import Oracle_OSS pcs-0.10.18-2.0.1.el8_10.9

.gitignore

@@ -19,4 +19,4 @@ SOURCES/rexml-3.4.1.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
-SOURCES/tornado-v6.1.0.pcs.3.tar.gz
+SOURCES/tornado-v6.1.0.pcs.4.tar.gz

.pcs.metadata

@@ -1,4 +1,4 @@
-679a4ce22a33ffd4d704261a17c00cff98d9499a SOURCES/HAM-logo.png
+b15d48d01ccd5a2a481e3a0c66928eed4bd98b8f SOURCES/HAM-logo.png
 0ef72a288913e220695ad62718aeb75171924028 SOURCES/backports-3.24.1.gem
 07b26abbf7ff0dcba5c7f9e814ff7eebafefb058 SOURCES/dacite-1.8.1.tar.gz
 8b7598273d2ae6dad2b88466aefac55071a41926 SOURCES/dataclasses-0.8.tar.gz
@@ -19,4 +19,4 @@ ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
-1f4e55c234da0b22aac09cca5a971c4ec2cb500a SOURCES/tornado-v6.1.0.pcs.3.tar.gz
+bf4020626453c8db65d1817bed7b1884ea530e92 SOURCES/tornado-v6.1.0.pcs.4.tar.gz

SOURCES/RHEL-155293-01-disable-multipart-requests-in-Tornado.patch

@@ -0,0 +1,54 @@
+From 7fc3db518798cbbd4d11028d52837d460640fb06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= <mpospisi@redhat.com>
+Date: Wed, 25 Mar 2026 22:01:21 +0100
+Subject: [PATCH] disable multipart requests in Tornado
+
+Pcsd doesn't use multipart requests and recently, there have been
+vulnerabilities targeting both Rack and Tornado. Since we use Tornado as
+a proxy for our Ruby daemon, this also helps mitigate future Rack multipart
+vulnerabilities.
+
+Multipart vulnerabilities:
+https://www.cve.org/CVERecord?id=CVE-2026-31958
+https://www.cve.org/CVERecord?id=CVE-2025-61771
+https://www.cve.org/CVERecord?id=CVE-2025-61770
+---
+ pcs/daemon/run.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/pcs/daemon/run.py b/pcs/daemon/run.py
+index 0a6b1b211..19586b18a 100644
+--- a/pcs/daemon/run.py
++++ b/pcs/daemon/run.py
+@@ -3,6 +3,11 @@ import signal
+ import socket
+ from pathlib import Path
+ 
++from tornado.httputil import (
++    ParseBodyConfig,
++    ParseMultipartConfig,
++    set_parse_body_config,
++)
+ from tornado.ioloop import IOLoop
+ from tornado.locks import Lock
+ from tornado.web import Application
+@@ -71,6 +76,16 @@ def configure_app(
+             reload its SSL certificates). A relevant handler should get this
+             object via the method `initialize`.
+         """
++
++        # Disable multipart requests to enhance security due to recent CVEs
++        # https://www.cve.org/CVERecord?id=CVE-2026-31958
++        # https://www.cve.org/CVERecord?id=CVE-2025-61771
++        # https://www.cve.org/CVERecord?id=CVE-2025-61770
++        # https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.set_parse_body_config
++        set_parse_body_config(
++            ParseBodyConfig(multipart=ParseMultipartConfig(enabled=False))
++        )
++
+         routes = sinatra_remote.get_routes(
+             ruby_pcsd_wrapper,
+             sync_config_lock,
+-- 
+2.53.0
+

