| Revision Date: | 2016-11-03 | Version: | 639 |
| Title: | RHSA-2016:2596: pcs security, bug fix, and enhancement update (Moderate) |
| Description: | The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.
The following packages have been upgraded to a newer upstream version: pcs (0.9.152). (BZ#1299847)
Security Fix(es):
A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. (CVE-2016-0720)
It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. (CVE-2016-0721)
These issues were discovered by Martin Prpic (Red Hat Product Security).
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
|
| Family: | unix | Class: | patch |
| Status: | | Reference(s): | CVE-2016-0720
CVE-2016-0721
RHSA-2016:2596
RHSA-2016:2596-01
RHSA-2016:2596-02
RHSA-2016:2596-02
|
| Platform(s): | Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7 (please do not use for >= RHEL-7.5)
| Product(s): | |
| Definition Synopsis |
| Red Hat Enterprise Linux must be installed OR Package Information
Red Hat Enterprise Linux 7 is installed
AND pcs is earlier than 0:0.9.152-10.el7
AND pcs is signed with Red Hat redhatrelease2 key
|
| Definition Synopsis |
| pcs is earlier than 0:0.9.152-10.el7
AND pcs is signed with Red Hat redhatrelease2 key
AND Package Information
Red Hat Enterprise Linux 7 Client is installed
OR Red Hat Enterprise Linux 7 Server is installed
OR Red Hat Enterprise Linux 7 Workstation is installed
OR Red Hat Enterprise Linux 7 ComputeNode is installed
|