LANDESK Security and Patch News
- (25 February 2016) LANDESK has provided an update for the Cloud Service Appliance version 4.3 - CSA patch 175 This patch addresses the following issues.
Patch 176 characteristics:
- Unlike previous patches, #176 reboots the CSA machine after applying the updates. This has become necessary in order to replace some locked libraries.
- For security reasons, the "Software package upload" capability has been removed. It will no longer appear as a choice on the CSA main menu page.
- To reduce the chance of a successful scripted attack on the CSA user interface, #176 introduces a combination of session and request tokens. This may occasionally cause a UI action to be rejected, especially if the browser session is left idling for an extended period of time. The CSA will then issue a timeout error message. That page also contains a link that takes to user back to the main page. Under some conditions, the user may also be asked to re-authenticate with the CSA.
Patch 176 contains the following fixes:
- 287669: The CSA no longer allows arbitrary files to be imported as backup files (System->Backup/restore). The backup file to be imported must have been previously generated with the CSA backup function and must have a tarball extension. Also disable the Software Packages Upload function as it opens up a similar vulnerability window.
- 287671,287673: Strengthen input validation and transformation on a number input fields in the CSA user interface to prevent cross-scripting attacks.
- 287674: Use a combination of session cookies and request tokens to make it harder to attack the CSA user interface via scripts (Cross-Site Request Forgery).
- 289207: The CSA now properly populates the Organizational Unit (OU) attribute of a certificate signing request (CSR)
- Update the glibc runtime library to deal with the buffer overflow vulnerability reported in CVE-2015-7547.
Each new CSA patch release will be a cumulative release of new and previous updates. There is no longer for prerequisite patch installs.
- Vulnerability ID – GSB431_176
- Vulnerability ID – N/A
New Patch Downloads
Where to Send Feedback
LANDESK Product Support
Copyright © 2016 LANDESK Software. All rights reserved. LANDESK is either a registered trademark or trademark of LANDESK Software, Ltd. or its affiliated entities in the United States and/or other countries. Other names or brands may be claimed as the property of others.
Information in this document is provided for information purposes only. The information presented here is subject to change without notice. This information is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including any implied warranties and conditions of merchantability or fitness for a particular purpose. LANDESK disclaims any liability with respect to this document and LANDESK has no responsibility or liability for any third party products of any content contained on any site referenced herein. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. For the most current product information, please visit http://www.LANDESK.com