SPECS/pcs.spec

@@ -1,6 +1,6 @@
-Name: pcs
-Version: 0.10.18
-Release: 2%{?dist}.8
+Name:                 pcs
+Version:              0.10.18
+Release:              2.0.1%{?dist}.9
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -13,12 +13,12 @@ Release: 2%{?dist}.8
 # BSD-2-Clause or Ruby: open4, ruby2_keywords
 # BSD-3-Clause: puma
 # BSD-3-Clause and MIT: ffi
-License: GPL-2.0-only AND Apache-2.0 AND MIT AND BSD-3-Clause AND (Apache-2.0 OR BSD-3-Clause) AND (BSD-2-Clause OR Ruby) AND (BSD-2-Clause OR GPL-2.0-or-later) AND (GPL-2.0-only or Ruby)
-URL: https://github.com/ClusterLabs/pcs
-Group: System Environment/Base
-Summary: Pacemaker/Corosync Configuration System
+License:              GPL-2.0-only AND Apache-2.0 AND MIT AND BSD-3-Clause AND (Apache-2.0 OR BSD-3-Clause) AND (BSD-2-Clause OR Ruby) AND (BSD-2-Clause OR GPL-2.0-or-later) AND (GPL-2.0-only or Ruby)
+URL:                  https://github.com/ClusterLabs/pcs
+Group:                System Environment/Base
+Summary:              Pacemaker/Corosync Configuration System
 #building only for architectures with pacemaker and corosync available
-ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
+ExclusiveArch:        i686 x86_64 s390x ppc64le aarch64
 
 # When specifying a commit, use its long hash
 %global version_or_commit %{version}
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.3
+%global tornado_version    6.1.0.pcs.4
 
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -83,154 +83,155 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %endif
 
 # part after the last slash is recognized as filename in look-aside cache
-Source0: %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.gz
-Source1: HAM-logo.png
+Source0:              %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.gz
+Source1:              HAM-logo.png
 
-Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
-Source42: tornado-v%{tornado_version}.tar.gz
-Source43: https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
-Source44: https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
-Source45: https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
+Source41:             https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
+Source42:             tornado-v%{tornado_version}.tar.gz
+Source43:             https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
+Source44:             https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
+Source45:             https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
 
-Source81: https://rubygems.org/downloads/backports-%{version_rubygem_backports}.gem
-Source82: https://rubygems.org/downloads/ethon-%{version_rubygem_ethon}.gem
-Source83: https://rubygems.org/downloads/ffi-%{version_rubygem_ffi}.gem
-Source84: https://rubygems.org/downloads/json-%{version_rubygem_json}.gem
-Source85: https://rubygems.org/downloads/rexml-%{version_rubygem_rexml}.gem
-Source86: https://rubygems.org/downloads/mustermann-%{version_rubygem_mustermann}.gem
+Source81:             https://rubygems.org/downloads/backports-%{version_rubygem_backports}.gem
+Source82:             https://rubygems.org/downloads/ethon-%{version_rubygem_ethon}.gem
+Source83:             https://rubygems.org/downloads/ffi-%{version_rubygem_ffi}.gem
+Source84:             https://rubygems.org/downloads/json-%{version_rubygem_json}.gem
+Source85:             https://rubygems.org/downloads/rexml-%{version_rubygem_rexml}.gem
+Source86:             https://rubygems.org/downloads/mustermann-%{version_rubygem_mustermann}.gem
 # We needed to re-upload open4 rubygem because of issues with sources in gating.
 # Unfortunately, there was no newer version available, therefore we had to
 # change its 'version' ourselves.
-Source87: https://rubygems.org/downloads/open4-%{version_rubygem_open4}.gem#/open4-%{version_rubygem_open4}-1.gem
-Source88: https://rubygems.org/downloads/rack-%{version_rubygem_rack}.gem
-Source89: https://rubygems.org/downloads/rack-protection-%{version_rubygem_rack_protection}.gem
-Source90: https://rubygems.org/downloads/rack-test-%{version_rubygem_rack_test}.gem
-Source91: https://rubygems.org/downloads/sinatra-%{version_rubygem_sinatra}.gem
-Source92: https://rubygems.org/downloads/tilt-%{version_rubygem_tilt}.gem
-Source93: https://rubygems.org/downloads/nio4r-%{version_rubygem_nio4r}.gem
-Source94: https://rubygems.org/downloads/puma-%{version_rubygem_puma}.gem
-Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_keywords}.gem
+Source87:             https://rubygems.org/downloads/open4-%{version_rubygem_open4}.gem#/open4-%{version_rubygem_open4}-1.gem
+Source88:             https://rubygems.org/downloads/rack-%{version_rubygem_rack}.gem
+Source89:             https://rubygems.org/downloads/rack-protection-%{version_rubygem_rack_protection}.gem
+Source90:             https://rubygems.org/downloads/rack-test-%{version_rubygem_rack_test}.gem
+Source91:             https://rubygems.org/downloads/sinatra-%{version_rubygem_sinatra}.gem
+Source92:             https://rubygems.org/downloads/tilt-%{version_rubygem_tilt}.gem
+Source93:             https://rubygems.org/downloads/nio4r-%{version_rubygem_nio4r}.gem
+Source94:             https://rubygems.org/downloads/puma-%{version_rubygem_puma}.gem
+Source95:             https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_keywords}.gem
 
