Date: Wed, 13 May 2015 15:37:42 +0000
Synopsis: Important: pcs security and bug fix update
Advisory ID: SLSA-2015:0990-1
Issue Date: 2015-05-12
CVE Numbers: CVE-2015-1848
--
It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI. Note: the
pcsd web UI is not enabled by default. (CVE-2015-1848)
This update also fixes the following bug:
* When the IPv6 protocol was disabled on a system, starting the pcsd
daemon on this system previously failed. This update adds the ability for
pcsd to fall back to IPv4 when IPv6 is not available. As a result, pcsd
starts properly and uses IPv4 if IPv6 is disabled.
After installing the updated packages, the pcsd daemon will be restarted
automatically.
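Added example, not part of the advisory and not pcsd's code: a Ruby sketch of the class of flaw described above for CVE-2015-1848, showing a session cookie reader that trusts unsigned data next to one that requires a valid HMAC. All function names, the cookie layout and the session fields are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical server-side key; generated at startup and never sent to clients.
SECRET = OpenSSL::Random.random_bytes(32)

def mac(payload, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, payload)
end

# Compare two strings without leaking the mismatch position through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Unsigned form: the server decodes whatever the client sends back,
# so any field in the session data is client-controlled.
def read_unsigned_cookie(cookie)
  JSON.parse(Base64.strict_decode64(cookie))
rescue ArgumentError, JSON::ParserError
  nil
end

# Signed form: the encoded session data is followed by "--" and an HMAC tag.
def issue_cookie(session, key = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{mac(payload, key)}"
end

# Returns the session hash only when the tag verifies; nil otherwise.
# The MAC is checked before the payload is decoded or parsed.
def read_cookie(cookie, key = SECRET)
  payload, sep, tag = cookie.to_s.rpartition('--')
  return nil if sep.empty? || payload.empty?
  return nil unless secure_compare(tag, mac(payload, key))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end
```

With the signed form, a cookie whose session data was changed after issue, or one signed with a different key, is rejected instead of being treated as an authenticated session.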
--
SL6
x86_64
pcs-0.9.123-9.el6_6.2.x86_64.rpm
pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
i386
pcs-0.9.123-9.el6_6.2.i686.rpm
pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
srpm
pcs-0.9.123-9.el6_6.2.src.rpm
noarch
pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
- Scientific Linux Development Team