Synopsis:          Important: pcs security and bug fix update
Advisory ID:       SLSA-2015:0990-1
Issue Date:        2015-05-12
CVE Numbers:       CVE-2015-1848
--

It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI.

Note: the pcsd web UI is not enabled by default. (CVE-2015-1848)

This update also fixes the following bug:

* When the IPv6 protocol was disabled on a system, starting the pcsd daemon
on this system previously failed. This update adds the ability for pcsd to
fall back to IPv4 when IPv6 is not available. As a result, pcsd starts
properly and uses IPv4 if IPv6 is disabled.

After installing the updated packages, the pcsd daemon will be restarted
automatically.
--

SL6
  x86_64
    pcs-0.9.123-9.el6_6.2.x86_64.rpm
    pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
  i386
    pcs-0.9.123-9.el6_6.2.i686.rpm
    pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
  srpm
    pcs-0.9.123-9.el6_6.2.src.rpm
  noarch
    pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
    pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm

- Scientific Linux Development Team
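
The flaw class described above (session data kept in a cookie that the server does not sign) next to a signed form that detects modification, as an added example that is not pcs code and not part of the advisory. The key, the cookie layout (base64 payload, ".", hex HMAC-SHA256 tag), the function names and the sample session are assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Constructed demo key (assumption); a real service loads a random secret.
DEMO_KEY = "constructed-demo-key-do-not-reuse"

# Unsigned form: whatever session data the client returns is trusted as-is.
def encode_unsigned(session)
  [JSON.generate(session)].pack("m0")
end

def decode_unsigned(cookie)
  JSON.parse(cookie.unpack1("m0"))
end

# Compare two strings without stopping at the first differing byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Signed form: "<base64 payload>.<hex HMAC-SHA256 of payload>".
def encode_signed(session, key = DEMO_KEY)
  payload = encode_unsigned(session)
  "#{payload}.#{OpenSSL::HMAC.hexdigest("SHA256", key, payload)}"
end

# Returns the session hash, or nil when the tag is missing or does not verify.
def decode_signed(cookie, key = DEMO_KEY)
  payload, tag = cookie.to_s.split(".", 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, payload)
  return nil unless constant_time_eq?(tag, expected)
  decode_unsigned(payload)
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  session = { "user" => "alice", "role" => "viewer" } # constructed sample
  cookie = encode_signed(session)
  _payload, tag = cookie.split(".", 2)
  altered = encode_unsigned(session.merge("role" => "admin"))
  puts "valid cookie   -> #{decode_signed(cookie).inspect}"
  puts "altered cookie -> #{decode_signed("#{altered}.#{tag}").inspect}"
end
```

The signature only protects integrity; session data in the payload is still readable by the client, so secrets do not belong in it.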