USN-875-1: Red Hat Cluster Suite vulnerabilities

18 December 2009

redhat-cluster, redhat-cluster-suite vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • redhat-cluster
  • redhat-cluster-suite

Details

Multiple insecure temporary file handling vulnerabilities were discovered in Red Hat Cluster. A local attacker could exploit these to overwrite arbitrary local files via symlinks. (CVE-2008-4192, CVE-2008-4579, CVE-2008-4580, CVE-2008-6552)

It was discovered that CMAN did not properly handle malformed configuration files. An attacker could cause a denial of service (via CPU consumption and memory corruption) in a node if the attacker were able to modify the cluster configuration for the node. (CVE-2008-6560)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
cman - 2.20080826-0ubuntu1.3
gfs2-tools - 2.20080826-0ubuntu1.3
rgmanager - 2.20080826-0ubuntu1.3
Ubuntu 8.04 LTS
cman - 2.20080227-0ubuntu1.3
gfs2-tools - 2.20080227-0ubuntu1.3
rgmanager - 2.20080227-0ubuntu1.3
Ubuntu 6.06 LTS
ccs - 1.20060222-0ubuntu6.3
cman - 1.20060222-0ubuntu6.3
fence - 1.20060222-0ubuntu6.3
libcman1 - 1.20060222-0ubuntu6.3
rgmanager - 1.20060222-0ubuntu6.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References