Description
ELSA-2025-20962: pcs security update (IMPORTANT)
[0.11.10-1.el9_7.1]
- Fixed CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 by updating bundled rubygem rack
  Resolves: RHEL-120945, RHEL-121035, RHEL-123630, RHEL-123642, RHEL-124938
[0.11.10-1]
- Rebased pcs to the latest sources (see CHANGELOG.md)
  Resolves: RHEL-77194, RHEL-92044
- Updated pcs-web-ui to 0.1.23 (see CHANGELOG_WUI.md)
  Resolves: RHEL-76309, RHEL-99805
- There is now a changelog for the pcsd web UI
  Resolves: RHEL-86233
- Fixed directory permissions for RHEL Image Mode
  Resolves: RHEL-97220
- Updated bundled rubygem rack
[0.11.9-3]
- Rebased pcs to the latest sources (see CHANGELOG.md)
  Resolves: RHEL-35420, RHEL-76055, RHEL-76059, RHEL-76060, RHEL-76153, RHEL-76154, RHEL-76170, RHEL-76177, RHEL-82894
- Rebased pcs-web-ui to the latest sources
  Resolves: RHEL-76310, RHEL-76311, RHEL-76312, RHEL-79317, RHEL-85196, RHEL-85197, RHEL-85745
- The upstream version of pcs-web-ui can now be queried through RPM - see bundled(pcs-web-ui)
  Resolves: RHEL-86229
- Updated bundled rubygems: backports, childprocess, ffi, puma, rack, rack-protection, rack-session, rack-test, sinatra, tilt
  Resolves: RHEL-90151
- Bundled rubygem logger
Updated packages
Oracle Linux 9
Oracle Linux aarch64
pcs 0.11.10-1.el9_7.1
pcs-snmp 0.11.10-1.el9_7.1
Oracle Linux x86_64
pcs 0.11.10-1.el9_7.1
pcs-snmp 0.11.10-1.el9_7.1
Source references
Related vulnerabilities
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.
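The delimiter mismatch described above, shown as a constructed Ruby illustration added here (it is not Rack's own code; the tiny PARAMS_LIMIT and the parse_query_flawed / parse_query_fixed names are assumptions): the flawed check derives the count from '&' alone while the split honours both '&' and ';', and the fixed check applies the limit to the pairs the split actually produced.

```ruby
# Constructed illustration of the params_limit delimiter mismatch; not Rack's
# own implementation, only the shape of the check that went wrong.
PARAMS_LIMIT = 4  # deliberately tiny so the difference is easy to see

class ParamsLimitExceeded < StandardError; end

# Turn "k=v" pairs into a hash, ignoring empty fragments from stray separators.
def pairs_to_hash(pairs)
  pairs.reject(&:empty?).each_with_object({}) do |pair, h|
    key, value = pair.split('=', 2)
    h[key] = value
  end
end

# Flawed shape: the limit is computed from '&' only, but the query is then
# split on both '&' and ';', so ';'-separated input is never counted.
def parse_query_flawed(qs, limit = PARAMS_LIMIT)
  raise ParamsLimitExceeded if qs.count('&') + 1 > limit
  pairs_to_hash(qs.split(/[&;]/))
end

# Hardened shape: enforce the limit on the pairs the split actually yields,
# so it holds regardless of which delimiter the client used.
def parse_query_fixed(qs, limit = PARAMS_LIMIT)
  pairs = qs.split(/[&;]/)
  raise ParamsLimitExceeded if pairs.length > limit
  pairs_to_hash(pairs)
end

# Number of parameters a given parser accepts for a query string,
# or nil when the limit check rejected the request.
def accepted_count(parser, qs)
  send(parser, qs).size
rescue ParamsLimitExceeded
  nil
end

if $PROGRAM_NAME == __FILE__
  semicolon_query = 'a=1;b=2;c=3;d=4;e=5'  # constructed sample input
  puts "flawed: #{accepted_count(:parse_query_flawed, semicolon_query).inspect}"
  puts "fixed:  #{accepted_count(:parse_query_fixed, semicolon_query).inspect}"
end
```

With the sample query the flawed parser accepts all five parameters although the limit is four, while the fixed parser rejects the request.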