luci-0.26.0-48.AXS4

Errata ID: AXSA:2014-025:01

Release date: 
Tuesday, March 11, 2014 - 13:01
Subject: 
luci-0.26.0-48.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

The luci packages contain a web-based high-availability cluster configuration application.

Security issues fixed with this release:

• CVE-2013-4481
Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as "authentication secrets."

• CVE-2013-4482
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories.
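
The create-then-restrict pattern behind CVE-2013-4481, beside a creation call that applies the restrictive mode atomically. This is an added example, not luci's code: the function names, the scratch directory, the 022 umask and the 0600 target mode are assumptions made for illustration.

```python
import os
import stat
import tempfile

FINAL_MODE = 0o600  # assumed target mode; the advisory does not state the one luci uses


def write_then_restrict(path, data):
    """Racy pattern: the file exists with umask-derived permissions until chmod runs."""
    with open(path, "w") as fh:  # created as 0666 & ~umask
        fh.write(data)
    window_mode = stat.S_IMODE(os.stat(path).st_mode)  # what other local users see
    os.chmod(path, FINAL_MODE)
    return window_mode


def create_restricted(path, data):
    """Hardened pattern: the mode is applied atomically by open(2) at creation."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL  # O_EXCL: never reuse a pre-made file
    fd = os.open(path, flags, FINAL_MODE)
    with os.fdopen(fd, "w") as fh:
        created_mode = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(data)
    return created_mode


def demo():
    """Run both patterns under a typical daemon umask (022) in a scratch directory."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            secret = "[app]\nsecret = constructed-sample-value\n"  # constructed input
            racy = write_then_restrict(os.path.join(tmp, "racy.ini"), secret)
            safe = create_restricted(os.path.join(tmp, "safe.ini"), secret)
    finally:
        os.umask(old_umask)
    return racy, safe


if __name__ == "__main__":
    racy, safe = demo()
    for name, mode in (("write-then-chmod", racy), ("create-restricted", safe)):
        print(f"{name}: mode at creation {oct(mode)}, "
              f"world-readable={bool(mode & stat.S_IROTH)}")
```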

Fixed bugs:

• Luci's capability to work with the full set of agent parameters has been restored. Configured fence device parameters that were previously discarded now work as expected; this includes the parameters "cmd_prompt", "login_timeout", "power_timeout", "retry_on", "shell_timeout" and "delay".

• Luci's capability to work with the full set of fence devices has been restored. Previously, Dell iDRAC (idrac), HP iLO2 (ilo2), HP iLO3 (ilo3), and IBM Integrated Management Module (imm) devices or agents did not work properly, nor did a cluster comprising them.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. luci-0.26.0-48.AXS4.src.rpm
    MD5: 40b030d14dde7c9464a693625584ac98
    SHA-256: d8baa005c252b515a70c759b82f020debd2aac4ff337f2b8408d6889734ef437
    Size: 472.61 kB

Asianux Server 4 for x86
  1. luci-0.26.0-48.AXS4.i686.rpm
    MD5: 0246d7e50b74708610c670dbb8009b56
    SHA-256: 15f9c0ce34055959b969c5005a810d0fbb6da91366a1699ad6ff1f48f1ab0026
    Size: 554.56 kB

Asianux Server 4 for x86_64
  1. luci-0.26.0-48.AXS4.x86_64.rpm
    MD5: 129f7966ef6bbb44918ffa2a688452c1
    SHA-256: 63474ce9e531c3ebddfff2c6218417524d9208e17b04ae0333ef963f6f27f6f5
    Size: 554.31 kB