From 72637d984bd1a813c509289e0cf2ccb2d96911aa Mon Sep 17 00:00:00 2001
From: Tomas Jelinek
Date: Fri, 22 May 2015 10:31:54 +0200
Subject: [PATCH] Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)

---
 pcs.spec | 7 ++++++-
 secure-cookie.patch | 22 ++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 secure-cookie.patch

diff --git a/pcs.spec b/pcs.spec
index 3f966a6..8491a00 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.9.139
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 URL: http://github.com/feist/pcs
 Group: System Environment/Base
@@ -12,6 +12,7 @@ BuildRequires: systemd
 Summary: Pacemaker Configuration System
 Source0: http://people.redhat.com/cfeist/pcs/pcs-withgems-%{version}.tar.gz
 Patch0: fedfix.patch
+Patch1: secure-cookie.patch
 Requires: pacemaker ruby python
 Requires: python-clufter
 Requires: rubygem-sinatra rubygem-highline rubygem-rack rubygem-rack-protection rubygem-tilt
@@ -25,6 +26,7 @@ easily view, modify and created pacemaker based clusters.
 %setup -q
 %patch0 -p1 -b .fedfix
+%patch1 -p1 -b .fedfix
 cd pcsd ; bundle install --local ; cd ..
 %build
@@ -68,6 +70,9 @@ chmod 755 $RPM_BUILD_ROOT/%{python_sitelib}/pcs/pcs.py
 %doc COPYING README
 %changelog
+* Fri May 22 2015 Tomas Jelinek - 0.9.139-4
+- Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)
+
 * Thu Mar 26 2015 Tomas Jelinek - 0.9.139-3
 - Add BuildRequires: systemd (rhbz#1206253)
diff --git a/secure-cookie.patch b/secure-cookie.patch
new file mode 100644
index 0000000..9990ffe
--- /dev/null
+++ b/secure-cookie.patch
@@ -0,0 +1,22 @@
+--- pcs-0.9.137/pcsd/pcsd.rb.secure_fix 2015-03-30 13:48:50.209887370 -0500
++++ pcs-0.9.137/pcsd/pcsd.rb 2015-03-30 13:50:47.321660377 -0500
+@@ -31,7 +31,9 @@ end
+ 
+ use Rack::Session::Cookie,
+ :expire_after => 60 * 60,
+- :secret => secret
++ :secret => secret,
++ :secure => true, # only send over HTTPS
++ :httponly => true # don't provide to javascript
+ 
+ #use Rack::SSL
+ 
+@@ -45,8 +47,6 @@ also_reload 'pcs.rb'
+ also_reload 'auth.rb'
+ also_reload 'wizard.rb'
+ 
+-enable :sessions
+-
+ before do
+ $session = session
+ $cookies = cookies
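Review bot: The signing that closes CVE-2015-1848 and CVE-2015-3983 now rests entirely on `secret` being a real value at the `:secret => secret,` line, but nothing in the hunk checks it; `secret` is assigned outside the hunk, and as far as I recall the Rack releases of that era only log a warning when the option is nil and then keep issuing unsigned cookies, so a misconfiguration would reopen both issues with no visible error. I would fail fast before the middleware is registered: `raise 'pcsd session secret is not set' if secret.nil? || secret.empty?`. A signed cookie is still not an encrypted one, so the session payload remains readable on the client side and a comment such as `# signed only, not encrypted: store identifiers in session, never secrets` above `use Rack::Session::Cookie,` would keep later maintainers from putting credentials in it. `:secure => true` means the browser will never return the cookie over plain HTTP, which with `#use Rack::SSL` still commented out presumably relies on pcsd terminating TLS itself; worth confirming. The `before do` block continues past the end of the hunk.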