CentOS Errata and Security Advisory CESA-2016:2596
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.
The following packages have been upgraded to a newer upstream version: pcs (0.9.152). (BZ#1299847)
A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. (CVE-2016-0720)
It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. (CVE-2016-0721)
These issues were discovered by Martin Prpic (Red Hat Product Security).
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003644.html
Affected packages: pcs
Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-2596.html