From 6fbe4aa99cacb7d5889c2eaf86e87445cddc565d Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Wed, 27 Sep 2023 14:50:24 +0200
Subject: [PATCH] - fence_scsi: fix registration handling if ISID conflicts  
 Resolves: RHEL-5396 - bundled certifi: fix CVE-2023-37920   Resolves:
 RHEL-9446

---
 ...6-fence_scsi-1-fix-ISID-reg-handling.patch |  68 +++++
 ...nce_scsi-2-fix-ISID-reg-handling-off.patch | 103 +++++++
 fence-agents.spec                             | 251 +++++++++---------
 sources                                       |   3 +-
 4 files changed, 302 insertions(+), 123 deletions(-)
 create mode 100644 RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
 create mode 100644 RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch

diff --git a/RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch b/RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
new file mode 100644
index 0000000..9641fd7
--- /dev/null
+++ b/RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
@@ -0,0 +1,68 @@
+From 9d0d0d013c7edae43a4ebc5f46bf2e7a4f127654 Mon Sep 17 00:00:00 2001
+From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
+Date: Fri, 17 Feb 2023 18:04:03 -0800
+Subject: [PATCH] fence_scsi: fix registration handling if ISID conflicts ISID
+ (Initiator Session ID) belonging to I_T Nexus changes for RHEL based on the
+ session ID. This means that the connection to the device can be set up with
+ different ISID on reconnects.
+
+fence_scsi treats same key as a tip to ignore issuing registration
+to the device but if the device was registered using a different
+ISID, the key would be the same but the I_T Nexus (new ISID) would
+not have access to the device.
+
+Fixing this by preempting the old key and replacing with the current
+one.
+---
+ agents/scsi/fence_scsi.py | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index f9e6823b2..85e4f29e6 100644
+--- a/agents/scsi/fence_scsi.py
++++ b/agents/scsi/fence_scsi.py
+@@ -137,12 +137,41 @@ def register_dev(options, dev):
+ 		for slave in get_mpath_slaves(dev):
+ 			register_dev(options, slave)
+ 		return True
+-	if get_reservation_key(options, dev, False) == options["--key"]:
+-		return True
++
++	# Check if any registration exists for the key already. We track this in
++	# order to decide whether the existing registration needs to be cleared.
++	# This is needed since the previous registration could be for a
++	# different I_T nexus (different ISID).
++	registration_key_exists = False
++	if options["--key"] in get_registration_keys(options, dev):
++		registration_key_exists = True
++	if not register_helper(options, options["--key"], dev):
++		return False
++
++	if registration_key_exists:
++		# If key matches, make sure it matches with the connection that
++		# exists right now. To do this, we can issue a preempt with same key
++		# which should replace the old invalid entries from the target.
++		if not preempt(options, options["--key"], dev):
++			return False
++
++		# If there was no reservation, we need to issue another registration
++		# since the previous preempt would clear registration made above.
++		if get_reservation_key(options, dev, False) != options["--key"]:
++			return register_helper(options, options["--key"], dev)
++	return True
++
++# cancel registration without aborting tasks
++def preempt(options, host, dev):
++	reset_dev(options,dev)
++	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
++	return not bool(run_cmd(options, cmd)["rc"])
++
++# helper function to send the register command
++def register_helper(options, host, dev):
+ 	reset_dev(options, dev)
+ 	cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
+ 	cmd += " -Z" if "--aptpl" in options else ""
+-	#cmd return code != 0 but registration can be successful
+ 	return not bool(run_cmd(options, cmd)["rc"])
+ 
+ 
diff --git a/RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch b/RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
new file mode 100644
index 0000000..cfafaa7
--- /dev/null
+++ b/RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
@@ -0,0 +1,103 @@
+From 34baef58db442148b8e067509d2cdd37b7a91ef4 Mon Sep 17 00:00:00 2001
+From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
+Date: Thu, 7 Sep 2023 15:57:51 -0700
+Subject: [PATCH] fence_scsi: fix registration handling in device 'off'
+ workflows
+
+ISID (Initiator Session ID) belonging to I_T Nexus changes for
+RHEL based on the session ID. This means that the connection to
+the device can be set up with different ISID on reconnects.
