Description:

The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.

It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remote attacker could use this flaw to inject a specially crafted Python statement or script into Plone's restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that administrator user. (CVE-2012-5485)

It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. A remote attacker could use a specially crafted URL that, when processed, would cause the injected HTTP headers to be returned as a part of the Plone HTTP response, potentially allowing the attacker to perform other, more advanced attacks. (CVE-2012-5486)

Multiple information leak flaws were found in the way conga processed luci site extension-related URL requests. A remote, unauthenticated attacker could issue a specially crafted HTTP request that, when processed, would result in unauthorized information disclosure. (CVE-2013-6496)

It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data. (CVE-2014-3521)

It was discovered that Plone, included as a part of luci, did not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information. (CVE-2012-5488)

It was discovered that Plone, included as a part of luci, did not properly enforce permission checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names. (CVE-2012-5497)

It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption. (CVE-2012-5498)

It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive memory consumption. (CVE-2012-5499)

It was discovered that Plone, included as a part of luci, allowed a remote anonymous user to change titles of content items due to improper permission checks. (CVE-2012-5500)

The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.

In addition, these updated conga packages include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.11 Technical Notes, linked to in the References section, for information on the most significant of these changes.

All conga users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the luci and ricci services will be restarted automatically.
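The header injection class behind CVE-2012-5486 is easiest to see with a minimal handler. The following is an added illustration, not Plone's or luci's code, and it does not reproduce the actual vulnerable Plone code path: a value taken from the request URL is copied into a response header, and a URL-encoded CRLF sequence lets the attacker terminate that header and append headers (and even a body) of their own. The hardened variant rejects control characters before the value reaches the header. The payload and the handler are constructed for the example.

```python
from urllib.parse import unquote


def build_response_vulnerable(location):
    """Copies a URL-derived value straight into the Location header.

    If the value contains CR/LF, the rest of it is interpreted by the client
    as additional headers and body (HTTP response splitting).
    """
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def sanitize_header_value(value):
    """Reject CR, LF and NUL in a header value instead of forwarding them."""
    if "\r" in value or "\n" in value or "\0" in value:
        raise ValueError("control characters are not allowed in HTTP header values")
    return value


def build_response_fixed(location):
    """Same handler, but the value is checked before it is emitted."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {sanitize_header_value(location)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def parse_response(raw):
    """Parse a raw HTTP response the way a simple client would: the first
    blank line ends the headers, everything after it is the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


# Constructed attacker-controlled value as it would arrive after URL decoding
# of %0d%0a (CRLF). The hypothetical parameter value is the example's own.
ATTACKER_VALUE = unquote(
    "/index%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>spoofed</html>"
)


def injected_headers(value=ATTACKER_VALUE):
    """Return the headers and body a client sees from the vulnerable handler."""
    _status, headers, body = parse_response(build_response_vulnerable(value))
    return headers, body


def fixed_handler_rejects(value=ATTACKER_VALUE):
    """True if the hardened handler refuses the payload."""
    try:
        build_response_fixed(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    headers, body = injected_headers()
    print("vulnerable handler emitted:", headers)
    print("vulnerable handler body starts with:", body[:20])
    print("hardened handler rejected payload:", fixed_handler_rejects())
```

Rejecting the value outright is preferable to stripping CR/LF silently: a stripped value may still be wrong, and the rejection surfaces the attempt in logs. The same check belongs on every header assembled from request input, not only redirects.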