INFSA-2024:6670: Pcs security update

Information about definition

Identifier: INFSA-2024:6670

Type: security

Release date: 2024-09-20 19:16:44 UTC

Information about package

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Vulnerabilities description

  • CVE-2024-41123

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has several DoS vulnerabilities when it parses XML that contains many specific characters, such as whitespace characters, `>]` and `]>`. REXML 3.3.3 or later includes the patches that fix these vulnerabilities.

  • CVE-2024-41946

    A flaw was found in the REXML package. Reading an XML file that contains many entity expansions may lead to a denial of service due to resource starvation. An attacker can use this flaw to trick a user into processing an untrusted XML file.

  • CVE-2024-43398

    A vulnerability was found in the REXML RubyGem. The package is vulnerable to denial of service (DoS) when parsing a deep XML structure whose elements carry attributes with the same local name. This vulnerability affects only the tree parser API, such as REXML::Document.new; other parser APIs, such as the stream parser API and the SAX2 parser API, are not affected.
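
As an added defensive example (not part of this advisory or of REXML's own code), the Ruby snippet below tightens REXML's entity expansion limits against the expansion-based DoS described under CVE-2024-41946 and uses the SAX2 API, which the advisory lists as unaffected by CVE-2024-43398, to bound nesting depth before handing input to the tree parser. The limit values, MAX_DEPTH, the helper names max_depth and parse_untrusted, and the sample documents are assumptions constructed for the demonstration.

```ruby
require "rexml/document"
require "rexml/parsers/sax2parser"

# Example hardening values, assumed for this demonstration; REXML's
# defaults are 10_000 expansions and 10_240 bytes of expanded text.
REXML::Security.entity_expansion_limit = 10
REXML::Security.entity_expansion_text_limit = 2048
MAX_DEPTH = 50 # assumed nesting budget for untrusted input

# Measure element nesting depth with the SAX2 API, which the advisory
# says is not affected by the deep-structure DoS (CVE-2024-43398).
def max_depth(xml)
  depth = 0
  deepest = 0
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(:start_element) do |_uri, _local, _qname, _attrs|
    depth += 1
    deepest = depth if depth > deepest
  end
  parser.listen(:end_element) { |_uri, _local, _qname| depth -= 1 }
  parser.parse
  deepest
end

# Tree-parse untrusted XML only after the depth check, and force entity
# expansion inside the rescue so a limit violation cannot surface later.
# Returns [:ok, document] or [:rejected, reason].
def parse_untrusted(xml)
  return [:rejected, :too_deep] if max_depth(xml) > MAX_DEPTH
  doc = REXML::Document.new(xml)
  REXML::XPath.each(doc, "//text()") { |t| t.value }
  [:ok, doc]
rescue RuntimeError => e # REXML::ParseException is a RuntimeError too
  [:rejected, e.message]
end

# Constructed sample inputs for the demonstration.
BENIGN = '<config><item name="x">1</item></config>'
DEEP = ("<a>" * 60) + "x" + ("</a>" * 60)
EXPANSION = <<~XML
  <!DOCTYPE x [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  ]>
  <x>&d;</x>
XML
[BENIGN, DEEP, EXPANSION].each { |xml| p parse_untrusted(xml)[0] }
```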

Severity level

CVE             Score CVSS 2.0   Score CVSS 3.x   Score CVSS 4.0
CVE-2024-41123  no information   5.3              no information
CVE-2024-41946  no information   3.3              no information
CVE-2024-43398  no information   5.9              no information
Critical, important, moderate, low

Updated packages