
RLSA-2025:19719

Security Mirrored from RHSA-2025:19719
Issued at: 2025-11-05
Updated at: 2025-11-05

Synopsis

Important: pcs security update



Description

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

* rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters (CVE-2025-59830)

* rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) (CVE-2025-61770)

* rack: Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion) (CVE-2025-61771)

* rack: Rack memory exhaustion denial of service (CVE-2025-61772)

* rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion (CVE-2025-61919)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Affected products

* Rocky Linux 8 aarch64
* Rocky Linux 8 x86_64

Fixes

* 2398167
* 2402174
* 2402175
* 2402200
* 2403180

CVEs

* CVE-2025-59830
* CVE-2025-61770
* CVE-2025-61771
* CVE-2025-61772
* CVE-2025-61919

Affected packages

Rocky Linux 8 aarch64 - ResilientStorage

* pcs-0:0.10.18-2.el8_10.7.aarch64.rpm
* pcs-0:0.10.18-2.el8_10.7.src.rpm
* pcs-snmp-0:0.10.18-2.el8_10.7.aarch64.rpm

Rocky Linux 8 aarch64 - HighAvailability

* pcs-0:0.10.18-2.el8_10.7.aarch64.rpm
* pcs-0:0.10.18-2.el8_10.7.src.rpm
* pcs-snmp-0:0.10.18-2.el8_10.7.aarch64.rpm

Rocky Linux 8 x86_64 - HighAvailability

* pcs-0:0.10.18-2.el8_10.7.src.rpm
* pcs-0:0.10.18-2.el8_10.7.x86_64.rpm
* pcs-snmp-0:0.10.18-2.el8_10.7.x86_64.rpm

Rocky Linux 8 x86_64 - ResilientStorage

* pcs-0:0.10.18-2.el8_10.7.src.rpm
* pcs-0:0.10.18-2.el8_10.7.x86_64.rpm
* pcs-snmp-0:0.10.18-2.el8_10.7.x86_64.rpm