Hello Sathish,

The CVEs you mentioned (CVE-2024-25126, CVE-2024-26141, CVE-2024-26146) were filed against the rack rubygem and not PCS itself. Therefore, the PCS upstream project is not directly impacted by these CVEs and doesn't require a change.

However, PCS does rely on and uses the rack rubygem at runtime. So, if you're using PCS from the upstream source, it's important to ensure you have up-to-date rubygems installed to avoid using vulnerable versions of rack.

The advisory you linked (RHSA-2024:3431) addresses these CVEs in the PCS package for RHEL 8.6. This is because the PCS package shipped with RHEL includes some bundled rubygems, including rack. Upgrading the rack rubygem and rebuilding the PCS package were necessary to resolve the CVEs in that specific scenario.

Regards,
Ondrej

On Tue, 11 Jun 2024 at 15:18, S Sathish S <s.s.sath...@ericsson.com> wrote:
>
> Hi Tomas/Team,
>
> In our application we are using the pcs-0.10.16 version and that module has
> vulnerabilities (CVE-2024-25126, CVE-2024-26141, CVE-2024-26146) reported and
> fixed in the RHSA errata below. Can you check and provide a fix on the PCS 0.10.x
> latest version on upstream also?
>
> https://access.redhat.com/errata/RHSA-2024:3431
>
> Thanks and Regards,
> S Sathish S

_______________________________________________
Manage your subscription: https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/