 # pcs patches: <= 200
 # Patch1: bzNUMBER-01-name.patch
-Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
-Patch2: RHEL-17280-01-disable-new-webui-routes.patch
-Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
-Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
+Patch1:               do-not-support-cluster-setup-with-udp-u-transport.patch
+Patch2:               RHEL-17280-01-disable-new-webui-routes.patch
+Patch3:               RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
+Patch4:               RHEL-90147-support-for-query-limits-in-rack.patch
+Patch5:               RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
 
 # git for patches
-BuildRequires: git-core
+BuildRequires:        git-core
 # printf from coreutils is used in makefile, head is used in spec
-BuildRequires: coreutils
+BuildRequires:        coreutils
 # python for pcs
-BuildRequires: platform-python
-BuildRequires: python3-devel
-BuildRequires: platform-python-setuptools
-BuildRequires: python3-pycurl
-BuildRequires: python3-pip
-BuildRequires: python3-pyparsing
-BuildRequires: python3-cryptography
-BuildRequires: python3-lxml
+BuildRequires:        platform-python
+BuildRequires:        python3-devel
+BuildRequires:        platform-python-setuptools
+BuildRequires:        python3-pycurl
+BuildRequires:        python3-pip
+BuildRequires:        python3-pyparsing
+BuildRequires:        python3-cryptography
+BuildRequires:        python3-lxml
 # for building bundled python packages
-BuildRequires: python3-wheel
+BuildRequires:        python3-wheel
 # for bundled python dateutil
-BuildRequires: python3-setuptools_scm
+BuildRequires:        python3-setuptools_scm
 # gcc for compiling custom rubygems
-BuildRequires: gcc
-BuildRequires: gcc-c++
+BuildRequires:        gcc
+BuildRequires:        gcc-c++
 # ruby and gems for pcsd
-BuildRequires: ruby >= 2.2.0
-BuildRequires: ruby-devel
-BuildRequires: rubygems
-BuildRequires: rubygem-bundler
+BuildRequires:        ruby >= 2.2.0
+BuildRequires:        ruby-devel
+BuildRequires:        rubygems
+BuildRequires:        rubygem-bundler
 # ruby libraries for tests
-BuildRequires: rubygem-test-unit
+BuildRequires:        rubygem-test-unit
 # for touching patch files (sanitization function)
-BuildRequires: diffstat
+BuildRequires:        diffstat
 # for post, preun and postun macros
-BuildRequires: systemd
+BuildRequires:        systemd
 # pam is used for authentication inside daemon (python ctypes)
 # needed for tier0 tests during build
-BuildRequires: pam
+BuildRequires:        pam
 
 # pcsd fonts and font management tools for creating symlinks to fonts
-BuildRequires: fontconfig
-BuildRequires: liberation-sans-fonts
-BuildRequires: make
-BuildRequires: overpass-fonts
+BuildRequires:        fontconfig
+BuildRequires:        liberation-sans-fonts
+BuildRequires:        make
+BuildRequires:        overpass-fonts
 # Red Hat logo for creating symlink of favicon
-BuildRequires: redhat-logos
+BuildRequires:        redhat-logos
 
