The Linux-HA team proudly announces security and bug-fix release 2.0.7 of the Linux-HA (aka "heartbeat", aka "OpenHA") software.
As usual, you can find it here: http://linux-ha.org/download/index.html#2.0.7

2.0.7 is a recommended upgrade for anyone running a 2.0 version of heartbeat as it contains a fix for a remote denial of service vulnerability.

* Sun Aug 13 2006 Alan Robertson <[EMAIL PROTECTED]> (see doc/AUTHORS file)
+ Version 2.0.7 - security and bug fix release
  + Important steps:
    - Prior to the update, make sure all elements (instance_attributes etc) in the CRM configuration have valid id attributes, or set the ignore_dtd option to true. Otherwise, the new version will refuse to start.
  + SECURITY FIX:
    - Remote Denial of Service attack (#195068, CVE-2006-3121).
    - Local Denial of Service attack (#194444, CVE-2006-3815). (actually fixed in 2.0.6)
  + Enhancements:
    - Improved log messages.
    - ptest can now read compressed XML directly. Do not include optional actions and dependencies in ptest output by default.
    - crm_resource will now warn and demand exact specification when trying to modify an attribute while several sets are present.
  + Bugfixes:
    - Small fix from Serge Dubrouski <[EMAIL PROTECTED]> for one annoying problem when PostgreSQL isn't installed on a box and one tries to run the script.
    - stonithd log message did not always indicate an error (OSDL 1379)
    - lrmd now limits itself to a maximum of 4 child processes, to avoid overloading the node and causing too long delays.
    - Improvements and fixes for Solaris 10.
    - pengine: Processing of pending probes; should not be treated as if the resource is running or in a known state.
    - target_role now is only taken into account for managed resources.
    - cib: Detect more cases where the nodes section needs to be refreshed.
    - More accurately determine node status. (OSDL 1369)
    - Filter out stop requests that would require a resource to be added. (OSDL 1369)
    - Send filtered resource "stops" as successes so as not to block waiting for filtered actions.
    - By default pass the TE graph via IPC until it's too large for IPC to deal with, only then fall back to passing via the disk.
    - Stopping of stonith resources can never require stonith, even if the node it's running on failed; prevent graph loop. (OSDL 1376)
    - STONITH events need to be inputs to start events (not stops), to avoid graph loop in combination with "stop before" dependencies (ie, groups).
    - crmd: Don't stall the FSA if we try to invoke the TE after we've stopped it.
    - Always unpack the correct part of a diff operation; diffs should now apply in more cases, reducing the need for full refreshes.
    - Correctly observe --disable-snmp-subagent during build.
    - In some states the membership is invalid and shouldn't be referenced. (OSDL 1377)
    - Fix a use-before-null-check issue in lrmd. (Coverity #48)
    - OCF Resource Agents outside the default path were incorrectly found to be not executable.
    - ccm: hostcache and delnodecache files should not be authoritative if autojoin is disabled. (OSDL 1226)
    - With autojoin, llm_get_nodecount() can't return the real max nodes anymore; this may cause memory corruption. (OSDL 1382)
    - Fix a memory corruption in membership layer, more frequently observed with larger (>5) clusters.
    - Change the default api-auth for pingd to uid=root
    - Dummy RA now OCF compliant.
    - Fix pingd RA metadata to be XML compliant.
    - Actually use RPMREL in the spec file.
  + KNOWN BUGS:
    - When running a cluster of nodes of very different speeds temporary membership anomalies may occasionally be seen. These correct themselves and don't appear to be harmful. They typically include a message something like this:
      WARN: Ignoring HA message (op=vote) from XXX: not in our membership list

--
Alan Robertson <[EMAIL PROTECTED]>

"Openness is the foundation and preservative of friendship... Let me claim from you at all times your undisguised opinions."
- William Wilberforce