3.8. conga
Updated conga packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.
Security Fixes
- CVE-2014-3521: It was discovered that various components in the luci site extensions-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could elevate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.
- CVE-2013-6496: Multiple information leak flaws were found in the way conga processed luci site extensions-related URL requests. A remote, unauthenticated attacker could issue a specially-crafted HTTP request that, when processed, would lead to unauthorized information disclosure.
- CVE-2012-5500: It was discovered that Plone, included as part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks.
- CVE-2012-5499: It was discovered that Plone, included as part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially-crafted URL that, when processed, would lead to excessive memory consumption.
- CVE-2012-5498: It was discovered that Plone, included as part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially-crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption.
- CVE-2012-5497: It was discovered that Plone, included as part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially-crafted URL that, when processed, could allow the attacker to enumerate user account names.
- CVE-2012-5485: It was discovered that Plone, included as part of luci, did not properly protect the administrator interface (control panel), which could allow a remote attacker to inject a specially-crafted Python statement or script into Plone's restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that admin user.
- CVE-2012-5486: It was discovered that Plone, included as part of luci, improperly sanitized HTTP headers provided within certain URL requests. A remote attacker could use a specially-crafted URL that, when processed, would lead to the injected HTTP headers being returned as part of the Plone HTTP response, which could lead to various negative consequences.
- CVE-2012-5488: It was discovered that Plone, included as part of luci, improperly protected the privilege of running RestrictedPython scripts. A remote attacker could use a specially-crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.
The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.
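The CVE-2012-5486 entry above describes the header-injection class: a value taken from the URL is copied into a response header without rejecting CR/LF, so the response is split into extra headers. The following is an added illustration written for this note, not luci or Plone code, and the query string, header names and function names are constructed for the example. It places a naive serializer beside a hardened one that rejects any control character in a header value, as the HTTP/1.1 field-value grammar requires, and parses the serialized output back the way a receiving browser or proxy would so the difference is visible.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: a redirect parameter whose value carries an encoded CR/LF
# followed by text shaped like a second header (this is example data, not a
# request from the advisory).
CONSTRUCTED_QUERY = "next=%2Fluci%2Fhome%0D%0ASet-Cookie%3A%20injected%3D1"

# Any ASCII control character (CR and LF included) is illegal in an HTTP/1.1
# header value; NUL and DEL are caught by the same class.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def redirect_target(query):
    """Decode the 'next' parameter as a framework would, percent-decoding included."""
    return parse_qs(query)["next"][0]


def render_response_naive(status, headers):
    """Serialize headers without validation: the flaw class, kept for contrast."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def validate_header_value(value):
    """Refuse any value that could terminate the header line early."""
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def render_response_hardened(status, headers):
    """Same serializer, but every value passes validate_header_value first."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {validate_header_value(value)}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_names(raw_response):
    """Parse the header block back out, as a receiving proxy or browser would."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


def hardened_rejects(query):
    """True if the hardened serializer refuses the decoded redirect target."""
    try:
        render_response_hardened("302 Found", [("Location", redirect_target(query))])
    except ValueError:
        return True
    return False
```

The naive serializer emits two headers from one value; the hardened one raises before anything is written. Rejecting rather than stripping is the safer choice here, since a stripped value may still not be the redirect target the application intended.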
Bug Fixes
- BZ#970288: Due to a bug in the underlying source code that checks the return value when stopping the luci service, luci was reported as stopped even if it was not. This bug has been fixed and the return value is now correctly checked, so that luci works properly in the described scenario.
- BZ#106526: The startup_wait parameter has been added to the PostgreSQL 8 resource agent. For more information, see RHBA-2014:17291. With this update, the luci service has been modified to reflect this change.
- BZ#1072075: Previously, the luci service did not correctly parse the distribution release string from the remote ricci agent; any minor version with two or more digits in that string was unexpectedly truncated to its initial digit. This caused several regressions in the offered configuration options starting with Red Hat Enterprise Linux 5.10, which was identified as version 5.1. This bug has been fixed with this update, and luci now correctly parses minor versions, so no regressions occur.
- BZ#1076711: Previously, ricci modules shipped directly with the ricci package mishandled requests with a size in bytes divisible by 4096, which is the size of the read buffer in bytes. Consequently, these modules incorrectly evaluated such requests as errors. This bug has been fixed and the modules now process all requests as expected. See also RHBA-2014:17436 for information about a remaining ricci module shipped with the modcluster package.
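Two of the bug fixes above (BZ#1072075 and BZ#1076711) are boundary errors of a kind worth recognising on sight: a version regex that captures one digit of the minor version, so 5.10 reads as 5.1, and a read loop that decides a message has ended from a short read, so a body that is an exact multiple of the buffer size reaches an unexpected zero-length read. The block below is an added example written for this note, not conga's own code: the release strings are constructed, and the read loop is one plausible way such a 4096-byte boundary error arises, since the advisory does not describe the actual ricci implementation. Each buggy form sits beside a corrected one.

```python
import io
import re

# Constructed release strings of the general form a remote agent might report;
# the exact format ricci uses is not given in the advisory.
CONSTRUCTED_RELEASES = [
    "Red Hat Enterprise Linux Server release 5.9 (Tikanga)",
    "Red Hat Enterprise Linux Server release 5.10 (Tikanga)",
    "Red Hat Enterprise Linux Server release 5.11 (Tikanga)",
]

_TRUNCATING = re.compile(r"release (\d+)\.(\d)")   # one digit of minor: 5.10 -> (5, 1)
_FULL = re.compile(r"release (\d+)\.(\d+)")        # whole minor:        5.10 -> (5, 10)


def parse_release(release, pattern=_FULL):
    """Return (major, minor) as integers so 5.10 compares greater than 5.9."""
    m = pattern.search(release)
    if m is None:
        raise ValueError("no version in release string")
    return int(m.group(1)), int(m.group(2))


def parse_release_truncated(release):
    """The bug class from BZ#1072075: the minor version loses all but its first digit."""
    return parse_release(release, _TRUNCATING)


READ_BUFFER = 4096


def read_request_buggy(stream, expected_len):
    """Infer end-of-message from a short read; expected_len is available but ignored.

    For a body that is an exact multiple of READ_BUFFER, every chunk is full, so
    the loop only learns the message is over from a zero-length read, which this
    version treats as a failure.
    """
    data = bytearray()
    while True:
        chunk = stream.read(READ_BUFFER)
        if not chunk:
            raise IOError("unexpected end of request")
        data += chunk
        if len(chunk) < READ_BUFFER:
            return bytes(data)


def read_request_fixed(stream, expected_len):
    """Read exactly expected_len bytes; a zero-length read before that is the only error."""
    data = bytearray()
    while len(data) < expected_len:
        chunk = stream.read(min(READ_BUFFER, expected_len - len(data)))
        if not chunk:
            raise IOError("connection closed before full request was received")
        data += chunk
    return bytes(data)


def request_accepted(reader, size):
    """Feed a constructed request of `size` bytes through `reader`; True if it arrives intact."""
    body = bytes(size)
    try:
        return reader(io.BytesIO(body), size) == body
    except IOError:
        return False
```

Framing by a declared length rather than by read size is the general fix: a short read on a socket does not mean the message has ended, and a full read does not mean more is coming.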
All conga users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the luci and ricci services will be restarted automatically.