 # cluster stack packages for pkg-config
-BuildRequires: booth
-BuildRequires: corosync-qdevice-devel
-BuildRequires: corosynclib-devel >= 3.0
-BuildRequires: fence-agents-common
-BuildRequires: pacemaker-libs-devel >= 2.0.0
-BuildRequires: resource-agents
-BuildRequires: sbd
+BuildRequires:        booth
+BuildRequires:        corosync-qdevice-devel
+BuildRequires:        corosynclib-devel >= 3.0
+BuildRequires:        fence-agents-common
+BuildRequires:        pacemaker-libs-devel >= 2.0.0
+BuildRequires:        resource-agents
+BuildRequires:        sbd
 
 # python and libraries for pcs, setuptools for pcs entrypoint
-Requires: platform-python
-Requires: python3-lxml
-Requires: platform-python-setuptools
-Requires: python3-clufter => 0.70.0
-Requires: python3-pycurl
-Requires: python3-pyparsing
-Requires: python3-cryptography
+Requires:             platform-python
+Requires:             python3-lxml
+Requires:             platform-python-setuptools
+Requires:             python3-clufter => 0.70.0
+Requires:             python3-pycurl
+Requires:             python3-pyparsing
+Requires:             python3-cryptography
 # ruby and gems for pcsd
-Requires: ruby >= 2.2.0
-Requires: rubygems
+Requires:             ruby >= 2.2.0
+Requires:             rubygems
 # for killall
-Requires: psmisc
+Requires:             psmisc
 # cluster stack and related packages
-Requires: pcmk-cluster-manager >= 2.0.0
-Suggests: pacemaker
-Requires: (corosync >= 2.99 if pacemaker)
+Requires:             pcmk-cluster-manager >= 2.0.0
+Suggests:             pacemaker
+Requires:             (corosync >= 2.99 if pacemaker)
 # pcs enables corosync encryption by default so we require libknet1-plugins-all
-Requires: (libknet1-plugins-all if corosync)
-Requires: pacemaker-cli >= 2.0.0
+Requires:             (libknet1-plugins-all if corosync)
+Requires:             pacemaker-cli >= 2.0.0
 # for post, preun and postun macros
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 # pam is used for authentication inside daemon (python ctypes)
 # more details: https://bugzilla.redhat.com/show_bug.cgi?id=1717113
-Requires: pam
+Requires:             pam
 # pcsd fonts
-Requires: liberation-sans-fonts
-Requires: overpass-fonts
+Requires:             liberation-sans-fonts
+Requires:             overpass-fonts
 # favicon Red Hat logo
-Requires: redhat-logos
+Requires:             redhat-logos
 # needs logrotate for /etc/logrotate.d/pcsd
-Requires: logrotate
+Requires:             logrotate
 
-Provides: bundled(python3-tornado) = %{tornado_version}
-Provides: bundled(python3-dataclasses) = %{dataclasses_version}
-Provides: bundled(python3-dacite) = %{dacite_version}
-Provides: bundled(python3-dateutil) = %{dateutil_version}
+Provides:             bundled(python3-tornado) = %{tornado_version}
+Provides:             bundled(python3-dataclasses) = %{dataclasses_version}
+Provides:             bundled(python3-dacite) = %{dacite_version}
+Provides:             bundled(python3-dateutil) = %{dateutil_version}
 
