930578 – (CVE-2015-1848) VUL-1: CVE-2015-1848: pcs: improper web session variable signing

Bug 930578 (CVE-2015-1848) - VUL-1: CVE-2015-1848: pcs: improper web session variable signing

Summary: VUL-1: CVE-2015-1848: pcs: improper web session variable signing

Status:	RESOLVED FIXED

Alias:	CVE-2015-1848

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Kristoffer Gronlund
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/116585/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-05-12 14:36 UTC by Sebastian Krahmer
Modified:	2015-05-13 14:15 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2015-05-12 14:36:52 UTC

I am not sure we need this one. If invalid, just close it as such.
However, I found that we have "pcs" in network:ha-cluser:Factory.
But as it seems to be on no product, we dont need to make updates in
such case.


rh#1208294



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1208294
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1848

Comment 1 Kristoffer Gronlund 2015-05-13 14:14:20 UTC

pcs doesn't build due to missing dependencies, but I have updated the package to include the patch so that once it builds, it will have the fix.

Comment 2 Kristoffer Gronlund 2015-05-13 14:15:07 UTC

Resolving since the package now includes the patch.