- fence_scsi: fix registration handling if ISID conflicts

Resolves: RHEL-5396 - bundled certifi: fix CVE-2023-37920 Resolves: RHEL-9446
2023-09-27 14:50:24 +02:00 · 2023-09-27 14:50:24 +02:00 · 6fbe4aa99c
commit 6fbe4aa99c
parent 0d3103d97e
4 changed files with 302 additions and 123 deletions
--- a/RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
+++ b/RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
@ -0,0 +1,68 @@
 From 9d0d0d013c7edae43a4ebc5f46bf2e7a4f127654 Mon Sep 17 00:00:00 2001
 From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
 Date: Fri, 17 Feb 2023 18:04:03 -0800
 Subject: [PATCH] fence_scsi: fix registration handling if ISID conflicts ISID
 (Initiator Session ID) belonging to I_T Nexus changes for RHEL based on the
 session ID. This means that the connection to the device can be set up with
 different ISID on reconnects.
 fence_scsi treats same key as a tip to ignore issuing registration
 to the device but if the device was registered using a different
 ISID, the key would be the same but the I_T Nexus (new ISID) would
 not have access to the device.
 Fixing this by preempting the old key and replacing with the current
 one.
 ---
 agents/scsi/fence_scsi.py | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)
 diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
 index f9e6823b2..85e4f29e6 100644
 --- a/agents/scsi/fence_scsi.py
 +++ b/agents/scsi/fence_scsi.py
@@ -137,12 +137,41 @@ def register_dev(options, dev):
 		for slave in get_mpath_slaves(dev):
 			register_dev(options, slave)
 		return True
 -	if get_reservation_key(options, dev, False) == options["--key"]:
 -		return True
 +
 +	# Check if any registration exists for the key already. We track this in
 +	# order to decide whether the existing registration needs to be cleared.
 +	# This is needed since the previous registration could be for a
 +	# different I_T nexus (different ISID).
 +	registration_key_exists = False
 +	if options["--key"] in get_registration_keys(options, dev):
 +		registration_key_exists = True
 +	if not register_helper(options, options["--key"], dev):
 +		return False
 +
 +	if registration_key_exists:
 +		# If key matches, make sure it matches with the connection that
 +		# exists right now. To do this, we can issue a preempt with same key
 +		# which should replace the old invalid entries from the target.
 +		if not preempt(options, options["--key"], dev):
 +			return False
 +
 +		# If there was no reservation, we need to issue another registration
 +		# since the previous preempt would clear registration made above.
 +		if get_reservation_key(options, dev, False) != options["--key"]:
 +			return register_helper(options, options["--key"], dev)
 +	return True
 +
 +# cancel registration without aborting tasks
 +def preempt(options, host, dev):
 +	reset_dev(options,dev)
 +	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
 +	return not bool(run_cmd(options, cmd)["rc"])
 +
 +# helper function to send the register command
 +def register_helper(options, host, dev):
 	reset_dev(options, dev)
 	cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
 	cmd += " -Z" if "--aptpl" in options else ""
 -	#cmd return code != 0 but registration can be successful
 	return not bool(run_cmd(options, cmd)["rc"])
--- a/RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
+++ b/RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
@ -0,0 +1,103 @@
 From 34baef58db442148b8e067509d2cdd37b7a91ef4 Mon Sep 17 00:00:00 2001
 From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
 Date: Thu, 7 Sep 2023 15:57:51 -0700
 Subject: [PATCH] fence_scsi: fix registration handling in device 'off'
 workflows
 ISID (Initiator Session ID) belonging to I_T Nexus changes for
 RHEL based on the session ID. This means that the connection to
 the device can be set up with different ISID on reconnects.
 When a device is powered off, fence_scsi assumes that the client
 has a registration to the device and sends a preempt-and-abort
 request which ends up failing due to reservation conflict.
 Fixing this by registering the host key with the device and preempting
 the old registration (if it exists). This should make sure that the
 host is able to preempt the other key successfully.
 ---
 agents/scsi/fence_scsi.py | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)
 diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
 index 42530ceb5..519319bf5 100644
 --- a/agents/scsi/fence_scsi.py
 +++ b/agents/scsi/fence_scsi.py
@@ -41,7 +41,7 @@ def set_status(conn, options):
 		for dev in options["devices"]:
 			is_block_device(dev)
 -			register_dev(options, dev)
 +			register_dev(options, dev, options["--key"])
 			if options["--key"] not in get_registration_keys(options, dev):
 				count += 1
 				logging.debug("Failed to register key "\
@@ -62,7 +62,7 @@ def set_status(conn, options):
 			fail_usage("Failed: keys cannot be same. You can not fence yourself.")
