[Linux-ha-announce] Announcing! Release 2.0.7 of Linux-HA (with
security fix) is now available!
Alan Robertson
alanr at unix.sh
Sun Aug 13 23:55:10 MDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Linux-HA team proudly announces security and bug-fix release 2.0.7
of the Linux-HA (aka "heartbeat", aka "OpenHA") software.
As usual, you can find it here:
http://linux-ha.org/download/index.html#2.0.7
2.0.7 is a recommended upgrade for anyone running a 2.0 version of
heartbeat as it contains a fix for a remote denial of service vulnerability.
* Sun Aug 13 2006 Alan Robertson <alanr at unix.sh> (see doc/AUTHORS file)
+ Version 2.0.7 - security and bug fix release
+ Important steps:
- Prior to the update, make sure all elements (instance_attributes
etc) in the CRM configuration have valid id attributes, or set the
ignore_dtd option to true. Otherwise, the new version will refuse
to start.
+ SECURITY FIX:
- Remote Denial of Service attack (#195068, CVE-2006-3121).
- Local Denial of Service attack (#194444, CVE-2006-3815).
(actually fixed in 2.0.6)
+ Enhancements:
- Improved log messages.
- ptest can now read compressed XML directly. Do not include
optional actions and dependencies in ptest output by default.
- crm_resource will now warn and demand exact specification when
trying to modify an attribute while several sets are present.
+ Bugfixes:
- Small fix from Serge Dubrouski <sergefd at gmail.com> for one
annoying problem when PostgreSQL isn't installed on a box and one
tries to run the script.
- stonithd log message did not always indicate an error (OSDL 1379)
- lrmd now limits itself to a maximum of 4 child processes, to avoid
overloading the node and causing too long delays.
- Improvements and fixes for Solaris 10.
- pengine: Processing of pending probes; should not be treated as if
the resource is running or in a known state.
- target_role now is only taken into account for managed resources.
- cib: Detect more cases where the nodes section needs to be
refreshed.
- More accurately determine node status. (OSDL 1369)
- Filter out stop requests that would require a resource to be
added. (OSDL 1369)
- Send filtered resource "stops" as successes so as not to block
waiting for filtered actions.
- By default pass the TE graph via IPC until it's too large for IPC
to deal with, only then fall back to passing via the disk.
- Stopping of stonith resources can never require stonith, even if
the node it's running on failed; prevent graph loop. (OSDL 1376)
- STONITH events need to be inputs to start events (not stops), to
avoid graph loop in combination with "stop before" dependencies
(ie, groups).
- crmd: Don't stall the FSA if we try to invoke the TE after we've
stopped it.
- Always unpack the correct part of a diff operation; diffs should
now apply in more cases, reducing the need for full refreshes.
- Correctly observe --disable-snmp-subagent during build.
- In some states the membership is invalid and shouldn't be
referenced. (OSDL 1377)
- Fix a use-before-null-check issue in lrmd. (Coverity #48)
- OCF Resource Agents outside the default path were incorrectly
found to be not executable.
- ccm: hostcache and delnodecache files should not be authoritative
if autojoin is disabled. (OSDL 1226)
- With autojoin, llm_get_nodecount() can't return the real max nodes
anymore, this may cause memory corruption. (OSDL 1382)
- Fix a memory corruption in membership layer, more frequently
observed with larger (>5) clusters.
- Change the default api-auth for pingd to uid=root
- Dummy RA now OCF compliant.
- Fix pingd RA metadata to be XML compliant.
- Actually use RPMREL in the spec file.
+ KNOWN BUGS:
- When running a cluster of nodes of very different speeds temporary
membership anomalies may occasionally be seen. These correct
themselves and don't appear to be harmful. They typically
include a message something like this:
WARN: Ignoring HA message (op=vote) from XXX: not in our
membership list
--
Alan Robertson <alanr at unix.sh>
"Openness is the foundation and preservative of friendship... Let me
claim from you at all times your undisguised opinions." - William
Wilberforce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFE4BA9NkLhYXF6ZA4RAqbSAJ0QXxKtlHIkEtTkCefwPkCUaSnkLQCfbE6C
Bl4E128ktdk1GsjYAFybc2E=
=ux+h
-----END PGP SIGNATURE-----
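A pre-upgrade check for the "Important steps" item in the announcement above, as an added example that is not part of the original message or the Linux-HA code base. It assumes "valid id" means what an XML DTD requires of an ID attribute (present, a legal XML name, unique in the document); `ID_REQUIRED` holds only the element the announcement names and is meant to be extended, and the sample CIB is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: only instance_attributes is named in the announcement; extend
# this set with the other elements your CRM DTD declares with a required id.
ID_REQUIRED = {"instance_attributes"}
# ASCII approximation of the XML Name production a DTD ID value must match.
XML_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9._:-]*")

def check_ids(xml_text, id_required=frozenset(ID_REQUIRED)):
    """Return (path, problem) tuples for missing, malformed or duplicate ids."""
    problems, seen = [], {}

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        ident = elem.get("id")
        if ident is None:
            if elem.tag in id_required:
                problems.append((here, "missing id"))
        else:
            if not XML_NAME.fullmatch(ident):
                problems.append((here, f"id {ident!r} is not a valid XML name"))
            if ident in seen:
                problems.append((here, f"duplicate id {ident!r}, first at {seen[ident]}"))
            else:
                seen[ident] = here
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return problems

# Constructed sample CIB fragment, not taken from a real cluster.
SAMPLE = """<cib><configuration><resources>
  <primitive id="ip1" class="ocf" type="IPaddr">
    <instance_attributes>
      <attributes><nvpair id="ip1-addr" name="ip" value="192.0.2.10"/></attributes>
    </instance_attributes>
  </primitive>
  <primitive id="ip1" class="ocf" type="IPaddr">
    <instance_attributes id="2nd-attrs"/>
  </primitive>
</resources></configuration></cib>"""

if __name__ == "__main__":
    for path, problem in check_ids(SAMPLE):
        print(f"{path}: {problem}")
```

An empty result means every checked element carries a usable id; any reported path should be fixed in the CIB before the upgrade.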