Hi,

It would appear from looking at the source of the keepalived package that Mageia's keepalived will have the same bug as listed here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415

i.e. keepalived/check/ipvswrapper.c:

char *argv[] = { "/sbin/modprobe", "-s", "-k", "--", "ip_vs", NULL };

shows the -k option used for modprobe, but -k is not supported by modprobe.
CC: (none) => nelg
Source RPM: (none) => keepalived-1.2.2-0.mga1.src.rpm
Hi, thanks for reporting this bug. As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it.)
Keywords: (none) => Junior_job, PATCH
URL: (none) => http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=37;filename=modprobe-arguments-fix.patch;att=1;bug=619415
CC: (none) => ennael1
Still no maintainer.

@Glen: would it be something for you to maintain this package?
CC: (none) => marja11
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment. Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja
Keywords: (none) => NEEDINFO
There is also CVE-2011-1784: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281

I've uploaded packages for Mageia 1, Mageia 2, and Cauldron with both patches.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows local users to kill arbitrary processes by writing a PID to one of these files (CVE-2011-1784).

Also, keepalived was failing to load the ip_vs kernel module because of an incorrect modprobe option. This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.1.mga1
keepalived-1.2.2-1.1.mga2

from SRPMS:
keepalived-1.2.2-0.1.mga1.src.rpm
keepalived-1.2.2-1.1.mga2.src.rpm
Version: Cauldron => 2
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=37;filename=modprobe-arguments-fix.patch;att=1;bug=619415 => http://lwn.net/Vulnerabilities/506209/
Keywords: Junior_job, NEEDINFO, PATCH => (none)
Component: RPM Packages => Security
CC: (none) => luigiwalser
See Also: (none) => http://bugs.debian.org/619415
Assignee: bugsquad => qa-bugs
Summary: keepalived possible bug => keepalived new security issue CVE-2011-1784 and modprobe bug
Whiteboard: (none) => MGA1TOO
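The advisory above states the defect in terms of the file mode. The following C program is an added illustration, not keepalived's actual core/pidfile.c, of how a daemon that has cleared its umask ends up with a 0666 pid file, why changing the creation mode alone is not enough when a wrongly-permissioned file is left over from an earlier run (open(2) only applies the mode to a newly created file, so the fix also fchmod()s the descriptor), and a stat()-based check for group- or world-writable pid files that a tester can run against /var/run. The umask(0) call, the /tmp paths and the function names are assumptions made for the demo.

```c
/* Added example (not keepalived's source): pid file creation modes and a
 * permission check.  Assumes the daemon cleared its umask, as many do
 * while daemonizing; paths and names are constructed for the demo. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write "pid\n" to path, creating the file with the given mode.
 * With umask(0) in effect the creation mode lands on disk unchanged,
 * so 0666 gives every local user write access to the file.
 * If enforce is non-zero the mode is also applied with fchmod(), which
 * is what corrects a file that already existed with the old 0666 bits. */
static int pidfile_write_mode(const char *path, pid_t pid, mode_t mode, int enforce)
{
    mode_t old = umask(0);                  /* assumption: daemon runs with umask 0 */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    umask(old);
    if (fd < 0)
        return -1;
    /* The creation mode only applies to a newly created file; a leftover
     * 0666 file from a previous run keeps its bits unless fixed here. */
    if (enforce && fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Vulnerable shape described by the advisory: 0666 creation mode. */
int pidfile_write_vulnerable(const char *path, pid_t pid)
{
    return pidfile_write_mode(path, pid, 0666, 0);
}

/* Fixed shape: owner-writable, world-readable, and enforced on the open
 * descriptor so a pre-existing 0666 file is corrected as well. */
int pidfile_write_fixed(const char *path, pid_t pid)
{
    return pidfile_write_mode(path, pid, 0644, 1);
}

/* Return 1 if the file is group- or world-writable, 0 if not, -1 on error.
 * Same check as inspecting the mode column of "ls -l" on the pid file. */
int pidfile_is_writable_by_others(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

int main(void)
{
    const char *p = "/tmp/keepalived-demo.pid";   /* constructed demo path */
    pidfile_write_vulnerable(p, getpid());
    printf("after 0666 create, other-writable: %d\n", pidfile_is_writable_by_others(p));
    pidfile_write_fixed(p, getpid());
    printf("after 0644 rewrite, other-writable: %d\n", pidfile_is_writable_by_others(p));
    unlink(p);
    return 0;
}
```

Running it as any user prints 1 then 0: the first write leaves the file other-writable, the second rewrite of the same existing file clears the bits because of the fchmod(). Dropping the enforce step and relying on the creation mode alone would leave a stale 0666 file untouched across an upgrade, which is worth keeping in mind when verifying a fix of this kind on a system that already ran the old version.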
*** Bug 6743 has been marked as a duplicate of this bug. ***
Another security bug was fixed upstream in 1.2.4. Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows local users to kill arbitrary processes by writing a PID to one of these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module because of an incorrect modprobe option. This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.2.mga1
keepalived-1.2.2-1.2.mga2

from SRPMS:
keepalived-1.2.2-0.2.mga1.src.rpm
keepalived-1.2.2-1.2.mga2.src.rpm
Any clues to test this one? It looks like it doesn't have much success among the QA team; having a small testing procedure would greatly help :)
CC: (none) => stormi
I'm testing Mageia 1 now.

For testing, at least three systems are needed. Two servers and a client. I'm using Mageia 2 x86-64 as the client, and two Mageia 1 VirtualBox clients as the servers (one i586 and one x86-64).

I've now gotten both servers working, such that I can ssh into either of them from my login on the host. I've installed keepalived on both servers, and once I have it configured, I expect to be able to ssh using the virtual ip, have it go to the primary system, and then with the primary system shutdown, have it go to the secondary system.

I'll report back shortly, whether it's working as I think it's supposed to.
CC: (none) => davidwhodgins
I used the following as a guide for the keepalived setup.
http://www.cyberciti.biz/faq/rhel-centos-fedora-keepalived-lvs-cluster-configuration/

# cat keepalived.conf
vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 100
    authentication {
        auth_type PASS
        auth_pass mungedforposting
    }
    virtual_ipaddress {
        192.168.10.110/29 dev eth0
    }
}

Same config on the secondary, except priority 101.

The primary (i1) is on 192.168.10.103 and the secondary (x1) is on 192.168.10.105. After starting keepalived on both systems, I can ping 192.168.10.110 from the host, which is on 192.168.10.102.

In my ~/.ssh/config on the host, I have

Host vip
    Hostname 192.168.10.110
    Port 22
    User dave
    Compression yes
    CompressionLevel 9
    ServerAliveInterval 120

[dave@x2 ~]$ ssh vip
Warning: Permanently added '192.168.10.110' (RSA) to the list of known hosts.
Last login: Tue Jul 31 15:28:29 2012 from x2.hodgins.homeip.net
[dave@i1 ~]$ exit
logout
Connection to 192.168.10.110 closed.

<shutdown the i1 (Mageia 1 i586 system)>

[dave@x2 ~]$ ssh vip
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a2:42:2e:8b:61:be:61:c8:d7:93:b4:65:00:02:61:d6.
Please contact your system administrator.
Add correct host key in /home/dave/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/dave/.ssh/known_hosts:79
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Last login: Tue Jul 31 15:28:35 2012 from x2.hodgins.homeip.net
[dave@x1 ~]$ exit
logout
Connection to 192.168.10.110 closed.

Looks like I forgot to copy the host keys. :-)

Testing complete on Mageia 1 i586 and x86-64. I'll test Mageia 2 once I get the VirtualBox servers set up.
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK MGA1-64-OK
Whoops! Not OK on Mageia 1.

# ll /var/run/vrrp.pid /var/run/keepalived.pid
-rw-rw-rw- 1 root root 5 Jul 31 16:03 /var/run/keepalived.pid
-rw-rw-rw- 1 root root 5 Jul 31 16:03 /var/run/vrrp.pid

The files are still other-writable.

# rpm -qa|grep keepalived
keepalived-1.2.2-0.2.mga1
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO
Whiteboard: MGA1TOO => MGA1TOO has_procedure
Thanks for testing, the patches weren't applied in the Mageia 1 package. Fixed package uploaded.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows local users to kill arbitrary processes by writing a PID to one of these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module because of an incorrect modprobe option. This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.3.mga1
keepalived-1.2.2-1.2.mga2

from SRPMS:
keepalived-1.2.2-0.3.mga1.src.rpm
keepalived-1.2.2-1.2.mga2.src.rpm
With keepalived-1.2.2-0.3.mga1 installed I'm still getting

-rw-rw-rw- 1 root root 5 Jul 31 18:01 vrrp.pid
-rw-rw-rw- 1 root root 5 Jul 31 18:01 keepalived.pid

on both i586 and x86-64.
Sorry, this spec file was all messed up. It's really fixed now.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows local users to kill arbitrary processes by writing a PID to one of these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module because of an incorrect modprobe option. This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.4.mga1
keepalived-1.2.2-1.2.mga2

from SRPMS:
keepalived-1.2.2-0.4.mga1.src.rpm
keepalived-1.2.2-1.2.mga2.src.rpm
-rw-r--r-- 1 root root 5 Jul 31 18:53 vrrp.pid
-rw-r--r-- 1 root root 5 Jul 31 18:53 keepalived.pid

Confirmed fixed, and package is working. Testing complete on Mageia 1.
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK
Testing complete on Mageia 2.

Could someone from the sysadmin team push the srpm keepalived-1.2.2-1.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm keepalived-1.2.2-0.4.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates?

Advisory:

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows local users to kill arbitrary processes by writing a PID to one of these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module because of an incorrect modprobe option. This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
https://bugs.mageia.org/show_bug.cgi?id=4084
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK => MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0188
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED