[ClusterLabs] PCS security vulnerability

Ondrej Mular omular at redhat.com
Wed Jun 12 09:56:21 UTC 2024


Hello Sathish,

The CVEs you mentioned (CVE-2024-25126, CVE-2024-26141,
CVE-2024-26146) were filed against the rack rubygem and not PCS
itself. Therefore, the PCS upstream project is not directly impacted
by these CVEs and doesn't require a change.

However, PCS does rely on and uses the rack rubygem at runtime. So, if
you're using PCS from the upstream source, it's important to ensure
you have up-to-date rubygems installed to avoid using vulnerable
versions of rack.

The advisory you linked (RHSA-2024:3431) addresses these CVEs in the
PCS package for RHEL 8.6. This is because the PCS package shipped with
RHEL includes some bundled rubygems, including rack. Upgrading the
rack rubygem and rebuilding the PCS package were necessary to resolve
the CVEs in that specific scenario.

Regards,
Ondrej

On Tue, 11 Jun 2024 at 15:18, S Sathish S <s.s.sathish at ericsson.com> wrote:
>
> Hi Tomas/Team,
>
> In our application we are using the pcs-0.10.16 version, and that module has vulnerabilities (CVE-2024-25126, CVE-2024-26141, CVE-2024-26146) reported and fixed in the RHSA errata below. Can you check and provide a fix on the latest PCS 0.10.x version upstream also?
>
> https://access.redhat.com/errata/RHSA-2024:3431
>
> Thanks and Regards,
> S Sathish S
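The advice in Ondrej's reply is to make sure a PCS deployment built from upstream source is not loading a vulnerable rack gem. The script below is an added example, not code from this thread or from the pcs project: it compares rack versions found by RubyGems against the first fixed releases. The fixed-version thresholds (2.2.8.1 for the 2.x series, 3.0.9.1 for the 3.0.x series) are taken from the upstream rack advisories for the three CVEs, not from the thread, so confirm them against those advisories before relying on the result. The constructed gem specifications in the stand-alone run are sample input only.

```ruby
# Added example (not from the ClusterLabs thread or the pcs project).
# Reports whether any rack gem visible to RubyGems predates the fixes for
# CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146.
require "rubygems"

# Assumption: first fixed releases per the upstream rack advisories, not from the thread.
RACK_FIXED_2X = Gem::Version.new("2.2.8.1")
RACK_FIXED_3X = Gem::Version.new("3.0.9.1")

# True when a rack version string is older than the fixed release for its series.
# Anything below 2.2.8.1 (including 1.x and 2.0/2.1) is treated as vulnerable;
# 3.0.x is vulnerable below 3.0.9.1; 2.2.8.1+ and 3.0.9.1+ carry the fix.
def rack_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < RACK_FIXED_2X
  return true if v >= Gem::Version.new("3") && v < RACK_FIXED_3X
  false
end

# Builds a report { "version" => :vulnerable | :fixed } from gem specifications.
# Defaults to every rack spec RubyGems can see on GEM_PATH; pass your own list
# (for example specs loaded from a bundled-gem directory) to check another tree.
def report_rack_versions(specs = Gem::Specification.select { |s| s.name == "rack" })
  specs.each_with_object({}) do |spec, report|
    ver = spec.version.to_s
    report[ver] = rack_vulnerable?(ver) ? :vulnerable : :fixed
  end
end

# Convenience check: does the report contain any vulnerable version?
def any_rack_vulnerable?(report)
  report.values.include?(:vulnerable)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample specs (not a real installation) to show the output shape.
  sample = [Gem::Specification.new("rack", "2.2.8"),
            Gem::Specification.new("rack", "2.2.8.1"),
            Gem::Specification.new("rack", "3.0.8"),
            Gem::Specification.new("rack", "3.0.9.1")]
  puts "sample: #{report_rack_versions(sample)}"
  # Real result for this Ruby's GEM_PATH; empty if rack is not installed here.
  live = report_rack_versions
  puts "installed: #{live.empty? ? 'no rack gem found' : live}"
  puts "ACTION: update rack" if any_rack_vulnerable?(live)
end
```

Run it with the same Ruby interpreter and GEM_PATH that PCS's daemon uses; the pcsd process, not the shell user, is what must not load the old gem. `gem list rack` gives the same version list without the comparison.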