Search

3.8. conga

download PDF
Updated conga packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.

Security Fixes

CVE-2014-3521
It was discovered that various components in the luci site extensions-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could elevate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.
CVE-2013-6496
Multiple information leak flaws were found in the way conga processed luci site extensions-related URL requests. A remote, unauthenticated attacker could issue a specially-crafted HTTP request that, when processed, would lead to unauthorized information disclosure.
CVE-2012-5500
It was discovered that Plone, included as part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks.
CVE-2012-5499
It was discovered that Plone, included as part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially-crafted URL that, when processed, would lead to excessive memory consumption.
CVE-2012-5498
It was discovered that Plone, included as part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially-crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption.
CVE-2012-5497
It was discovered that Plone, included as part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially-crafted URL that, when processed, could allow the attacker to enumerate user account names.
CVE-2012-5485
It was discovered that Plone, included as part of luci, did not properly protect the administrator interface (control panel) which could allow a remote attacker to inject a specially-crafted Python statement or script into Plone's restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that admin user.
CVE-2012-5486
It was discovered that Plone, included as part of luci, did improper sanitization of HTTP headers provided within certain URL requests. A remote attacker would use a specially-crafted URL that, when processed, would lead to the injected HTTP headers being returned as part of the Plone HTTP response, which could lead to various negative consequences.
CVE-2012-5488
It was discovered that Plone, included as part of luci, improperly protected the privilege of running RestrictedPython scripts. A remote attacker could use a specially-crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.
The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.

Bug Fixes

BZ#970288
Due to a bug in the underlying source code that checks the return value when stopping the luci service, luci was reported as stopped even if it was not. This bug has been fixed and the return value is correctly checked, so that luci works properly in the described scenario.
BZ#106526
The startup_wait parameter has been added to the ostgreSQL 8P resource agent. For more information, see RHBA-2014:17291. With this update the luci service has been modified to reflect this change.
BZ#1072075
Previously, the luci service did not parse distribution release string from the remote ricci agent correctly; any minor version with two or more digits in that string was unexpectedly truncated to the initial digit. This behavior caused several regressions in offered configuration options starting with Red Hat Enterprise Linux 5.10 identification understood as version 5.1. This bug has been fixed with this update, and luci now correctly parses minor versions, thus no regressions occur.
BZ#1076711
Previously, ricci modules shipped directly with the ricci package mishandled requests with size in bytes divisible by 4096, which is the size of the read buffer in bytes. Consequently, these modules incorrectly evaluated such requests as errors. This bug has been fixed and the modules now process all requests as expected. See also RHBA-2014:17436 for the information about a remaining ricci module shipped with the modcluster package.
All conga users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the luci and ricci services will be restarted automatically.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.