Описание
ELSA-2025-8319: pcs security update (IMPORTANT)
[0.12.0-3.el10_0.2]
- Rebased pcs to the latest sources (see CHANGELOG.md) Resolves: RHEL-7681, RHEL-21050, RHEL-22423, RHEL-35407, RHEL-44347, RHEL-63186, RHEL-66607, RHEL-76176, RHEL-81938
- Rebased HA Cluster Management add-on to the latest sources Resolves: RHEL-30686, RHEL-30695, RHEL-30698, RHEL-79314, RHEL-84143, RHEL-85195
- The upstream version of HA Cluster Management add-on can now be queried through RPM - see bundled(pcs-web-ui) Resolves: RHEL-86227
- Updated bundled rubygems: backports, childprocess, ffi, puma, rack, rack-protection, rack-session, rack-test, sinatra, tilt
- Updated bundled Python dependency dacite
Обновленные пакеты
Oracle Linux 10
Oracle Linux aarch64
cockpit-ha-cluster
0.12.0-3.el10_0.2
pcs
0.12.0-3.el10_0.2
pcs-snmp
0.12.0-3.el10_0.2
Oracle Linux x86_64
cockpit-ha-cluster
0.12.0-3.el10_0.2
pcs
0.12.0-3.el10_0.2
pcs-snmp
0.12.0-3.el10_0.2
Связанные CVE
Связанные уязвимости
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix...
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix...
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix th
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, ...
Rack has an Unbounded-Parameter DoS in Rack::QueryParser