pcs (SL7)

Synopsis: Important: pcs security and bug fix update
Advisory ID: SLSA-2015:0980-1
Issue Date: 2015-05-12
CVE Numbers: CVE-2015-1848

It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI.
(CVE-2015-1848)
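The flaw above is easiest to see side by side with its remedy. The following Ruby (pcsd itself is written in Ruby) is an added illustration for this advisory, not code from pcsd or from the fix: it models a session cookie that carries its data unsigned, shows how a client can rewrite a field and have the server trust it, and then shows the same cookie with an HMAC-SHA256 tag that the server verifies before reading any field. The session layout (`user`, `is_admin`), the `--` separator and the secret are all constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for the demonstration only. A real service keeps one
# random secret per installation, outside the web root.
DEMO_SECRET = OpenSSL::Random.random_bytes(32)

# --- Weak scheme: session data is only encoded, never authenticated -------

def encode_unsigned(session)
  Base64.strict_encode64(JSON.generate(session))
end

def decode_unsigned(cookie)
  JSON.parse(Base64.strict_decode64(cookie))
end

# --- Hardened scheme: payload plus HMAC, verified before use ---------------

def encode_signed(session, secret = DEMO_SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Constant-time comparison so the tag check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session Hash, or nil for any cookie whose tag does not verify.
def decode_signed(cookie, secret = DEMO_SECRET)
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(expected, mac)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Attacker move against the signed cookie: edit the payload, keep the old
# tag, since the secret is needed to compute a new one.
def tamper_signed(cookie)
  payload, mac = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(payload))
  session['is_admin'] = true
  "#{Base64.strict_encode64(JSON.generate(session))}--#{mac}"
end

# Runs both schemes against the same forgery attempt and reports the outcome.
def demo
  session = { 'user' => 'hacluster', 'is_admin' => false }
  forged_unsigned = encode_unsigned(session.merge('is_admin' => true))
  signed = encode_signed(session)
  forged_signed = tamper_signed(signed)
  {
    unsigned_accepts_forgery: decode_unsigned(forged_unsigned)['is_admin'] == true,
    signed_accepts_genuine: decode_signed(signed) == session,
    signed_rejects_forgery: decode_signed(forged_signed).nil?
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Signing alone does not make the cookie confidential: the payload is still readable by whoever holds it, which is why sessions that carry more than an identifier are usually encrypted as well. It does, however, close the authorization bypass the advisory describes, because the server now refuses any cookie whose contents it did not itself emit.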

This update also fixes the following bug:

* Previously, the Corosync tool allowed the two_node option and the
auto_tie_breaker option to exist in the corosync.conf file at the same
time. As a consequence, if both options were included, auto_tie_breaker
was silently ignored and the two_node fence race decided which node would
survive in the event of a communication break. With this update, the pcs
daemon has been fixed so that it does not produce corosync.conf files with
both two_node and auto_tie_breaker included. In addition, if both two_node
and auto_tie_breaker are detected in corosync.conf, Corosync issues a
message at start-up and disables two_node mode. As a result,
auto_tie_breaker effectively overrides two_node mode if both options are
specified.
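Administrators who built clusters before this update may still have corosync.conf files carrying both options. The Ruby below is an added example for this advisory, not pcs or Corosync code: it parses the `section { key: value }` layout of corosync.conf, reports the two_node/auto_tie_breaker conflict, and produces a corrected file by dropping two_node, which matches the precedence the update gives auto_tie_breaker. The sample configuration is constructed; node names and addresses in it are placeholders.

```ruby
# Constructed two-node corosync.conf that exhibits the conflict described
# in the advisory (both two_node and auto_tie_breaker enabled).
SAMPLE_CONF = <<~CONF
  totem {
      version: 2
      cluster_name: demo
      transport: udpu
  }
  nodelist {
      node {
          ring0_addr: node1
          nodeid: 1
      }
      node {
          ring0_addr: node2
          nodeid: 2
      }
  }
  quorum {
      provider: corosync_votequorum
      two_node: 1
      auto_tie_breaker: 1   # ignored by older Corosync when two_node is set
  }
  logging {
      to_syslog: yes
  }
CONF

# Minimal parser for corosync.conf: returns a flat Hash keyed by dotted
# section path ("quorum.two_node" => "1"). Repeated sections such as the
# node {} blocks overwrite each other, which is fine for a quorum check.
def parse_corosync_conf(text)
  settings = {}
  path = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if (m = line.match(/\A(\w+)\s*\{\z/))
      path.push(m[1])
    elsif line == '}'
      raise ArgumentError, 'unbalanced closing brace' if path.empty?
      path.pop
    elsif (m = line.match(/\A([\w.]+)\s*:\s*(.*)\z/))
      settings[(path + [m[1]]).join('.')] = m[2].strip
    else
      raise ArgumentError, "unparseable line: #{raw.strip}"
    end
  end
  raise ArgumentError, 'unclosed section' unless path.empty?
  settings
end

# Corosync treats an absent option or "0" as off; anything else is on.
def enabled?(value)
  !value.nil? && value != '0'
end

def quorum_conflict?(settings)
  enabled?(settings['quorum.two_node']) && enabled?(settings['quorum.auto_tie_breaker'])
end

# Returns the configuration text with the two_node line removed when both
# options are set, leaving auto_tie_breaker as the effective tie-break.
def drop_two_node_if_conflicting(text)
  return text unless quorum_conflict?(parse_corosync_conf(text))
  text.lines.reject { |l| l.strip =~ /\Atwo_node\s*:/ }.join
end

if $PROGRAM_NAME == __FILE__
  conf = parse_corosync_conf(SAMPLE_CONF)
  puts "conflict: #{quorum_conflict?(conf)}"
  puts drop_two_node_if_conflicting(SAMPLE_CONF)
end
```

The check reads the file as text; it does not ask the running Corosync for its view, so run it against each node's copy of /etc/corosync/corosync.conf after the update, since the updated pcsd stops generating the conflict but does not rewrite files it already wrote.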

After installing the updated packages, the pcsd daemon will be restarted
automatically.

SL7
x86_64
pcs-0.9.137-13.el7_1.2.x86_64.rpm
pcs-debuginfo-0.9.137-13.el7_1.2.x86_64.rpm
python-clufter-0.9.137-13.el7_1.2.x86_64.rpm

– Scientific Linux Development Team