pcs-0.11.9-2.el9.ML.1
Errata ID: AXSA:2025-10296:03
Release date:
2025/07/01 Tuesday - 02:21
Title:
pcs-0.11.9-2.el9.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issue has been addressed.
[Security Fix]
- The Rack::CommonLogger() method in Ruby's rubygem-rack package writes data containing CR/LF newline characters and whitespace to the log unescaped. A remote attacker can therefore corrupt or forge log data through the Rack::Auth::Basic module by attempting to log in with a crafted username that contains newline or whitespace characters. (CVE-2025-25184)
Solution:
Update the package. After updating, confirm that rpm -q pcs reports 0.11.9-2.el9.ML.1 or later.
CVE:
CVE-2025-25184
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, on success the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows user creation with a username containing CRLF and white space characters, or the server just wants to log every login attempt. If an attacker enters a username with CRLF characters, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
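The injection path described above, shown as an added example that is not Rack's code and not part of this advisory: a stand-in for the Common Log Format line that Rack::CommonLogger writes, a Basic-auth decoder that hands the username over the way Rack::Auth::Basic populates env['REMOTE_USER'], and a sanitizer that escapes control characters before the line is formatted. The log format string, the helper names, the addresses and the forged username are constructed for illustration, and the sanitizer is one possible hardening rather than the fix shipped in Rack 2.2.11, 3.0.12 and 3.1.10.

```ruby
# Added example: CRLF log injection through a Basic-auth username, and one
# way to neutralise it. Not Rack's implementation; everything below is a
# simplified stand-in built for this advisory.
require 'base64'

# Decode an HTTP Basic "Authorization" header into [user, password], which is
# what Rack::Auth::Basic passes to the application's credential check; on
# success the user part ends up in env['REMOTE_USER'].
def parse_basic_auth(header)
  return nil unless header && header.start_with?('Basic ')
  decoded = Base64.decode64(header.sub('Basic ', ''))
  user, pass = decoded.split(':', 2)
  [user, pass]
end

# Simplified Common Log Format (constant timestamp, no query string).
# Assumption: this mirrors the field order of the real logger closely enough
# for the demonstration; it is not copied from Rack.
LOG_FORMAT = %(%s - %s [%s] "%s %s %s" %d %s\n)

def format_log_line(remote_addr, remote_user, method, path, proto, status, length,
                    timestamp: '01/Jul/2025:02:21:00 +0000')
  format(LOG_FORMAT, remote_addr, remote_user || '-', timestamp,
         method, path, proto, status, length || '-')
end

# Hardening: replace every ASCII control character (CR, LF, TAB, ESC, NUL,
# DEL, ...) with a visible \xNN escape so attacker-controlled fields can never
# terminate or fake a record.
def sanitize_log_field(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02X', c.ord) }
end

# Vulnerable behaviour: fields are interpolated as-is.
def vulnerable_log_entry(env, status, length)
  format_log_line(env['REMOTE_ADDR'], env['REMOTE_USER'], env['REQUEST_METHOD'],
                  env['PATH_INFO'], env['SERVER_PROTOCOL'], status, length)
end

# Hardened behaviour: every env-derived field is escaped first.
def hardened_log_entry(env, status, length)
  format_log_line(sanitize_log_field(env['REMOTE_ADDR']),
                  sanitize_log_field(env['REMOTE_USER']),
                  sanitize_log_field(env['REQUEST_METHOD']),
                  sanitize_log_field(env['PATH_INFO']),
                  sanitize_log_field(env['SERVER_PROTOCOL']), status, length)
end

# Constructed attacker input: the "username" is a real name followed by CRLF
# and a complete fake record, so the second line looks like an admin request
# from a different address that never happened.
FORGED_USER = "bob\r\n10.0.0.9 - admin [01/Jul/2025:02:21:00 +0000] " \
              "\"DELETE /users/1 HTTP/1.1\" 200 12"
ATTACK_HEADER = 'Basic ' + Base64.strict_encode64("#{FORGED_USER}:secret")

# Build the subset of the Rack env that the logger reads (constructed values).
def build_env(auth_header)
  user, _pass = parse_basic_auth(auth_header)
  {
    'REMOTE_ADDR' => '203.0.113.5',
    'REMOTE_USER' => user,
    'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => '/',
    'SERVER_PROTOCOL' => 'HTTP/1.1'
  }
end

# Number of physical records a log consumer would see in the emitted text.
def record_count(log_text)
  log_text.lines.count
end

if __FILE__ == $PROGRAM_NAME
  env = build_env(ATTACK_HEADER)
  puts '--- vulnerable (two records, the second one forged) ---'
  print vulnerable_log_entry(env, 200, 5)
  puts '--- hardened (one record, CRLF visible as \\x0D\\x0A) ---'
  print hardened_log_entry(env, 200, 5)
end
```

The same escaping should be applied to any other request-derived field that reaches a log line (path, query string, User-Agent), since the username is only the path this CVE happens to exercise; a log pipeline that splits on newlines cannot tell the forged record from a genuine one once the raw CR/LF is on disk.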
Additional information:
N/A
Downloads:
SRPMS
- pcs-0.11.9-2.el9.ML.1.src.rpm
MD5: 36a5947132e5ceadfc955657696fe5ac
SHA-256: 62c269546a229c4cf9e7749929c9b52572bb6f9adaac973a9f5906e359625c8c
Size: 26.34 MB
Asianux Server 9 for x86_64
- pcs-0.11.9-2.el9.ML.1.x86_64.rpm
MD5: a6830ea49a02866c4495ba6dd10cb291
SHA-256: f6095d06939c8d5d82f4ad7485564c96898cea1247b6f02a37e7af03821cf9a3
Size: 4.45 MB
- pcs-snmp-0.11.9-2.el9.ML.1.x86_64.rpm
MD5: 2d944c75bdc70d39927471bf85da10a7
SHA-256: d4a9ae0379e872f8ba96c5824c34e408fb7cc432c27e45824e71e65dfc89d69a
Size: 70.84 kB