Oracle Linux 5 : conga (ELSA-2007-0640)

Severity: High, Nessus Plugin ID 180618

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2007-0640 advisory.

[0.10.0-6.el5.0.1]
- Replaced Redhat copyrighted and trademarked images in the conga-0.10.0 tarball.

[0.10.0-6]

- Fixed bz253783
- Fixed bz253914 (conga doesn't allow you to reuse nfs export and nfs client resources)
- Fixed bz254038 (Impossible to set many valid quorum disk configurations via conga)
- Fixed bz253994 (Cannot specify multicast address for a cluster)
- Resolves: bz253783, bz253914, bz254038, bz253994

[0.10.0-5]

- Fixed bz249291 (delete node task fails to do all items listed in the help document)
- Fixed bz253341 (failure to start cluster service which had been modified for correction)
- Related: bz253341
- Resolves: bz249291

[0.10.0-4]

- Fixed bz230451 (fence_xvm.key file is not automatically created. Should have at least a default)
- Fixed bz249097 (allow a space as a valid password char)
- Fixed bz250834 (ZeroDivisionError when attempting to click an empty lvm volume group)
- Fixed bz250443 (storage name warning utility produces a storm of warnings which can lock your browser)
- Resolves: bz249097, bz250443, bz250834
- Related: bz230451

[0.10.0-3]

- Fixed bz245947 (luci/Conga cluster configuration tool not initializing cluster node members)
- Fixed bz249641 (conga is unable to do storage operations if there is an lvm snapshot present)
- Fixed bz249342 (unknown ricci error when adding new node to cluster)
- Fixed bz249291 (delete node task fails to do all items listed in the help document)
- Fixed bz249091 (RFE: tell user they are about to kill all their nodes)
- Fixed bz249066 (AttributeError when attempting to configure a fence device)
- Fixed bz249086 (Unable to add a new fence device to cluster)
- Fixed bz249868 (Use of failover domain not correctly shown)
- Resolves bz245947, bz249641, bz249342, bz249291, bz249091,
- Resolves bz249066, bz249086, bz249868
- Related: bz249351

[0.10.0-2]

- Fixed bz245202 (Conga needs to support Internet Explorer 6.0 and later)
- Fixed bz248317 (luci sets incorrect permissions on /usr/lib64/luci and /var/lib/luci)
- Resolves: bz245202 bz248317

[0.10.0-1]
- Fixed bz238655 (conga does not set the 'nodename' attribute for manual fencing)
- Fixed bz221899 (Node log displayed in partially random order)
- Fixed bz225782 (Need more luci service information on startup - no info written to log about failed start cause)
- Fixed bz227743 (Intermittent/recurring problem - when cluster is deleted, sometimes a node is not affected)
- Fixed bz227682 (saslauthd[2274]: Deprecated pam_stack module called from service 'ricci')
- Fixed bz238726 (Conga provides no way to remove a dead node from a cluster)
- Fixed bz239389 (conga cluster: make 'enable shared storage' the default)
- Fixed bz239596
- Fixed bz240034 (rpm verify fails on luci)
- Fixed bz240361 (Conga storage UI front-end is too slow rendering storage)
- Fixed bz241415 (Installation using Conga shows 'error' in message during reboot cycle.)
- Fixed bz241418 (Conga tries to configure cluster snaps, though they are not available.)
- Fixed bz241706 (Eliminate confusion in add fence flow)
- Fixed bz241727 (can't set user permissions in luci)
- Fixed bz242668 (luci init script can return non-LSB-compliant return codes)
- Fixed bz243701 (ricci init script can exit with non-LSB-compliant return codes)
- Fixed bz244146 (Add port number to message when ricci is not started/firewalled on cluster nodes.)
- Fixed bz244878 (Successful login results in an infinite redirection loop with MSIE)
- Fixed bz239388 (conga storage: default VG creation should be clustered if a cluster node)
- Fixed bz239327 (Online User Manual needs modification)
- Fixed bz227852 (Lack of debugging information in logs - support issue)
- Fixed bz245025 (Conga does not accept '&' character in password field for Fence configuration)
- Fixed bz225588 (luci web app does not enforce selection of fence port)
- Fixed bz212022 (cannot create cluster using ip addresses)
- Fixed bz223162 (Error trying to create a new fence device for a cluster node)
- Upgraded to the latest Plone (2.5.3)
- Added a 'reprobe storage' button that invalidates cached storage reports and forces a new probe.
- Resolves: bz238655, bz221899, bz225782, bz227682, bz227743, bz239389,
- Resolves: bz239596, bz240034, bz240361, bz241415, bz241418, bz241706,
- Resolves: bz241727, bz242668, bz243701, bz244146, bz244878, bz238726,
- Resolves: bz239388, bz239327, bz227852, bz245025, bz225588, bz212022

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected luci and/or ricci packages.

See Also

https://linux.oracle.com/errata/ELSA-2007-0640.html

Plugin Details

Severity: High

ID: 180618

File Name: oraclelinux_ELSA-2007-0640.nasl

Version: 1.2

Type: local

Agent: unix

Published: 9/7/2023

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2007-4136

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:ricci, cpe:/o:oracle:linux:5, p-cpe:/a:oracle:linux:luci

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 11/19/2007

Vulnerability Publication Date: 11/9/2007

Reference Information

CVE: CVE-2007-4136