DSA-2095-1 lvm2 -- insecure communication protocol

Debian Security Advisory

DSA-2095-1 lvm2 -- insecure communication protocol

Date Reported:

23 Aug 2010

Affected Packages:

lvm2

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 591204.
In Mitre's CVE dictionary: CVE-2010-2526.

More information:

Alasdair Kergon discovered that the cluster logical volume manager daemon (clvmd) in LVM2, The Linux Logical Volume Manager, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service.

For the stable distribution (lenny), this problem has been fixed in version 2.02.39-8.

For the testing distribution (squeeze), and the unstable distribution (sid), this problem has been fixed in version 2.02.66-3.

We recommend that you upgrade your lvm2 package.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8.diff.gz

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39.orig.tar.gz

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8.dsc

Alpha:

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_alpha.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_alpha.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_alpha.udeb

AMD64:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_amd64.udeb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_amd64.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_amd64.deb

ARM EABI:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_armel.udeb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_armel.deb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_armel.deb

HP Precision:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_hppa.deb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_hppa.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_hppa.udeb

Intel IA-32:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_i386.deb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_i386.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_i386.udeb

Intel IA-64:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_ia64.udeb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_ia64.deb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_ia64.deb

Big-endian MIPS:

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_mips.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_mips.udeb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_mips.deb

Little-endian MIPS:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_mipsel.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_mipsel.udeb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_powerpc.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_powerpc.udeb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_s390.deb

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_s390.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_s390.udeb

Sun Sparc:

http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_sparc.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_sparc.deb

http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_sparc.udeb

MD5 checksums of the listed files are available in the original advisory.