Red Hat Product Errata RHSA-2013:1295 - Security Advisory

Issued:: 2013-10-01
Updated:: 2013-10-01

RHSA-2013:1295 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: Red Hat Enterprise MRG Grid 2.4 security update

Type/Severity

Security Advisory: Moderate

Topic

Updated Grid component packages that fix one security issue, multiple bugs,
and add various enhancements are now available for Red Hat Enterprise MRG
2.4 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to
achieve higher peak computing capacity as well as improved infrastructure
utilization by leveraging their existing technology to build high
performance grids. MRG Grid provides a job-queueing mechanism, scheduling
policy, and a priority scheme, as well as resource monitoring and resource
management. Users submit their jobs to MRG Grid, where they are placed into
a queue. MRG Grid then chooses when and where to run the jobs based upon a
policy, carefully monitors their progress, and ultimately informs the user
upon completion.

A denial of service flaw was found in the way cumin, a web management
console for MRG, processed certain Ajax update queries. A remote attacker
could use this flaw to issue a specially crafted HTTP request, causing
excessive use of CPU time and memory on the system. (CVE-2013-4284)

The CVE-2013-4284 issue was discovered by Tomas Novacik of Red Hat.

These updated packages for Red Hat Enterprise Linux 5 provide numerous
enhancements and bug fixes for the Grid component of MRG. Some of the most
important enhancements include:

Improved resource utilization with scheduler driven slot partitioning
Enhanced integration with existing user & group management
technology, specifically allowing group and netgroup specifications in
HTCondor security policies
Addition of global job priorities, allowing for priority to span
scaled-out queues
Reduced memory utilization per running job

Space precludes documenting all of these changes in this advisory. Refer to
the Red Hat Enterprise MRG 2 Technical Notes document, available shortly
from the link in the References section, for information on these changes.

All users of the Grid capabilities of Red Hat Enterprise MRG are advised to
upgrade to these updated packages, which correct this issue, and fix the
bugs and add the enhancements noted in the Red Hat Enterprise MRG 2
Technical Notes.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

MRG Grid from RHUI 2 for RHEL 5 x86_64
Red Hat Enterprise MRG Messaging 2 for RHEL 5 x86_64
Red Hat Enterprise MRG Messaging 2 for RHEL 5 i386
MRG Grid 2 for RHEL 5 x86_64
MRG Grid 2 for RHEL 5 i386

Fixes

BZ - 986214 - CVE-2013-4284 cumin: Denial of service due to improper handling of certain Ajax requests
BZ - 990231 - Grid 2.4 RHEL5

CVEs

CVE-2013-4284

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise MRG Messaging 2 for RHEL 5

SRPM
mrg-release-2.4.0-1.el5_9.src.rpm	SHA-256: 3dd11a07c8868efd6014679ef286289761af3acefbee73eaa289547a56a4e1ab
x86_64
mrg-release-2.4.0-1.el5_9.noarch.rpm	SHA-256: bdb470d4b96adfec84a5c58aa420cd4b71b011b5a54d850e509663f7cb292639
i386
mrg-release-2.4.0-1.el5_9.noarch.rpm	SHA-256: bdb470d4b96adfec84a5c58aa420cd4b71b011b5a54d850e509663f7cb292639

MRG Grid 2 for RHEL 5

SRPM
condor-7.8.9-0.5.el5_9.src.rpm	SHA-256: 84c23ca18a838f64867e1cd5d1183aff04c0d97da5c351ba4ac2d4d6fa85335e
cumin-0.1.5786-2.el5_9.src.rpm	SHA-256: f2291ceb845092d2728ef31832be15d659a94947f985cdc562e5496b99f37bb9
mrg-release-2.4.0-1.el5_9.src.rpm	SHA-256: 3dd11a07c8868efd6014679ef286289761af3acefbee73eaa289547a56a4e1ab
x86_64
condor-7.8.9-0.5.el5_9.x86_64.rpm	SHA-256: 9057a4b2229cfc3f1331e64c622221725172e74238268cdd3f87cc273a20ee96
condor-aviary-7.8.9-0.5.el5_9.x86_64.rpm	SHA-256: 796004803f6a2dc7d2e85edfdfb5014820de8fe09cdd4143ffe3cf03ed908188
condor-classads-7.8.9-0.5.el5_9.x86_64.rpm	SHA-256: e488db81d1eb18cb35bdffdca0f57ff67d010ea5699d5bc94119c590c54fe2d1
condor-kbdd-7.8.9-0.5.el5_9.x86_64.rpm	SHA-256: 130c361f80ab4ce6e9379307d2cb94ac260f0af3b5960b0f40bcf35143c52187
condor-qmf-7.8.9-0.5.el5_9.x86_64.rpm	SHA-256: 55982b6d9a1e394d3db1cf713c347a6c5305e87284114f0b7eb6102228216afb
condor-vm-gahp-7.8.9-0.5.el5_9.x86_64.rpm	SHA-256: b387745eb1b6496a2f38430afc739d07b7cdf38a58b7aabadc37076f8159238c
cumin-0.1.5786-2.el5_9.noarch.rpm	SHA-256: 6bfbf559e93b5b65e0cebb89691eec2c734b6d6bd78e0aaabe4fb46620f11f7d
mrg-release-2.4.0-1.el5_9.noarch.rpm	SHA-256: bdb470d4b96adfec84a5c58aa420cd4b71b011b5a54d850e509663f7cb292639
i386
condor-7.8.9-0.5.el5_9.i386.rpm	SHA-256: 9b3a6526034b1e41887d8c8e9edff344e09f483d314b036e6a66ea1117fe5253
condor-aviary-7.8.9-0.5.el5_9.i386.rpm	SHA-256: 84c4921a0c6de26d91d69be9f923adacee4bf68deabf012f8e24d85f0751ac25
condor-classads-7.8.9-0.5.el5_9.i386.rpm	SHA-256: 85ff97211449e0a82335be5dc4f18a5c4eaf0718d26966b90bfc9fb0378697d1
condor-kbdd-7.8.9-0.5.el5_9.i386.rpm	SHA-256: 40b695707ea9f6f6bc0213a255174780abd99c0379ed32c54517e8bb7ac02b15
condor-qmf-7.8.9-0.5.el5_9.i386.rpm	SHA-256: 62bb7d2bee827ab2933ea85174bdfc599c4efd4835bc6f58810e605a4bb0bddb
condor-vm-gahp-7.8.9-0.5.el5_9.i386.rpm	SHA-256: aa5c1ab5c00e3502ef2a8ff57e674502bcdd77a1a095c80ad3ed712c25fd6ddd
cumin-0.1.5786-2.el5_9.noarch.rpm	SHA-256: 6bfbf559e93b5b65e0cebb89691eec2c734b6d6bd78e0aaabe4fb46620f11f7d
mrg-release-2.4.0-1.el5_9.noarch.rpm	SHA-256: bdb470d4b96adfec84a5c58aa420cd4b71b011b5a54d850e509663f7cb292639

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories