Security Advisory Moderate: lvm2-cluster security update

Advisory: RHSA-2010:0568-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-07-28
Last updated on: 2010-07-28
Affected Products: Global File System EL4
Global File System EL4.8.z
CVEs (cve.mitre.org): CVE-2010-2526

Details

An updated lvm2-cluster package that fixes one security issue is now
available for Red Hat Global File System for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The lvm2-cluster package contains support for Logical Volume Management
(LVM) in a clustered environment.

It was discovered that the cluster logical volume manager daemon (clvmd)
did not verify the credentials of clients connecting to its control UNIX
abstract socket, allowing local, unprivileged users to send control
commands that were intended to be available only to the privileged root
user. This could allow a local, unprivileged user to cause clvmd to exit,
or to request that clvmd activate, deactivate, or reload any logical volume
on the local system or on another system in the cluster. (CVE-2010-2526)

Note: This update changes clvmd to use a pathname-based socket rather than
an abstract socket. As such, the lvm2 update RHBA-2010:0569, which changes
LVM to also use this pathname-based socket, must also be installed for LVM
to be able to communicate with the updated clvmd.

All lvm2-cluster users should upgrade to this updated package, which
contains a backported patch to correct this issue. After installing the
updated package, clvmd must be restarted for the update to take effect.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Global File System EL4

SRPMS:
lvm2-cluster-2.02.42-5.el4_8.2.src.rpm
File outdated by:  RHBA-2011:1183
    MD5: fc9b89598bb6c173b77c1aae37bfaca0
SHA-256: 254dde0f2415702eed047892ac56d2bd51fd5b2ebe1c98174456c439062483ff
 
IA-32:
lvm2-cluster-2.02.42-5.el4_8.2.i386.rpm
File outdated by:  RHBA-2011:1183
    MD5: 64b035d8ee66eed19c89a0621c99b00f
SHA-256: dedbe6bfbb3fb29b7217f9ae295cf7572dbdee7e38efbf922eee6aa5a408fc71
 
IA-64:
lvm2-cluster-2.02.42-5.el4_8.2.ia64.rpm
File outdated by:  RHBA-2011:1183
    MD5: ac09e6a0ece1f531ce8a2267c7f16755
SHA-256: ad1a5697add0d3970e858d9a11822b7fc74979b997399185fe2eca212403c6c5
 
PPC:
lvm2-cluster-2.02.42-5.el4_8.2.ppc64.rpm
File outdated by:  RHBA-2011:1183
    MD5: 8f0d408a59dcef04a36b6f60c8041d9f
SHA-256: d3dabee60b69226102a4e391f3c7a8a3260b466d5b371fe77508e926ce5c5b15
 
x86_64:
lvm2-cluster-2.02.42-5.el4_8.2.x86_64.rpm
File outdated by:  RHBA-2011:1183
    MD5: e2b90916399e415fe6ba129ac82592b0
SHA-256: 109d6d0bd930b6c5c572fc0eb6b826122e999c665049ed97b112d002f17e947e
 
Global File System EL4.8.z

SRPMS:
lvm2-cluster-2.02.42-5.el4_8.2.src.rpm
File outdated by:  RHBA-2011:1183
    MD5: fc9b89598bb6c173b77c1aae37bfaca0
SHA-256: 254dde0f2415702eed047892ac56d2bd51fd5b2ebe1c98174456c439062483ff
 
IA-32:
lvm2-cluster-2.02.42-5.el4_8.2.i386.rpm
    MD5: 64b035d8ee66eed19c89a0621c99b00f
SHA-256: dedbe6bfbb3fb29b7217f9ae295cf7572dbdee7e38efbf922eee6aa5a408fc71
 
IA-64:
lvm2-cluster-2.02.42-5.el4_8.2.ia64.rpm
    MD5: ac09e6a0ece1f531ce8a2267c7f16755
SHA-256: ad1a5697add0d3970e858d9a11822b7fc74979b997399185fe2eca212403c6c5
 
PPC:
lvm2-cluster-2.02.42-5.el4_8.2.ppc64.rpm
    MD5: 8f0d408a59dcef04a36b6f60c8041d9f
SHA-256: d3dabee60b69226102a4e391f3c7a8a3260b466d5b371fe77508e926ce5c5b15
 
x86_64:
lvm2-cluster-2.02.42-5.el4_8.2.x86_64.rpm
    MD5: e2b90916399e415fe6ba129ac82592b0
SHA-256: 109d6d0bd930b6c5c572fc0eb6b826122e999c665049ed97b112d002f17e947e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

614248 - CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2 and clvmd

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/