[Ganglia-developers] Ganglia 3.0.x security fix
Dear all:

We have been informed by CERN that our web frontend has a security vulnerability and Alex Dean has stepped up to get this fixed. The latest snapshot of the 3.0.x branch with the fix is available here:

http://www.ganglia.info/snapshots/3.0.x/

We would like to make an official release of 3.0.6 ASAP to address this security issue so we would really appreciate it if the community could help us test the snapshot to confirm that everything is working fine. I would personally really appreciate it if you could send a quick note stating that you have tested it and on what distro/arch etc.

Thanks again for your support -- also special thanks go to Romain Wartel from CERN for discovering and reporting this vulnerability.

Cheers,

Bernard

- SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php
___
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers

Re: [Ganglia-developers] Ganglia 3.0.x security fix
Hi Matt:

On 12/10/07, Matthew Chambers [EMAIL PROTECTED] wrote:

> I'm trying to install the development snapshot. I had 3.0.4 installed and I tried to just install the new web snapshot on the existing install since I assumed that nothing has made 3.0.x's frontend incompatible with 3.0.4's gmetad. It appears that the snapshot installs to /var/www/ganglia whereas the original 3.0.4 package I have is installed in /usr/share/ganglia. Installing the 3.0.x snapshot also seems to

Are you on a Red Hat based system? They should all install to /var/www/html/ganglia (assuming you are talking about the web files):

rpm -qlp /usr/src/redhat/RPMS/noarch/ganglia-web-3.0.4-1.noarch.rpm | grep www | head
/var/www/html/ganglia
/var/www/html/ganglia/AUTHORS
/var/www/html/ganglia/COPYING
/var/www/html/ganglia/ChangeLog
/var/www/html/ganglia/Makefile.am
/var/www/html/ganglia/auth.php
/var/www/html/ganglia/class.TemplatePower.inc.php
/var/www/html/ganglia/cluster_legend.html
/var/www/html/ganglia/cluster_view.php
/var/www/html/ganglia/conf.php

> remove the /etc/httpd/conf.d/ganglia.conf that creates the /ganglia alias. I uninstalled the snapshot and updated all my ganglia packages to 3.0.5 and that gave me back my ganglia.conf, but I'm still not sure how to install the snapshot. Am I supposed to override the destination directory when installing the RPM?

The ganglia-web RPM does not provide /etc/httpd/conf.d/ganglia.conf.

I upgraded from 3.0.5 to the snapshot release without any issue -- didn't try with 3.0.4 but I wouldn't expect any problems either.

Cheers,

Bernard

Re: [Ganglia-developers] Ganglia 3.0.x security fix
Bernard Li wrote:

> Hi Matt:
>
> On 12/10/07, Matthew Chambers [EMAIL PROTECTED] wrote:
>
>> I'm trying to install the development snapshot. I had 3.0.4 installed and I tried to just install the new web snapshot on the existing install since I assumed that nothing has made 3.0.x's frontend incompatible with 3.0.4's gmetad. It appears that the snapshot installs to /var/www/ganglia whereas the original 3.0.4 package I have is installed in /usr/share/ganglia. Installing the 3.0.x snapshot also seems to
>
> Are you on a Red Hat based system? They should all install to /var/www/html/ganglia (assuming you are talking about the web files):
>
> rpm -qlp /usr/src/redhat/RPMS/noarch/ganglia-web-3.0.4-1.noarch.rpm | grep www | head
> /var/www/html/ganglia
> /var/www/html/ganglia/AUTHORS
> /var/www/html/ganglia/COPYING
> /var/www/html/ganglia/ChangeLog
> /var/www/html/ganglia/Makefile.am
> /var/www/html/ganglia/auth.php
> /var/www/html/ganglia/class.TemplatePower.inc.php
> /var/www/html/ganglia/cluster_legend.html
> /var/www/html/ganglia/cluster_view.php
> /var/www/html/ganglia/conf.php

Yes I meant /var/www/html/ganglia, but I am on Fedora 7 PPC and both the 3.0.4 and 3.0.5 packages install the web frontend files to /usr/share/ganglia. The ganglia-web package I get via yum is not noarch though.

>> remove the /etc/httpd/conf.d/ganglia.conf that creates the /ganglia alias. I uninstalled the snapshot and updated all my ganglia packages to 3.0.5 and that gave me back my ganglia.conf, but I'm still not sure how to install the snapshot. Am I supposed to override the destination directory when installing the RPM?
>
> The ganglia-web RPM does not provide /etc/httpd/conf.d/ganglia.conf.

I think that RPM automatically uninstalled the 3.0.4 ganglia-web package when I updated it with the new snapshot, and my distro's version of the ganglia-web package must include ganglia.conf while the noarch one does not?

