RHSA-2022:4661: Red Hat Security Advisory: pcs security update
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-29970: sinatra: path traversal possible outside of public_dir when serving static files
Synopsis
Important: pcs security update
Type/Severity
Security Advisory: Important
Topic
An update for pcs is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.
Security Fix(es):
- sinatra: path traversal possible outside of public_dir when serving static files (CVE-2022-29970)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux High Availability for x86_64 8 x86_64
- Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support 8.6 x86_64
- Red Hat Enterprise Linux Resilient Storage for x86_64 8 x86_64
- Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support 8.6 x86_64
- Red Hat Enterprise Linux Resilient Storage for IBM z Systems 8 s390x
- Red Hat Enterprise Linux High Availability for IBM z Systems 8 s390x
- Red Hat Enterprise Linux Resilient Storage for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux Resilient Storage for IBM Power LE - Extended Update Support 8.6 ppc64le
- Red Hat Enterprise Linux High Availability for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux High Availability (for IBM Power LE) - Extended Update Support 8.6 ppc64le
- Red Hat Enterprise Linux High Availability for Power LE - Update Services for SAP Solutions 8.6 ppc64le
- Red Hat Enterprise Linux High Availability for x86_64 - Update Services for SAP Solutions 8.6 x86_64
- Red Hat Enterprise Linux High Availability for ARM 64 8 aarch64
- Red Hat Enterprise Linux High Availability (for IBM z Systems) - Extended Update Support 8.6 s390x
- Red Hat Enterprise Linux High Availability (for ARM 64) - Extended Update Support 8.6 aarch64
- Red Hat Enterprise Linux Resilient Storage for IBM z Systems - Extended Update Support 8.6 s390x
- Red Hat Enterprise Linux High Availability for x86_64 - Telecommunications Update Service 8.6 x86_64
Fixes
- BZ - 2081096 - CVE-2022-29970 sinatra: path traversal possible outside of public_dir when serving static files
References
- https://access.redhat.com/security/updates/classification/#important
- https://bugzilla.redhat.com/show_bug.cgi?id=2081331
Updated Packages
The same builds are shipped for every affected product listed above; each architecture's packages and their SHA-256 checksums are given once.
SRPM
- pcs-0.10.12-6.el8_6.1.src.rpm (SHA-256: b580f25ecf6e3b8104b78b447dd1b7d0652cf72f9d8df314d8d4ccef3b6b6cba)
x86_64
- pcs-0.10.12-6.el8_6.1.x86_64.rpm (SHA-256: 4f67d2e6ec17425157766a75bfd9768b1cdd372b5a909010e8644224c4ac542f)
- pcs-snmp-0.10.12-6.el8_6.1.x86_64.rpm (SHA-256: a6ba7b5f2a43623de06bb16f6cf55a4167ccdcc03fb916d72675c274785ee6ca)
s390x
- pcs-0.10.12-6.el8_6.1.s390x.rpm (SHA-256: 5fb02446461595a42528eb2fcbd20a75abc91b73d49941f81b35d8290f4c8184)
- pcs-snmp-0.10.12-6.el8_6.1.s390x.rpm (SHA-256: 94b52875abe44349b226086ed8105d9266c0a7c577eea9c156875db11aae32d1)
ppc64le
- pcs-0.10.12-6.el8_6.1.ppc64le.rpm (SHA-256: d1da6d505c9e6ec0b1865b3c95527ec67f4ab50f5c9743acfe91388b021563b7)
- pcs-snmp-0.10.12-6.el8_6.1.ppc64le.rpm (SHA-256: 868d3bf01d6938dc8422c6af31e800f0a26469101231a8289fbb3694ac078926)
aarch64
- pcs-0.10.12-6.el8_6.1.aarch64.rpm (SHA-256: 9bc73283f2cc553f531a654beb2c389783d58f70b1f8a5d43fd1f80a8bacf3ab)
- pcs-snmp-0.10.12-6.el8_6.1.aarch64.rpm (SHA-256: a056515f4f095cc3cc81610a22d5a66e195cf6844d40a758251e553ab702b6a2)
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
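As an added illustration (not Sinatra's own code), this Ruby sketch contrasts the unvalidated path expansion the CVE describes with the containment check that was missing: after joining public_dir and the request path and expanding the result, a static file handler must confirm the result still lies under public_dir. The public_dir value and the sample requests are constructed.

```ruby
# Added illustration (not Sinatra's code) of the check CVE-2022-29970 says was
# missing: after joining public_dir with the request path and expanding it,
# the result must still lie inside public_dir before any file is served.
require 'uri'

# Pre-2.2.0 behaviour as the advisory describes it: the path is expanded and
# used without confirming it is still under public_dir.
def resolve_static_unchecked(public_dir, request_path)
  File.expand_path("#{public_dir}#{URI::DEFAULT_PARSER.unescape(request_path)}")
end

# Hardened resolution: returns the expanded path only when it is public_dir
# itself or a descendant of it; otherwise nil, meaning "not a static file".
def resolve_static_checked(public_dir, request_path)
  root = File.expand_path(public_dir)
  path = File.expand_path("#{root}#{URI::DEFAULT_PARSER.unescape(request_path)}")
  # The trailing separator matters: "/srv/app/public2/x" must not pass a
  # bare prefix check against "/srv/app/public".
  return nil unless path == root || path.start_with?("#{root}#{File::SEPARATOR}")
  path
end

def classify(public_dir, request_path)
  checked = resolve_static_checked(public_dir, request_path)
  checked ? "serve #{checked}" : "refuse #{request_path}"
end

# Constructed sample requests against an assumed (hypothetical) public_dir.
PUBLIC_DIR = '/srv/app/public'
SAMPLE_REQUESTS = [
  '/css/site.css',               # ordinary asset, stays inside public_dir
  '/../config/secrets.yml',      # literal traversal out of public_dir
  '/%2e%2e/config/secrets.yml',  # the same traversal, percent-encoded
  '/../public2/x.css'            # sibling directory sharing the name prefix
]

if $PROGRAM_NAME == __FILE__
  SAMPLE_REQUESTS.each do |req|
    puts "#{req.ljust(30)} unchecked -> #{resolve_static_unchecked(PUBLIC_DIR, req)}"
    puts "#{' ' * 30} checked   -> #{classify(PUBLIC_DIR, req)}"
  end
end
```

The unchecked variant resolves the second and third requests to /srv/app/config/secrets.yml, while the checked variant returns nil for them and for the prefix-sharing sibling directory.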