Security Advisory Moderate: conga security, bug fix, and enhancement update

Advisory: RHSA-2012:0151-3
Type: Security Advisory
Severity: Moderate
Issued on: 2012-02-21
Last updated on: 2012-02-21
Affected Products: RHEL Clustering (v. 5 server)
CVEs ( CVE-2010-1104


Updated conga packages that fix multiple security issues, several bugs,
and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The conga packages provide a web-based administration tool for remote
cluster and storage management.

Multiple cross-site scripting (XSS) flaws were found in luci, the conga
web-based administration application. If a remote attacker could trick a
user, who was logged into the luci interface, into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's luci session. (CVE-2010-1104, CVE-2011-1948)

These updated conga packages include several bug fixes and an enhancement.
Space precludes documenting all of these changes in this advisory. Users
are directed to the Red Hat Enterprise Linux 5.8 Technical Notes, linked to
in the References, for information on the most significant of these

Users of conga are advised to upgrade to these updated packages, which
correct these issues and add this enhancement. After installing the updated
packages, luci must be restarted ("service luci restart") for the update to
take effect.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

RHEL Clustering (v. 5 server)

File outdated by:  RHSA-2014:1194
    MD5: 9d3378d9ca1e7cedcc6c07e5b0b3091f
SHA-256: 7a8a0ea4fbf84d8cc0d0b02030741d83edb9a121d2dc558aea1d32d2be05a571
File outdated by:  RHSA-2014:1194
    MD5: fe499fa65f946945506cd18a4bd9fd92
SHA-256: 114adcf5e336da51b0985c5f496cae16ed660d10e2e19b737604a9ea3382fa49
File outdated by:  RHSA-2014:1194
    MD5: b55dfa612b1a6bab9b6445c6bc05f91f
SHA-256: ebe204dfd57c4c1ab3ab942e1c86780bd657937521d0f1961f9a8667590be1a8
File outdated by:  RHSA-2014:1194
    MD5: 2036e5a847998be6580d5b0776ad6908
SHA-256: adf3a324274634a885d6b919f2d2661a37be9743fe003c0d3ff7f2d5ec1361d9
File outdated by:  RHSA-2014:1194
    MD5: 749a4cf82b41f0081f0e07ab214cc63b
SHA-256: 09e99b11dff17da2dc1d3fd9427002efd2df4597a4a2ea219f1062308c7e6383
File outdated by:  RHSA-2014:1194
    MD5: c29a4ce5cb5456fa02fa62b5244644a7
SHA-256: 51a5a4993e9226750db88b0fc6fad7dd84aae9155e0ad1185d1a6a4a28afe641
File outdated by:  RHSA-2014:1194
    MD5: 925cf60e3dc0454fefb1f91941514275
SHA-256: 846993cad623ebcc0e4425c139d0ca17aae4bd16c2d9778c16b939c02b882f04
File outdated by:  RHSA-2014:1194
    MD5: 92fe91abfce8c80c279ad061d394cfcb
SHA-256: 76e4014e99d3424e19d9fdc6a86931e13be989103e36e3b9dde525500dc90871
File outdated by:  RHSA-2014:1194
    MD5: 4f4e11ace6ef2ac653bc7c498c16507d
SHA-256: 25cb7a7d2360719b6c4fb40a0924b18eac19b02e4f750a81c56efccfa1975d3b
File outdated by:  RHSA-2014:1194
    MD5: fddce92cd0d6d083fdf1faf82aadae84
SHA-256: 5be7a5d6fa137ba6ba69b4fb216138564d60f2fa225f0ee0f775eae913b65a50
File outdated by:  RHSA-2014:1194
    MD5: e3f01fe632a59ae05ccb1bf7ba67e2ba
SHA-256: b433abc93bb6b431d8ea89df97b176a375e7d9fd689e06015687ea074ea84073
File outdated by:  RHSA-2014:1194
    MD5: 6c4d34f1881ab00a3fc8fc15fb80cf10
SHA-256: 48a01135b1d58f3bc79535869085fa1fd28034217b5454320f6d6c5aea49184c
File outdated by:  RHSA-2014:1194
    MD5: 6f0f59ec6224f935a02863c8cec8d9df
SHA-256: 7988f136e1c9001af6fa54cca67000c90822ff399f61526d90db9c117b6ff9ed
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

577019 - CVE-2010-1104 zope: XSS on error page
711494 - CVE-2011-1948 plone: A reflected cross site scripting vulnerability
723188 - Luci does not allow to modify __max_restarts and __restart_expire_time for independent subtrees, only for non-critical resources.
755935 - luci_admin man page is misleading
755941 - luci_admin restore is not consistent


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at