Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2009:1341 - Security Advisory
Issued:
2009-09-02
Updated:
2009-09-02

RHSA-2009:1341 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Low: cman security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated cman packages that fix several security issues, various bugs, and
add enhancements are now available for Red Hat Enterprise Linux 5.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Description

The Cluster Manager (cman) utility provides services for managing a Linux
cluster.

Multiple insecure temporary file use flaws were found in fence_apc_snmp and
ccs_tool. A local attacker could use these flaws to overwrite an arbitrary
file writable by a victim running those utilities (typically root) with
the output of the utilities via a symbolic link attack. (CVE-2008-4579,
CVE-2008-6552)

Bug fixes:

  • a buffer could overflow if cluster.conf had more than 52 entries per

block inside the <cman> block. The limit is now 1024.

  • the output of the group_tool dump subcommands were NULL padded.
  • using device="" instead of label="" no longer causes qdiskd to

incorrectly exit.

  • the IPMI fencing agent has been modified to time out after 10 seconds. It

is also now possible to specify a different timeout value with the '-t'
option.

  • the IPMI fencing agent now allows punctuation in passwords.
  • quickly starting and stopping the cman service no longer causes the

cluster membership to become inconsistent across the cluster.

  • an issue with lock syncing caused 'receive_own from' errors to be logged

to '/var/log/messages'.

  • an issue which caused gfs_controld to segfault when mounting hundreds of

file systems has been fixed.

  • the LPAR fencing agent now properly reports status when an LPAR is in

Open Firmware mode.

  • the LPAR fencing agent now works properly with systems using the

Integrated Virtualization Manager (IVM).

  • the APC SNMP fencing agent now properly recognizes outletStatusOn and

outletStatusOff return codes from the SNMP agent.

  • the WTI fencing agent can now connect to fencing devices with no

password.

  • the rps-10 fencing agent now properly performs a reboot when run with no

options.

  • the IPMI fencing agent now supports different cipher types with the '-C'

option.

  • qdisk now properly scans devices and partitions.
  • cman now checks to see if a new node has state to prevent killing the

first node during cluster setup.

  • 'service qdiskd start' now works properly.
  • the McData fence agent now works properly with the McData Sphereon 4500

Fabric Switch.

  • the Egenera fence agent can now specify an SSH login name.
  • the APC fence agent now works with non-admin accounts when using the

3.5.x firmware.

  • fence_xvmd now tries two methods to reboot a virtual machine.
  • connections to OpenAIS are now allowed from unprivileged CPG clients with

the user and group of 'ais'.

  • groupd no longer allows the default fence domain to be '0', which

previously caused rgmanager to hang. Now, rgmanager no longer hangs.

  • the RSA fence agent now supports SSH enabled RSA II devices.
  • the DRAC fence agent now works with the Integrated Dell Remote Access

Controller (iDRAC) on Dell PowerEdge M600 blade servers.

  • fixed a memory leak in cman.
  • qdisk now displays a warning if more than one label is found with the

same name.

  • the DRAC5 fencing agent now shows proper usage instructions for the '-D'

option.

  • cman no longer uses the wrong node name when getnameinfo() fails.
  • the SCSI fence agent now verifies that sg_persist is installed.
  • the DRAC5 fencing agent now properly handles modulename.
  • QDisk now logs warning messages if it appears its I/O to shared storage

is hung.

  • fence_apc no longer fails with a pexpect exception.
  • removing a node from the cluster using 'cman_tool leave remove' now

properly reduces the expected_votes and quorum.

  • a semaphore leak in cman has been fixed.
  • 'cman_tool nodes -F name' no longer segfaults when a node is out of

membership.

Enhancements:

  • support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 and

MDS 9134 SAN switches, the virsh fencing agent, and broadcast communication
with cman.

  • fence_scsi limitations added to fence_scsi man page.

Users of cman are advised to upgrade to these updated packages, which
resolve these issues and add these enhancements.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 276541 - fence_impilan blocks alternative fencing agents when connectivity to IPMI fails.
  • BZ - 322291 - rps-10 fence agent does not perform default reboot action
  • BZ - 447497 - RFE: support for IPMI v2.0 ciphersuites in fence_ipmilan
  • BZ - 447964 - fence_ipmilan does not handle punctuation in password
  • BZ - 467386 - CVE-2008-4579 cman/fence: insecure temporary file usage in the apc fence agents
  • BZ - 468966 - Possible buffer overflow in cman config loader can lead to memory corruption
  • BZ - 472460 - cman_tool nodes -F name segfaults when a node is out of membership
  • BZ - 472786 - cluster view inconsistent after "service cman stop; service cman start"
  • BZ - 473961 - clvmd memory leak
  • BZ - 474163 - gfs_controld: receive_own from N messages with plock_ownership enabled
  • BZ - 480178 - fence_xvmd Fails to Reboot VM
  • BZ - 480401 - gfs_controld segfault during multiple mount attempt
  • BZ - 480836 - [RFE] Add support for Cisco 9124 and 9134 SAN switches as fence devices
  • BZ - 481566 - [PATCH] /sbin/fence_lpar - properly report status on systems in Open Firmware
  • BZ - 481664 - fence_wti is unable to connect to (password-less) fencing device
  • BZ - 484095 - fence_apc_snmp: invalid status outletStatusOff
  • BZ - 484956 - qdiskd does not prune partitions mapped to dm-mpio devices
  • BZ - 485026 - Cman kills first node in initial cluster setup
  • BZ - 485199 - 'service qdiskd restart' doesn't work
  • BZ - 485469 - Normal users cannot run CPG clients if openais is started by cman.
  • BZ - 485700 - fence_lpar doesn't work with hmc version 3
  • BZ - 487436 - Qdisk should choose first disk if multiple disks containing same label exist
  • BZ - 487501 - Exceptions in fencing agents
  • BZ - 488565 - cman uses local node name for lookup during start up
  • BZ - 488958 - GFS: Allow fence_egenera to specify ssh login name
  • BZ - 491640 - APC Fence Agent does not work with non-admin account
  • BZ - 493165 - group_tool ls fence returns one for fence id ZERO
  • BZ - 493207 - groupd assigns zero group id
  • BZ - 493802 - [RFE] Providing support for ssh enabled RSA II fence devices
  • BZ - 496629 - [RFE] Include fence_virsh along with the present agents
  • BZ - 496724 - fence_drac5 uses module_name instead of modulename
  • BZ - 498329 - fence_drac5 help output shows incorrect usage
  • BZ - 499767 - groupd segfaults on start
  • BZ - 500450 - qdiskd I/O hang reporting
  • BZ - 500567 - Flag added to openais to report security errors causes cman not to build
  • BZ - 501586 - fence agents (fence_apc, fence_wti) fails with pexpect exception
  • BZ - 502674 - fence_lpar can't log in to IVM systems
  • BZ - 504705 - fence_lpar: lssyscfg command on HMC can take longer than SHELL_TIMEOUT
  • BZ - 505258 - cman_tool leave remove does not reduce quorum
  • BZ - 505594 - semaphore leak during cluster startup/shutdown cycle
  • BZ - 512998 - Fence_scsi limitations man page fix needed
  • BZ - 514758 - [RHEL5][cman] fence_apc_snmp: local variable 'verbose_filename' referenced before assignment
  • BZ - 519436 - CVE-2008-6552 cman, gfs2-utils, rgmanager: multiple insecure temporary file use issues

CVEs

  • CVE-2008-6552
  • CVE-2008-4579

References

  • http://www.redhat.com/security/updates/classification/#low
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
cman-2.0.115-1.el5.src.rpm SHA-256: 4c0133cb38457e5135f6a117de2e13e023f926ab18f5e0333b9c0bea699abf10
x86_64
cman-2.0.115-1.el5.x86_64.rpm SHA-256: 8fe573672b682b26c295a2f67f9663effbbc84495357bbe0bd5494196f134620
cman-devel-2.0.115-1.el5.i386.rpm SHA-256: 3b17e31059a6d481721917943e9186b358c22996a75000a9932e808610dcf3fa
cman-devel-2.0.115-1.el5.x86_64.rpm SHA-256: d50272f589e271d9c74f9b33c1e5d58457bae3feb4d73c119c06d966059b45f0
ia64
cman-2.0.115-1.el5.ia64.rpm SHA-256: d46602e54e864dc38e1ce12a8bc2a7a291508364a34c095dac7189ca5c634854
cman-devel-2.0.115-1.el5.ia64.rpm SHA-256: 1664cad7509e919b8ba88f116e385aa67772dd2ab91edec4445cc4f2e5a7c671
i386
cman-2.0.115-1.el5.i386.rpm SHA-256: 0fcfe4f99a9226519577046c5c11c59cfd5d8c30c8e1150a3263be6208ca26a7
cman-devel-2.0.115-1.el5.i386.rpm SHA-256: 3b17e31059a6d481721917943e9186b358c22996a75000a9932e808610dcf3fa

