5 - RHSA-2007:0640

Problem Description:

Updated conga packages that correct a security flaw and provide bug fixes and add enhancements are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Clustering (v. 5 server) - i386, ia64, x86_64

3. Problem description:

The Conga package is a web-based administration tool for remote cluster and storage management.

A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause ricci to temporarily refuse additional connections, a denial of service (CVE-2007-4136).

Fixes in this updated package include:

* The nodename is now set for manual fencing.

* The node log no longer displays in random order.

* A bug that prevented a node from responding when a cluster was deleted is now fixed.

* A PAM configuration that incorrectly called the deprecated module pam_stack was removed.

* A bug that prevented some quorum disk configurations from being accepted is now fixed.

* Setting multicast addresses now works properly.

* rpm -V on luci no longer fails.

* The user interface rendering time for storage interface is now faster.

* An error message that incorrectly appeared when rebooting nodes during cluster creation was removed.

* Cluster snaps configuration (an unsupported feature) has been removed altogether to prevent user confusion.

* A user permission bug resulting from a luci code error is now fixed.

* luci and ricci init script return codes are now LSB-compliant.

* VG creation on cluster nodes now defaults to "clustered".

* An SELinux AVC bug that prevented users from setting up shared storage on nodes is now fixed.

* An access error that occurred when attempting to access a cluster node after its cluster was deleted is now fixed.

* IP addresses can now be used to create clusters.

* Attempting to configure a fence device no longer results in an AttributeError.

* Attempting to create a new fence device to a valid cluster no longer results in a KeyError.

* Several minor user interface validation errors have been fixed, such as enforcing cluster name length and fence port, etc.

* A browser lock-up that could occur during storage configuration has been fixed.

* Virtual service creation now works without error.

* The fence_xvm tag is no longer misspelled in the cluster.conf file.

* Luci failover forms are complete and working. * Rebooting a fresh cluster install no longer generates an error message.

* A bug that prevented failed cluster services from being started is now fixed.

* A bug that caused some cluster operations (e.g., node delete) to fail on clusters with mixed-cased cluster names is now fixed.

* Global cluster resources can be reused when constructing cluster services.

Enhancements in this updated package include:

* Users can now access Conga through Internet Explorer 6.

* Dead nodes can now be evicted from a cluster.

* Shared storage on new clusters is now enabled by default.

* The fence user-interface flow is now simpler.

* A port number is now shown in ricci error messages.

* The kmod-gfs-xen kernel module is now installed when creating a cluster.

* Cluster creation status is now shown visually.

* User names are now sorted for display.

* The fence_xvmd tag can now be added from the dom0 cluster nodes.

* The ampersand character (&) can now be used in fence names.

* All packaged files are now installed with proper owners and permissions.

* New cluster node members are now properly initialized.

* Storage operations can now be completed even if an LVM snapshot is present.

* Users are now informed via dialog when nodes are rebooted as part of a cluster operation.

* Failover domains are now properly listed for virtual services and traditional clustered services.

* Luci can now create and distribute keys for fence_xvmd.

All Conga users are advised to upgrade to this update, which applies these fixes and enhancements.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

212006 - create cluster does not show status as cluster is being created 212022 - cannot create cluster using ip addresses 213083 - luci - should display usernames in some logical/sorted order (usability) 218964 - luci - adding node to a cluster - confirm dialog displays cluster name in place of node name (minor) 221899 - Node log displayed in partially random order 222051 - Combining reauthentication/deletion options in one luci display can cause user confusion (usability - post RHEL5 GA) 223162 - Error trying to create a new fence device for a cluster node 224011 - SELinux AVC denied { read } for pid=2390 comm="mdadm" - accessing storage on a node 225164 - Conga allows creation/rename of clusters with name greater than 15 characters 225206 - Cluster cannot be deleted (from 'Manage Systems') - but no error results 225588 - luci web app does not enforce selection of fence port 225747 - Create/delete cluster - then access disk on node = Generic error on host: cluster tools: cman_tool errored 225782 - Need more luci service information on startup - no info written to log about failed start cause 226700 - cman cluster needs restart when going from >=3 to 2 nodes and 2 to >= 3 nodes 227682 - saslauthd[2274]: Deprecated pam_stack module called from service "ricci" 227743 - Intermittent/recurring problem - when cluster is deleted, sometimes a node is not affected 227758 - Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment 227852 - Lack of debugging information in logs - support issue 229027 - luci failover domain forms are missing/empty 230447 - fence_xvm is incorrectly listed as "xmv" in virtual cluster 230452 - Advanced options parameters settings don't do anything 230454 - Unable to configure a virtual service 230457 - kmod-gfs-xen not installed with Conga install 230461 - 'enable shared storage' option cleared whenever there is a configuration error 230469 - Must manually edit cluster.conf on the dom0 cluster to add "" 238655 - conga does not set the "nodename" attribute for manual fencing 238726 - Conga provides no way to remove a dead node from a cluster 239327 - Online User Manual needs modification 239388 - conga storage: default VG creation should be clustered if a cluster node 239389 - conga cluster: make 'enable shared storage' the default 240034 - rpm verify fails on luci 240361 - Conga storage UI front-end is too slow rendering storage 241415 - Installation using Conga shows "error" in message during reboot cycle. 241418 - Conga tries to configurage cluster snaps, though they are not available. 241706 - Eliminate confusion in add fence flow 241727 - can't set user permissions in luci 242668 - luci init script can return non-LSB-compliant return codes 243701 - ricci init script can exit with non-LSB-compliant return codes 244146 - Add port number to message when ricci is not started/firewalled on cluster nodes. 244878 - Successful login results in an infinite redirection loop with MSIE 245202 - Conga needs to support Internet Explorer 6.0 and later 248317 - luci sets incorrect permissions on /usr/lib64/luci and /var/lib/luci 249066 - AttributeError when attempting to configure a fence device 249086 - Unable to add a new fence device to cluster 249091 - RFE: tell user they are about to kill all their nodes 249291 - delete node task fails to do all items listed in the help document 249641 - conga is unable to do storage operations if there is an lvm snapshot present 249868 - Use of failover domain not correctly shown 250443 - storage name warning utility produces a storm of warnings which can lock your browser 250834 - ZeroDivisionError when attempting to click an empty lvm volume group 253914 - conga doesn't allow you to reuse nfs export and nfs client resources 253994 - Cannot specify multicast address for a cluster 254038 - Impossible to set many valid quorum disk configurations via conga 336101 - CVE-2007-4136 ricci is vulnerable to a connect DoS attack