Scientific Linux Security Update : conga on SL5.x i386/x86_64

This script is Copyright (C) 2012 Tenable Network Security, Inc.
Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

A flaw was found in ricci during a code audit. A remote attacker who
is able to connect to ricci could cause ricci to temporarily refuse
additional connections, a denial of service (CVE-2007-4136).

Fixes in this updated package include :

- The nodename is now set for manual fencing.

- The node log no longer displays in random order.

- A bug that prevented a node from responding when a
cluster was deleted is now fixed.

- A PAM configuration that incorrectly called the
deprecated module pam_stack was removed.

- A bug that prevented some quorum disk configurations
from being accepted is now fixed.

- Setting multicast addresses now works properly.

- rpm -V on luci no longer fails.

- The storage interface now renders faster in the user
interface.

- An error message that incorrectly appeared when
rebooting nodes during cluster creation was removed.

- Cluster snaps configuration (an unsupported feature) has
been removed altogether to prevent user confusion.

- A user permission bug resulting from a luci code error
is now fixed.

- luci and ricci init script return codes are now
LSB-compliant.

- VG creation on cluster nodes now defaults to
'clustered'.

- An SELinux AVC bug that prevented users from setting up
shared storage on nodes is now fixed.

- An access error that occurred when attempting to access
a cluster node after its cluster was deleted is now
fixed.

- IP addresses can now be used to create clusters.

- Attempting to configure a fence device no longer results
in an AttributeError.

- Attempting to create a new fence device for a valid
cluster no longer results in a KeyError.

- Several minor user interface validation errors have been
fixed, such as the enforcement of cluster name length and
fence port.

- A browser lock-up that could occur during storage
configuration has been fixed.

- Virtual service creation now works without error.

- The fence_xvm tag is no longer misspelled in the
cluster.conf file.

- Luci failover forms are complete and working.

- Rebooting a fresh cluster install no longer generates an
error message.

- A bug that prevented failed cluster services from being
started is now fixed.

- A bug that caused some cluster operations (e.g., node
delete) to fail on clusters with mixed-case cluster
names is now fixed.

- Global cluster resources can be reused when constructing
cluster services.

Enhancements in this updated package include :

- Users can now access Conga through Internet Explorer 6.

- Dead nodes can now be evicted from a cluster.

- Shared storage on new clusters is now enabled by
default.

- The fence user-interface flow is now simpler.

- A port number is now shown in ricci error messages.

- The kmod-gfs-xen kernel module is now installed when
creating a cluster.

- Cluster creation status is now shown visually.

- User names are now sorted for display.

- The fence_xvmd tag can now be added from the dom0
cluster nodes.

- The ampersand character (&) can now be used in fence
names.

- All packaged files are now installed with proper owners
and permissions.

- New cluster node members are now properly initialized.

- Storage operations can now be completed even if an LVM
snapshot is present.

- Users are now informed via dialog when nodes are
rebooted as part of a cluster operation.

- Failover domains are now properly listed for virtual
services and traditional clustered services.

- Luci can now create and distribute keys for fence_xvmd.

See also :

http://www.nessus.org/u?7efb037c

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60284

Bugtraq ID:

CVE ID: CVE-2007-4136