pcs-0.11.4-7.el9.ML.1

Errata ID: AXSA:2023-6066:10

Release date: 
Friday, June 16, 2023 - 07:22
Subject: 
pcs-0.11.4-7.el9.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

* pcs: webpack: Regression of CVE-2023-28154 fixes in MIRACLE LINUX (CVE-2023-2319)
* rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)
* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints
* Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources
* [WebUI] fence levels prevent loading of cluster status

CVE-2023-2319
It was discovered that an update for the PCS package in the RHBA-2023:2151 erratum, released as part of Red Hat Enterprise Linux 9.2, failed to include the fix for the Webpack issue CVE-2023-28154 (for the PCS package), which was previously addressed in Red Hat Enterprise Linux 9.1 via erratum RHSA-2023:1591. CVE-2023-2319 was assigned to that Red Hat specific security regression in Red Hat Enterprise Linux 9.2.
CVE-2023-27530
A DoS vulnerability exists in Rack <v3.0.4.2, <2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.
CVE-2023-27539
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pcs-0.11.4-7.el9.ML.1.src.rpm
    MD5: c2eecfb18cd880a9dbc8e05e5efac2e0
    SHA-256: 250fa319d6ff3f3ac3fe1c6bf47d5f1a4a518b67486fb71b3452e80680709146
    Size: 51.81 MB

Asianux Server 9 for x86_64
  1. pcs-0.11.4-7.el9.ML.1.x86_64.rpm
    MD5: aab3c77fa68cb0f1df059a631bd7f8e2
    SHA-256: 101dd9157bfc8bbf9cdc9169a1699be331e43e071e65694aae06ca2a5037cb17
    Size: 7.88 MB
  2. pcs-snmp-0.11.4-7.el9.ML.1.x86_64.rpm
    MD5: f3b4e65299aa914bca0f93bda398336e
    SHA-256: 240c5fd2fb0df8677693ba74f326e45102e17ab113408b4ceb6dc5104102d128
    Size: 62.45 kB