Fedora has issued an advisory on July 17: http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084202.html Patch is available from Fedora. Note we also have critical Bug 6520 filed against this package.
CC: (none) => pterjan
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => johnny
CC: (none) => guillomovitch
I just submitted 3.1.7-7.1.mga2 in update_testing, fixing both #6520 and #6874 at once.
Thanks Guillaume. Mageia 1's package needs an update as well. I'll push this to QA once that's ready.
Was this fixed upstream in 3.4.0, which you recently submitted to Cauldron?
Saving package list for later...
ganglia-core-3.1.7-7.1.mga2
ganglia-gmetad-3.1.7-7.1.mga2
libganglia1-devel-3.1.7-7.1.mga2
libganglia1-3.1.7-7.1.mga2
ganglia-script-3.1.7-7.1.mga2
ganglia-webfrontend-3.1.7-7.1.mga2
from ganglia-3.1.7-7.1.mga2.src.rpm
Blocks: (none) => 6520
Patched package uploaded for Mageia 1 and Mageia 2, fixing this and Bug 6520.
Advisory:
========================
Updated ganglia packages fix security vulnerability:
There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead to arbitrary script being executed with web user privileges possibly leading to a machine compromise.
Additionally, an issue where active NFS mounts caused gmond to not start has also been corrected.
References:
http://ganglia.info/?p=549
https://bugs.launchpad.net/ubuntu/+source/ganglia/+bug/910678
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084202.html
========================
Updated packages in core/updates_testing:
========================
ganglia-core-3.1.7-5.1.mga1
ganglia-gmetad-3.1.7-5.1.mga1
libganglia1-devel-3.1.7-5.1.mga1
libganglia1-3.1.7-5.1.mga1
ganglia-script-3.1.7-5.1.mga1
ganglia-webfrontend-3.1.7-5.1.mga1
ganglia-core-3.1.7-7.1.mga2
ganglia-gmetad-3.1.7-7.1.mga2
libganglia1-devel-3.1.7-7.1.mga2
libganglia1-3.1.7-7.1.mga2
ganglia-script-3.1.7-7.1.mga2
ganglia-webfrontend-3.1.7-7.1.mga2
from SRPMS:
ganglia-3.1.7-5.1.mga1.src.rpm
ganglia-3.1.7-7.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Possibly useful link for testing.. http://acidborg.wordpress.com/2010/10/08/how-to-install-and-configure-ganglia-on-red-hat-enterprise-linux-5/
Testing Mga1 32
Before
------
An error when installing. I think this is probably a typo for chown nobody:nobody but we don't have a group called nobody. nogroup maybe.
6/32: ganglia-gmetad ###########################################warning: group nobody does not exist - using root
#
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-5.mga1.i586) scriptlet failed, exit status 1
# ll -d /var/lib/ganglia/rrds
drwxrwxrwx 2 nobody root 4096 Apr 5 2011 /var/lib/ganglia/rrds/
# service httpd start
# service gmond start
# service gmetad start
# service ganglia-script start
Starting GANGLIA monitor scripts: parametre
Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
[ OK ]
Able to browse to http://localhost/ganglia and view the local node data and graphs of usage statistics.
After
-----
The error still occurs with ganglia-gmetad
3/5: ganglia-gmetad ###########################################warning: group nobody does not exist - using root
#
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-5.1.mga1.i586) scriptlet failed, exit status 1
# service ganglia-script start
Starting GANGLIA monitor scripts: parametre
Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
[ OK ]
This error probably stems from:
$ ls /usr/share/ganglia-monitor-script/script
ls: cannot access /usr/share/ganglia-monitor-script/script: No such file or directory
# mkdir -p /usr/share/ganglia-monitor-script/script
# service ganglia-script start
Starting GANGLIA monitor scripts: parametre
[ OK ]
Apart from these issues it seems OK with just one host. I'll install on mga2 x86_64 also and try to configure a cluster.
Testing mga2 x86_64
There seem to be a number of issues with ganglia in both mga1 and mga2. Not yet tested gmond with an active nfs share as the computer is struggling a bit and you will probably want to address these anyway.
