LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

March 2012

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA March 2012

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: conga on SL5.x i386/x86_64
From:	[log in to unmask]
Reply To:	[log in to unmask]
Date:	Tue, 6 Mar 2012 14:48:54 -0600
Content-Type:	text/plain
Parts/Attachments:	text/plain (34 lines)

Synopsis:    Moderate: conga security, bug fix, and enhancement update
Issue Date:  2012-02-21
CVE Numbers: CVE-2010-1104
             CVE-2011-1948


The conga packages provide a web-based administration tool for remote
cluster and storage management.

Multiple cross-site scripting (XSS) flaws were found in luci, the conga
web-based administration application. If a remote attacker could trick a
user, who was logged into the luci interface, into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's luci session. (CVE-2010-1104, CVE-2011-1948)

These updated conga packages include several bug fixes and an enhancement.

Users of conga are advised to upgrade to these updated packages, which
correct these issues and add this enhancement. After installing the updated
packages, luci must be restarted ("service luci restart") for the update to
take effect.

SL5:
  i386
     conga-debuginfo-0.12.2-51.el5.i386.rpm
     luci-0.12.2-51.el5.i386.rpm
     ricci-0.12.2-51.el5.i386.rpm
  x86_64
     conga-debuginfo-0.12.2-51.el5.x86_64.rpm
     luci-0.12.2-51.el5.x86_64.rpm
     ricci-0.12.2-51.el5.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV