Synopsis:	Important: tog-pegasus security update
Issue date:	2008-11-25
CVE Names:	CVE-2008-4313 CVE-2008-4315

Scientific Linux defines additional security enhancements for OpenGroup Pegasus 
WBEM services in addition to those defined by the upstream OpenGroup Pegasus
release.

After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these
additional security enhancements were no longer being applied. As a
consequence, access to OpenPegasus WBEM services was not restricted to the
dedicated users. An attacker able to authenticate using a valid user account 
could use this flaw to send requests to WBEM services. (CVE-2008-4313)

Note: default SELinux policy prevents tog-pegasus from modifying system
files. This flaw's impact depends on whether or not tog-pegasus is confined
by SELinux, and on any additional CMPI providers installed and enabled on a
particular system.

Failed authentication attempts against the OpenPegasus CIM server were not
logged to the system log. An attacker could use this flaw to perform password 
guessing attacks against a user account without leaving traces in the system 
log. (CVE-2008-4315)

SL 5.x

    SRPMS:
tog-pegasus-2.7.0-2.el5_2.1.src.rpm
    i386:
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
    x86_64:
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm

-Connie Sieh
-Troy Dawson