  1. RHEL
  2. RHEL-3664

CVE affecting pmix in RHEL and CentOS Stream


    • Bug
    • Resolution: Duplicate
    • rhel-8.8.0, rhel-9.2.0
    • pmix
    • rhel-net-drivers
    • ssg_networking
    • CentOS Stream
    • All

      What were you trying to do that didn't work?

      There's a CVE (from 9/9) against pmix and all versions in RHEL/CentOS Stream seem to be affected.

      https://nvd.nist.gov/vuln/detail/CVE-2023-41915

      OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.

      Base score: 8.1 (high)

      Please provide the package NVR for which bug is seen:

      c8s has pmix-2.2.5-1.el8

      c9s has pmix-3.2.3-3.el9

      Fedora (rawhide) has 4.1.2-5.fc39 - https://src.fedoraproject.org/rpms/pmix

       

      How reproducible:

      Always

      Steps to reproduce

      N/A

      Expected results

      Fix backported

      Actual results

              kheib Kamal Heib
              michel.lind Michel Lind (Inactive)
              Kamal Heib Kamal Heib
              Brian Chae Brian Chae (Inactive)
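The triage this ticket asks for can be sketched as a version check against the ranges quoted from the CVE text above. This is an added example, not part of the original ticket or of any Red Hat tooling; the function names are hypothetical, and the `pmix-4.2.6-1.example` entry is constructed for contrast (the Fedora build is written here with a `pmix-` prefix that the ticket omits).

```python
import re

# Affected ranges as quoted on this page from the CVE-2023-41915 description:
# "before 4.2.6 and 5.0.x before 5.0.1".
FIXED_BEFORE_5 = (4, 2, 6)
FIXED_5_0 = (5, 0, 1)

def split_nvr(nvr):
    """Split name-version-release from the right, since names may contain '-'."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not an NVR: {nvr!r}")
    return tuple(parts)

def version_tuple(version):
    """'3.2.3' -> (3, 2, 3), padded to three fields; reject non-numeric input."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unexpected version: {version!r}")
    v = tuple(int(p) for p in version.split("."))
    return v + (0,) * (3 - len(v))

def upstream_affected(version):
    """True if the upstream version falls inside the ranges quoted above."""
    v = version_tuple(version)
    if v[:2] == (5, 0):
        return v < FIXED_5_0
    return v < FIXED_BEFORE_5

def triage(nvrs):
    """Map each NVR to a triage status string."""
    result = {}
    for nvr in nvrs:
        _, version, _ = split_nvr(nvr)
        if upstream_affected(version):
            # A distro build can carry a backported patch without a version
            # bump, so this marks a candidate, not a verdict.
            result[nvr] = "candidate: upstream version affected, check for backport"
        else:
            result[nvr] = "upstream version contains the fix"
    return result

# NVRs listed on this page, plus one constructed entry (pmix-4.2.6-1.example).
SAMPLE = ["pmix-2.2.5-1.el8", "pmix-3.2.3-3.el9", "pmix-4.1.2-5.fc39",
          "pmix-4.2.6-1.example"]

if __name__ == "__main__":
    for nvr, status in triage(SAMPLE).items():
        print(f"{nvr}: {status}")
```

A "candidate" result still has to be confirmed against the package changelog or advisory, because the requested outcome in this ticket is a backported fix that would not change the upstream version number.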