+
+When a device is powered off, fence_scsi assumes that the client
+has a registration to the device and sends a preempt-and-abort
+request which ends up failing due to reservation conflict.
+
+Fixing this by registering the host key with the device and preempting
+the old registration (if it exists). This should make sure that the
+host is able to preempt the other key successfully.
+---
+ agents/scsi/fence_scsi.py | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index 42530ceb5..519319bf5 100644
+--- a/agents/scsi/fence_scsi.py
++++ b/agents/scsi/fence_scsi.py
+@@ -41,7 +41,7 @@ def set_status(conn, options):
+ 		for dev in options["devices"]:
+ 			is_block_device(dev)
+ 
+-			register_dev(options, dev)
++			register_dev(options, dev, options["--key"])
+ 			if options["--key"] not in get_registration_keys(options, dev):
+ 				count += 1
+ 				logging.debug("Failed to register key "\
+@@ -62,7 +62,7 @@ def set_status(conn, options):
+ 			fail_usage("Failed: keys cannot be same. You can not fence yourself.")
+ 		for dev in options["devices"]:
+ 			is_block_device(dev)
+-
++			register_dev(options, dev, host_key)
+ 			if options["--key"] in get_registration_keys(options, dev):
+ 				preempt_abort(options, host_key, dev)
+ 
+@@ -131,11 +131,11 @@ def reset_dev(options, dev):
+ 	return run_cmd(options, options["--sg_turs-path"] + " " + dev)["rc"]
+ 
+ 
+-def register_dev(options, dev):
++def register_dev(options, dev, key):
+ 	dev = os.path.realpath(dev)
+ 	if re.search(r"^dm", dev[5:]):
+ 		for slave in get_mpath_slaves(dev):
+-			register_dev(options, slave)
++			register_dev(options, slave, key)
+ 		return True
+ 
+ 	# Check if any registration exists for the key already. We track this in
+@@ -143,34 +143,35 @@ def register_dev(options, dev):
+ 	# This is needed since the previous registration could be for a
+ 	# different I_T nexus (different ISID).
+ 	registration_key_exists = False
+-	if options["--key"] in get_registration_keys(options, dev):
++	if key in get_registration_keys(options, dev):
++		logging.debug("Registration key exists for device " + dev)
+ 		registration_key_exists = True
+-	if not register_helper(options, options["--key"], dev):
++	if not register_helper(options, dev, key):
+ 		return False
+ 
+ 	if registration_key_exists:
+ 		# If key matches, make sure it matches with the connection that
+ 		# exists right now. To do this, we can issue a preempt with same key
+ 		# which should replace the old invalid entries from the target.
+-		if not preempt(options, options["--key"], dev):
++		if not preempt(options, key, dev, key):
+ 			return False
+ 
+ 		# If there was no reservation, we need to issue another registration
+ 		# since the previous preempt would clear registration made above.
