Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Scientific Linux: SLSA-2015:0990-1 Critical pcs Authorization Bypass

Scientific Large Esm H446
Important: pcs security and bug fix update
Date: Wed, 13 May 2015 15:37:42 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: pcs on SL6.x i386/srpm/x86_64
MIME-Version: 1.0

Synopsis: Important: pcs security and bug fix update
Advisory ID: SLSA-2015:0990-1
Issue Date: 2015-05-12
CVE Numbers: CVE-2015-1848
--

It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI. Note: the
pcsd web UI is not enabled by default. (CVE-2015-1848)

This update also fixes the following bug:

* When the IPv6 protocol was disabled on a system, starting the pcsd
daemon on this system previously failed. This update adds the ability for
pcsd to fall back to IPv4 when IPv6 is not available. As a result, pcsd
starts properly and uses IPv4 if IPv6 is disabled.

After installing the updated packages, the pcsd daemon will be restarted
automatically.
--

SL6
 x86_64
 pcs-0.9.123-9.el6_6.2.x86_64.rpm
 pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
 i386
 pcs-0.9.123-9.el6_6.2.i686.rpm
 pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
 srpm
 pcs-0.9.123-9.el6_6.2.src.rpm
 noarch
 pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
 pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm

- Scientific Linux Development Team