Synopsis:          Important: pcs security and bug fix update
Advisory ID:       SLSA-2015:0980-1
Issue Date:        2015-05-12
CVE Numbers:       CVE-2015-1848
--

It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI.
(CVE-2015-1848)
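To make the flaw concrete, the following Python snippet contrasts an unsigned session cookie (the class of bug described above: the client can decode, edit and re-encode it) with an HMAC-signed one that rejects tampering. This is an added illustration, not pcsd's own code or its fix; the cookie layout, the `username` field and the server secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example. A real service generates this once with a
# CSPRNG (e.g. secrets.token_bytes(32)) and stores it outside the web root.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def _b64(data: bytes) -> str:
    # urlsafe base64 never contains '.', so '.' can separate payload and tag.
    return base64.urlsafe_b64encode(data).decode()


def encode_unsigned(session: dict) -> str:
    """Vulnerable form: the cookie is only encoded, never authenticated."""
    return _b64(json.dumps(session, sort_keys=True).encode())


def decode_unsigned(cookie: str) -> dict:
    """The server trusts whatever the client sends back."""
    return json.loads(base64.urlsafe_b64decode(cookie.encode()))


def forge_unsigned(cookie: str, **changes) -> str:
    """What a remote attacker can do to an unsigned cookie: decode, edit, re-encode."""
    session = decode_unsigned(cookie)
    session.update(changes)
    return encode_unsigned(session)


def encode_signed(session: dict, key: bytes = SERVER_SECRET) -> str:
    """Hardened form: payload plus HMAC-SHA256 tag computed with a server-only key."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_signed(cookie: str, key: bytes = SERVER_SECRET):
    """Return the session dict only if the tag verifies; None for any other input."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no tag at all
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def forge_signed(cookie: str, **changes) -> str:
    """Same tampering attempted on the signed form: payload swapped, old tag kept."""
    payload, tag = cookie.rsplit(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload.encode()))
    session.update(changes)
    return f"{_b64(json.dumps(session, sort_keys=True).encode())}.{tag}"


if __name__ == "__main__":
    victim = {"username": "guest"}
    print("unsigned forgery accepted:",
          decode_unsigned(forge_unsigned(encode_unsigned(victim), username="hacluster")))
    print("signed forgery accepted:",
          decode_signed(forge_signed(encode_signed(victim), username="hacluster")))
```

Signing stops forgery but not disclosure: the payload is still readable by whoever holds the cookie, so a session cookie should carry an identifier or non-sensitive claims, be marked `Secure` and `HttpOnly`, and be rotated on login. Encrypt-then-MAC (or an AEAD) is the next step if the contents must also stay private.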

This update also fixes the following bug:

* Previously, the Corosync tool allowed the two_node option and the
auto_tie_breaker option to exist in the corosync.conf file at the same
time. As a consequence, if both options were included, auto_tie_breaker
was silently ignored and the two_node fence race decided which node would
survive in the event of a communication break. With this update, the pcs
daemon has been fixed so that it does not produce corosync.conf files with
both two_node and auto_tie_breaker included. In addition, if both two_node
and auto_tie_breaker are detected in corosync.conf, Corosync issues a
message at start-up and disables two_node mode. As a result,
auto_tie_breaker effectively overrides two_node mode if both options are
specified.
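A practitioner checking existing clusters after this update may want to find corosync.conf files that still carry both options. The following Python script, an added example and not part of pcs or Corosync, parses corosync.conf's `key: value` / `name { ... }` syntax and reports when the quorum section enables both two_node and auto_tie_breaker. The sample configurations are constructed for the example; node names and addresses are not from any real cluster.

```python
# Constructed example: two nodes, quorum section with the conflicting options.
CONFLICTING_CONF = """\
totem {
    version: 2
    cluster_name: example
}
nodelist {
    node {
        ring0_addr: node1
        nodeid: 1
    }
    node {
        ring0_addr: node2
        nodeid: 2
    }
}
quorum {
    provider: corosync_votequorum
    two_node: 1
    auto_tie_breaker: 1   # conflicts with two_node
}
"""

# Constructed example of the form the fixed pcs daemon produces: one or the other.
FIXED_CONF = CONFLICTING_CONF.replace("    two_node: 1\n", "")


def parse_corosync_conf(text: str) -> dict:
    """Parse corosync.conf into nested dicts; repeated sections become a list."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            child = {}
            existing = cur.get(name)
            if existing is None:
                cur[name] = child
            elif isinstance(existing, list):
                existing.append(child)
            else:
                cur[name] = [existing, child]
            stack.append(cur)
            cur = child
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            cur = stack.pop()
        elif ":" in line:
            key, value = line.split(":", 1)  # first colon only; values may hold ':'
            cur[key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if stack:
        raise ValueError("unbalanced '{'")
    return root


def _enabled(value) -> bool:
    return str(value).strip().lower() in ("1", "yes", "on", "true")


def check_quorum_conflict(text: str) -> list:
    """Return a list of findings; empty means no two_node/auto_tie_breaker conflict."""
    conf = parse_corosync_conf(text)
    quorum = conf.get("quorum", {})
    if isinstance(quorum, list):  # tolerate a repeated section, check the last one
        quorum = quorum[-1]
    findings = []
    if _enabled(quorum.get("two_node", "0")) and _enabled(quorum.get("auto_tie_breaker", "0")):
        findings.append("quorum: two_node and auto_tie_breaker are both enabled; "
                        "Corosync will disable two_node at start-up and auto_tie_breaker takes effect")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/corosync/corosync.conf"
    with open(path) as fh:
        for finding in check_quorum_conflict(fh.read()):
            print(finding)
```

Run it against `/etc/corosync/corosync.conf` on each node; the parser is deliberately strict and raises on lines it does not understand rather than silently skipping them, so a malformed file surfaces instead of producing a false "no conflict" result.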

After installing the updated packages, the pcsd daemon will be restarted
automatically.
--

SL7
  x86_64
    pcs-0.9.137-13.el7_1.2.x86_64.rpm
    pcs-debuginfo-0.9.137-13.el7_1.2.x86_64.rpm
    python-clufter-0.9.137-13.el7_1.2.x86_64.rpm

- Scientific Linux Development Team