable to add a new fence device to cluster 249091 - RFE: tell user they are about to kill all their nodes 249291 - delete node task fails to do all items listed in the help document 249641 - conga is unable to do storage operations if there is an lvm snapshot present 249868 - Use of failover domain not correctly shown 250443 - storage name warning utility produces a storm of warnings which can lock your browser 250834 - ZeroDivisionError when attempting to click an empty lvm volume group 253914 - conga doesn't allow you to reuse nfs export and nfs client resources 253994 - Cannot specify multicast address for a cluster 254038 - Impossible to set many valid quorum disk configurations via conga 336101 - CVE-2007-4136 ricci is vulnerable to a connect DoS attack

6. RPMs required:

RHEL Clustering (v. 5 server):

SRPMS: 533839db60dd93f88e7ec00f0d4ae91d conga-0.10.0-6.el5.src.rpm

i386: b2fd36bf216e77eae3b74a99dde1ea38 conga-debuginfo-0.10.0-6.el5.i386.rpm fec2e53d98cb40a8cd72172de6d1e5b7 luci-0.10.0-6.el5.i386.rpm 617d926686f0b74efae83cc0accd99cf ricci-0.10.0-6.el5.i386.rpm

ia64: 633a4af70f0ed326d3b0cce2bc1990e1 conga-debuginfo-0.10.0-6.el5.ia64.rpm 1f57552ade9a783a026985ab82295709 luci-0.10.0-6.el5.ia64.rpm 856a84b1011e78644defd836e9fa24f0 ricci-0.10.0-6.el5.ia64.rpm

x86_64: b2a92084032dafac79adfd656f88173c conga-debuginfo-0.10.0-6.el5.x86_64.rpm 48ff395dd2205ddb7112bc903cba0d83 luci-0.10.0-6.el5.x86_64.rpm e1aae541e6a564c3f1d1328f93e75708 ricci-0.10.0-6.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

Summary

References

https://www.cve.org/CVERecord?id=CVE-2007-4136 https://access.redhat.com/security/updates/classification#moderate

Package List


Advisory ID: RHSA-2007:0640-04
Issue date: 2007-11-07
Updated on: 2007-11-07
Product: Red Hat Enterprise Linux

Topic

Relevant Releases Architectures

RHEL Clustering (v. 5 server) - i386, ia64, x86_64

Bugs Fixed

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here