CentOS Local Security Checks : CentOS Update for lvm2-cluster CESA-2010:0567 centos5 i386

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 146377 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.880581

Kategorie: CentOS Local Security Checks

Titel: CentOS Update for lvm2-cluster CESA-2010:0567 centos5 i386

Zusammenfassung: The remote host is missing an update for the 'lvm2-cluster'; package(s) announced via the referenced advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'lvm2-cluster'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The lvm2-cluster package contains support for Logical Volume Management
(LVM) in a clustered environment.

It was discovered that the cluster logical volume manager daemon (clvmd)
did not verify the credentials of clients connecting to its control UNIX
abstract socket, allowing local, unprivileged users to send control
commands that were intended to only be available to the privileged root
user. This could allow a local, unprivileged user to cause clvmd to exit,
or request clvmd to activate, deactivate, or reload any logical volume on
the local system or another system in the cluster. (CVE-2010-2526)

Note: This update changes clvmd to use a pathname-based socket rather than
an abstract socket. As such, the lvm2 update RHBA-2010:0569, which changes
LVM to also use this pathname-based socket, must also be installed for LVM
to be able to communicate with the updated clvmd.

All lvm2-cluster users should upgrade to this updated package, which
contains a backported patch to correct this issue. After installing the
updated package, clvmd must be restarted for the update to take effect.

Affected Software/OS:
lvm2-cluster on CentOS 5

Solution:
Please install the updated packages.

CVSS Score:
4.6

CVSS Vector:
AV:L/AC:L/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2010-2526
1024258
http://securitytracker.com/id?1024258
40759
http://secunia.com/advisories/40759
66753
http://www.osvdb.org/66753
ADV-2010-1944
http://www.vupen.com/english/advisories/2010/1944
RHSA-2010:0567
https://rhn.redhat.com/errata/RHSA-2010-0567.html
RHSA-2010:0568
https://rhn.redhat.com/errata/RHSA-2010-0568.html
SUSE-SR:2010:017
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
USN-1001-1
http://www.ubuntu.com/usn/USN-1001-1
[linux-lvm] 20100728 lvm2-cluster (clvmd) security fix (Moderate)
https://www.redhat.com/archives/linux-lvm/2010-July/msg00083.html
https://bugzilla.redhat.com/show_bug.cgi?id=614248
lvm2-socket-privilege-escalation(60809)
https://exchange.xforce.ibmcloud.com/vulnerabilities/60809

Copyright Copyright (C) 2011 Greenbone AG

Dies ist nur einer von 146377 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.880581
Kategorie:	CentOS Local Security Checks
Titel:	CentOS Update for lvm2-cluster CESA-2010:0567 centos5 i386
Zusammenfassung:	The remote host is missing an update for the 'lvm2-cluster'; package(s) announced via the referenced advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'lvm2-cluster' package(s) announced via the referenced advisory. Vulnerability Insight: The lvm2-cluster package contains support for Logical Volume Management (LVM) in a clustered environment. It was discovered that the cluster logical volume manager daemon (clvmd) did not verify the credentials of clients connecting to its control UNIX abstract socket, allowing local, unprivileged users to send control commands that were intended to only be available to the privileged root user. This could allow a local, unprivileged user to cause clvmd to exit, or request clvmd to activate, deactivate, or reload any logical volume on the local system or another system in the cluster. (CVE-2010-2526) Note: This update changes clvmd to use a pathname-based socket rather than an abstract socket. As such, the lvm2 update RHBA-2010:0569, which changes LVM to also use this pathname-based socket, must also be installed for LVM to be able to communicate with the updated clvmd. All lvm2-cluster users should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the updated package, clvmd must be restarted for the update to take effect. Affected Software/OS: lvm2-cluster on CentOS 5 Solution: Please install the updated packages. CVSS Score: 4.6 CVSS Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2010-2526 1024258 http://securitytracker.com/id?1024258 40759 http://secunia.com/advisories/40759 66753 http://www.osvdb.org/66753 ADV-2010-1944 http://www.vupen.com/english/advisories/2010/1944 RHSA-2010:0567 https://rhn.redhat.com/errata/RHSA-2010-0567.html RHSA-2010:0568 https://rhn.redhat.com/errata/RHSA-2010-0568.html SUSE-SR:2010:017 http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html USN-1001-1 http://www.ubuntu.com/usn/USN-1001-1 [linux-lvm] 20100728 lvm2-cluster (clvmd) security fix (Moderate) https://www.redhat.com/archives/linux-lvm/2010-July/msg00083.html https://bugzilla.redhat.com/show_bug.cgi?id=614248 lvm2-socket-privilege-escalation(60809) https://exchange.xforce.ibmcloud.com/vulnerabilities/60809
Copyright	Copyright (C) 2011 Greenbone AG