diff --git a/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch b/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
deleted file mode 100644
index 700ab80..0000000
--- a/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001 -From: David Lord -Date: Thu, 2 May 2024 09:14:00 -0700 -Subject: [PATCH] disallow invalid characters in keys to xmlattr filter - ---- - CHANGES.rst | 6 ++++++ - src/jinja2/filters.py | 22 +++++++++++++++++----- - tests/test_filters.py | 11 ++++++----- - 3 files changed, 29 insertions(+), 10 deletions(-) - -diff --git a/kubevirt/jinja2/filters.py b/kubevirt/jinja2/filters.py -index 4cf3c11fb..acd11976e 100644 ---- a/kubevirt/jinja2/filters.py -+++ b/kubevirt/jinja2/filters.py -@@ -250,7 +250,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K - yield from value.items() - - --_space_re = re.compile(r"\s", flags=re.ASCII) -+# Check for characters that would move the parser state from key to value. -+# https://html.spec.whatwg.org/#attribute-name-state -+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) - - - @pass_eval_context -@@ -259,8 +261,14 @@ def do_xmlattr( - ) -> str: - """Create an SGML/XML attribute string based on the items in a dict. - -- If any key contains a space, this fails with a ``ValueError``. Values that -- are neither ``none`` nor ``undefined`` are automatically escaped. -+ **Values** that are neither ``none`` nor ``undefined`` are automatically -+ escaped, safely allowing untrusted user input. -+ -+ User input should not be used as **keys** to this filter. If any key -+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals -+ sign, this fails with a ``ValueError``. Regardless of this, user input -+ should never be used as keys to this filter, or must be separately validated -+ first. - - .. sourcecode:: html+jinja - -@@ -280,6 +288,10 @@ def do_xmlattr( - As you can see it automatically prepends a space in front of the item - if the filter returned something unless the second parameter is false. - -+ .. 
versionchanged:: 3.1.4
-+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
-+ are not allowed.
-+
- .. versionchanged:: 3.1.3
- Keys with spaces are not allowed.
- """
-@@ -289,8 +301,8 @@ def do_xmlattr(
- if value is None or isinstance(value, Undefined):
- continue
-
-- if _space_re.search(key) is not None:
-- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
-+ if _attr_key_re.search(key) is not None:
-+ raise ValueError(f"Invalid character in attribute name: {key!r}")
-
- items.append(f'{escape(key)}="{escape(value)}"')
-
diff --git a/fence-agents.spec b/fence-agents.spec
index f9e3a21..083911a 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -37,8 +37,8 @@
 %global urllib3_version 1.26.18
 %global websocketclient websocket-client
 %global websocketclient_version 1.2.1
-%global jinja2 Jinja2
-%global jinja2_version 3.1.3
+%global jinja2 jinja2
+%global jinja2_version 3.1.5
 %global markupsafe MarkupSafe
 %global markupsafe_version 2.0.1
 %global stringutils string-utils
@@ -57,7 +57,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 82%{?alphatag:.%{alphatag}}%{?dist}
+Release: 83%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -250,7 +250,6 @@ Patch61: RHEL-62206-fence_ibm_powervs-add-private-endpoint-and-token-file-suppor
 ### HA support libs/utils ###
 # all archs
 Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
 # cloud (x86_64 only)
 Patch2000: bz2217902-2-aws-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch2001: RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
@@ -484,7 +483,6 @@ rm -rf kubevirt/rsa*
 # regular patch doesnt work in build-section
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1000}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000}
@@ -1526,6 +1524,10 @@ are located on corosync cluster nodes.
 %endif
 %changelog
+* Wed Jan 8 2025 Oyvind Albrigtsen - 4.10.0-83
+- bundled jinja2: fix CVE-2024-56201 and CVE-2024-56326
+ Resolves: RHEL-72074, RHEL-72067
+
 * Tue Nov 26 2024 Oyvind Albrigtsen - 4.10.0-82
 - Move fence-agents to AppStream
 Resolves: RHEL-68841
diff --git a/sources b/sources
index 67bcb8e..8ce7793 100644
--- a/sources
+++ b/sources
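Review bot: The `%changelog` entry in the `@@ -1526` hunk lists CVE-2024-56201 and CVE-2024-56326 but does not record that Patch1001, the backport for CVE-2024-34064 removed in the `Patch1001:` hunk and in the `%{PATCH1001}` line of the `@@ -484` hunk, is dropped because the bundled jinja2 now moves to 3.1.5; the deleted patch's own docstring marks that fix `versionchanged:: 3.1.4`, so it is carried upstream. Without that line anyone auditing CVE coverage of the bundled copy sees the CVE-2024-34064 fix vanish from the spec with no stated reason; add a changelog line such as `- drop RHEL-35649 patch: CVE-2024-34064 fix is included upstream since jinja2 3.1.4`. The `%global jinja2` rename from `Jinja2` to `jinja2` matches the new `sources` entry for `jinja2-3.1.5.tar.gz`, so the tarball reference presumably still resolves, but any `Provides: bundled(...)` line for jinja2 elsewhere in the spec should be confirmed to use `%{jinja2_version}` rather than a literal version; that part of the spec is outside these hunks.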
@@ -81,7 +81,7 @@ SHA512 (PyYAML-5.1.tar.gz) = 8f27f92bdfa310a99dd6d83947332cc033fa18f0011998bb585
 SHA512 (rsa-4.7.2.tar.gz) = 63f561774dbaa10511167cba31e0f852e32b3250f2803edaa2729dc2b28baa2c42cb79dfbd49e38eb42ce82f665ed4c3d9dcc810c37380401e2c62202b1c7948
 SHA512 (six-1.16.0.tar.gz) = 076fe31c8f03b0b52ff44346759c7dc8317da0972403b84dfe5898179f55acdba6c78827e0f8a53ff20afe8b76432c6fe0d655a75c24259d9acbaa4d9e8015c0
 SHA512 (websocket-client-1.2.1.tar.gz) = fdbeb7ac2add27478a17b388ac62e9378094a368f29749d8b63c274ee41836506369dddd083956f42f1f2d74948392b3ddd59b801c98f9e028c126bdb54c636b
-SHA512 (Jinja2-3.1.3.tar.gz) = 5c36d0cd094b40626511f30c561176c095c49ef4066c2752a9edc3e6feb2430dafa866c17deebddcd0168aa1f0fd3944916d592c5c999639b8152e7c1009c700
+SHA512 (jinja2-3.1.5.tar.gz) = 75ad0094482c69d45fcd3aa8ee32e249931e53fee3f804f6ddfd5b6da0ed16962d8f1fced811e7dcb4d8401fadd828e77528d6d1280547a7d4f5f77cccf9bbd4
 SHA512 (MarkupSafe-2.0.1.tar.gz) = 77249bda784111ece15d59eb3de1cbb37a58fb9f22902fe6b73fea9eb0f23857ccbe53dc55463278e3b91f78dc35e2b027fd823ca50d88d8985d5a98ce2327f1
 SHA512 (python-string-utils-1.0.0.tar.gz) = 23ee48053848edd74915a985ee9edec48bbba468e228745f7d27b6a855c67f6b7ddf1cf71049458bf0b1c6c4d4f905ebacfac960597cbadbbe2daa1fe9472280
 SHA512 (requests-2.26.0.tar.gz) = c3397d77f0d2f1afb05661c4b98adad6c1ddaf360906254150b33ab0d9479fd306905bd6d61b8cf8becd9a40bdcf9b03542e8267c644ef19f03f44bfca0bc461