Two flaws were reported in Cherokee.
The first (CVE-2011-2191) is that the Cherokee server admin configuration web interface is vulnerable to CSRF. If an admin is logged into the Cherokee admin interface and visits a site which runs a malicious script, Cherokee can be reconfigured to execute arbitrary commands. It is also possible to use the CSRF to produce a persistent XSS.
The second (CVE-2011-2090) is that Cherokee seeds srand with a combination of the time and the PID of the admin process, after which rand() is called to generate a random password -- this is unsafe and allows for fairly easy local password guessing by a local user.
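The second issue above is a general pattern, not something specific to Cherokee: a password derived from libc's rand() after srand(time, pid) is fully determined by two low-entropy values that any local user can observe or enumerate. The following C program is an added illustration written for this thread, not Cherokee's own code. It reconstructs the weak pattern (the exact way Cherokee mixed time and PID into the seed is not shown in the report, so the XOR here is an assumption, as are the 12-character length and the alphanumeric alphabet), places a /dev/urandom-backed generator beside it, and provides a helper that sizes the seed space a local observer would have to cover, which is the number that makes "fairly easy local password guessing" concrete.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

#define PASSWORD_LEN 12
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_SIZE (sizeof(ALPHABET) - 1)

/* Weak pattern (reconstruction of the flaw described in the report, not
 * Cherokee's own code): libc's rand() is seeded from the current time and the
 * PID of the admin process. The XOR mixing is an assumption; what matters is
 * that both inputs are low-entropy and observable on the same host. */
void weak_password(char *out, size_t len, time_t now, pid_t pid)
{
    srand((unsigned)now ^ (unsigned)pid);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[rand() % ALPHABET_SIZE];
    out[len] = '\0';
}

/* Hardened version: draw bytes from the kernel CSPRNG through /dev/urandom
 * and use rejection sampling so every alphabet character is equally likely
 * (a plain "byte % 62" would bias the first 8 characters of the alphabet).
 * Returns 0 on success, -1 if the device cannot be opened or read. */
int strong_password(char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    /* Largest multiple of ALPHABET_SIZE that fits in a byte (248); reject above it. */
    const unsigned limit = 256 - (256 % ALPHABET_SIZE);
    size_t i = 0;
    while (i < len) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c >= limit)
            continue;                       /* would bias the modulo; draw again */
        out[i++] = ALPHABET[(unsigned)c % ALPHABET_SIZE];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

/* Size of the seed space a local observer would have to cover: seconds of
 * uncertainty about the start time times the number of possible PIDs. */
unsigned long weak_seed_space(unsigned long time_window_s, unsigned long pid_max)
{
    return time_window_s * pid_max;
}

/* Check: identical (time, pid) inputs reproduce the identical password,
 * i.e. the "random" password is a pure function of two guessable values. */
int weak_is_deterministic(void)
{
    char a[PASSWORD_LEN + 1], b[PASSWORD_LEN + 1];
    time_t t = 1308000000;   /* constructed timestamp */
    pid_t p = 4242;          /* constructed PID */
    weak_password(a, PASSWORD_LEN, t, p);
    weak_password(b, PASSWORD_LEN, t, p);
    return strcmp(a, b) == 0;
}

/* Check: two CSPRNG-backed passwords are well-formed and do not repeat. */
int strong_is_unpredictable(void)
{
    char a[PASSWORD_LEN + 1], b[PASSWORD_LEN + 1];
    if (strong_password(a, PASSWORD_LEN) != 0) return 0;
    if (strong_password(b, PASSWORD_LEN) != 0) return 0;
    if (strlen(a) != PASSWORD_LEN || strlen(b) != PASSWORD_LEN) return 0;
    return strcmp(a, b) != 0;
}

int main(void)
{
    char pw[PASSWORD_LEN + 1];
    weak_password(pw, PASSWORD_LEN, time(NULL), getpid());
    printf("weak (time^pid seeded): %s\n", pw);
    if (strong_password(pw, PASSWORD_LEN) == 0)
        printf("strong (/dev/urandom):  %s\n", pw);
    printf("weak seed space, 1-minute window, pid_max 32768: %lu\n",
           weak_seed_space(60, 32768));
    return 0;
}
```

The point of weak_seed_space is that with a default pid_max of 32768 and a start time known to within a minute, the whole seed space is under two million values, which is a trivial amount of work compared with the 62^12 passwords the output format appears to offer. The fix in the updated packages is the same in spirit as strong_password: take the password bytes from the kernel's CSPRNG rather than from a seedable generator.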
Created cherokee tracking bugs for this issue
Affects: fedora-all [bug 713306]
Affects: epel-all [bug 713307]
Partial duplicate to 710471 (CVE-2011-2190)
Ahh, didn't see we had a bug for that already. Thanks!
This issue has been resolved via the following updates:
1) cherokee-1.2.101-1.fc15 for Fedora 15,
2) cherokee-1.2.101-1.fc14 for Fedora 14,
3) cherokee-1.2.101-1.el6 for Fedora EPEL 6,
4) cherokee-1.2.101-1.el5 for Fedora EPEL 5,
5) cherokee-1.2.101-1.el4 for Fedora EPEL 4.
These updated packages have been pushed to the -testing repository, and once their required testing is complete, they will be pushed to the -stable repository.
This bug consists of two separate issues. AFAICT, the second one has been dealt with, but the first one is still open.
I am not really familiar with RedHat's workflow, but at least I have been unable to find anything fixing the CSRF bug, short of this mail sent by the upstream author, stating he has not found a way to solve it: