Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[RHSA-2015:2369-01] Low: openhpi security, bug fix, and enhancement update

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Low: openhpi security, bug fix, and enhancement update

Advisory ID: RHSA-2015:2369-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2369.html

Issue date: 2015-11-19

CVE Names: CVE-2015-3248

=====================================================================

 

1. Summary:

 

Updated openhpi packages that fix one security issue, several bugs, and add

various enhancements are now available for Red Hat Enterprise Linux 7.

 

Red Hat Product Security has rated this update as having Low security

impact. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available from the CVE link in the

References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

OpenHPI is an open source project created with the intent of providing an

implementation of the SA Forum's Hardware Platform Interface (HPI).

HPI provides an abstracted interface to managing computer hardware,

typically for chassis and rack based servers. HPI includes resource

modeling, access to and control over sensor, control, watchdog, and

inventory data associated with resources, abstracted System Event Log

interfaces, hardware events and alerts, and a managed hotswap interface.

 

It was found that the "/var/lib/openhpi" directory provided by OpenHPI used

world-writeable and world-readable permissions. A local user could use this

flaw to view, modify, and delete OpenHPI-related data, or even fill up the

storage device hosting the /var/lib directory. (CVE-2015-3248)

 

This issue was discovered by Marko Myllynen of Red Hat.

 

The openhpi packages have been upgraded to upstream version 3.4.0, which

provides a number of bug fixes and enhancements over the previous version.

(BZ#1127908)

 

This update also fixes the following bug:

 

* Network timeouts were handled incorrectly in the openhpid daemon. As a

consequence, network connections could fail when external plug-ins were

used. With this update, handling of network socket timeouts has been

improved in openhpid, and the described problem no longer occurs.

(BZ#1208127)

 

All openhpi users are advised to upgrade to these updated packages, which

correct these issues and add these enhancements.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1233520 - CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory

 

6. Package List:

 

Red Hat Enterprise Linux ComputeNode (v. 7):

 

Source:

openhpi-3.4.0-2.el7.src.rpm

 

x86_64:

openhpi-3.4.0-2.el7.i686.rpm

openhpi-3.4.0-2.el7.x86_64.rpm

openhpi-debuginfo-3.4.0-2.el7.i686.rpm

openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm

openhpi-libs-3.4.0-2.el7.i686.rpm

openhpi-libs-3.4.0-2.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

x86_64:

openhpi-debuginfo-3.4.0-2.el7.i686.rpm

openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm

openhpi-devel-3.4.0-2.el7.i686.rpm

openhpi-devel-3.4.0-2.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

openhpi-3.4.0-2.el7.src.rpm

 

aarch64:

openhpi-3.4.0-2.el7.aarch64.rpm

openhpi-debuginfo-3.4.0-2.el7.aarch64.rpm

openhpi-libs-3.4.0-2.el7.aarch64.rpm

 

ppc64:

openhpi-3.4.0-2.el7.ppc.rpm

openhpi-3.4.0-2.el7.ppc64.rpm

openhpi-debuginfo-3.4.0-2.el7.ppc.rpm

openhpi-debuginfo-3.4.0-2.el7.ppc64.rpm

openhpi-libs-3.4.0-2.el7.ppc.rpm

openhpi-libs-3.4.0-2.el7.ppc64.rpm

 

ppc64le:

openhpi-3.4.0-2.el7.ppc64le.rpm

openhpi-debuginfo-3.4.0-2.el7.ppc64le.rpm

openhpi-libs-3.4.0-2.el7.ppc64le.rpm

 

s390x:

openhpi-3.4.0-2.el7.s390.rpm

openhpi-3.4.0-2.el7.s390x.rpm

openhpi-debuginfo-3.4.0-2.el7.s390.rpm

openhpi-debuginfo-3.4.0-2.el7.s390x.rpm

openhpi-libs-3.4.0-2.el7.s390.rpm

openhpi-libs-3.4.0-2.el7.s390x.rpm

 

x86_64:

openhpi-3.4.0-2.el7.i686.rpm

openhpi-3.4.0-2.el7.x86_64.rpm

openhpi-debuginfo-3.4.0-2.el7.i686.rpm

openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm

openhpi-libs-3.4.0-2.el7.i686.rpm

openhpi-libs-3.4.0-2.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

aarch64:

openhpi-debuginfo-3.4.0-2.el7.aarch64.rpm

openhpi-devel-3.4.0-2.el7.aarch64.rpm

 

ppc64:

openhpi-debuginfo-3.4.0-2.el7.ppc.rpm

openhpi-debuginfo-3.4.0-2.el7.ppc64.rpm

openhpi-devel-3.4.0-2.el7.ppc.rpm

openhpi-devel-3.4.0-2.el7.ppc64.rpm

 

ppc64le:

openhpi-debuginfo-3.4.0-2.el7.ppc64le.rpm

openhpi-devel-3.4.0-2.el7.ppc64le.rpm

 

s390x:

openhpi-debuginfo-3.4.0-2.el7.s390.rpm

openhpi-debuginfo-3.4.0-2.el7.s390x.rpm

openhpi-devel-3.4.0-2.el7.s390.rpm

openhpi-devel-3.4.0-2.el7.s390x.rpm

 

x86_64:

openhpi-debuginfo-3.4.0-2.el7.i686.rpm

openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm

openhpi-devel-3.4.0-2.el7.i686.rpm

openhpi-devel-3.4.0-2.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

openhpi-3.4.0-2.el7.src.rpm

 

x86_64:

openhpi-3.4.0-2.el7.i686.rpm

openhpi-3.4.0-2.el7.x86_64.rpm

openhpi-debuginfo-3.4.0-2.el7.i686.rpm

openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm

openhpi-libs-3.4.0-2.el7.i686.rpm

openhpi-libs-3.4.0-2.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

openhpi-debuginfo-3.4.0-2.el7.i686.rpm

openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm

openhpi-devel-3.4.0-2.el7.i686.rpm

openhpi-devel-3.4.0-2.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-3248

https://access.redhat.com/security/updates/classification/#low

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFWTkUOXlSAg2UNWIIRAuJyAJ9a80MvBwQ4f9eQ0EdzTO6Ihi3pMACglfQc

wrC52WABEXFR4qEOS+K6Eqk=

=Cqgp

-----END PGP SIGNATURE-----

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×