CVE-2022-30123

Support for security such as Firewalls and securing linux
mp0026778
Posts: 5
Joined: 2023/05/02 17:08:06

CVE-2022-30123

Post by mp0026778 » 2023/06/19 08:17:23

Hi Team,

I am unable to find the fix for CVE-2022-30123 for pcs in CentOS 7.9. Any help would be helpful.

TrevorH
Site Admin
Posts: 33223
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-30123

Post by TrevorH » 2023/06/19 09:45:54

https://access.redhat.com/security/cve/CVE-2022-30123 says it was fixed in November 2022.

The rpm changelog does not explicitly mention the CVE number but I presume the comment about upgrading rubygem-rack is the one.

```
* Thu Oct 06 2022 Ivan Devat <idevat@redhat.com> - 0.9.169-3.el7_3.2
- Update rubygem rack
- Upgrade jquery in web-ui
- Resolves: rhbz#2099578 rhbz#2093232
```

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mp0026778
Posts: 5
Joined: 2023/05/02 17:08:06

Re: CVE-2022-30123

Post by mp0026778 » 2023/06/19 15:00:53

As mentioned, the fix came in November 2022, but the last update shows Oct 2022. So not sure if the fix was applied for pcs.

TrevorH
Site Admin
Posts: 33223
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-30123

Post by TrevorH » 2023/06/19 15:55:49

Fix dates often pre-date the announcement of the vulnerability and the fix. That's because some vulnerabilities are embargoed to allow everyone to line up all their ducks ready to release as soon as the problem is made public. If you read the bugzilla entry that is linked off the CVE page it shows the problem was reported 2022-06-21.

I've also checked the changelog on RHEL 7 using `yum changelog pcs --enablerepo=rhel-ha-for-rhel-7-server-rpms` and it is exactly the same as the current CentOS 7 version.
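
Added example, not part of the thread: since the changelog quoted above names Bugzilla numbers rather than the CVE, this sketch searches an rpm changelog for either form and prints the matching entry headers. The function names and the second sample entry are constructed; the Bugzilla numbers to pass in are an assumption the reader confirms against the CVE page.

```shell
#!/bin/sh
# Constructed sample: the pcs entry quoted in the thread, plus one made-up
# older entry so the filter has something to reject.
sample_changelog() {
cat <<'EOF'
* Thu Oct 06 2022 Ivan Devat <idevat@redhat.com> - 0.9.169-3.el7_3.2
- Update rubygem rack
- Upgrade jquery in web-ui
- Resolves: rhbz#2099578 rhbz#2093232

* Mon Jan 03 2022 Example Packager <packager@example.com> - 0.0.0-0.example
- Constructed entry with no security references
- Resolves: rhbz#0000000
EOF
}

# find_fix_entries CVE_ID [BUG_ID ...]   (hypothetical helper)
# Reads an rpm changelog on stdin and prints the header line of every entry
# that mentions CVE_ID or one of the Bugzilla numbers written as rhbz#N.
# Exit status: 0 if at least one entry matched, 1 otherwise.
find_fix_entries() {
    cve=$1; shift
    awk -v cve="$cve" -v bugs="$*" '
        BEGIN { n = split(bugs, want, " ") }
        /^\* / { header = $0; printed = 0; next }   # start of a new entry
        header == "" || printed { next }
        {
            hit = (index($0, cve) > 0)
            # Require a non-digit after the number so 209957 cannot match 2099578.
            for (i = 1; i <= n && !hit; i++)
                if ($0 ~ ("rhbz#" want[i] "([^0-9]|$)")) hit = 1
            if (hit) { print header; printed = 1; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Demo on the constructed sample; on a real host feed it the package changelog:
#   rpm -q --changelog pcs | find_fix_entries CVE-2022-30123 <bug ids from the CVE page>
sample_changelog | find_fix_entries CVE-2022-30123 2099578 2093232
```

A non-zero exit status means neither the CVE ID nor any of the supplied bug numbers appears in the installed package's changelog.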
