Security Advisory Important: conga security update

Advisory: RHSA-2011:0393-1
Type: Security Advisory
Severity: Important
Issued on: 2011-03-28
Last updated on: 2011-03-28
Affected Products: Cluster Suite EL4
CVEs (cve.mitre.org): CVE-2011-0720

Details

Updated conga packages that fix one security issue are now available for
Red Hat Cluster Suite 4.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The conga packages provide a web-based administration tool for remote
cluster and storage management.

A privilege escalation flaw was found in luci, the Conga web-based
administration application. A remote attacker could possibly use this flaw
to obtain administrative access, allowing them to read, create, or modify
the content of the luci application. (CVE-2011-0720)

Users of Conga are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing the
updated packages, luci must be restarted ("service luci restart") for the
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Cluster Suite EL4

SRPMS:
conga-0.11.2-4.el4.2.src.rpm     MD5: 635754beb78cefbfbf3c7f49dbd39e31
SHA-256: 046a20f67f10c7535adb920f056ad2ea8f1a204f91e6085019e5d2acee55485c
 
IA-32:
luci-0.11.2-4.el4.2.i386.rpm     MD5: f98d8abcde872891a97c5d0fe0275e52
SHA-256: 6ca319f75919e4eb0bd2be70e4984fc5a0964d210535c6cbfe00a7f8dabeadb7
ricci-0.11.2-4.el4.2.i386.rpm     MD5: f6ce24fc1f71b3e864df21bad992099e
SHA-256: 4b6a0d2a4617a606490a01cdf996d34f0f4e4461de63d2efed902fc0c5bfc7b4
 
IA-64:
luci-0.11.2-4.el4.2.ia64.rpm     MD5: 144181b18f8e74c7c049187613208bc9
SHA-256: 4f00820c9ba1421077c752b5c744d7d76ae09c5a12191963ee6dbfc9b1cef3c5
ricci-0.11.2-4.el4.2.ia64.rpm     MD5: 2de2877487f94dd1f24286639a10c18b
SHA-256: 187f8cd6e2cf277338e7cc42b8b463122d8b96ef735315389a379638722d4c43
 
PPC:
luci-0.11.2-4.el4.2.ppc.rpm     MD5: 7918c1389239acbc43006a3951641080
SHA-256: 639b1065c30008ba6b4067716707c004a45f7068913b80439155145c0ed0ed04
ricci-0.11.2-4.el4.2.ppc.rpm     MD5: d9905b9e8acc1ad84b3f5109b60f3fbf
SHA-256: a513a581cc08bae596e807bbfcb64bc6f8c4c475868bfc2cff90a82e9f88845b
 
x86_64:
luci-0.11.2-4.el4.2.x86_64.rpm     MD5: dd6301528e52fe012d7e3599730cc5f8
SHA-256: 812c9bc8ca83f7cf4ec5fb818db93eebc12d78c214ccbbb8d5dafb94ec62a605
ricci-0.11.2-4.el4.2.x86_64.rpm     MD5: adceec405f68499ed3f5bf58d5dd27dd
SHA-256: 2c7237a37bf1aa3a35e1e348d8d42c08041e2411748dd2155a7bed7f0e634369
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

676961 - CVE-2011-0720 plone: unauthorized remote administrative access


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/