RedHat has issued advisories on May 12:
https://rhn.redhat.com/errata/RHSA-2015-0990.html
https://rhn.redhat.com/errata/RHSA-2015-0980.html
A patch is attached to the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1208294
@David I think that our pcs-0.9.26 package is not affected because it does not contain the pcsd stuff and also it does not contain the pcsd.rb file that needs to be patched for the security fix. It is a very very old version that we have in our mga4 repo. -------------------------------------------------- RedHat patch: --- pcs-0.9.137/pcsd/pcsd.rb.secure_fix 2015-03-30 13:48:50.209887370-0500 +++ pcs-0.9.137/pcsd/pcsd.rb 2015-03-30 13:50:47.321660377 -0500 @@ -31,7 +31,9 @@ end use Rack::Session::Cookie, :expire_after => 60 * 60, - :secret => secret + :secret => secret, + :secure => true, # only send over HTTPS + :httponly => true # don't provide to javascript #use Rack::SSL @@ -45,8 +47,6 @@ also_reload 'pcs.rb' also_reload 'auth.rb' also_reload 'wizard.rb' -enable :sessions - before do if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth' protected!
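Review bot: In the first hunk (`@@ -31,7 +31,9 @@`), `:secure => true` means the browser will never send the session cookie over plain HTTP, so a pcsd instance reached without TLS would simply lose its login; `#use Rack::SSL` stays commented out in the same context, so the change should state (in a code comment or the commit message) that pcsd is only ever served over HTTPS, or enable the redirect alongside the flag. The `:expire_after => 60 * 60` line is unchanged, which is fine.

Review bot: In the second hunk (`@@ -45,8 +47,6 @@`), the deletion of `enable :sessions` has no explanatory comment, yet it is part of the fix rather than cleanup: Sinatra's `enable :sessions` installs its own cookie-session middleware with default options, which would sit beside the explicitly configured `Rack::Session::Cookie` above and issue a cookie without the new `:secure`/`:httponly` flags. A one-line comment such as `# sessions configured explicitly via Rack::Session::Cookie above` at the removal point would keep the next maintainer from re-adding it.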
CC: (none) => geiger.david68210
Thanks, indeed the Mageia 4 version didn't have pcsd. Only the Cauldron version (which was dropped) did.
Status: NEW => RESOLVED; Resolution: (none) => INVALID
mga4 version was old. btw pcs is dropped from cauldron? if yes it should be removed from svn then.
CC: (none) => mageia; Resolution: INVALID => FIXED
Not really fixed since we didn't do anything, it was invalid for our version. If it's reimported into Cauldron later it'll need to actually be fixed. There are several packages in SVN that need to be moved to obsolete. I was going to wait until after mga5 was branched just in case the maintainers wanted to bring them back again. There was someone on the dev mailing list that had been running a script to list them, hopefully he will again to help find all the ones that need to be moved.
Resolution: FIXED => INVALID