Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 528
Alerts This Week
Warning Icon 1 528

Scientific Linux SL5.x Security Advisory: Moderate Conga Update for XSS

Scientific Large Esm H446
Moderate: conga security, bug fix, and enhancement update
Date: Tue, 6 Mar 2012 14:48:54 -0600
Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it.
Sender: Security Errata for Scientific Linux
 
From: This email address is being protected from spambots. You need JavaScript enabled to view it.
Subject: Security ERRATA Moderate: conga on SL5.x i386/x86_64
Comments: To: This email address is being protected from spambots. You need JavaScript enabled to view it.

Synopsis: Moderate: conga security, bug fix, and enhancement update
Issue Date: 2012-02-21
CVE Numbers: CVE-2010-1104
 CVE-2011-1948

The conga packages provide a web-based administration tool for remote
cluster and storage management.

Multiple cross-site scripting (XSS) flaws were found in luci, the conga
web-based administration application. If a remote attacker could trick a
user, who was logged into the luci interface, into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's luci session. (CVE-2010-1104, CVE-2011-1948)

These updated conga packages include several bug fixes and an enhancement.

Users of conga are advised to upgrade to these updated packages, which
correct these issues and add this enhancement. After installing the updated
packages, luci must be restarted ("service luci restart") for the update to
take effect.

SL5:
 i386
 conga-debuginfo-0.12.2-51.el5.i386.rpm
 luci-0.12.2-51.el5.i386.rpm
 ricci-0.12.2-51.el5.i386.rpm
 x86_64
 conga-debuginfo-0.12.2-51.el5.x86_64.rpm
 luci-0.12.2-51.el5.x86_64.rpm
 ricci-0.12.2-51.el5.x86_64.rpm

- Scientific Linux Development Team