3.8. conga

Updated conga packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.

Security Fixes

CVE-2014-3521
It was discovered that various components in the luci site extensions-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could elevate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.
CVE-2013-6496
Multiple information leak flaws were found in the way conga processed luci site extensions-related URL requests. A remote, unauthenticated attacker could issue a specially-crafted HTTP request that, when processed, would lead to unauthorized information disclosure.
CVE-2012-5500
It was discovered that Plone, included as part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks.
CVE-2012-5499
It was discovered that Plone, included as part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially-crafted URL that, when processed, would lead to excessive memory consumption.
CVE-2012-5498
It was discovered that Plone, included as part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially-crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption.
CVE-2012-5497
It was discovered that Plone, included as part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially-crafted URL that, when processed, could allow the attacker to enumerate user account names.
CVE-2012-5485
It was discovered that Plone, included as part of luci, did not properly protect the administrator interface (control panel) which could allow a remote attacker to inject a specially-crafted Python statement or script into Plone's restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that admin user.
CVE-2012-5486
It was discovered that Plone, included as part of luci, did not properly sanitize HTTP header values derived from certain URL requests. A remote attacker could use a specially-crafted URL that, when processed, would cause attacker-controlled HTTP headers to be returned as part of Plone's HTTP response (HTTP response splitting), which could be abused for follow-on attacks against clients and caches.
CVE-2012-5488
It was discovered that Plone, included as part of luci, improperly protected the privilege of running RestrictedPython scripts. A remote attacker could use a specially-crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.
The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.
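The header-injection class described under CVE-2012-5486 is easiest to see with a small vulnerable/hardened pair. The following is an added illustration, not code from conga, luci, Plone or Zope: the function names, the redirect handler and the malicious request value are all constructed for the example. It builds an HTTP response head from a caller-supplied value, parses the result back, and shows that a value containing CR/LF smuggles in an extra `Set-Cookie` header unless the value is scrubbed first.

```python
# Added example (not conga/luci or Plone/Zope code) of HTTP header injection
# and the check that blocks it. All names and sample values are constructed.
from typing import Dict, List


def build_response_unsafe(redirect_target: str) -> bytes:
    """Vulnerable pattern: a request-derived value is copied straight into
    a header line, so CR/LF inside it terminates the header early."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {redirect_target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def scrub_header_value(value: str) -> str:
    """Hardened check: refuse any header value carrying CR or LF. Rejecting
    (rather than silently stripping) makes tampering visible in logs."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not permitted in HTTP header value")
    return value


def build_response_safe(redirect_target: str) -> bytes:
    """Same response, but every request-derived value goes through the scrub."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {scrub_header_value(redirect_target)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Minimal response-head parser used to show what a client would see:
    split at the first blank line, then collect header values by name."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:          # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# Constructed attacker-controlled value: the CRLF ends the Location header
# and the remainder is read by the client as a second, injected header.
INJECTED = "/home\r\nSet-Cookie: sid=attacker; Path=/"


def demo():
    """Returns (headers seen by the client from the unsafe builder,
    whether the hardened builder rejected the same input)."""
    seen_unsafe = parse_headers(build_response_unsafe(INJECTED))
    try:
        build_response_safe(INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return seen_unsafe, rejected


if __name__ == "__main__":
    unsafe, rejected = demo()
    print("unsafe builder leaked:", unsafe.get("set-cookie"))
    print("safe builder rejected input:", rejected)
```

The same scrub belongs on every header whose value can be influenced by the request (Location, Content-Disposition, custom headers), and the check is cheap enough to apply unconditionally rather than only on paths known to echo user input.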

Bug Fixes

BZ#970288
Due to a bug in the underlying source code that checks the return value when stopping the luci service, luci was reported as stopped even if it was not. This bug has been fixed and the return value is correctly checked, so that luci works properly in the described scenario.
BZ#106526
The startup_wait parameter has been added to the PostgreSQL 8 resource agent. For more information, see RHBA-2014:17291. With this update, luci has been modified to reflect this change so that the parameter can be configured through its interface.
BZ#1072075
Previously, the luci service did not correctly parse the distribution release string reported by the remote ricci agent: a minor version with two or more digits was truncated to its first digit, so a Red Hat Enterprise Linux 5.10 system was treated as version 5.1. Because luci gates configuration options on the detected version, this caused several regressions in the options offered for Red Hat Enterprise Linux 5.10 and later. This bug has been fixed with this update, and luci now parses multi-digit minor versions correctly, so these regressions no longer occur.
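The BZ#1072075 failure mode (a two-digit minor version read as its first digit) is a common version-parsing mistake, so here is an added example showing the buggy pattern next to a correct one. This is not luci's code: the regular expressions, the sample release strings and the feature gate are constructed for the illustration, and the example also shows why versions should be compared as integer tuples rather than as strings.

```python
# Added example (not luci/conga code) of the release-string parsing bug class
# from BZ#1072075 and its fix. Sample strings and the feature gate are constructed.
import re
from typing import Tuple

# Constructed sample release strings in the format /etc/redhat-release uses.
SAMPLE_RELEASE_STRINGS = [
    "Red Hat Enterprise Linux Server release 5.9 (Tikanga)",
    "Red Hat Enterprise Linux Server release 5.10 (Tikanga)",
    "Red Hat Enterprise Linux Server release 5.11 (Tikanga)",
]


def parse_release_buggy(release: str) -> Tuple[int, int]:
    """Reproduces the bug class: the minor-version pattern matches a single
    digit, so "5.10" and "5.11" both come back as (5, 1)."""
    m = re.search(r"release (\d+)\.(\d)", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def parse_release_fixed(release: str) -> Tuple[int, int]:
    """Correct parse: consume the whole run of digits for each component."""
    m = re.search(r"release (\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


# Constructed gate: pretend a configuration option exists only from 5.10 on.
MIN_VERSION_FOR_OPTION = (5, 10)


def option_available(version: Tuple[int, int]) -> bool:
    """Tuple comparison gives numeric ordering, so (5, 10) > (5, 9).
    Comparing the raw strings would get this wrong ("5.10" < "5.9")."""
    return version >= MIN_VERSION_FOR_OPTION


def availability_by_parser(parser) -> dict:
    """Maps each sample release string to the gate's decision under a parser."""
    return {s: option_available(parser(s)) for s in SAMPLE_RELEASE_STRINGS}


if __name__ == "__main__":
    for s in SAMPLE_RELEASE_STRINGS:
        print(s.split("release ")[1].split(" ")[0],
              "buggy ->", parse_release_buggy(s),
              "fixed ->", parse_release_fixed(s))
```

With the buggy parser every 5.1x system fails the gate and loses the option; with the fixed parser only 5.9 is excluded, which is the intended behaviour.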
BZ#1076711
Previously, ricci modules shipped directly with the ricci package mishandled requests whose size in bytes was an exact multiple of 4096, the size of the read buffer in bytes. Consequently, these modules incorrectly evaluated such requests as errors. This bug has been fixed and the modules now process all requests as expected. See also RHBA-2014:17436 for information about a remaining ricci module shipped with the modcluster package.
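Requests that are an exact multiple of the read-buffer size trip a classic read-loop mistake: the loop uses a short read as its end-of-request signal, so a payload that fills the buffer exactly is followed by a zero-length read that the loop then reports as an error. The following is an added illustration of that bug class and its fix, not ricci's code: the fake peer, the constructed payloads and the assumption that the sender finishes by closing its side of the connection are all part of the example.

```python
# Added example (not ricci/conga code) of the read-loop bug class behind
# BZ#1076711: requests sized to an exact multiple of the buffer are rejected.
# The peer, payload sizes and end-of-request convention are constructed.
import io

BUF_SIZE = 4096  # same read-buffer size the advisory mentions


class FakePeer:
    """Stand-in for a socket: recv(n) returns up to n bytes and b'' once the
    sender has written everything and shut down its writing side."""

    def __init__(self, payload: bytes) -> None:
        self._buf = io.BytesIO(payload)

    def recv(self, n: int) -> bytes:
        return self._buf.read(n)


def read_request_buggy(peer: FakePeer) -> bytes:
    """Bug class: a short read ends the request, and an empty read is always
    an error. A request of exactly k*BUF_SIZE bytes never produces a short
    read, so the next recv() returns b'' and the request is rejected."""
    data = b""
    while True:
        chunk = peer.recv(BUF_SIZE)
        if not chunk:
            raise ConnectionError("unexpected end of data")
        data += chunk
        if len(chunk) < BUF_SIZE:
            return data


def read_request_fixed(peer: FakePeer) -> bytes:
    """Fix: read until the peer signals end-of-data; a short read is not a
    terminator (it can happen at any time on a real socket), and an empty
    read is only an error if nothing at all was received."""
    chunks = []
    while True:
        chunk = peer.recv(BUF_SIZE)
        if not chunk:
            break
        chunks.append(chunk)
    data = b"".join(chunks)
    if not data:
        raise ConnectionError("no data received")
    return data


def accepts(reader, size: int) -> bool:
    """True if `reader` returns a `size`-byte constructed request intact."""
    payload = bytes([0x41]) * size
    try:
        return reader(FakePeer(payload)) == payload
    except ConnectionError:
        return False


if __name__ == "__main__":
    for size in (1, BUF_SIZE - 1, BUF_SIZE, 2 * BUF_SIZE, 2 * BUF_SIZE + 1):
        print(f"{size:6d} bytes: buggy={accepts(read_request_buggy, size)} "
              f"fixed={accepts(read_request_fixed, size)}")
```

For a daemon such as ricci, which accepts requests from the network, explicit framing (a length prefix or a well-defined delimiter) is the more robust end-of-request signal than either a short read or EOF, since a short read can occur at any chunk boundary on a real socket.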
All conga users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the luci and ricci services will be restarted automatically.