SciLinux: CVE-2008-6552 Low: rgmanager SL5.x i386/x86_64
Summary
Date: Thu, 1 Oct 2009 12:08:33 -0500Reply-To: Troy DawsonSender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Low: rgmanager on SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov" Synopsis: Low: rgmanager security, bug fix, and enhancement updateIssue date: 2009-09-02CVE Names: CVE-2008-6552Multiple insecure temporary file use flaws were discovered in rgmanager and various resource scripts run by rgmanager. A local attacker could use these flaws to overwrite an arbitrary file writable by the rgmanager process (i.e. user root) with the output of rgmanager or a resource agent via a symbolic link attack. (CVE-2008-6552)This update also fixes the following bugs:* clulog now accepts '-' as the first character in messages.* if expire_time is 0, max_restarts is no longer ignored.* the SAP resource agents included in the rgmanager package shipped withScientific Linux 5.3 were outdated. This update includes the most recent SAP resource agents and, consequently, improves SAP failoversupport.* empty PID files no longer cause resource start failures.* recovery policy of type 'restart' now works properly when using aresource based on ra-skelet.sh.* samba.sh has been updated to kill the PID listed in the proper PID file.* handling of the '-F' option has been improved to fix issues causingrgmanager to crash if no members of a restricted failover domain wereonline.* the number of simultaneous status checks can now be limited to preventload spikes.* forking and cloning during status checks has been optimized to reduceload spikes.* rg_test no longer hangs when run with large cluster configuration files.* when rgmanager is used with a restricted failover domain it will nolonger occasionally segfault when some nodes are offline during a failover event.* virtual machine guests no longer restart after a cluster.conf update.* nfsclient.sh no longer leaves temporary files after running.* extra checks from the Oracle agents have been removed.* vm.sh now uses libvirt.* users can now define an explicit service processing order whencentral_processing is enabled.* virtual machine guests can no longer start on 2 nodes at the same time.* in some cases a successfully migrated virtual machine guest could restart when the cluster.conf file was updated.* incorrect reporting of a service being started when it was not startedhas been addressed.As well, this update adds the following enhancements:* a startup_wait option has been added to the MySQL resource agent.* services can now be prioritized.* rgmanager now checks to see if it has been killed by the OOM killer and if so, reboots the node.SL 5.x SRPMS:rgmanager-2.0.52-1.el5.src.rpm i386:rgmanager-2.0.52-1.el5.i386.rpm x86_64:rgmanager-2.0.52-1.el5.x86_64.rpm-Connie Sieh-Troy Dawson