RHBA-2007:0331 - Bug Fix Advisory

Topic

Updated conga packages that provide critical bug fixes are now available.

Description

The Conga package is a web-based administration tool for remote cluster and
storage management.

This erratum applies the following bug fixes:

• The borrowed Zope packages used by Conga have been patched to eliminate

a possibility of XSS attack.

• Passwords are no longer sent back from the server in cleartext for use as

input values.

• A form error was fixed so that Conga no longer allows for cluster

names of over 15 characters.

• An error wherein clusters and systems could not be deleted from the

manage systems interface has been addressed.

• Entering an incorrect password for a system no longer generates an

Unbound Local Reference exception.

• Luci failover domain forms are no longer empty
• The fence_xvm string in cluster.conf for virtual cluster fencing has been

corrected.

• The advanced options parameters section has been fixed.
• A bug where virtual services were unable for configuration has been

addressed.

• kmod-gfs-xen is now installed when necessary.
• The 'enable shared storage support' checkbox is now cleared when a

configuration error is encountered.

• When configuring an outer physical cluster, it is no longer necessary to

add the fence_xvmd tag manually.

Users of Conga are advised to upgrade to these updated packages, which
apply these fixes.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux High Availability for x86_64 5 x86_64
• Red Hat Enterprise Linux High Availability for x86_64 5 ia64
• Red Hat Enterprise Linux High Availability for x86_64 5 i386
• Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI 5 x86_64
• Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI 5 i386

Fixes

• BZ - 228637 - CVE-2007-1462 security alert - passwords sent back from server as input value
• BZ - 233326 - CVE-2007-0240 Conga includes version of Zope that is vulnerable to a XSS attack
• BZ - 236020 - Conga allows creation/rename of clusters with name greater than 15 characters
• BZ - 236021 - Cluster cannot be deleted (from 'Manage Systems') - but no error results
• BZ - 236025 - Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment
• BZ - 236026 - luci failover domain forms are missing/empty
• BZ - 236027 - fence_xvm is incorrectly listed as "xmv" in virtual cluster
• BZ - 236048 - Advanced options parameters settings don't do anything
• BZ - 236050 - Unable to configure a virtual service
• BZ - 236052 - kmod-gfs-xen not installed with Conga install
• BZ - 236054 - 'enable shared storage' option cleared whenever there is a configuration error
• BZ - 236055 - Must manually edit cluster.conf on the dom0 cluster to add "<fence_xvmd/>"

CVEs

• CVE-2007-1462
• CVE-2007-0240

References

(none)