Please download and install Hotfix, Privilege Manager for Unix 6.0.0.061 for Solution 133824 by Clicking Here for server policy packages.
Client packages can be downloaded HereThe following is a list of issues resolved in this hotfix.
|Resolved Issue||Issue ID|
|Two security vulnerabilities (CVE-2017-6553 - pmmasterd buffer overflow & CVE-2017-6554 - pmmasterd arbitrary file write) were addressed, by which a remote attacker could gain control of the policy server. Validation code has been added and obsolete code removed to secure the pmmasterd daemon against these vulnerabilities.||0006556|
|The pmlogsrvd sometimes would not respond to terminate signal (kill -15) leaving it in a loop doing nothing and consuming CPU resources.||0006553|
|The pmpolicy program will filter out double quote (“) characters from commit messages to prevent issues in MCU when generating the “policy changes” report.||0006546|
|The pmlogsrvd will periodically remove events from the event cache that cannot be processed.||0006537|
When the policy server is very busy, the mktemp() policy function may use an malformed filename causing an error message similar to the following when opening the iolog file:
pmmasterd6.0.0 (040):3361.01 open iolog log:
The pmmasterd now protects against this by retrying to generate the filename and open the iolog file if a failure occurs.
Fixed memory leak and modified the evcache processing to improve memory usage.
Two new pm.settings values have been introduced:
EventQueueProcessLimit – Limits the number of cached events that will be processed at a time (to limit memory usage). Default value is 0 (no limit)
EventQueueFlush – Interval in minutes in which the pmlogsrvd process reopens the eventlog database, thereby flushing the data used in memory. Default is 0 (the database is kept open while the service is running).
|Using the getstringpasswd() function would crash pmmasterd and cause the session to fail. This has now been fixed.||0006544|
|pmlogsearch will now return partial results if secondary policy servers are unavailable instead of returning an error, so that MCU can display the partial results.||0006542|
|Several settings were not able to be configured via the -d option in pmjoin and pmsrvconfig. All valid settings are now recognized by the -d option.||0006540|
|On Linux platforms fixed a stdout issue for print() statements when running multiple commands (one of which being pmrun) via ssh.||0006536|
|Changes to the runhost variable within the policy were being reset, causing the changes to be ignored.||0006531|
|Privilege Manager for Unix||6.0.0 versions prior to 6.0.0 (061)|
To install this hotfix:
Before applying this hotfix, ensure you have an appropriate backup of your machine.
Depending on your platform's package management software, you may be required to remove previous versions to upgrade to a newer version.
Copy the installation files to temporary directory.
Change directory to the package location and run the platform specific package install program to install the desired package.
For example, on a Redhat based x86_64 system, you may use rpm --upgrade to upgrade the server package:
rpm --upgrade qpm-server-6.0.0-50-x86_64.rpm
Determining if This Hotfix Is Installed
To determine if this hotfix is installed:
Verify the build number by running "pmrun -v" and "pmlocald -v" (the build number is displayed in parenthesis):
Removing This Hotfix
To remove this hotfix:
Use the platform specific package management software to remove the installed package and re-install to the previous installed version.
For example, on a Redhat based x86_64 system, you may use the rpm --oldpackage option to rollback the server package:
rpm --upgrade --oldpackage qpm-server_6.0.0-<version>-x86_64.rpm
(On policy servers only) If reverting to a version prior to 6.0.0 (032), change the pmpolicy service user's shell to a standard UNIX shell (e.g. /bin/bash)
usermod -s /bin/bash pmpolicy