tojeline pushed to pcs (f20). "Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)"

notifications at fedoraproject.org
Fri May 22 09:47:58 UTC 2015


From acc2483f9bc4f0844f473ec23fd2b058d80ad6d9 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline at redhat.com>
Date: Fri, 22 May 2015 11:19:39 +0200
Subject: Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)


diff --git a/pcs.spec b/pcs.spec
index cf2c918..1592a13 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs		
 Version: 0.9.115
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 URL: http://github.com/feist/pcs
 Group: System Environment/Base
@@ -14,6 +14,7 @@ Source0: http://people.redhat.com/cfeist/pcs/pcs-withgems-%{version}.tar.gz
 Patch0: fedfix.patch
 Patch1: rebase.patch
 Patch2: bz1078343-Add-support-for-setting-certain-corosync-totem-optio.patch
+Patch3: secure-cookie.patch
 Requires: pacemaker ruby python
 Requires: rubygem-sinatra rubygem-highline rubygem-rack rubygem-rack-protection rubygem-tilt
 Requires: rubygem-eventmachine rubygem-rack-test rubygem-multi_json rubygem-json
@@ -28,6 +29,7 @@ easily view, modify and created pacemaker based clusters.
 %patch0 -p1 -b .fedfix
 %patch1 -p1 -b .rebase
 %patch2 -p1 -b .bz1078343
+%patch3 -p1 -b .fedfix
 cd pcsd ; bundle install --local ; cd ..
 
 %build
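Review bot: the backup suffix on the new `%patch3 -p1 -b .fedfix` line reuses the one already taken by `%patch0 -p1 -b .fedfix`; if both patches touch the same file, the second `.fedfix` backup overwrites the first and the pristine copy is lost. Follow the convention of the other entries (`.rebase`, `.bz1078343`) and use a suffix that names the patch, e.g. `%patch3 -p1 -b .secure-cookie`.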
@@ -71,6 +73,9 @@ chmod 755 $RPM_BUILD_ROOT/%{python_sitelib}/pcs/pcs.py
 %doc COPYING README
 
 %changelog
+* Fri May 22 2015 Tomas Jelinek <tojeline at redhat.com> - 0.9.115-3
+- Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)
+
 * Fri Mar 27 2015 Tomas Jelinek <tojeline at redhat.com> - 0.9.115-2
 - Fixed postinstall, preuninstall and postuinstall scripts (rhbz#1096224)
 
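Review bot: the changelog entry describes only the signing fix ("sessions not signed"), but the patch it introduces also marks the session cookie `:secure => true` and `:httponly => true`, which changes behaviour for anyone reaching pcsd over plain HTTP; mention both in the entry so `rpm -q --changelog` readers see the cookie-flag change. The previous entry also cites a Bugzilla reference (`rhbz#1096224`); add the corresponding bug reference(s) for these CVEs if there are any.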
diff --git a/secure-cookie.patch b/secure-cookie.patch
new file mode 100644
index 0000000..08c2baa
--- /dev/null
+++ b/secure-cookie.patch
@@ -0,0 +1,22 @@
+--- pcs-0.9.137/pcsd/pcsd.rb.secure_fix        2015-03-30 13:48:50.209887370 -0500
++++ pcs-0.9.137/pcsd/pcsd.rb   2015-03-30 13:50:47.321660377 -0500
+@@ -31,7 +31,9 @@ end
+ 
+ use Rack::Session::Cookie,
+   :expire_after => 60 * 60,
+-  :secret => secret
++  :secret => secret,
++  :secure => true, # only send over HTTPS
++  :httponly => true # don't provide to javascript
+ 
+ #use Rack::SSL
+ 
+@@ -45,8 +47,6 @@ also_reload 'pcs.rb'
+ also_reload 'auth.rb'
+ also_reload 'wizard.rb'
+ 
+-enable :sessions
+-
+ before do
+   if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth'
+     protected! 
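Review bot: `:secure => true` means browsers only return the session cookie over HTTPS, yet `#use Rack::SSL` in the same context is still commented out, so nothing in this file forces TLS; if pcsd is reachable over plain HTTP, login will appear to work but every later request arrives without a session and falls into `protected!`. Confirm pcsd only serves an HTTPS listener (or redirects HTTP) before shipping this. Two smaller points: as far as I can tell, removing `enable :sessions` is what addresses the "sessions not signed" title, because Sinatra's `enable :sessions` installs its own Rack::Session::Cookie in front of the one configured with `:secret => secret`, so that hunk should stay even if the cookie flags are revisited; and the patch header names `pcs-0.9.137/pcsd/pcsd.rb` while this package is 0.9.115, so `-p1` lets it apply but the header should be regenerated against the packaged tarball to show it was tested there.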
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/pcs.git/commit/?h=f20&id=acc2483f9bc4f0844f473ec23fd2b058d80ad6d9