 		for dev in options["devices"]:
 			is_block_device(dev)
 -
 +			register_dev(options, dev, host_key)
 			if options["--key"] in get_registration_keys(options, dev):
 				preempt_abort(options, host_key, dev)
@@ -131,11 +131,11 @@ def reset_dev(options, dev):
 	return run_cmd(options, options["--sg_turs-path"] + " " + dev)["rc"]
 -def register_dev(options, dev):
 +def register_dev(options, dev, key):
 	dev = os.path.realpath(dev)
 	if re.search(r"^dm", dev[5:]):
 		for slave in get_mpath_slaves(dev):
 -			register_dev(options, slave)
 +			register_dev(options, slave, key)
 		return True
 	# Check if any registration exists for the key already. We track this in
@@ -143,34 +143,35 @@ def register_dev(options, dev):
 	# This is needed since the previous registration could be for a
 	# different I_T nexus (different ISID).
 	registration_key_exists = False
 -	if options["--key"] in get_registration_keys(options, dev):
 +	if key in get_registration_keys(options, dev):
 +		logging.debug("Registration key exists for device " + dev)
 		registration_key_exists = True
 -	if not register_helper(options, options["--key"], dev):
 +	if not register_helper(options, dev, key):
 		return False
 	if registration_key_exists:
 		# If key matches, make sure it matches with the connection that
 		# exists right now. To do this, we can issue a preempt with same key
 		# which should replace the old invalid entries from the target.
 -		if not preempt(options, options["--key"], dev):
 +		if not preempt(options, key, dev, key):
 			return False
 		# If there was no reservation, we need to issue another registration
 		# since the previous preempt would clear registration made above.
 -		if get_reservation_key(options, dev, False) != options["--key"]:
 -			return register_helper(options, options["--key"], dev)
 +		if get_reservation_key(options, dev, False) != key:
 +			return register_helper(options, dev, key)
 	return True
 -# cancel registration without aborting tasks
 -def preempt(options, host, dev):
 +# helper function to preempt host with 'key' using 'host_key' without aborting tasks
 +def preempt(options, host_key, dev, key):
 	reset_dev(options,dev)
 -	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
 +	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host_key + " -S " + key + " -d " + dev
 	return not bool(run_cmd(options, cmd)["rc"])
 # helper function to send the register command
 -def register_helper(options, host, dev):
 +def register_helper(options, dev, key):
 	reset_dev(options, dev)
 -	cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
 +	cmd = options["--sg_persist-path"] + " -n -o -I -S " + key + " -d " + dev
 	cmd += " -Z" if "--aptpl" in options else ""
 	return not bool(run_cmd(options, cmd)["rc"])
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -18,7 +18,7 @@
 %global kubernetes		kubernetes
 %global kubernetes_version	12.0.1
 %global certifi 		certifi
-%global certifi_version		2021.10.8
+%global certifi_version 	2023.7.22
 %global googleauth		google-auth
 %global googleauth_version	2.3.0
 %global cachetools		cachetools
@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 55%{?alphatag:.%{alphatag}}%{?dist}
+Release: 56%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -109,85 +109,84 @@ Source1025: azure_mgmt_compute-21.0.0-py2.py3-none-any.whl
 Source1026: azure_mgmt_core-1.2.2-py2.py3-none-any.whl
 Source1027: azure_mgmt_network-19.0.0-py2.py3-none-any.whl
 Source1028: azure-identity-1.10.0.zip
-Source1029: certifi-2021.5.30-py2.py3-none-any.whl
+Source1029: chardet-4.0.0-py2.py3-none-any.whl
-Source1030: chardet-4.0.0-py2.py3-none-any.whl
+Source1030: idna-2.10-py2.py3-none-any.whl
-Source1031: idna-2.10-py2.py3-none-any.whl
+Source1031: isodate-0.6.0-py2.py3-none-any.whl
-Source1032: isodate-0.6.0-py2.py3-none-any.whl
+Source1032: msrest-0.6.21-py2.py3-none-any.whl
-Source1033: msrest-0.6.21-py2.py3-none-any.whl
+Source1033: msrestazure-0.6.4-py2.py3-none-any.whl
-Source1034: msrestazure-0.6.4-py2.py3-none-any.whl
+Source1034: %{oauthlib}-%{oauthlib_version}.tar.gz
-Source1035: %{oauthlib}-%{oauthlib_version}.tar.gz
+Source1035: PyJWT-2.1.0-py3-none-any.whl
-Source1036: PyJWT-2.1.0-py3-none-any.whl
