Debrand logo

.gitignore

@@ -12,11 +12,11 @@ SOURCES/pcs-0.10.18.tar.gz
 SOURCES/puma-6.4.0.gem
 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 SOURCES/python-dateutil-2.8.2.tar.gz
-SOURCES/rack-2.2.8.1.gem
+SOURCES/rack-2.2.16.gem
 SOURCES/rack-protection-2.2.4.gem
 SOURCES/rack-test-2.1.0.gem
 SOURCES/rexml-3.3.6.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
-SOURCES/tornado-6.1.0.pcs.1.tar.gz
+SOURCES/tornado-6.1.0.pcs.2.tar.gz

.pcs.metadata

@@ -12,11 +12,11 @@ b3cd873042b17021355b68f1f7aa313f0c1f3fee SOURCES/pcs-0.10.18.tar.gz
 d6049c4555f3c9d198e6eb1d7e53ce9b68e175ff SOURCES/puma-6.4.0.gem
 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
-fcdee79d1b0bb7e3666bad96321fc124bc8215e9 SOURCES/rack-2.2.8.1.gem
+807c69f4ebada58686cee22884623063745007c2 SOURCES/rack-2.2.16.gem
 5347315a7283f0b04443e924ed4eaa17807432c8 SOURCES/rack-protection-2.2.4.gem
 ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
 89f8446e89976f3677767d426a4edc6ccba574be SOURCES/rexml-3.3.6.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
-c65f61a0f55a342f142f2a6be2d5fcc7f4cab0c9 SOURCES/tornado-6.1.0.pcs.1.tar.gz
+3e0fc1e17c45a8e25bdd6ade8dbbc522f64f2ae1 SOURCES/tornado-6.1.0.pcs.2.tar.gz

SOURCES/RHEL-90147-support-for-query-limits-in-rack.patch

@@ -0,0 +1,45 @@
+From 0ad47ec40b7a9a2cb6bdbdf11e1e5b3c59f49b8b Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik <mlisik@redhat.com>
+Date: Tue, 20 May 2025 16:34:18 +0200
+Subject: [PATCH] support for query limits in rack
+
+---
+ pcsd/conf/pcsd | 6 ++++++
+ pcsd/pcsd.rb   | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
+index 98df4744..65a9c9a9 100644
+--- a/pcsd/conf/pcsd
++++ b/pcsd/conf/pcsd
+@@ -45,5 +45,11 @@ PCSD_SESSION_LIFETIME=3600
+ # is 50 (even if set lower).
+ PCSD_RESTART_AFTER_REQUESTS=200
+ 
++# These environment variables set the maximum query string bytesize and the
++# maximum number of query parameters that pcsd will attempt to parse.
++# See CVE-2025-46727 for details.
++#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
++#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
++
+ # Do not change
+ RACK_ENV=production
+diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
+index 11698f54..a2634e4e 100644
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -90,6 +90,11 @@ configure do
+   CAPABILITIES_PCSD = capabilities_pcsd.freeze
+ end
+ 
++error Rack::QueryParser::QueryLimitError do
++  $logger.warn(env['sinatra.error'].message)
++  return 400, env['sinatra.error'].message
++end
++
+ def run_cfgsync
+   node_connected = true
+   if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
+-- 
+2.49.0
+

SPECS/pcs.spec

@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.4.alma.1
+Release: 2%{?dist}.5.alma.1
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -39,7 +39,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_nio4r 2.5.9
 %global version_rubygem_open4  1.3.4
 %global version_rubygem_puma 6.4.0
-%global version_rubygem_rack  2.2.8.1
+%global version_rubygem_rack  2.2.16
 %global version_rubygem_rack_protection  2.2.4
 %global version_rubygem_rack_test  2.1.0
 %global version_rubygem_rexml  3.3.6
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.1
+%global tornado_version    6.1.0.pcs.2
 
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -116,6 +116,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
 Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
+Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
 
 # git for patches
 BuildRequires: git-core
@@ -306,6 +307,7 @@ update_times_patch(){
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
+update_times_patch %{PATCH4}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -562,10 +564,16 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
-* Mon Mar 17 2025 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.4.alma.1
+* Wed May 28 2025 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.5.alma.1
 - Debrand logo
 
-* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.3
+* Thu May 22 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.5
+- Fixed CVE-2024-52804 by patching bundled Tornado
+  Resolves: RHEL-93167
+- Fixed CVE-2025-46727 by updating bundled rubygem rack
+  Resolves: RHEL-90147
+
+* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.4
 - Fixed CVE-2024-52804 by patching bundled Tornado
   Resolves: RHEL-81924