+-		if get_reservation_key(options, dev, False) != options["--key"]:
+-			return register_helper(options, options["--key"], dev)
++		if get_reservation_key(options, dev, False) != key:
++			return register_helper(options, dev, key)
+ 	return True
+ 
+-# cancel registration without aborting tasks
+-def preempt(options, host, dev):
++# helper function to preempt host with 'key' using 'host_key' without aborting tasks
++def preempt(options, host_key, dev, key):
+ 	reset_dev(options,dev)
+-	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
++	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host_key + " -S " + key + " -d " + dev
+ 	return not bool(run_cmd(options, cmd)["rc"])
+ 
+ # helper function to send the register command
+-def register_helper(options, host, dev):
++def register_helper(options, dev, key):
+ 	reset_dev(options, dev)
+-	cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
++	cmd = options["--sg_persist-path"] + " -n -o -I -S " + key + " -d " + dev
+ 	cmd += " -Z" if "--aptpl" in options else ""
+ 	return not bool(run_cmd(options, cmd)["rc"])
+ 
diff --git a/fence-agents.spec b/fence-agents.spec
index 20fe6e2..aa2ab3e 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -17,8 +17,8 @@
 %global ruamelyamlclib_version	0.2.6
 %global kubernetes		kubernetes
 %global kubernetes_version	12.0.1
-%global certifi			certifi
-%global certifi_version		2021.10.8
+%global certifi 		certifi
+%global certifi_version 	2023.7.22
 %global googleauth		google-auth
 %global googleauth_version	2.3.0
 %global cachetools		cachetools
@@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 55%{?alphatag:.%{alphatag}}%{?dist}
+Release: 56%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -109,85 +109,84 @@ Source1025: azure_mgmt_compute-21.0.0-py2.py3-none-any.whl
 Source1026: azure_mgmt_core-1.2.2-py2.py3-none-any.whl
 Source1027: azure_mgmt_network-19.0.0-py2.py3-none-any.whl
 Source1028: azure-identity-1.10.0.zip
-Source1029: certifi-2021.5.30-py2.py3-none-any.whl
-Source1030: chardet-4.0.0-py2.py3-none-any.whl
-Source1031: idna-2.10-py2.py3-none-any.whl
-Source1032: isodate-0.6.0-py2.py3-none-any.whl
-Source1033: msrest-0.6.21-py2.py3-none-any.whl
-Source1034: msrestazure-0.6.4-py2.py3-none-any.whl
-Source1035: %{oauthlib}-%{oauthlib_version}.tar.gz
-Source1036: PyJWT-2.1.0-py3-none-any.whl
-Source1037: requests-2.25.1-py2.py3-none-any.whl
-Source1038: requests_oauthlib-1.3.0-py2.py3-none-any.whl
-Source1139: msal-1.18.0.tar.gz
-Source1140: msal-extensions-1.0.0.tar.gz
-Source1141: portalocker-2.5.1.tar.gz
+Source1029: chardet-4.0.0-py2.py3-none-any.whl
+Source1030: idna-2.10-py2.py3-none-any.whl
+Source1031: isodate-0.6.0-py2.py3-none-any.whl
+Source1032: msrest-0.6.21-py2.py3-none-any.whl
+Source1033: msrestazure-0.6.4-py2.py3-none-any.whl
+Source1034: %{oauthlib}-%{oauthlib_version}.tar.gz
+Source1035: PyJWT-2.1.0-py3-none-any.whl
