Scientific Linux Security Update : conga on SL5.x i386/x86_64

medium Nessus Plugin ID 60284

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause it to temporarily refuse additional connections, resulting in a denial of service (CVE-2007-4136).

Fixes in this updated package include:

- The nodename is now set for manual fencing.

- The node log no longer displays in random order.

- A bug that prevented a node from responding when a cluster was deleted is now fixed.

- A PAM configuration that incorrectly called the deprecated module pam_stack was removed.

- A bug that prevented some quorum disk configurations from being accepted is now fixed.

- Setting multicast addresses now works properly.

- rpm -V on luci no longer fails.

- Rendering of the storage interface in the user interface is now faster.

- An error message that incorrectly appeared when rebooting nodes during cluster creation was removed.

- Cluster snaps configuration (an unsupported feature) has been removed altogether to prevent user confusion.

- A user permission bug resulting from a luci code error is now fixed.

- luci and ricci init script return codes are now LSB-compliant.

- VG creation on cluster nodes now defaults to 'clustered'.

- An SELinux AVC bug that prevented users from setting up shared storage on nodes is now fixed.

- An access error that occurred when attempting to access a cluster node after its cluster was deleted is now fixed.

- IP addresses can now be used to create clusters.

- Attempting to configure a fence device no longer results in an AttributeError.

- Attempting to create a new fence device to a valid cluster no longer results in a KeyError.

- Several minor user interface validation errors have been fixed, such as enforcement of cluster name length and fence port.

- A browser lock-up that could occur during storage configuration has been fixed.

- Virtual service creation now works without error.

- The fence_xvm tag is no longer misspelled in the cluster.conf file.

- Luci failover forms are complete and working.

- Rebooting a fresh cluster install no longer generates an error message.

- A bug that prevented failed cluster services from being started is now fixed.

- A bug that caused some cluster operations (e.g., node delete) to fail on clusters with mixed-case cluster names is now fixed.

- Global cluster resources can be reused when constructing cluster services.

Enhancements in this updated package include:

- Users can now access Conga through Internet Explorer 6.

- Dead nodes can now be evicted from a cluster.

- Shared storage on new clusters is now enabled by default.

- The fence user-interface flow is now simpler.

- A port number is now shown in ricci error messages.

- The kmod-gfs-xen kernel module is now installed when creating a cluster.

- Cluster creation status is now shown visually.

- User names are now sorted for display.

- The fence_xvmd tag can now be added from the dom0 cluster nodes.

- The ampersand character (&) can now be used in fence names.

- All packaged files are now installed with proper owners and permissions.

- New cluster node members are now properly initialized.

- Storage operations can now be completed even if an LVM snapshot is present.

- Users are now informed via dialog when nodes are rebooted as part of a cluster operation.

- Failover domains are now properly listed for virtual services and traditional clustered services.

- Luci can now create and distribute keys for fence_xvmd.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?ce6a3f67

Plugin Details

Severity: Medium

ID: 60284

File Name: sl_20071107_conga_on_SL5_x.nasl

Version: 1.6

Type: local

Agent: unix

Published: 8/1/2012

Updated: 1/14/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 11/7/2007

Vulnerability Publication Date: 11/13/2007

Reference Information

CVE: CVE-2007-4136