Security Advisory Low: rgmanager security, bug fix, and enhancement update

Advisory: RHSA-2011:1000-1
Type: Security Advisory
Severity: Low
Issued on: 2011-07-21
Last updated on: 2011-07-21
Affected Products: RHEL Clustering (v. 5 server)
CVEs ( CVE-2010-3389


An updated rgmanager package that fixes one security issue, several bugs,
and adds multiple enhancements is now available for Red Hat Enterprise
Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The rgmanager package contains the Red Hat Resource Group Manager, which
provides the ability to create and manage high-availability server
applications in the event of system downtime.

It was discovered that certain resource agent scripts set the
LD_LIBRARY_PATH environment variable to an insecure value containing empty
path elements. A local user able to trick a user running those scripts to
run them while working from an attacker-writable directory could use this
flaw to escalate their privileges via a specially-crafted dynamic library.

Red Hat would like to thank Raphael Geissert for reporting this issue.

This update also fixes the following bugs:

* The failover domain "nofailback" option was not honored if a service was
in the "starting" state. This bug has been fixed. (BZ#669440)

* PID files with white spaces in the file name are now handled correctly.

* The /usr/sbin/ script can now be used from within Cron.

* The clustat utility now reports the correct version. (BZ#654160)

* The agent now attempts to try the "shutdown immediate"
command instead of using the "shutdown abort" command. (BZ#633992)

* The SAPInstance and SAPDatabase scripts now use proper directory name
quoting so they no longer collide with directory names like "/u".

* The clufindhostname utility now returns the correct value in all cases.

* The nfsclient resource agent now handles paths with trailing slashes
correctly. (BZ#592624)

* The last owner of a service is now reported correctly after a failover.

* The /usr/share/cluster/ script no longer runs the "quotaoff" command
if quotas were not configured. (BZ#637678)

* The "listen" line in the /etc/httpd/conf/httpd.conf file generated by the
Apache resource agent is now correct. (BZ#675739)

* The tomcat-5 resource agent no longer generates incorrect configurations.

* The time required to stop an NFS resource when the server is unavailable
has been reduced. (BZ#678494)

* When using exclusive prioritization, a higher priority service now
preempts a lower priority service after status check failures. (BZ#680256)

* The postgres-8 resource agent now correctly detects failed start
operations. (BZ#663827)

* The handling of reference counts passed by rgmanager to resource agents
now works properly, as expected. (BZ#692771)

As well, this update adds the following enhancements:

* It is now possible to disable updates to static routes by the IP resource
agent. (BZ#620700)

* It is now possible to use XFS as a file system within a cluster service.

* It is now possible to use the "clustat" command as a non-root user, so
long as that user is in the "root" group. (BZ#510300)

* It is now possible to migrate virtual machines when central processing is
enabled. (BZ#525271)

* The rgmanager init script will now delay after stopping services in order
to allow time for other nodes to restart them. (BZ#619468)

* The handling of failed independent subtrees has been corrected.

All users of Red Hat Resource Group Manager are advised to upgrade to this
updated package, which contains backported patches to correct these issues
and add these enhancements.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

RHEL Clustering (v. 5 server)

File outdated by:  RHBA-2014:1207
    MD5: b677ebb806cb4e07939e3b5a8df0b81d
SHA-256: 601694a9eb82ce246447ac513fbb80daae5ea31cfeb47ddaec84d5afb8867498
File outdated by:  RHBA-2014:1207
    MD5: bb8207847c229d9d53db596af3555178
SHA-256: 0aa3548f765769ca6315919ad7206788d47f1e746fbd989c8bdf49e3d8d16d6b
File outdated by:  RHBA-2014:1207
    MD5: 2141eb3d9ed2debcf22734fc74a37c31
SHA-256: 152be752707fc5b2851c3ba4acea368c9619132c7deb94cf93aa4d0d1ade97a1
File outdated by:  RHBA-2014:1207
    MD5: 96cbae6ce3261329aa5318e2988986c7
SHA-256: 3fb66b7f9bb4e05be3f33b68cb4ddbeba26635dee2b9849e5a89beba7482092c
File outdated by:  RHBA-2014:1207
    MD5: 7eb371c54ac51bf2cec38bc92ef8cff6
SHA-256: 47107019c4274c58032e63b241a274c27e9ed3823aaa99fddcb97de5f589507d
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

592613 - clufindhostname -i returns random value
592624 - nfsclient exports doens't work.
610483 - last_owner is not correctly updated on service reallocarion on failover
632704 - If whitespace in mysql resource name then pid file is not found
634225 - needs /usr/sbin in path
637154 - SAPInstance and SAPDatabase fail to start/stop/status if /u exists
637678 - service failover hangs at quotaoff in /usr/share/cluster/
637802 - Fix problems in generated config file for tomcat-5
639044 - CVE-2010-3389 rgmanager: insecure library loading vulnerability
654160 - clustat -v reports "clustat version DEVEL" on release package
661893 - Support/testing of XFS filesystem as part of RHEL Cluster
663827 - postgres-8 resource agent does not detect a failed start of postgres server
669440 - Service will failback on "nofailback" failover domain if service is in "starting" state
675739 - Listen line in generated httpd.conf incorrect
678494 - patch, when network is lost it takes too long to unmount the NFS filesystems
680256 - Service with highest exclusive prio should be relocated to another node with lower exclusive prio
711521 - Dependencies in independent_tree resources does not work as expected


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at