CVE-2023-2319

It was discovered that the update for the pcs package in the RHBA-2023:2151 erratum, released as part of Red Hat Enterprise Linux 9.2, failed to include the fix for the webpack issue CVE-2023-28154 in pcs, which had previously been addressed in Red Hat Enterprise Linux 9.1 via erratum RHSA-2023:1591. CVE-2023-2319 was assigned to this Red Hat-specific security regression in Red Hat Enterprise Linux 9.2.

Synopsis

Important: pcs security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for pcs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

  • pcs: webpack: Regression of the CVE-2023-28154 fix in Red Hat Enterprise Linux (CVE-2023-2319)
  • rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)
  • rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Command ‘pcs config checkpoint diff’ does not show configuration differences between checkpoints (BZ#2180697)
  • Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources (BZ#2180704)
  • [WebUI] fence levels prevent loading of cluster status (BZ#2183180)

Affected Products

  • Red Hat Enterprise Linux High Availability for x86_64 9 x86_64
  • Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support 9.2 x86_64
  • Red Hat Enterprise Linux Resilient Storage for x86_64 9 x86_64
  • Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support 9.2 x86_64
  • Red Hat Enterprise Linux Resilient Storage for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux High Availability for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux Resilient Storage for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux Resilient Storage for IBM Power LE - Extended Update Support 9.2 ppc64le
  • Red Hat Enterprise Linux High Availability for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux High Availability (for IBM Power LE) - Extended Update Support 9.2 ppc64le
  • Red Hat Enterprise Linux High Availability for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux High Availability for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux High Availability for ARM 64 9 aarch64
  • Red Hat Enterprise Linux High Availability (for IBM z Systems) - Extended Update Support 9.2 s390x
  • Red Hat Enterprise Linux High Availability (for ARM 64) - Extended Update Support 9.2 aarch64
  • Red Hat Enterprise Linux Resilient Storage for IBM z Systems - Extended Update Support 9.2 s390x
  • Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 9.2 s390x
  • Red Hat Enterprise Linux Resilient Storage for x86_64 - 4 years of updates 9.2 x86_64
  • Red Hat Enterprise Linux Resilient Storage for Power LE - 4 years of updates 9.2 ppc64le
  • Red Hat Enterprise Linux Resilient Storage for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing
  • BZ - 2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing
  • BZ - 2180697 - Command ‘pcs config checkpoint diff’ does not show configuration differences between checkpoints [rhel-9.2.0.z]
  • BZ - 2180704 - Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources [rhel-9.2.0.z]
  • BZ - 2183180 - [WebUI] fence levels prevent loading of cluster status [rhel-9.2.0.z]

Red Hat Enterprise Linux High Availability for x86_64 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

x86_64

pcs-0.11.4-7.el9_2.x86_64.rpm

SHA-256: dd912651e784794640c19cda2f0e63fb87297ed4bf12e10742c162054afa46d5

pcs-snmp-0.11.4-7.el9_2.x86_64.rpm

SHA-256: fe989a6295b88a58b4ea349b2d583065f174e752e76daedcbd8e7bb82772b38e

Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

x86_64

pcs-0.11.4-7.el9_2.x86_64.rpm

SHA-256: dd912651e784794640c19cda2f0e63fb87297ed4bf12e10742c162054afa46d5

pcs-snmp-0.11.4-7.el9_2.x86_64.rpm

SHA-256: fe989a6295b88a58b4ea349b2d583065f174e752e76daedcbd8e7bb82772b38e

Red Hat Enterprise Linux Resilient Storage for x86_64 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

x86_64

pcs-0.11.4-7.el9_2.x86_64.rpm

SHA-256: dd912651e784794640c19cda2f0e63fb87297ed4bf12e10742c162054afa46d5

pcs-snmp-0.11.4-7.el9_2.x86_64.rpm

SHA-256: fe989a6295b88a58b4ea349b2d583065f174e752e76daedcbd8e7bb82772b38e

Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

x86_64

pcs-0.11.4-7.el9_2.x86_64.rpm

SHA-256: dd912651e784794640c19cda2f0e63fb87297ed4bf12e10742c162054afa46d5

pcs-snmp-0.11.4-7.el9_2.x86_64.rpm

SHA-256: fe989a6295b88a58b4ea349b2d583065f174e752e76daedcbd8e7bb82772b38e

Red Hat Enterprise Linux Resilient Storage for IBM z Systems 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

s390x

pcs-0.11.4-7.el9_2.s390x.rpm

SHA-256: 9f22470176e419c5fa841c9b9df10e9be05d9abb75663ef30232eb482898d5a1

pcs-snmp-0.11.4-7.el9_2.s390x.rpm

SHA-256: 78d2ebc2f3606539c70078419ef552896204a9e01aef8e167a41ad1f8a130aa8

Red Hat Enterprise Linux High Availability for IBM z Systems 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

s390x

pcs-0.11.4-7.el9_2.s390x.rpm

SHA-256: 9f22470176e419c5fa841c9b9df10e9be05d9abb75663ef30232eb482898d5a1

pcs-snmp-0.11.4-7.el9_2.s390x.rpm

SHA-256: 78d2ebc2f3606539c70078419ef552896204a9e01aef8e167a41ad1f8a130aa8

Red Hat Enterprise Linux Resilient Storage for Power, little endian 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

ppc64le

pcs-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 3fcbeb1b21d66242b46bb303500ddca90503d47608877b972a1df3e9cfa4a1eb

pcs-snmp-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 7ced1e414813033219a9b3958df428bb2cda26a8e0cf5085eb2bae59086bc023

Red Hat Enterprise Linux Resilient Storage for IBM Power LE - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

ppc64le

pcs-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 3fcbeb1b21d66242b46bb303500ddca90503d47608877b972a1df3e9cfa4a1eb

pcs-snmp-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 7ced1e414813033219a9b3958df428bb2cda26a8e0cf5085eb2bae59086bc023

Red Hat Enterprise Linux High Availability for Power, little endian 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

ppc64le

pcs-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 3fcbeb1b21d66242b46bb303500ddca90503d47608877b972a1df3e9cfa4a1eb

pcs-snmp-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 7ced1e414813033219a9b3958df428bb2cda26a8e0cf5085eb2bae59086bc023

Red Hat Enterprise Linux High Availability (for IBM Power LE) - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

ppc64le

pcs-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 3fcbeb1b21d66242b46bb303500ddca90503d47608877b972a1df3e9cfa4a1eb

pcs-snmp-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 7ced1e414813033219a9b3958df428bb2cda26a8e0cf5085eb2bae59086bc023

Red Hat Enterprise Linux High Availability for Power LE - Update Services for SAP Solutions 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

ppc64le

pcs-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 3fcbeb1b21d66242b46bb303500ddca90503d47608877b972a1df3e9cfa4a1eb

pcs-snmp-0.11.4-7.el9_2.ppc64le.rpm

SHA-256: 7ced1e414813033219a9b3958df428bb2cda26a8e0cf5085eb2bae59086bc023

Red Hat Enterprise Linux High Availability for x86_64 - Update Services for SAP Solutions 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

x86_64

pcs-0.11.4-7.el9_2.x86_64.rpm

SHA-256: dd912651e784794640c19cda2f0e63fb87297ed4bf12e10742c162054afa46d5

pcs-snmp-0.11.4-7.el9_2.x86_64.rpm

SHA-256: fe989a6295b88a58b4ea349b2d583065f174e752e76daedcbd8e7bb82772b38e

Red Hat Enterprise Linux High Availability for ARM 64 9

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

aarch64

pcs-0.11.4-7.el9_2.aarch64.rpm

SHA-256: 92fb2116808f40a02cf51386aa5578614c8292deaec6114c8cf65ff8f51170b8

pcs-snmp-0.11.4-7.el9_2.aarch64.rpm

SHA-256: cb65116400e24f0849df23c212ca1247a1285b8f3c08495577e206d3d4d5ddd2

Red Hat Enterprise Linux High Availability (for IBM z Systems) - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

s390x

pcs-0.11.4-7.el9_2.s390x.rpm

SHA-256: 9f22470176e419c5fa841c9b9df10e9be05d9abb75663ef30232eb482898d5a1

pcs-snmp-0.11.4-7.el9_2.s390x.rpm

SHA-256: 78d2ebc2f3606539c70078419ef552896204a9e01aef8e167a41ad1f8a130aa8

Red Hat Enterprise Linux High Availability (for ARM 64) - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

aarch64

pcs-0.11.4-7.el9_2.aarch64.rpm

SHA-256: 92fb2116808f40a02cf51386aa5578614c8292deaec6114c8cf65ff8f51170b8

pcs-snmp-0.11.4-7.el9_2.aarch64.rpm

SHA-256: cb65116400e24f0849df23c212ca1247a1285b8f3c08495577e206d3d4d5ddd2

Red Hat Enterprise Linux Resilient Storage for IBM z Systems - Extended Update Support 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

s390x

pcs-0.11.4-7.el9_2.s390x.rpm

SHA-256: 9f22470176e419c5fa841c9b9df10e9be05d9abb75663ef30232eb482898d5a1

pcs-snmp-0.11.4-7.el9_2.s390x.rpm

SHA-256: 78d2ebc2f3606539c70078419ef552896204a9e01aef8e167a41ad1f8a130aa8

Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

aarch64

pcs-0.11.4-7.el9_2.aarch64.rpm

SHA-256: 92fb2116808f40a02cf51386aa5578614c8292deaec6114c8cf65ff8f51170b8

pcs-snmp-0.11.4-7.el9_2.aarch64.rpm

SHA-256: cb65116400e24f0849df23c212ca1247a1285b8f3c08495577e206d3d4d5ddd2

Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 9.2

SRPM

pcs-0.11.4-7.el9_2.src.rpm

SHA-256: 3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708

s390x

pcs-0.11.4-7.el9_2.s390x.rpm

SHA-256: 9f22470176e419c5fa841c9b9df10e9be05d9abb75663ef30232eb482898d5a1

pcs-snmp-0.11.4-7.el9_2.s390x.rpm

SHA-256: 78d2ebc2f3606539c70078419ef552896204a9e01aef8e167a41ad1f8a130aa8

Red Hat Enterprise Linux Resilient Storage for x86_64 - 4 years of updates 9.2

SRPM

x86_64

Red Hat Enterprise Linux Resilient Storage for Power LE - 4 years of updates 9.2

SRPM

ppc64le

Red Hat Enterprise Linux Resilient Storage for IBM z Systems - 4 years of updates 9.2

SRPM

s390x
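The two checks an administrator actually runs against an advisory like this one are "is the installed build at or above the fixed build?" and "does the RPM I downloaded match the published digest?". The following is an added example, not Red Hat tooling. The fixed build pcs-0.11.4-7.el9_2 and the SHA-256 digests are copied from the advisory text above; the rpm-style segment comparison (tilde handled, caret omitted), the sample `rpm -q` output and the byte strings are constructed for the example.

```python
"""Check installed pcs builds against this advisory and verify RPM digests.

Added example, not Red Hat tooling. FIXED_NVR and ADVISORY_SHA256 are taken
from the advisory above; everything else here is constructed.
"""
import hashlib
import hmac
import re

# Fixed build named in the advisory (from the page).
FIXED_NVR = "pcs-0.11.4-7.el9_2"

# SHA-256 digests the advisory lists for the source and x86_64 packages (from the page).
ADVISORY_SHA256 = {
    "pcs-0.11.4-7.el9_2.src.rpm": "3526d12631b027388b5211e9844a1d6814868c7bf3af8aaab3ca5716d86e9708",
    "pcs-0.11.4-7.el9_2.x86_64.rpm": "dd912651e784794640c19cda2f0e63fb87297ed4bf12e10742c162054afa46d5",
    "pcs-snmp-0.11.4-7.el9_2.x86_64.rpm": "fe989a6295b88a58b4ea349b2d583065f174e752e76daedcbd8e7bb82772b38e",
}

ARCHES = {"x86_64", "s390x", "ppc64le", "aarch64", "noarch", "src"}
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise compare in the style of rpm's rpmvercmp; returns -1, 0 or 1.

    Numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment is newer than an alphabetic one, extra trailing segments make a
    version newer, and '~' sorts before everything (so "1.0~rc1" < "1.0").
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            continue
        if ta is None or tb is None:
            break
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1
        if ta.isdigit():
            c = (int(ta) > int(tb)) - (int(ta) < int(tb))
        else:
            c = (ta > tb) - (ta < tb)
        if c:
            return c
        i += 1
    if ta is None and tb is None:
        return 0
    return 1 if tb is None else -1


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release[.arch][.rpm]' into (name, epoch, version, release)."""
    nvr = nvr.removesuffix(".rpm")
    head, _, tail = nvr.rpartition(".")
    if tail in ARCHES:
        nvr = head
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def is_fixed(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True if the installed epoch:version-release is at or above the fixed one.

    Only the EVR is compared: pcs-snmp is built from the same SRPM as pcs and
    carries the same version-release, as the package list above shows.
    """
    _, ei, vi, ri = parse_nvr(installed_nvr)
    _, ef, vf, rf = parse_nvr(fixed_nvr)
    if ei != ef:
        return ei > ef
    return (rpmvercmp(vi, vf) or rpmvercmp(ri, rf)) >= 0


def audit(rpm_q_output: str, fixed_nvr: str = FIXED_NVR) -> dict:
    """Map each line of `rpm -q pcs pcs-snmp` output to True (fixed) or False (not fixed)."""
    result = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):  # "package pcs is not installed"
            continue
        result[line] = is_fixed(line, fixed_nvr)
    return result


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_bytes(file_name: str, data: bytes, manifest: dict = ADVISORY_SHA256) -> bool:
    """True only if file_name is listed in the manifest and its digest matches exactly."""
    expected = manifest.get(file_name)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    # Constructed sample of `rpm -q pcs pcs-snmp` output; one package is still on an older build.
    sample = "pcs-0.11.4-6.el9.x86_64\npcs-snmp-0.11.4-7.el9_2.x86_64\n"
    for line, ok in audit(sample).items():
        print(f"{line}: {'fixed' if ok else 'not fixed, update to ' + FIXED_NVR}")
```

On a real host, feed `audit()` the output of `rpm -q pcs pcs-snmp` and pass the bytes of a downloaded RPM to `verify_bytes()` under its file name; a missing manifest entry is treated as a failure rather than a pass, and the digest comparison is constant-time so the check cannot be weakened into a prefix match.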

Related news

Ubuntu Security Notice USN-7036-1

Ubuntu Security Notice 7036-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.

Ubuntu Security Notice USN-6905-1

Ubuntu Security Notice 6905-1 - It was discovered that Rack incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

Ubuntu Security Notice USN-6837-1

Ubuntu Security Notice 6837-1 - It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service.

Ubuntu Security Notice USN-6689-1

Ubuntu Security Notice 6689-1 - It was discovered that Rack incorrectly parsed some headers. An attacker could possibly use this issue to cause a denial of service.

Debian Security Advisory 5530-1

Debian Linux Security Advisory 5530-1 - Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.

Red Hat Security Advisory 2023-3495-01

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

RHSA-2023:3495: Red Hat Security Advisory: Logging Subsystem 5.7.2 - Red Hat OpenShift security update

Logging Subsystem 5.7.2 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...

Red Hat Security Advisory 2023-3403-01

Red Hat Security Advisory 2023-3403-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

RHSA-2023:3403: Red Hat Security Advisory: pcs security and bug fix update

An update for pcs is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27530: A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected, resulting in a denial of ...

Red Hat Security Advisory 2023-3082-01

Red Hat Security Advisory 2023-3082-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

RHSA-2023:3082: Red Hat Security Advisory: pcs security and bug fix update

An update for pcs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27530: A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected, resulting in a denial of service. * CVE-2023-27539:...

RHSA-2023:2652: Red Hat Security Advisory: pcs security and bug fix update

An update for pcs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2319: It was discovered that an update for PCS package in RHBA-2023:2151 erratum released as part of Red Hat Enterprise Linux 9.2 failed to include the fix for the Webpack issue CVE-2023-28154 (for PCS package), which was previously addressed in Red Hat Enterprise Linux 9.1 via erratum RHSA-2023:1591. The CVE-2023-2319 was assigned to that Red Hat specific...

Red Hat Security Advisory 2023-1953-01

Red Hat Security Advisory 2023-1953-01 - Red Hat OpenShift Logging Subsystem 5.6.5 update. Issues addressed include cross site scripting and denial of service vulnerabilities.

RHSA-2023:1953: Red Hat Security Advisory: Logging Subsystem 5.6.5 - Red Hat OpenShift security update

Logging Subsystem 5.6.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpected amount of time, possibly resulting in a denial of service. * CVE-2023-28120: A Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrus...

Red Hat Security Advisory 2023-1981-01

Red Hat Security Advisory 2023-1981-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1961-01

Red Hat Security Advisory 2023-1961-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

RHSA-2023:1981: Red Hat Security Advisory: pcs security and bug fix update

An update for pcs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27530: A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected, resulting in a denial of ...

RHSA-2023:1961: Red Hat Security Advisory: pcs security and bug fix update

An update for pcs is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27530: A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected, resulting in a denial of ...

Red Hat Security Advisory 2023-1591-01

Red Hat Security Advisory 2023-1591-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

RHSA-2023:1591: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-28154: A flaw was found in the webpack package. Webpack could allow a remote attacker to bypass security restrictions caused by the mishandling of the magic comment feature by the ImportParserPlugin.js. An attacker can gain access to the real global object by sending a specially-crafted request.

GHSA-c6qg-cjj8-47qp: Possible Denial of Service Vulnerability in Rack’s header parsing

There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539. Versions affected: >= 2.0.0. Not affected: none. Fixed versions: 2.2.6.4, 3.0.6.1. Impact: carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds: setting Regexp.timeout in Ruby 3.2 is a possible workaround.

GHSA-hc6q-2mpp-qw7j: Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

CVE-2023-28154: Comparing v5.75.0...v5.76.0 · webpack/webpack

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

CVE-2023-27530: [CVE-2023-27530] Possible DoS Vulnerability in Multipart MIME parsing

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.

CVE-2023-27532: KB4424: CVE-2023-27532

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

GHSA-3h57-hmj3-gj3p: Rack has possible DoS Vulnerability in Multipart MIME parsing

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530. Versions affected: all. Not affected: none. Fixed versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3. Impact: the Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds: a proxy can be configured to limit the POST body size, which will mitigate this issue.