Red Hat Enterprise Linux Workstation 5

SRPM
cman-2.0.115-1.el5.src.rpm SHA-256: 4c0133cb38457e5135f6a117de2e13e023f926ab18f5e0333b9c0bea699abf10
x86_64
cman-2.0.115-1.el5.x86_64.rpm SHA-256: 8fe573672b682b26c295a2f67f9663effbbc84495357bbe0bd5494196f134620
cman-devel-2.0.115-1.el5.i386.rpm SHA-256: 3b17e31059a6d481721917943e9186b358c22996a75000a9932e808610dcf3fa
cman-devel-2.0.115-1.el5.x86_64.rpm SHA-256: d50272f589e271d9c74f9b33c1e5d58457bae3feb4d73c119c06d966059b45f0
i386
cman-2.0.115-1.el5.i386.rpm SHA-256: 0fcfe4f99a9226519577046c5c11c59cfd5d8c30c8e1150a3263be6208ca26a7
cman-devel-2.0.115-1.el5.i386.rpm SHA-256: 3b17e31059a6d481721917943e9186b358c22996a75000a9932e808610dcf3fa

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
cman-2.0.115-1.el5.src.rpm SHA-256: 4c0133cb38457e5135f6a117de2e13e023f926ab18f5e0333b9c0bea699abf10
s390x
cman-2.0.115-1.el5.s390x.rpm SHA-256: a08447af884b2fcce6d439a864cbc1ec55214471e22b5ff02630689885e8afec
cman-devel-2.0.115-1.el5.s390.rpm SHA-256: 3251d1df6b953e40902a0a6e4c7f9dd38291ef554e3e462e7f90c0363a91cf48
cman-devel-2.0.115-1.el5.s390x.rpm SHA-256: 517e1420ae9fdb26365ce498330c1740a25afacae2cae80f990ffa5ae07b8c83

Red Hat Enterprise Linux for Power, big endian 5

SRPM
cman-2.0.115-1.el5.src.rpm SHA-256: 4c0133cb38457e5135f6a117de2e13e023f926ab18f5e0333b9c0bea699abf10
ppc
cman-2.0.115-1.el5.ppc.rpm SHA-256: 8aac30172fdac47754b5b26586e844c107532518c513cf1a9d6cde8bebdcebac
cman-devel-2.0.115-1.el5.ppc.rpm SHA-256: 36434a07ada2b06aca76ca85eba244f021307b640893f6c78a71050e788c39a7
cman-devel-2.0.115-1.el5.ppc64.rpm SHA-256: 098575430b3f1da6da3ade6c2639f15567d12bffed0ee4051a5565699b116468

Red Hat Enterprise Linux Server from RHUI 5

SRPM
cman-2.0.115-1.el5.src.rpm SHA-256: 4c0133cb38457e5135f6a117de2e13e023f926ab18f5e0333b9c0bea699abf10
x86_64
cman-2.0.115-1.el5.x86_64.rpm SHA-256: 8fe573672b682b26c295a2f67f9663effbbc84495357bbe0bd5494196f134620
cman-devel-2.0.115-1.el5.i386.rpm SHA-256: 3b17e31059a6d481721917943e9186b358c22996a75000a9932e808610dcf3fa
cman-devel-2.0.115-1.el5.x86_64.rpm SHA-256: d50272f589e271d9c74f9b33c1e5d58457bae3feb4d73c119c06d966059b45f0
i386
cman-2.0.115-1.el5.i386.rpm SHA-256: 0fcfe4f99a9226519577046c5c11c59cfd5d8c30c8e1150a3263be6208ca26a7
cman-devel-2.0.115-1.el5.i386.rpm SHA-256: 3b17e31059a6d481721917943e9186b358c22996a75000a9932e808610dcf3fa

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat, Inc.

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility