pcs-0.10.18-2.el8_10.5.ML.1
Errata ID: AXSA:2025-10529:04
The pcs packages provide a command-line configuration system for the Pacemaker
and Corosync utilities.
Security Fix(es):
rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
tornado: Tornado Multipart Form-Data Denial of Service (CVE-2025-47287)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE(s):
CVE-2025-46727
A flaw was found in Rack::QueryParser. This vulnerability allows denial of
service via oversized HTTP requests containing many parameters, resulting in
memory exhaustion that consumes all available memory, or in CPU pinning that
keeps the worker constantly busy.
CVE-2025-47287
A flaw was found in Tornado. This vulnerability can lead to a denial of
service by generating an extremely high volume of log entries.
Update packages.
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
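The paragraph above suggests a middleware that enforces a maximum query string size or parameter count as a mitigation when upgrading Rack is not immediately possible. The following is an added example written for this errata, not code from pcs, Rack or the Tornado project: a minimal Rack-compatible middleware that counts `&`-separated pairs in the raw query string and in an `application/x-www-form-urlencoded` body and rejects the request with 413 before `Rack::QueryParser` allocates anything. It is pure Ruby (no `require 'rack'`) so it runs stand-alone; the limits (`MAX_PARAMS`, `MAX_QUERY_BYTES`, `MAX_BODY_BYTES`), the inner app and the sample requests are assumptions constructed for illustration.

```ruby
require 'stringio'

# Added example (not from pcs/Rack/Tornado): reject requests carrying more than
# MAX_PARAMS key=value pairs, or an oversized query string / form body, before
# the downstream Rack app (and Rack::QueryParser) ever touches them.
class ParamCountLimiter
  MAX_PARAMS      = 1_000   # assumed ceiling on parameters per request
  MAX_QUERY_BYTES = 8_192   # assumed ceiling on query string length
  MAX_BODY_BYTES  = 65_536  # assumed ceiling on form body length
  FORM_TYPE       = 'application/x-www-form-urlencoded'

  def initialize(app, max_params: MAX_PARAMS, max_query_bytes: MAX_QUERY_BYTES,
                 max_body_bytes: MAX_BODY_BYTES)
    @app, @max_params = app, max_params
    @max_query_bytes, @max_body_bytes = max_query_bytes, max_body_bytes
  end

  def call(env)
    query = env['QUERY_STRING'].to_s
    return reject('query string too long') if query.bytesize > @max_query_bytes

    # Count separators on the raw bytes: O(n), no Hash, no per-pair allocation,
    # so the check itself cannot be turned into the exhaustion it prevents.
    count = pair_count(query)
    return reject('too many query parameters') if count > @max_params

    if form_body?(env)
      input = env['rack.input']
      body = input.read(@max_body_bytes + 1).to_s   # bounded read
      input.rewind if input.respond_to?(:rewind)    # leave it readable downstream
      return reject('form body too large') if body.bytesize > @max_body_bytes
      count += pair_count(body)
      return reject('too many form parameters') if count > @max_params
    end

    @app.call(env)
  end

  private

  def form_body?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?(FORM_TYPE) && !env['rack.input'].nil?
  end

  # Number of `&`-separated segments; empty segments still cost the parser a
  # loop iteration, so they are counted too.
  def pair_count(str)
    return 0 if str.empty?
    str.count('&') + 1
  end

  def reject(reason)
    body = "413 Payload Too Large: #{reason}\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample requests (not captured traffic) to exercise the limiter.
def build_env(query: '', body: nil, content_type: nil)
  env = {
    'REQUEST_METHOD' => body ? 'POST' : 'GET',
    'QUERY_STRING'   => query,
    'rack.input'     => StringIO.new(body.to_s)
  }
  env['CONTENT_TYPE']   = content_type if content_type
  env['CONTENT_LENGTH'] = body.bytesize.to_s if body
  env
end

INNER_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
LIMITER   = ParamCountLimiter.new(INNER_APP, max_params: 100, max_query_bytes: 4096)

# Returns the HTTP status the limiter produces for a given env.
def status_for(env)
  LIMITER.call(env).first
end

if __FILE__ == $0
  puts status_for(build_env(query: 'a=1&b=2'))                          # 200
  puts status_for(build_env(query: (['a=1'] * 101).join('&')))          # 413: 101 > 100 params
  flood = (1..100_000).map { |i| "p#{i}=x" }.join('&')
  puts status_for(build_env(query: flood))                              # 413: rejected on length first
  puts status_for(build_env(body: (['x=1'] * 150).join('&'),
                            content_type: FORM_TYPE = ParamCountLimiter::FORM_TYPE)) # 413: form pairs
  puts status_for(build_env(body: '{"k":"v"}', content_type: 'application/json')) # 200: not a form body
end
```

In a real deployment the same limits are better enforced one layer earlier as well (Nginx `client_max_body_size` and `large_client_header_buffers`), since a reverse proxy drops an oversized request before it reaches a Ruby worker at all; the middleware is the fallback for traffic that bypasses the proxy.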
Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
N/A
SRPMS
- pcs-0.10.18-2.el8_10.5.ML.1.src.rpm
MD5: e6c577a70abb26c648f4bb2557bf58cc
SHA-256: 5e926ec94a73597f9d90902f7a128d550e94ec23e9ffb9a741c9b5a81e3025fe
Size: 5.17 MB
Asianux Server 8 for x86_64
- pcs-0.10.18-2.el8_10.5.ML.1.x86_64.rpm
MD5: 1abe509e45d3063e9192198c3091da36
SHA-256: d3c6454e6ce3ddda49e2fe95edaccc649f9fec70752482db8c3479bf65753386
Size: 4.11 MB
- pcs-snmp-0.10.18-2.el8_10.5.ML.1.x86_64.rpm
MD5: 5ef5cc050a5fb467b79d2ad5a05def7a
SHA-256: ae8b666c8eeb1ce582431d8e7f9776eaf6334a27fd1f31987176f07562678a0d
Size: 81.48 kB