+Source1036: requests-2.25.1-py2.py3-none-any.whl
+Source1037: requests_oauthlib-1.3.0-py2.py3-none-any.whl
+Source1038: msal-1.18.0.tar.gz
+Source1039: msal-extensions-1.0.0.tar.gz
+Source1040: portalocker-2.5.1.tar.gz
 # google
-Source1042: cachetools-4.2.2-py3-none-any.whl
-Source1043: chardet-3.0.4-py2.py3-none-any.whl
-Source1044: google_api_core-1.30.0-py2.py3-none-any.whl
-Source1045: google_api_python_client-1.12.8-py2.py3-none-any.whl
-Source1046: googleapis_common_protos-1.53.0-py2.py3-none-any.whl
-Source1047: google_auth-1.32.0-py2.py3-none-any.whl
-Source1048: google_auth_httplib2-0.1.0-py2.py3-none-any.whl
-Source1049: httplib2-0.19.1-py3-none-any.whl
-Source1050: packaging-20.9-py2.py3-none-any.whl
-Source1051: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
-Source1052: pyasn1-0.4.8-py2.py3-none-any.whl
-Source1053: pyasn1_modules-0.2.8-py2.py3-none-any.whl
-Source1054: pyparsing-2.4.7-py2.py3-none-any.whl
-Source1055: pyroute2-0.6.4.tar.gz
-Source1056: pyroute2.core-0.6.4.tar.gz
-Source1057: pyroute2.ethtool-0.6.4.tar.gz
-Source1058: pyroute2.ipdb-0.6.4.tar.gz
-Source1059: pyroute2.ipset-0.6.4.tar.gz
-Source1060: pyroute2.ndb-0.6.4.tar.gz
-Source1061: pyroute2.nftables-0.6.4.tar.gz
-Source1062: pyroute2.nslink-0.6.4.tar.gz
-Source1063: pytz-2021.1-py2.py3-none-any.whl
-Source1064: rsa-4.7.2-py3-none-any.whl
-Source1065: setuptools-57.0.0-py3-none-any.whl
-Source1066: uritemplate-3.0.1-py2.py3-none-any.whl
+Source1041: cachetools-4.2.2-py3-none-any.whl
+Source1042: chardet-3.0.4-py2.py3-none-any.whl
+Source1043: google_api_core-1.30.0-py2.py3-none-any.whl
+Source1044: google_api_python_client-1.12.8-py2.py3-none-any.whl
+Source1045: googleapis_common_protos-1.53.0-py2.py3-none-any.whl
+Source1046: google_auth-1.32.0-py2.py3-none-any.whl
+Source1047: google_auth_httplib2-0.1.0-py2.py3-none-any.whl
+Source1048: httplib2-0.19.1-py3-none-any.whl
+Source1049: packaging-20.9-py2.py3-none-any.whl
+Source1050: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
+Source1051: pyasn1-0.4.8-py2.py3-none-any.whl
+Source1052: pyasn1_modules-0.2.8-py2.py3-none-any.whl
+Source1053: pyparsing-2.4.7-py2.py3-none-any.whl
+Source1054: pyroute2-0.6.4.tar.gz
+Source1055: pyroute2.core-0.6.4.tar.gz
+Source1056: pyroute2.ethtool-0.6.4.tar.gz
+Source1057: pyroute2.ipdb-0.6.4.tar.gz
+Source1058: pyroute2.ipset-0.6.4.tar.gz
+Source1059: pyroute2.ndb-0.6.4.tar.gz
+Source1060: pyroute2.nftables-0.6.4.tar.gz
+Source1061: pyroute2.nslink-0.6.4.tar.gz
+Source1062: pytz-2021.1-py2.py3-none-any.whl
+Source1063: rsa-4.7.2-py3-none-any.whl
+Source1064: setuptools-57.0.0-py3-none-any.whl
+Source1065: uritemplate-3.0.1-py2.py3-none-any.whl
 # common (pexpect / suds)
-Source1067: pexpect-4.8.0-py2.py3-none-any.whl
-Source1068: ptyprocess-0.7.0-py2.py3-none-any.whl
-Source1069: suds_community-0.8.5-py3-none-any.whl
+Source1066: pexpect-4.8.0-py2.py3-none-any.whl
+Source1067: ptyprocess-0.7.0-py2.py3-none-any.whl
