Updated luci packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Luci is a web-based high availability administration application.
- It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci. This issue was discovered by Jan Pokorný of Red Hat.
- Previously, it was possible to use the following characters in the luci configuration file inside attribute values:
  - the less-than sign (<)
  - the greater-than sign (>)
  - the quotation mark (")
  Using such characters inside the attribute values could cause several problems. With this update, when the user attempts to use these special characters inside the attribute value, a warning is returned.
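The two items above describe the same class of problem: configuration attribute values being handled as something other than plain data. The following added example (not luci's own code) reads a constructed cluster.conf fragment with the standard XML parser, hands every attribute value back as a string that is never evaluated, and reports the special characters the update now warns about; the element and attribute names in the sample are assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample cluster.conf fragment (not from the advisory). The second
# resource deliberately carries a quotation mark inside an attribute value.
SAMPLE_CLUSTER_CONF = """<cluster name="demo" config_version="3">
  <rm>
    <resources>
      <ip address="192.0.2.10" monitor_link="on"/>
      <script name="web" file="/etc/init.d/httpd&quot;x"/>
    </resources>
  </rm>
</cluster>
"""

# Characters the update flags inside attribute values.
SPECIAL_CHARS = {"<": "less-than sign", ">": "greater-than sign", '"': "quotation mark"}


def attribute_values(conf_xml):
    """Return (tag, attribute, value) for every attribute in the configuration.

    Values come back as plain strings only. The fixed flaw was that the page
    generator ran such strings through eval(); the hardened approach is to
    treat configuration data strictly as data and render it as text.
    """
    root = ET.fromstring(conf_xml)
    return [(el.tag, k, v) for el in root.iter() for k, v in el.attrib.items()]


def check_special_chars(conf_xml):
    """Return one warning string per attribute value containing <, > or the quotation mark."""
    warnings = []
    for tag, attr, value in attribute_values(conf_xml):
        found = [name for ch, name in SPECIAL_CHARS.items() if ch in value]
        if found:
            warnings.append("%s/@%s contains %s" % (tag, attr, ", ".join(found)))
    return warnings
```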
- The prefer_interface parameter was missing from the IP resource in the luci application. This parameter is used for adding an IP address to a particular network interface if a cluster node has multiple active interfaces that have IP addresses on the same subnetwork. The missing parameter has been added to luci with this update.
- Previously, the window_size configuration fields were missing from the luci configuration file when it was used in expert mode. This update adds the missing fields.
- The possibility to disable the Red Hat Resource Group Manager (rgmanager) was missing from the luci configuration. With this update, it is now possible to disable rgmanager in luci expert mode.
- Previously, luci was missing the Kdump fencing agent. The agent has been added with this update.
- Zooming the luci web interface in the Chrome and Firefox web browsers could cause the Users and Permissions tab to be displayed incorrectly. This bug has been fixed with this update, and the tab is now displayed properly.
- In previous releases, the luci application was fixed to correctly parse cluster resource names with a suffix delimited by the period symbol (.). Due to this fix, the suffix was stripped off automatically. However, it is valid to specify a node name by referring to its IP address in the cluster configuration. When this was done, node names ending with a suffix delimited by the period symbol, such as ".1" or ".sh", were not shown properly and could not be edited. Also, such a node was indicated as not being a cluster member. This bug has been fixed, and such nodes are now handled properly in the described scenario.
- Previously, the luci application used the 10g type as the default for the type attribute of the oracledb resource agent. This behavior was incorrect because luci was supposed to use the original configuration and not set its own. With this update, the type field is not arbitrarily specified by luci.
- Certain configurable parameters for the fence_xvm agent were missing from the luci application. This update adds the missing attributes, such as Timeout for expert and non-expert mode, and Path to Key File, Multicast Retransmit Time, Authentication Type, and Packet Hash Type for expert mode.
- When creating a new cluster, the post_join_delay parameter in the cluster configuration was set to 3 or 6 seconds depending on whether the cluster was configured using the cluster.conf file or the cluster software. With this update, this inconsistent approach has been fixed. When no value is specified for post_join_delay, the value is not set in the cluster.conf file, but the cluster software specifies the value, which is set to 6 seconds.
- The name for the fence_egenera agent in the fence list was Egenera SAN Controller. This name was outdated and thus misleading. With this update, the agent is listed correctly as
- Previously, the self_fence parameter was missing from the configuration of the netfs resource agent. Also in the GUI, there was no checkbox entry for the Self-Fence If Unmount Fails option. This update adds the missing parameter.
- Due to previous changes in the luci application, SELinux no longer labeled the luci process with the confined piranha_web_t SELinux context type. This behavior was incorrect, thus a new script has been added to the luci packages to address this bug. Also, the SELinux policy has been modified accordingly. As a result, the luci process now runs as piranha_web_t.
- Previously, the luci application did not list virtual machine resource agents in the Resources menu in the web UI. An attempt to manually add a virtual machine resource agent in the configuration file caused the error 500 to be returned. This update provides a patch to fix this bug and virtual machine resource agents are now correctly listed in the Resources menu.
- The luci application has been enhanced to display global cluster resources and sort them alphabetically and numerically by the resource name, IP address, and other significant resource attributes.
- With this update, the luci application validates whether an nfsclient resource is always associated with an nfsexport resource. Now, an attempt to create a service with an nfsclient resource that is not associated with an nfsexport resource causes the following error to be returned:
  nfsclient resources must have a parent nfsexport resource
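As an added example (not luci's own validator), the following check walks an rgmanager <rm> section and reports any nfsclient that is placed in a service without an nfsexport parent, returning the error text quoted above. The sample fragments are constructed; global nfsclient definitions under <resources> are assumed to be templates that are only referenced from a service and are therefore skipped.

```python
import xml.etree.ElementTree as ET

NFS_ERROR = "nfsclient resources must have a parent nfsexport resource"

# Constructed <rm> fragments (not from the advisory). In GOOD_RM the nfsclient is
# defined globally under <resources> and referenced beneath nfsexport; in BAD_RM
# it is placed directly under fs, which is the layout the update now rejects.
GOOD_RM = """<rm>
  <resources>
    <nfsclient name="lan" target="192.0.2.0/24" options="rw"/>
  </resources>
  <service name="nfs-good" autostart="1">
    <fs name="data" mountpoint="/srv/data" device="/dev/sdb1">
      <nfsexport name="data-export">
        <nfsclient ref="lan"/>
      </nfsexport>
    </fs>
  </service>
</rm>"""

BAD_RM = """<rm>
  <service name="nfs-bad" autostart="1">
    <fs name="data" mountpoint="/srv/data" device="/dev/sdb1">
      <nfsclient name="lan" target="192.0.2.0/24" options="rw"/>
    </fs>
  </service>
</rm>"""


def validate_nfsclient_parents(rm_xml):
    """Return error strings; empty when every nfsclient in a service sits under nfsexport."""
    root = ET.fromstring(rm_xml)
    errors = []
    # ElementTree has no parent pointers, so walk parent/child pairs explicitly.
    for parent in root.iter():
        if parent.tag == "resources":
            continue  # assumption: global definitions are templates, not placements
        for child in parent:
            if child.tag == "nfsclient" and parent.tag != "nfsexport":
                ident = child.get("name") or child.get("ref")
                errors.append("nfsclient '%s': %s" % (ident, NFS_ERROR))
    return errors
```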
- With this update, the luci application checks whether the beaker.session.secret value consists of 20 or more characters. Therefore, the use of values containing fewer characters is not permitted, to increase the security of the server-stored session data.
- This update enhances the luci application with the ability to configure the ciphers for the SSL/TLS channel between luci and a connecting web browser, providing better security control for administrators.
- This update adds the ability to specify a httpd binary in the Apache resource configuration screen. This new feature allows the user to use the Multi-Processing Module (MPM) worker with the httpd daemon in a cluster.
- With this update, the luci application has been modified to allow the user to set static ports for all NFS-related ports.
- With this enhancement, several changes have been made in the luci application:
  - Support for configuring newly-added bind-mount resource agents has been added.
  - Support for configuring the retry_on attributes for the fence_brocade agent has been added.
  - Support for a newly-added attribute of the <rm> tag has been added. This attribute is used in the Red Hat Resource Group Manager (rgmanager) to allow a service recovery when failing to fork a bash child process with a return code 254.
  - The skip_undefined attribute was no longer needed and has been removed from the fencing configuration in advanced mode.
  - Support for configuring the new startup_wait parameter for the postgres-8 resource agent has been added. This parameter allows users to configure the sleep time according to their needs.
  - Support for the ssh_options attribute for the fence_rsa agents has been added.
  - Support for the newly-added no_kill attribute for the virtual machine (VM) resource agent has been added. This attribute is used to prevent the rgmanager utility from killing VMs that did not shut down properly.
All luci users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.