Before
------
Same issue on install mga2
4/7: ganglia-gmetad ######################################################## warning: group nobody does not exist - using root
#
gmetad.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig gmetad on
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-7.mga2.x86_64) scriptlet failed, exit status 1
Some errors starting gmond
#systemctl status gmond.service
/usr/sbin/gmond[14492]: [PYTHON] Can't open the python module path /usr/lib64/ganglia/python_modules.
/usr/sbin/gmond[14492]: Module python_module failed to initialize.
gmond[14459]: Starting GANGLIA gmond: [ OK ]
Also similar errors to mga1 starting ganglia-script.service
# systemctl status ganglia-script.service
ganglia-script[14604]: Starting GANGLIA monitor scripts: parametre
ganglia-script[14604]: Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
ganglia-script[14604]: [ OK ]
Browsing to http://localhost/ganglia I can see both nodes, this one and the mga1 i586. Choosing the remote node from the drop down menu displays some graphs but at the top, above them, it has two links beside each other. I think they should be graphs for Load last hour and Memory last hour on the remote host which have failed to display.
'Cluster LOAD Cluster MEM'
Clicking Cluster LOAD gives this error:
The image “http://localhost/ganglia/graph.php?g=load_report&z=large&c=Cluster&h=mgaone32&m=load_one&r=hour&s=descending&hc=4&mc=2&st=1347380741” cannot be displayed, because it contains errors.
Clicking Cluster MEM gives this error:
The image “http://localhost/ganglia/graph.php?g=mem_report&z=large&c=Cluster&h=mgaone32&m=load_one&r=hour&s=descending&hc=4&mc=2&st=1347380741” cannot be displayed, because it contains errors.
Viewing from the other host on mga1 i586 instead does show these two graphs.
After
-----
Still the error with ganglia-gmetad
3/5: ganglia-gmetad ########################################################################################################warning: group nobody does not exist - using root
#
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-7.1.mga2.x86_64) scriptlet failed, exit status 1
Also the error with ganglia-script:
ganglia-script[15636]: Starting GANGLIA monitor scripts: parametre
ganglia-script[15636]: Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
ganglia-script[15636]: [ OK ]
And the error with gmond:
/usr/sbin/gmond[15819]: [PYTHON] Can't open the python module path /usr/lib64/ganglia/python_modules.
/usr/sbin/gmond[15819]: Module python_module failed to initialize.
gmond[15786]: Starting GANGLIA gmond: [ OK ]
Also the two graphs which gave errors still give errors.
Whiteboard: MGA1TOO => MGA1TOO feedback
Ping for packager response, we're lagging with this one.
Created some separate bugs for the issues with ganglia. As there is no packager response and they are not regressions we will have to validate this update in its current state.
bug 7586 created for ganglia-gmetad - %post script
bug 7587 created for ganglia-script - No such file or directory
bug 7588 created for the missing graphs in mga2
bug 7589 created for gmond service - Module python_module failed to initialize
Whiteboard: MGA1TOO feedback => MGA1TOO feedback mga2-64-OK? mga1-32-OK?
Testing complete mga2 32
All the same problems as before plus another one. Browsing to http://localhost/ganglia gives..
Cannot find any metrics for selected cluster "Cluster", exiting.
Check ganglia XML tree (telnet 127.0.0.1 8652)
It can be seen as a node from another computer though. bug 7601 created for this issue.
Whiteboard: MGA1TOO feedback mga2-64-OK? mga1-32-OK? => MGA1TOO feedback mga2-32-OK? mga2-64-OK? mga1-32-OK?
Testing complete mga1 64
Validating (reluctantly)
SRPMs and advisory in comment 5
Could sysadmin please push from core/updates_testing to core/updates
Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO feedback mga2-32-OK? mga2-64-OK? mga1-32-OK? => MGA1TOO feedback mga2-32-OK? mga2-64-OK? mga1-32-OK? mga1-64-OK?
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0277
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Debian has issued an advisory for this on January 21: http://www.debian.org/security/2013/dsa-2610 This issue was assigned CVE-2012-3448, so if anyone's looking for that, we have already fixed it.