+Source1068: suds_community-0.8.5-py3-none-any.whl
 ### END ###
 # kubevirt
 ## pip download --no-binary :all: openshift "ruamel.yaml.clib>=0.1.2"
 ### BEGIN
-Source1070: %{openshift}-%{openshift_version}.tar.gz
-Source1071: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz
-Source1072: %{kubernetes}-%{kubernetes_version}.tar.gz
-Source1073: %{certifi}-%{certifi_version}.tar.gz
-Source1074: %{googleauth}-%{googleauth_version}.tar.gz
-Source1075: %{cachetools}-%{cachetools_version}.tar.gz
-Source1076: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
-Source1077: %{pyasn1}-%{pyasn1_version}.tar.gz
-Source1078: python-%{dateutil}-%{dateutil_version}.tar.gz
-Source1079: %{pyyaml}-%{pyyaml_version}.tar.gz
+Source1069: %{openshift}-%{openshift_version}.tar.gz
+Source1070: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz
+Source1071: %{kubernetes}-%{kubernetes_version}.tar.gz
+Source1072: %{certifi}-%{certifi_version}.tar.gz
+Source1073: %{googleauth}-%{googleauth_version}.tar.gz
+Source1074: %{cachetools}-%{cachetools_version}.tar.gz
+Source1075: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
+Source1076: %{pyasn1}-%{pyasn1_version}.tar.gz
+Source1077: python-%{dateutil}-%{dateutil_version}.tar.gz
+Source1078: %{pyyaml}-%{pyyaml_version}.tar.gz
 ## rsa is dependency for "pip install",
 ## but gets removed to use cryptography lib instead
-Source1080: rsa-4.7.2.tar.gz
-Source1081: %{six}-%{six_version}.tar.gz
-Source1082: %{urllib3}-%{urllib3_version}.tar.gz
-Source1083: %{websocketclient}-%{websocketclient_version}.tar.gz
-Source1084: %{jinja2}-%{jinja2_version}.tar.gz
-Source1085: %{markupsafe}-%{markupsafe_version}.tar.gz
-Source1086: python-%{stringutils}-%{stringutils_version}.tar.gz
-Source1087: %{requests}-%{requests_version}.tar.gz
-Source1088: %{chrstnormalizer}-%{chrstnormalizer_version}.tar.gz
-Source1089: %{idna}-%{idna_version}.tar.gz
-Source1090: %{reqstsoauthlib}-%{reqstsoauthlib_version}.tar.gz
-Source1091: %{ruamelyaml}-%{ruamelyaml_version}.tar.gz
-Source1092: %{setuptools}-%{setuptools_version}.tar.gz
+Source1079: rsa-4.7.2.tar.gz
+Source1080: %{six}-%{six_version}.tar.gz
+Source1081: %{urllib3}-%{urllib3_version}.tar.gz
+Source1082: %{websocketclient}-%{websocketclient_version}.tar.gz
+Source1083: %{jinja2}-%{jinja2_version}.tar.gz
+Source1084: %{markupsafe}-%{markupsafe_version}.tar.gz
+Source1085: python-%{stringutils}-%{stringutils_version}.tar.gz
+Source1086: %{requests}-%{requests_version}.tar.gz
+Source1087: %{chrstnormalizer}-%{chrstnormalizer_version}.tar.gz
+Source1088: %{idna}-%{idna_version}.tar.gz
+Source1089: %{reqstsoauthlib}-%{reqstsoauthlib_version}.tar.gz
+Source1090: %{ruamelyaml}-%{ruamelyaml_version}.tar.gz
+Source1091: %{setuptools}-%{setuptools_version}.tar.gz
 ## required for installation
-Source1093: setuptools_scm-6.3.2.tar.gz
-Source1094: packaging-21.2-py3-none-any.whl
