Hello Sathish,

The CVEs you mentioned (CVE-2024-25126, CVE-2024-26141,
CVE-2024-26146) were filed against the rack rubygem and not PCS
itself. Therefore, the PCS upstream project is not directly impacted
by these CVEs and doesn't require a change.

However, PCS relies on and uses the rack rubygem at runtime. So, if
you're using PCS from the upstream source, it's important to ensure
you have up-to-date rubygems installed to avoid using vulnerable
versions of rack.

The advisory you linked (RHSA-2024:3431) addresses these CVEs in the
PCS package for RHEL 8.6. This is because the PCS package shipped with
RHEL includes some bundled rubygems, including rack. Upgrading the
rack rubygem and rebuilding the PCS package were necessary to resolve
the CVEs in that specific scenario.

Regards,
Ondrej

On Tue, 11 Jun 2024 at 15:18, S Sathish S <s.s.sath...@ericsson.com> wrote:
>
> Hi Tomas/Team,
>
> In our application we are using the pcs-0.10.16 version, and that module has
> vulnerabilities (CVE-2024-25126, CVE-2024-26141, CVE-2024-26146) reported and
> fixed in the RHSA errata below. Can you check and provide the fix in the
> latest upstream PCS 0.10.x version as well?
>
> https://access.redhat.com/errata/RHSA-2024:3431
>
> Thanks and Regards,
> S Sathish S

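A practical check for the runtime dependency Ondrej describes, added here as an example and not code from the thread or from the PCS project: it asks RubyGems which rack versions are installed for the interpreter PCS runs under and compares each against the first fixed release of its own series rather than against a single number, because 3.0.8 sorts above 2.2.8.1 yet is still affected. The fixed versions 2.2.8.1 and 3.0.9.1 are assumed from the Rack advisories for these CVEs, not stated in the thread; confirm them against the advisory before relying on the result.

```ruby
require "rubygems"

# First release in each rack series that carries the fix for
# CVE-2024-25126 / CVE-2024-26141 / CVE-2024-26146.
# ASSUMPTION: the numbers come from the Rack advisories, not from the
# mailing-list thread; check them against the advisory before use.
FIXED_RACK = {
  "2.2" => Gem::Version.new("2.2.8.1"),
  "3.0" => Gem::Version.new("3.0.9.1"),
}.freeze

# Classify one rack version string as :ok, :vulnerable or :unknown_series.
# The series (major.minor) is looked up first because a naive "newer than
# 2.2.8.1" test would wrongly pass 3.0.8. Series not in the table (for example
# 1.x, which never received the fix, or releases newer than the advisory)
# are reported as :unknown_series so a human decides rather than the script.
def rack_status(version_string, fixed = FIXED_RACK)
  version = Gem::Version.new(version_string)
  series = version.segments[0, 2].join(".")
  floor = fixed[series]
  return :unknown_series if floor.nil?

  version >= floor ? :ok : :vulnerable
end

# Every rack gem RubyGems can see for this interpreter. Run it with the same
# ruby binary that launches pcsd, otherwise you may inspect the wrong gem path.
def installed_rack_versions
  Gem::Specification.find_all_by_name("rack").map { |spec| spec.version.to_s }
end

# Pairs each version with its classification; takes a list so it can be
# exercised on constructed input as well as on the live gem set.
def report(versions = installed_rack_versions)
  versions.map { |v| [v, rack_status(v)] }
end

if __FILE__ == $0
  rows = report
  puts "no rack gem visible to #{RUBY_VERSION} at #{Gem.dir}" if rows.empty?
  rows.each { |version, status| puts "rack #{version}: #{status}" }
end
```

On a RHEL host where PCS ships bundled gems, point the script at that gem path (for example via `GEM_PATH`) rather than the system one; the bundled copy is the one pcsd loads, which is exactly why the errata rebuilt the package instead of relying on a system rack update.
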
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
