tojeline pushed to pcs (f20). "Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)"
notifications at fedoraproject.org
Fri May 22 09:47:58 UTC 2015
From acc2483f9bc4f0844f473ec23fd2b058d80ad6d9 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline at redhat.com>
Date: Fri, 22 May 2015 11:19:39 +0200
Subject: Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)
diff --git a/pcs.spec b/pcs.spec
index cf2c918..1592a13 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
Name: pcs
Version: 0.9.115
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2
URL: http://github.com/feist/pcs
Group: System Environment/Base
@@ -14,6 +14,7 @@ Source0: http://people.redhat.com/cfeist/pcs/pcs-withgems-%{version}.tar.gz
Patch0: fedfix.patch
Patch1: rebase.patch
Patch2: bz1078343-Add-support-for-setting-certain-corosync-totem-optio.patch
+Patch3: secure-cookie.patch
Requires: pacemaker ruby python
Requires: rubygem-sinatra rubygem-highline rubygem-rack rubygem-rack-protection rubygem-tilt
Requires: rubygem-eventmachine rubygem-rack-test rubygem-multi_json rubygem-json
@@ -28,6 +29,7 @@ easily view, modify and created pacemaker based clusters.
%patch0 -p1 -b .fedfix
%patch1 -p1 -b .rebase
%patch2 -p1 -b .bz1078343
+%patch3 -p1 -b .fedfix
cd pcsd ; bundle install --local ; cd ..
%build
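Review bot: the new `%patch3 -p1 -b .fedfix` line reuses the `.fedfix` backup suffix that `%patch0` already takes, so for any file both patches touch the second `.fedfix` backup overwrites the first; give it a distinct suffix in the same style as the other entries, e.g. `%patch3 -p1 -b .secure-cookie`.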
@@ -71,6 +73,9 @@ chmod 755 $RPM_BUILD_ROOT/%{python_sitelib}/pcs/pcs.py
%doc COPYING README
%changelog
+* Fri May 22 2015 Tomas Jelinek <tojeline at redhat.com> - 0.9.115-3
+- Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)
+
* Fri Mar 27 2015 Tomas Jelinek <tojeline at redhat.com> - 0.9.115-2
- Fixed postinstall, preuninstall and postuinstall scripts (rhbz#1096224)
diff --git a/secure-cookie.patch b/secure-cookie.patch
new file mode 100644
index 0000000..08c2baa
--- /dev/null
+++ b/secure-cookie.patch
@@ -0,0 +1,22 @@
+--- pcs-0.9.137/pcsd/pcsd.rb.secure_fix 2015-03-30 13:48:50.209887370 -0500
++++ pcs-0.9.137/pcsd/pcsd.rb 2015-03-30 13:50:47.321660377 -0500
+@@ -31,7 +31,9 @@ end
+
+ use Rack::Session::Cookie,
+ :expire_after => 60 * 60,
+- :secret => secret
++ :secret => secret,
++ :secure => true, # only send over HTTPS
++ :httponly => true # don't provide to javascript
+
+ #use Rack::SSL
+
+@@ -45,8 +47,6 @@ also_reload 'pcs.rb'
+ also_reload 'auth.rb'
+ also_reload 'wizard.rb'
+
+-enable :sessions
+-
+ before do
+ if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth'
+ protected!
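Review bot: `:secure => true` makes the browser return the session cookie only over HTTPS, while the `#use Rack::SSL` line just below stays commented out, so this is correct only if pcsd is always served over TLS; if it is ever reachable over plain HTTP, the cookie is never sent and every request looks unauthenticated, which is worth a sentence in the changelog. Two smaller points: the embedded patch header names `pcs-0.9.137/pcsd/pcsd.rb` although this spec builds 0.9.115 (harmless with `-p1`, which strips that leading component, but confusing for the next rebase), and removing `enable :sessions` is the right companion change, since it stops Sinatra from installing its own second cookie session middleware next to the explicit `use Rack::Session::Cookie`.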
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/pcs.git/commit/?h=f20&id=acc2483f9bc4f0844f473ec23fd2b058d80ad6d9