pcs-0.10.18-2.el8_10.5.ML.1
エラータID: AXSA:2025-10529:04
リリース日:
2025/07/22 Tuesday - 11:59
題名:
pcs-0.10.18-2.el8_10.5.ML.1
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Rack の Rack::QueryParser() メソッドには、'&' で区切られたキー
と値からなるパラメーター数を制限していない問題があるため、リモート
の攻撃者により、細工された HTTP リクエストの送信を介して、サービス
拒否攻撃 (CPU リソースおよびメモリの枯渇) を可能とする脆弱性が存在
します。(CVE-2025-46727)
- python-tornado には、リソースの制限を実施していない問題がある
ため、リモートの攻撃者により、サービス拒否攻撃 (リソース枯渇) を
可能とする脆弱性が存在します。(CVE-2025-47287)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-46727
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
CVE-2025-47287
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
追加情報:
N/A
ダウンロード:
SRPMS
- pcs-0.10.18-2.el8_10.5.ML.1.src.rpm
MD5: e6c577a70abb26c648f4bb2557bf58cc
SHA-256: 5e926ec94a73597f9d90902f7a128d550e94ec23e9ffb9a741c9b5a81e3025fe
Size: 5.17 MB
Asianux Server 8 for x86_64
- pcs-0.10.18-2.el8_10.5.ML.1.x86_64.rpm
MD5: 1abe509e45d3063e9192198c3091da36
SHA-256: d3c6454e6ce3ddda49e2fe95edaccc649f9fec70752482db8c3479bf65753386
Size: 4.11 MB - pcs-snmp-0.10.18-2.el8_10.5.ML.1.x86_64.rpm
MD5: 5ef5cc050a5fb467b79d2ad5a05def7a
SHA-256: ae8b666c8eeb1ce582431d8e7f9776eaf6334a27fd1f31987176f07562678a0d
Size: 81.48 kB
English