Hi Connie, Troy,

We are also seeing this dependency failure on both SL5.4 and SL5.5
systems and for both the .i386 and .x86_64 versions of the lvm2
security release.

Our SL5.4 systems have: device-mapper-1.02.32-1.el5
Our SL5.5 systems have: device-mapper-1.02.39-1.el5.i386

Sample email from overnight yum cron:
 --------------------
 YUM - security
 --------------------
lvm2-2.02.56-8.el5_5.6.x86_64 from sl-security has depsolving problems
--> Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by package lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)
Error: Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by package lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)
 You could try using --skip-broken to work around the problem
 You could try running: package-cleanup --problems
                        package-cleanup --dupes
                        rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.

- Larry

On 8/1/10 2:21 AM, Hervé Riboulot wrote:
Hello,

I cannot process the security update due to dependency issues: 'Error:
Missing Dependency: device-mapper >= 1.02.39-1.el5_5.1 is needed by
package lvm2-2.02.56-8.el5_5.6.x86_64 (sl-security)'.

Device-mapper (i386 and x86_64) are installed:

rpm -qa device-mapper
device-mapper-1.02.39-1.el5.x86_64
device-mapper-1.02.39-1.el5.i386

Package-cleanup --problems does not report any flaw ...


I'm running SL 5.5 on the following configuration: 2.6.18-194.8.1.el5 #1
SMP Thu Jul 1 16:05:53 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux.



Best regards,




On 01.08.2010 06:29, Connie Sieh wrote:

Issue date: 2010-07-28
CVE Names: CVE-2010-2526
Description:

It was discovered that the cluster logical volume manager daemon (clvmd)
did not verify the credentials of clients connecting to its control UNIX
abstract socket, allowing local, unprivileged users to send control
commands that were intended to only be available to the privileged root
user. This could allow a local, unprivileged user to cause clvmd to exit,
or request clvmd to activate, deactivate, or reload any logical volume on
the local system or another system in the cluster. (CVE-2010-2526)

Note: This update changes clvmd to use a pathname-based socket rather than
an abstract socket. As such, the lvm2 update 2010:0569, which changes
LVM to also use this pathname-based socket, must also be installed for LVM
to be able to communicate with the updated clvmd.

All lvm2-cluster users should upgrade to this updated package, which
contains a backported patch to correct this issue. After installing the
updated package, clvmd must be restarted for the update to take effect.

5. Bugs fixed

CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2
and clvmd

6. Package List:

SRPM:
lvm2-cluster-2.02.56-7.el5_5.4.src.rpm

i386:
lvm2-cluster-2.02.56-7.el5_5.4.i386.rpm

x86_64:
lvm2-cluster-2.02.56-7.el5_5.4.x86_64.rpm


lvm2 update included because of dependency.

i386:
lvm2-2.02.56-8.el5_5.6.i386.rpm
x86_64:
lvm2-2.02.56-8.el5_5.6.x86_64.rpm

-Connie Sieh
-Troy Dawson


--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:lnel...@uiuc.edu        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
 "Information without accountability is just noise."  - P.L. Nelson
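
The advisory quoted in this thread describes a daemon control socket that accepted commands without verifying the client's credentials, and a fix that moves from an abstract socket to a pathname-based one. The following C code is an added illustration for Linux, not code from this thread, lvm2 or clvmd: it binds a pathname socket whose file mode restricts who may connect, and checks the kernel-reported peer uid with SO_PEERCRED. The function names and the /tmp path are made up for the example.

```c
/* Added example: constructed demo, not code from lvm2 or clvmd. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Bind a listening pathname socket that only its owner can connect to.
 * Unlike an abstract socket (sun_path[0] == '\0'), the socket file has
 * an owner and mode that the kernel checks on connect(). */
int listen_private(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof(sa.sun_path)) return -1;
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    unlink(path);                       /* remove a stale socket file */
    mode_t old = umask(0177);           /* socket file is created 0600 */
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    umask(old);
    if (rc < 0 || listen(fd, 8) < 0) { close(fd); return -1; }
    return fd;
}

/* Return 1 if the peer's kernel-reported uid is root or `allowed`, else 0. */
int peer_is_authorized(int fd, uid_t allowed)
{
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return 0;
    return cr.uid == 0 || cr.uid == allowed;
}

int main(void)
{
    const char *path = "/tmp/demo_ctl.sock";   /* hypothetical path */
    int fd = listen_private(path);
    struct stat st;
    if (fd < 0 || stat(path, &st) < 0) return 1;
    printf("socket mode: %o\n", (unsigned)(st.st_mode & 0777));
    close(fd);
    unlink(path);
    return 0;
}
```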
