Bug Fix Advisory: conga bug fix update

Advisory: RHBA-2007:0331-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2007-05-18
Last updated on: 2007-05-18
Affected Products: RHEL Clustering (v. 5 server)
CVEs (cve.mitre.org): CVE-2007-0240


Updated conga packages that provide critical bug fixes are now available.

The Conga package is a web-based administration tool for remote cluster and
storage management.

This erratum applies the following bug fixes:

- The borrowed Zope packages used by Conga have been patched to eliminate
the possibility of an XSS attack.
- Passwords are no longer sent back from the server in cleartext for use as
input values.
- A form error was fixed so that Conga no longer allows for cluster
names of over 15 characters.
- An error wherein clusters and systems could not be deleted from the
manage systems interface has been addressed.
- Entering an incorrect password for a system no longer generates an
Unbound Local Reference exception.
- Luci failover domain forms are no longer empty.
- The fence_xvm string in cluster.conf for virtual cluster fencing has been
- The advanced options parameters section has been fixed.
- A bug where virtual services were unable for configuration has been
- kmod-gfs-xen is now installed when necessary.
- The 'enable shared storage support' checkbox is now cleared when a
configuration error is encountered.
- When configuring an outer physical cluster, it is no longer necessary to
add the fence_xvmd tag manually.

Users of Conga are advised to upgrade to these updated packages, which
apply these fixes.
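The three form-handling items above (the 15-character cluster name limit, passwords no longer echoed back as input values, and the XSS fix) share one pattern: reflected user input must be validated and escaped, and secrets must never be reflected at all. The following is a constructed illustration of that pattern, not Conga or luci code; the allowed cluster-name character set is an assumption, only the length limit comes from the advisory.

```python
import html
import re

# Constructed example, not Conga/luci code: a minimal before/after pair for the
# three form fixes in this erratum (name length, no password echo, HTML escaping).

MAX_CLUSTER_NAME_LEN = 15  # limit the erratum says Conga now enforces
# Assumed charset for illustration; the advisory does not specify one.
CLUSTER_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_cluster_name(name: str) -> bool:
    """Server-side check: non-empty, at most 15 characters, restricted charset."""
    return 0 < len(name) <= MAX_CLUSTER_NAME_LEN and bool(CLUSTER_NAME_RE.match(name))


def render_form_vulnerable(cluster_name: str, password: str) -> str:
    """Pattern the fixes removed: the submitted password is sent back to the
    browser as an input value, and user input lands in HTML unescaped."""
    return (
        f'<input name="clustername" value="{cluster_name}">'
        f'<input type="password" name="passwd" value="{password}">'
    )


def render_form_fixed(cluster_name: str) -> str:
    """Hardened form: the password field is re-rendered empty, and every
    reflected value is escaped for an HTML attribute context (quote=True)."""
    safe_name = html.escape(cluster_name, quote=True)
    return (
        f'<input name="clustername" value="{safe_name}">'
        '<input type="password" name="passwd" value="">'
    )
```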


Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at

Updated packages

RHEL Clustering (v. 5 server)


Bugs fixed (see bugzilla for more information)

228637 - CVE-2007-1462 security alert - passwords sent back from server as input value
233326 - CVE-2007-0240 Conga includes version of Zope that is vulnerable to a XSS attack
236020 - Conga allows creation/rename of clusters with name greater than 15 characters
236021 - Cluster cannot be deleted (from 'Manage Systems') - but no error results
236025 - Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment
236026 - luci failover domain forms are missing/empty
236027 - fence_xvm is incorrectly listed as "xmv" in virtual cluster
236048 - Advanced options parameters settings don't do anything
236050 - Unable to configure a virtual service
236052 - kmod-gfs-xen not installed with Conga install
236054 - 'enable shared storage' option cleared whenever there is a configuration error
236055 - Must manually edit cluster.conf on the dom0 cluster to add "<fence_xvmd/>"


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/