-Source1095: poetry-core-1.0.7.tar.gz
-Source1096: pyparsing-3.0.1.tar.gz
-Source1097: tomli-1.0.1.tar.gz
-Source1098: wheel-0.37.0-py2.py3-none-any.whl
+Source1092: setuptools_scm-6.3.2.tar.gz
+Source1093: packaging-21.2-py3-none-any.whl
+Source1094: poetry-core-1.0.7.tar.gz
+Source1095: pyparsing-3.0.1.tar.gz
+Source1096: tomli-1.0.1.tar.gz
+Source1097: wheel-0.37.0-py2.py3-none-any.whl
 ### END
 
 Patch0: ha-cloud-support-aliyun.patch
@@ -237,6 +236,8 @@ Patch43: bz2187327-fence_scsi-2-support-space-separated-devices.patch
 Patch44: bz2211930-fence_azure-arm-stack-hub-support.patch
 Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch
 Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
+Patch47: RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
+Patch48: RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
 
 ### HA support libs/utils ###
 Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
@@ -351,53 +352,55 @@ BuildRequires: %{systemd_units}
 
 %prep
 %setup -q -n %{name}-%{version}%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1 -F2
-%patch15 -p1 -F1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
+%patch -p1 -P 0
+%patch -p1 -P 1
+%patch -p1 -P 2
+%patch -p1 -P 3
+%patch -p1 -P 4
+%patch -p1 -P 5
+%patch -p1 -P 6
+%patch -p1 -P 7
+%patch -p1 -P 8
+%patch -p1 -P 9
+%patch -p1 -P 10
+%patch -p1 -P 11
+%patch -p1 -P 12
+%patch -p1 -P 13
+%patch -p1 -P 14 -F2
+%patch -p1 -P 15 -F1
+%patch -p1 -P 16
+%patch -p1 -P 17
+%patch -p1 -P 18
+%patch -p1 -P 19
+%patch -p1 -P 20
+%patch -p1 -P 21
+%patch -p1 -P 22
+%patch -p1 -P 23
+%patch -p1 -P 24
+%patch -p1 -P 25
+%patch -p1 -P 26
+%patch -p1 -P 27
+%patch -p1 -P 28
+%patch -p1 -P 29
+%patch -p1 -P 30
+%patch -p1 -P 31
+%patch -p1 -P 32
+%patch -p1 -P 33
+%patch -p1 -P 34
+%patch -p1 -P 35
+%patch -p1 -P 36
+%patch -p1 -P 37
+%patch -p1 -P 38
+%patch -p1 -P 39
+%patch -p1 -P 40
+%patch -p1 -P 41
+%patch -p1 -P 42
+%patch -p1 -P 43
+%patch -p1 -P 44
+%patch -p1 -P 45
+%patch -p1 -P 46
+%patch -p1 -P 47
+%patch -p1 -P 48
 
 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@@ -600,7 +603,7 @@ Provides: bundled(python-azure-core) = 1.15.0
 Provides: bundled(python-azure-mgmt-compute) = 21.0.0
 Provides: bundled(python-azure-mgmt-core) = 1.2.2
 Provides: bundled(python-azure-mgmt-network) = 19.0.0
-Provides: bundled(python-certifi) = 2021.5.30
+Provides: bundled(python-certifi) = %{certifi_version}
 Provides: bundled(python-chardet) = 4.0.0
 Provides: bundled(python-idna) = 2.10
 Provides: bundled(python-isodate) = 0.6.0
@@ -1477,6 +1480,12 @@ are located on corosync cluster nodes.
 %endif
 
 %changelog
+* Wed Sep 27 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-56
+- fence_scsi: fix registration handling if ISID conflicts
+  Resolves: RHEL-5396
+- bundled certifi: fix CVE-2023-37920
+  Resolves: RHEL-9446
+
 * Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-55
 - bundled dateutil: fix tarfile CVE-2007-4559
   Resolves: rhbz#2217902
diff --git a/sources b/sources
index eebeba2..a74872c 100644
--- a/sources
+++ b/sources
@@ -35,7 +35,7 @@ SHA512 (azure_mgmt_compute-21.0.0-py2.py3-none-any.whl) = e02fe9e100d898f4bbc14f
 SHA512 (azure_mgmt_core-1.2.2-py2.py3-none-any.whl) = ea0b4062314de37d048cf6d9e40757372e050291a8861719dda2f1446c2e9a932050d0c0f732a8afb182993b7f700b5d6053217801199a4257b6269f5c7e47e5
 SHA512 (azure_mgmt_network-19.0.0-py2.py3-none-any.whl) = aa18ed97f167a1abf60c8fd7ae81b6777565c13f8ace06c81cdc70bf16c9fc2efad1984b8f159877ba3118312d2b81759df3b8e42b6f874cea5214943e8b054d
 SHA512 (azure-identity-1.10.0.zip) = 66551765ac0a4d43dc95cb755be3bfc31e2e7afa7eebf72c061c6c7d1dd0cf88988d88a39c2c1463fe27caced7ccd72da6520a9e977bfed0ee5f495fe00fab6a
-SHA512 (certifi-2021.5.30-py2.py3-none-any.whl) = 395c349cef4f8247af20a763a1927fe243e52d7fe846874f100b33e46119e48a3b7b681d3f3e879fe18a07ae81ba791ac7d0ed61017990d722f29d17e2573811
+SHA512 (certifi-2023.7.22.tar.gz) = 220ec0a4251f301f057b4875e5966a223085b0c764c911450b43df7f49dbc5af50f14eeb692d935c0baa95d7c800055fa03efa4aaabba397a82c7b07c042bd90
 SHA512 (chardet-4.0.0-py2.py3-none-any.whl) = cc8cdd5e73b4eace0131bbeaf6099e322ba5c2f827f26ad3316c674c60529d77f39f68d9fb83199ab78d16902021ab1ae58d74ab62d770cf95ceb804b9242e90
 SHA512 (idna-2.10-py2.py3-none-any.whl) = 7b7be129e1a99288aa74a15971377cb17bee1618843c03c8f782e287d0f3ecf3b8f26e3ea736444eb358f1d6079131a7eb291446f3279874eb8e00b624d9471c
 SHA512 (isodate-0.6.0-py2.py3-none-any.whl) = 6d39a350ff4af87c74ae3226e6627f9c254205bfd2a761a5bf956883667bbe6d4678e1830b629c899a6f0fe67a9603cb4890c5a1fa6c8d245fe4fdbddddde870
@@ -79,7 +79,6 @@ SHA512 (suds_community-0.8.5-py3-none-any.whl) = 0719c3c2988ff96bd8698df326fb332
 SHA512 (openshift-0.12.1.tar.gz) = 35a0ecfbc12d657f5f79d4c752a7c023a2a5e3fc5e7b377d9f11ce4a7d5f666ca5c6296f31adb44b7680d051af42d3638ced1092fb7e9146d2cc998f2c3a7b80
 SHA512 (ruamel.yaml.clib-0.2.6.tar.gz) = 12307a3c3bae09cf65d9672894c9a869a7ed5483ca3afb9ee39d8bcbf1948b012a0dbf570e315cc8b9a8b55184de9e10324953ec4819d214379e01522ee13b20
 SHA512 (kubernetes-12.0.1.tar.gz) = ff4739dc185dbf46050e53382b9260a0a69c55b43820ccb1df498718c78d1bf42842f4ab1b6d0c3520c5edab45d9c9c9527aea9ccb0b6347f34e18202f9155a2
-SHA512 (certifi-2021.10.8.tar.gz) = 06dc41a471f16f6c52751854e82fb42011c9388651cff55761298b86ba437d431e6325ab039ef330f2b2c5f69f5ba43dc468e7ca3df205a8bb31468f43711fbe
 SHA512 (google-auth-2.3.0.tar.gz) = cf0040d238880ea4bbad64f0a47311f2ed3922a7301a0d5287319b39ea8e76dca66dc78fd860cc12386b078bd2147a1cba01de97381420ef94cc44fca0c90ad1
 SHA512 (cachetools-4.2.4.tar.gz) = 29a6bb3a064e5603cd3e3882d8e5a6a6ef95ba3029716692c9a82d7186a0befcfb8ed4a0ee3ecb591fdff93a46836d5b25acca7ba5eab1ba837e86404aea8fcf
 SHA512 (pyasn1-modules-0.2.8.tar.gz) = fdfcaa065deffdd732deaa1fa30dec2fc4a90ffe15bd12de40636ce0212f447611096d2f4e652ed786b5c47544439e6a93721fabe121f3320f13965692a1ca5b