Synopsis: Important: pcs security and bug fix update
Advisory ID: SLSA-2015:0990-1
Issue Date: 2015-05-12
CVE Numbers: CVE-2015-1848
—
It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI. Note: the
pcsd web UI is not enabled by default. (CVE-2015-1848)

This update also fixes the following bug:

* When the IPv6 protocol was disabled on a system, starting the pcsd
daemon on this system previously failed. This update adds the ability for
pcsd to fall back to IPv4 when IPv6 is not available. As a result, pcsd
starts properly and uses IPv4 if IPv6 is disabled.

After installing the updated packages, the pcsd daemon will be restarted
automatically.
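The difference between an unsigned and a signed session cookie, the class of flaw behind CVE-2015-1848, is shown below as an added example; it is not pcsd's own code or the fix shipped in this update. The cookie layout, the field names, the `--` separator and the key handling are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Hypothetical server-side key, generated per process for this illustration.
SECRET = SecureRandom.random_bytes(32)

# Unsigned form: the session is only encoded, so the server cannot tell
# whether the client changed it before sending it back.
def encode_unsigned(session)
  [JSON.generate(session)].pack('m0')
end

def decode_unsigned(cookie)
  JSON.parse(cookie.unpack1('m0'))
end

# Signed form: encoded payload plus an HMAC-SHA256 tag over that payload.
def encode_signed(session, key = SECRET)
  payload = [JSON.generate(session)].pack('m0')
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', key, payload)}"
end

# Length check, then a comparison that does not stop at the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the tag is missing, does not match
# the payload, or the payload is malformed. The tag is verified before the
# payload is decoded or parsed.
def decode_signed(cookie, key = SECRET)
  payload, tag = cookie.to_s.split('--', 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  return nil unless secure_compare(expected, tag)
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end
```

With the signed form, a cookie whose payload was changed after issuance no longer matches its tag and is rejected before any session data is read.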
—
SL6
x86_64
pcs-0.9.123-9.el6_6.2.x86_64.rpm
pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
i386
pcs-0.9.123-9.el6_6.2.i686.rpm
pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
srpm
pcs-0.9.123-9.el6_6.2.src.rpm
noarch
pcs-debuginfo-0.9.123-9.el6_6.2.x86_64.rpm
pcs-debuginfo-0.9.123-9.el6_6.2.i686.rpm
– Scientific Linux Development Team