-Matt

Re: [Ganglia-developers] Ganglia 3.0.x security fix
Hi Matt:

It sounds like you are upgrading Ganglia from the distribution version to the official upstream version. This may not always be compatible (I would probably go as far as saying they're incompatible). I only maintain the upstream ganglia.spec, Jarod Wilson maintains the Fedora/Red Hat spec files.

So what I suggest is to uninstall the distribution version, rebuild Ganglia using the SRPM:

rpmbuild --rebuild --target noarch,ppc(64) ganglia tarball

then install that.

Thanks,

Bernard

On 12/10/07, Matthew Chambers [EMAIL PROTECTED] wrote:

> Bernard Li wrote:
>
>> Hi Matt:
>>
>> On 12/10/07, Matthew Chambers [EMAIL PROTECTED] wrote:
>>
>>> I'm trying to install the development snapshot. I had 3.0.4 installed and I tried to just install the new web snapshot on the existing install since I assumed that nothing has made 3.0.x's frontend incompatible with 3.0.4's gmetad. It appears that the snapshot installs to /var/www/ganglia whereas the original 3.0.4 package I have is installed in /usr/share/ganglia. Installing the 3.0.x snapshot also seems to
>>
>> Are you on a Red Hat based system? They should all install to /var/www/html/ganglia (assuming you are talking about the web files):
>>
>> rpm -qlp /usr/src/redhat/RPMS/noarch/ganglia-web-3.0.4-1.noarch.rpm | grep www | head
>> /var/www/html/ganglia
>> /var/www/html/ganglia/AUTHORS
>> /var/www/html/ganglia/COPYING
>> /var/www/html/ganglia/ChangeLog
>> /var/www/html/ganglia/Makefile.am
>> /var/www/html/ganglia/auth.php
>> /var/www/html/ganglia/class.TemplatePower.inc.php
>> /var/www/html/ganglia/cluster_legend.html
>> /var/www/html/ganglia/cluster_view.php
>> /var/www/html/ganglia/conf.php
>
> Yes I meant /var/www/html/ganglia, but I am on Fedora 7 PPC and both the 3.0.4 and 3.0.5 packages install the web frontend files to /usr/share/ganglia. The ganglia-web package I get via yum is not noarch though.
>
>>> remove the /etc/httpd/conf.d/ganglia.conf that creates the /ganglia alias. I uninstalled the snapshot and updated all my ganglia packages to 3.0.5 and that gave me back my ganglia.conf, but I'm still not sure how to install the snapshot. Am I supposed to override the destination directory when installing the RPM?
>>
>> The ganglia-web RPM does not provide /etc/httpd/conf.d/ganglia.conf.
>
> I think that RPM automatically uninstalled the 3.0.4 ganglia-web package when I updated it with the new snapshot, and my distro's version of the ganglia-web package must include ganglia.conf while the noarch one does not?
>
> -Matt

Re: [Ganglia-developers] Ganglia 3.0.x security fix
Bernard Li wrote:

> Hi Matt:
>
> It sounds like you are upgrading Ganglia from the distribution version to the official upstream version. This may not always be compatible (I would probably go as far as saying they're incompatible). I only maintain the upstream ganglia.spec, Jarod Wilson maintains the Fedora/Red Hat spec files.
>
> So what I suggest is to uninstall the distribution version, rebuild Ganglia using the SRPM:
>
> rpmbuild --rebuild --target noarch,ppc(64) ganglia tarball
>
> then install that.
>
> Thanks,
>
> Bernard

Hi Bernard,

Thanks for the help. I tried that method, and got pretty far, but then got this error:

gcc -O0 -I../lib -I../gmond -I../srclib/expat/lib/ -O3 -Wall -D_REENTRANT -O3 -o gmetad gmetad.o cmdline.o data_thread.o server.o process_xml.o rrd_helpers.o conf.o type_hash.o xml_hash.o cleanup.o -L/frogstar/usr/ppc/lib -L/usr/lib ../lib/.libs/libganglia.a /frogstar/usr/ppc/lib/librrd.a -L/lib -lpng12 -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -lglib-2.0 -lm ../srclib/expat/lib/.libs/libexpat.a -ldl -lresolv -lnsl -lpthread
/usr/bin/ld: cannot find -lpangocairo-1.0
collect2: ld returned 1 exit status

I installed cairo-devel and pango-devel packages and the next build attempt worked fine, so it appears those dependencies are not properly checked for in the build (FYI). After that things went smoothly and it appears to be running fine (http://fenchurch.mc.vanderbilt.edu/ganglia); I only updated ganglia on the head node (hosting both the web frontend and gmetad).

-Matt