Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)

pcs.spec

@@ -1,6 +1,6 @@
 Name: pcs		
 Version: 0.9.139
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 URL: http://github.com/feist/pcs
 Group: System Environment/Base
@@ -12,6 +12,7 @@ BuildRequires: systemd
 Summary: Pacemaker Configuration System	
 Source0: http://people.redhat.com/cfeist/pcs/pcs-withgems-%{version}.tar.gz
 Patch0: fedfix.patch
+Patch1: secure-cookie.patch
 Requires: pacemaker ruby python
 Requires: python-clufter
 Requires: rubygem-sinatra rubygem-highline rubygem-rack rubygem-rack-protection rubygem-tilt
@@ -25,6 +26,7 @@ easily view, modify and created pacemaker based clusters.
 %setup -q
 
 %patch0 -p1 -b .fedfix
+%patch1 -p1 -b .fedfix
 cd pcsd ; bundle install --local ; cd ..
 
 %build
@@ -68,6 +70,9 @@ chmod 755 $RPM_BUILD_ROOT/%{python_sitelib}/pcs/pcs.py
 %doc COPYING README
 
 %changelog
+* Fri May 22 2015 Tomas Jelinek <tojeline@redhat.com> - 0.9.139-4
+- Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)
+
 * Thu Mar 26 2015 Tomas Jelinek <tojeline@redhat.com> - 0.9.139-3
 - Add BuildRequires: systemd (rhbz#1206253)
 

secure-cookie.patch

@@ -0,0 +1,22 @@
+--- pcs-0.9.137/pcsd/pcsd.rb.secure_fix        2015-03-30 13:48:50.209887370 -0500
++++ pcs-0.9.137/pcsd/pcsd.rb   2015-03-30 13:50:47.321660377 -0500
+@@ -31,7 +31,9 @@ end
+ 
+ use Rack::Session::Cookie,
+   :expire_after => 60 * 60,
+-  :secret => secret
++  :secret => secret,
++  :secure => true, # only send over HTTPS
++  :httponly => true # don't provide to javascript
+ 
+ #use Rack::SSL
+ 
+@@ -45,8 +47,6 @@ also_reload 'pcs.rb'
+ also_reload 'auth.rb'
+ also_reload 'wizard.rb'
+ 
+-enable :sessions
+-
+ before do
+   $session = session
+   $cookies = cookies