-Provides: bundled(rubygem-backports) = %{version_rubygem_backports}
-Provides: bundled(rubygem-ethon) = %{version_rubygem_ethon}
-Provides: bundled(rubygem-ffi) = %{version_rubygem_ffi}
-Provides: bundled(rubygem-json) = %{version_rubygem_json}
-Provides: bundled(rubygem-mustermann) = %{version_rubygem_mustermann}
-Provides: bundled(rubygem-nio4r) = %{version_rubygem_nio4r}
-Provides: bundled(rubygem-open4) = %{version_rubygem_open4}
-Provides: bundled(rubygem-puma) = %{version_rubygem_puma}
-Provides: bundled(rubygem-rack) = %{version_rubygem_rack}
-Provides: bundled(rubygem-rack-protection) = %{version_rubygem_rack_protection}
-Provides: bundled(rubygem-rack-test) = %{version_rubygem_rack_test}
-Provides: bundled(rubygem-rexml) = %{version_rubygem_rexml}
-Provides: bundled(rubygem-ruby2_keywords) = %{version_rubygem_ruby2_keywords}
-Provides: bundled(rubygem-sinatra) = %{version_rubygem_sinatra}
-Provides: bundled(rubygem-tilt) = %{version_rubygem_tilt}
+Provides:             bundled(rubygem-backports) = %{version_rubygem_backports}
+Provides:             bundled(rubygem-ethon) = %{version_rubygem_ethon}
+Provides:             bundled(rubygem-ffi) = %{version_rubygem_ffi}
+Provides:             bundled(rubygem-json) = %{version_rubygem_json}
+Provides:             bundled(rubygem-mustermann) = %{version_rubygem_mustermann}
+Provides:             bundled(rubygem-nio4r) = %{version_rubygem_nio4r}
+Provides:             bundled(rubygem-open4) = %{version_rubygem_open4}
+Provides:             bundled(rubygem-puma) = %{version_rubygem_puma}
+Provides:             bundled(rubygem-rack) = %{version_rubygem_rack}
+Provides:             bundled(rubygem-rack-protection) = %{version_rubygem_rack_protection}
+Provides:             bundled(rubygem-rack-test) = %{version_rubygem_rack_test}
+Provides:             bundled(rubygem-rexml) = %{version_rubygem_rexml}
+Provides:             bundled(rubygem-ruby2_keywords) = %{version_rubygem_ruby2_keywords}
+Provides:             bundled(rubygem-sinatra) = %{version_rubygem_sinatra}
+Provides:             bundled(rubygem-tilt) = %{version_rubygem_tilt}
 
 # javascript bundled libraries for old web-ui
-Provides: bundled(js-ember) = %{ember_version}
-Provides: bundled(js-handlebars) = %{handlebars_version}
-Provides: bundled(js-jquery) = %{jquery_version}
-Provides: bundled(js-jquery-ui) = %{jquery_ui_version}
+Provides:             bundled(js-ember) = %{ember_version}
+Provides:             bundled(js-handlebars) = %{handlebars_version}
+Provides:             bundled(js-jquery) = %{jquery_version}
+Provides:             bundled(js-jquery-ui) = %{jquery_ui_version}
 
 %description
 pcs is a corosync and pacemaker configuration tool.  It permits users to
@@ -238,22 +239,22 @@ easily view, modify and create pacemaker based clusters.
 
 # pcs-snmp package definition
 %package -n %{pcs_snmp_pkg_name}
-Group: System Environment/Base
-Summary: Pacemaker cluster SNMP agent
+Group:                System Environment/Base
+Summary:              Pacemaker cluster SNMP agent
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
 # BSD-2-Clause: pyagentx
-License: GPL-2.0-only AND BSD-2-Clause
-URL: https://github.com/ClusterLabs/pcs
+License:              GPL-2.0-only AND BSD-2-Clause
+URL:                  https://github.com/ClusterLabs/pcs
 
 # tar for unpacking pyagentx source tarball
-BuildRequires: tar
+BuildRequires:        tar
 
-Requires: pcs = %{version}-%{release}
-Requires: pacemaker
-Requires: net-snmp
+Requires:             pcs = %{version}-%{release}
+Requires:             pacemaker
+Requires:             net-snmp
 
-Provides: bundled(python3-pyagentx) = %{pyagentx_version}
+Provides:             bundled(python3-pyagentx) = %{pyagentx_version}
 
 %description -n %{pcs_snmp_pkg_name}
 SNMP agent that provides information about pacemaker cluster to the master agent (snmpd)
@@ -309,6 +310,7 @@ update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
 update_times_patch %{PATCH4}
+update_times_patch %{PATCH5}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -565,6 +567,16 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
+* Tue Apr 14 2026 EL Errata <el-errata_ww@oracle.com> - 0.10.18-2.0.1.el8_10.9
+- Replaced HAM-logo
+
+* Tue Apr 14 2026 OpenELA Technical Steering Committee <tsc@openela.org> - 0.10.18
+- Debrand PCS
+
+* Thu Mar 26 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.9
+- Fixed CVE-2026-31958 by patching bundled Tornado
+  Resolves: RHEL-155293
+
 * Mon Jan 19 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.8
 - Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado
   Resolves: RHEL-136415, RHEL-136420