Synopsis: Important: pcs security and bug fix update
Advisory ID: SLSA-2015:0980-1
Issue Date: 2015-05-12
CVE Numbers: CVE-2015-1848
--
It was found that the pcs daemon did not sign cookies containing session data that were sent to clients connecting via the pcsd web UI. A remote attacker could use this flaw to forge cookies and bypass authorization checks, possibly gaining elevated privileges in the pcsd web UI. (CVE-2015-1848)

This update also fixes the following bug:

* Previously, the Corosync tool allowed the two_node option and the auto_tie_breaker option to exist in the corosync.conf file at the same time. As a consequence, if both options were included, auto_tie_breaker was silently ignored and the two_node fence race decided which node would survive in the event of a communication break. With this update, the pcs daemon has been fixed so that it does not produce corosync.conf files with both two_node and auto_tie_breaker included. In addition, if both two_node and auto_tie_breaker are detected in corosync.conf, Corosync issues a message at start-up and disables two_node mode. As a result, auto_tie_breaker effectively overrides two_node mode if both options are specified.

After installing the updated packages, the pcsd daemon will be restarted automatically.
--
SL7
x86_64
pcs-0.9.137-13.el7_1.2.x86_64.rpm
pcs-debuginfo-0.9.137-13.el7_1.2.x86_64.rpm
python-clufter-0.9.137-13.el7_1.2.x86_64.rpm
- Scientific Linux Development Team
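Configuration files written by a pcs build older than this update may still carry both quorum options. The following is an added example, not code from pcs, corosync or the advisory: a small corosync.conf reader that flags a quorum section with both two_node and auto_tie_breaker enabled, run over two constructed sample files.

```python
# Added example (not pcs or corosync code): scan a corosync.conf for the
# two_node / auto_tie_breaker combination described in SLSA-2015:0980-1.

# Constructed sample: the combination older pcs could emit, in which
# two_node was silently ignored before the Corosync fix.
CONFLICTING_CONF = """\
totem {
    version: 2
    cluster_name: demo   # constructed cluster name
}
quorum {
    provider: corosync_votequorum
    two_node: 1
    auto_tie_breaker: 1
}
"""

# Constructed sample: the same cluster with only auto_tie_breaker set.
CLEAN_CONF = CONFLICTING_CONF.replace("    two_node: 1\n", "")


def parse_corosync_conf(text):
    """Flatten corosync.conf into {'section.key': value}.

    Sections are 'name {' ... '}' blocks, settings are 'key: value' lines
    and '#' starts a comment. Only the subset needed for this check is handled.
    """
    settings = {}
    path = []  # stack of enclosing section names
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            settings[".".join(path + [key])] = value
    return settings


def quorum_conflict(text):
    """True if both two_node and auto_tie_breaker are enabled in quorum {}."""
    s = parse_corosync_conf(text)
    return s.get("quorum.two_node") == "1" and s.get("quorum.auto_tie_breaker") == "1"


if __name__ == "__main__":
    for name, conf in (("conflicting", CONFLICTING_CONF), ("clean", CLEAN_CONF)):
        print(f"{name}: {'conflict' if quorum_conflict(conf) else 'ok'}")
```

Point it at /etc/corosync/corosync.conf on each node to confirm no conflicting file is left over after the update.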