SCIENTIFIC-LINUX-ERRATA Archives

May 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Wed, 13 May 2015 15:37:42 +0000
Synopsis:          Important: pcs security and bug fix update
Advisory ID:       SLSA-2015:0990-1
Issue Date:        2015-05-12
CVE Numbers:       CVE-2015-1848
--

It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI. Note: the
pcsd web UI is not enabled by default. (CVE-2015-1848)
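As an added illustration, not code from pcs or from Scientific Linux: a constructed Ruby sketch of the control the advisory says was missing, a server-keyed HMAC tag over the session cookie, so that a cookie whose session data was altered or fabricated by the client fails verification instead of being trusted. The key, the field names and the hex-plus-JSON encoding are assumptions made for the example.

```ruby
require 'openssl'
require 'json'

# Constructed demo key. A real service loads a random per-installation secret
# from protected storage; the whole scheme is only as strong as this key.
SESSION_KEY = 'constructed-demo-key-not-for-production'.freeze

# Constant-time byte comparison so tag checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialise the session hash (hex-encoded JSON) and append an HMAC-SHA256 tag
# computed over it with the server key. The client can read the payload but
# cannot change it without producing a tag it has no key to compute.
def sign_session(data, key = SESSION_KEY)
  payload = JSON.generate(data).unpack1('H*')
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', key, payload)}"
end

# Verify and decode a cookie value. Returns the session hash, or nil when the
# cookie is malformed or its tag does not match (altered or fabricated).
def verify_session(cookie, key = SESSION_KEY)
  payload, tag = cookie.to_s.split('.', 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  return nil unless secure_equal?(tag, expected)
  JSON.parse([payload].pack('H*'))
rescue JSON::ParserError
  nil
end

# Unsigned variant, the design the advisory describes: the server accepts
# whatever session data the client sends back, with nothing to check against.
def decode_unsigned(cookie)
  JSON.parse([cookie.to_s].pack('H*'))
rescue JSON::ParserError
  nil
end
```

Rotating SESSION_KEY invalidates every outstanding cookie, which is the intended effect after a suspected key exposure.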

This update also fixes the following bug:

* When the IPv6 protocol was disabled on a system, starting the pcsd
daemon on this system previously failed. This update adds the ability for
pcsd to fall back to IPv4 when IPv6 is not available. As a result, pcsd
starts properly and uses IPv4 if IPv6 is disabled.

After installing the updated packages, the pcsd daemon will be restarted
automatically.
--

SL6
  x86_64
    pcs-0.9.123-9.el6_6.2.x86_64.rpm
    pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
  i386
    pcs-0.9.123-9.el6_6.2.i686.rpm
    pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
  srpm
    pcs-0.9.123-9.el6_6.2.src.rpm
  noarch
    pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
    pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm

- Scientific Linux Development Team
