이 콘텐츠는 선택한 언어로 제공되지 않습니다.
8.131. luci
Updated luci packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Luci is a web-based high availability administration application.
Security Fix
- CVE-2014-3593
- It was discovered that luci used
eval()
on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci.This issue was discovered by Jan Pokorný of Red Hat.
Bug Fixes
- BZ#855112
- Previously, it was possible to use the following characters in the luci configuration file inside attribute values:
- the less-than sign (<)
- the greater-than sign (>)
- the quotation mark (")
Using such characters inside the attribute values could cause several problems. With this update, when the user attempts to use these special characters inside the attribute value, a warning is returned. - BZ#917738
- The
prefer_interface
parameter was missing from the IP resource in theluci
application. This parameter is used for adding an IP address to a particular network interface if a cluster node has multiple active interfaces that have IP addresses on the same subnetwork. The missing parameter has been added to luci with this update. - BZ#917771
- Previously, the
max_messages
,netmtu
,seqno_unchanged_const
, andwindow_size
configuration fields were missing from the luci configuration file when it was used in expert mode. This update adds the missing fields. - BZ#917780
- The possibility to disable the Red Hat Resource Group Manager (
rgmanager
) was missing from the luci configuration. With this update, it is now possible to disablergmanager
in luci expert mode. - BZ#918795
- Previously, luci was missing the Kdump fencing agent. The agent has been added with this update.
- BZ#988446
- Zooming the luci web interface in the Chrome and Firefox web browsers could cause the Users and Permissions tab to be displayed incorrectly. This bug has been fixed with this update, and the tab is now displayed properly.
- BZ#999324
- In previous releases, the luci application has been fixed to parse the cluster resource names with a suffix delimited by the period symbol (
.
) correctly. Due to this fix, the suffix was stripped off automatically. However, it is valid to specify a node name by referring to its IP address in the cluster configuration. When this was done, the node names ending with a suffix delimited by the period symbol, such as “.1” or “.sh”, were not shown properly and could not be edited. Also, such a node was indicated as not being a cluster member. This bug has been fixed, and such nodes are now handled properly in the described scenario. - BZ#1003062
- Previously, the luci application used the
10g
type as the default for thetype
attribute of theoracledb
resource agent. This behavior was incorrect because luci was supposed to use the original configuration and do not set its own. With this update, the type field is not arbitrarily specified by luci. - BZ#1004011
- Certain configurable parameters for the
fence_xvm
agent were missing from the luci application. This update adds the missing attributes, such asTimeout
for expert and non-expert mode andPath to Key File
,IP Port
,Multicast Address
,Multicast Retransmit Time
,IP Family
,Authentication Type
, andPacket Hash Type
for expert mode. - BZ#1004922
- When creating a new cluster, the
post_join_delay
parameter in the cluster configuration was set to 3 or 6 seconds depending if the cluster was configured using thecluster.conf
file or the cluster software. With this update, this inconsistent approach has been fixed. When no value is specified forpost_join_delay
, the value is not set in thecluster.conf
file but the cluster software specifies the value, which is set to 6 seconds. - BZ#1008510
- The name for the
fence_enegera
agent in the fence list wasEgenera SAN Controller
. This name was outdated and thus misleading. With this update, the agent is listed correctly asEgenera BladeFrame
. - BZ#1019853
- Previously, the
self_fence
parameter was missing from the configuration of thenetfs
resource agent. Also in the GUI, there was no checkbox entry for the Self-Fence If Unmount Fails option. This update adds the missing parameter. - BZ#1026374
- Due to previous changes in the luci application, SELinux no longer labeled the luci process with the confined
piranha_web_t
SELinux context type. This behavior was incorrect, thus a new script has been added to the luci packages to address this bug. Also the SELinux policy has been modified accordingly. As a result, the luci process now runs aspiranha_web_t
as expected. - BZ#1100817
- Previously, the luci application did not list virtual machine resource agents in the menu in the web UI. An attempt to manually add a virtual machine resource agent in the configuration file caused the error 500 to be returned. This update provides a patch to fix this bug and virtual machine resource agents are now correctly listed in the menu.
Enhancements
- BZ#919225
- The luci application has been enhanced to display global cluster resources and sort them alphabetically and numerically by the resource name, IP address, and other significant resource attributes.
- BZ#919243
- With this update, the luci application validates whether an
nfsclient
resource is always associated with annfsexport
resource. Now, an attempt to create a service with annfsclient
resource that is not associated with annfsexport
resource causes the following error to be returned:nfsclient resources must have a parent nfsexport resource
- BZ#982771
- With this update, the luci application checks whether the
beaker.session.secret
value consists of 20 or more characters. Therefore, the use of values containing less characters is not permitted to increase the security of the server-stored session data. - BZ#991575
- This update enhances the luci application with the ability to configure the ciphers for SSL/TLS channel between luci and a connecting web browser, providing better security control for administrators.
- BZ#1061786
- This update adds the ability to specify a
httpd
binary in the Apache resource configuration screen. This new feature allows the user to use the Multi-Processing Module (MPM) worker with thehttpd
daemon in a cluster. - BZ#1070760
- With this update, the luci application has been modified to allow the user to set static ports for all NFS-related ports.
- BZ#1117398
- With this enhancement, several changes have been made in the luci application:
- Support for configuring newly-added bind-mount resource agents has been added.
- Support for configuring the
power_timeout
,shell_timeout
,login_timeout
, andretry_on
attributes for thefence_brocade
agent has been added. - Support for the newly-added attribute
reboot_on_pid_exhaustion
for the<rm>
tag has been added. This attribute is used in the Red Hat Resource Group Manager (rgmanager
) to allow a service recovery when failing to fork a bash child process with a return code 254. - The
skip_undefined
attribute was no longer needed and it was removed from the fencing configuration in advanced mode. - Support for configuring the new
startup_wait
parameter for thepostgres-8
resource agent has been added. This parameter allows users to configure the sleep time according to their needs. - Support for the
ssh_options
attribute for thefence_apc
,fence_virsh
, andfence_rsa
agents has been added. - Support for the newly-added
no_kill
attribute for the virtual machine (VM) resource agent has been added. This attribute is used to prevent thergmanager
utility from killing VMs that did not shut down properly.
All luci users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.