+Source1036: requests-2.25.1-py2.py3-none-any.whl
-Source1037: requests-2.25.1-py2.py3-none-any.whl
+Source1037: requests_oauthlib-1.3.0-py2.py3-none-any.whl
-Source1038: requests_oauthlib-1.3.0-py2.py3-none-any.whl
+Source1038: msal-1.18.0.tar.gz
-Source1139: msal-1.18.0.tar.gz
+Source1039: msal-extensions-1.0.0.tar.gz
-Source1140: msal-extensions-1.0.0.tar.gz
+Source1040: portalocker-2.5.1.tar.gz
 Source1141: portalocker-2.5.1.tar.gz
 # google
-Source1042: cachetools-4.2.2-py3-none-any.whl
+Source1041: cachetools-4.2.2-py3-none-any.whl
-Source1043: chardet-3.0.4-py2.py3-none-any.whl
+Source1042: chardet-3.0.4-py2.py3-none-any.whl
-Source1044: google_api_core-1.30.0-py2.py3-none-any.whl
+Source1043: google_api_core-1.30.0-py2.py3-none-any.whl
-Source1045: google_api_python_client-1.12.8-py2.py3-none-any.whl
+Source1044: google_api_python_client-1.12.8-py2.py3-none-any.whl
-Source1046: googleapis_common_protos-1.53.0-py2.py3-none-any.whl
+Source1045: googleapis_common_protos-1.53.0-py2.py3-none-any.whl
-Source1047: google_auth-1.32.0-py2.py3-none-any.whl
+Source1046: google_auth-1.32.0-py2.py3-none-any.whl
-Source1048: google_auth_httplib2-0.1.0-py2.py3-none-any.whl
+Source1047: google_auth_httplib2-0.1.0-py2.py3-none-any.whl
-Source1049: httplib2-0.19.1-py3-none-any.whl
+Source1048: httplib2-0.19.1-py3-none-any.whl
-Source1050: packaging-20.9-py2.py3-none-any.whl
+Source1049: packaging-20.9-py2.py3-none-any.whl
-Source1051: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
+Source1050: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
-Source1052: pyasn1-0.4.8-py2.py3-none-any.whl
+Source1051: pyasn1-0.4.8-py2.py3-none-any.whl
-Source1053: pyasn1_modules-0.2.8-py2.py3-none-any.whl
+Source1052: pyasn1_modules-0.2.8-py2.py3-none-any.whl
-Source1054: pyparsing-2.4.7-py2.py3-none-any.whl
+Source1053: pyparsing-2.4.7-py2.py3-none-any.whl
-Source1055: pyroute2-0.6.4.tar.gz
+Source1054: pyroute2-0.6.4.tar.gz
-Source1056: pyroute2.core-0.6.4.tar.gz
+Source1055: pyroute2.core-0.6.4.tar.gz
-Source1057: pyroute2.ethtool-0.6.4.tar.gz
+Source1056: pyroute2.ethtool-0.6.4.tar.gz
-Source1058: pyroute2.ipdb-0.6.4.tar.gz
+Source1057: pyroute2.ipdb-0.6.4.tar.gz
-Source1059: pyroute2.ipset-0.6.4.tar.gz
+Source1058: pyroute2.ipset-0.6.4.tar.gz
-Source1060: pyroute2.ndb-0.6.4.tar.gz
+Source1059: pyroute2.ndb-0.6.4.tar.gz
-Source1061: pyroute2.nftables-0.6.4.tar.gz
+Source1060: pyroute2.nftables-0.6.4.tar.gz
-Source1062: pyroute2.nslink-0.6.4.tar.gz
+Source1061: pyroute2.nslink-0.6.4.tar.gz
-Source1063: pytz-2021.1-py2.py3-none-any.whl
+Source1062: pytz-2021.1-py2.py3-none-any.whl
-Source1064: rsa-4.7.2-py3-none-any.whl
+Source1063: rsa-4.7.2-py3-none-any.whl
-Source1065: setuptools-57.0.0-py3-none-any.whl
+Source1064: setuptools-57.0.0-py3-none-any.whl
-Source1066: uritemplate-3.0.1-py2.py3-none-any.whl
+Source1065: uritemplate-3.0.1-py2.py3-none-any.whl
 # common (pexpect / suds)
-Source1067: pexpect-4.8.0-py2.py3-none-any.whl
+Source1066: pexpect-4.8.0-py2.py3-none-any.whl
-Source1068: ptyprocess-0.7.0-py2.py3-none-any.whl
+Source1067: ptyprocess-0.7.0-py2.py3-none-any.whl
-Source1069: suds_community-0.8.5-py3-none-any.whl
+Source1068: suds_community-0.8.5-py3-none-any.whl
 ### END ###
 # kubevirt
 ## pip download --no-binary :all: openshift "ruamel.yaml.clib>=0.1.2"
 ### BEGIN
-Source1070: %{openshift}-%{openshift_version}.tar.gz
+Source1069: %{openshift}-%{openshift_version}.tar.gz
-Source1071: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz
+Source1070: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz
-Source1072: %{kubernetes}-%{kubernetes_version}.tar.gz
+Source1071: %{kubernetes}-%{kubernetes_version}.tar.gz
-Source1073: %{certifi}-%{certifi_version}.tar.gz
+Source1072: %{certifi}-%{certifi_version}.tar.gz
-Source1074: %{googleauth}-%{googleauth_version}.tar.gz
+Source1073: %{googleauth}-%{googleauth_version}.tar.gz
-Source1075: %{cachetools}-%{cachetools_version}.tar.gz
+Source1074: %{cachetools}-%{cachetools_version}.tar.gz
-Source1076: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
+Source1075: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
-Source1077: %{pyasn1}-%{pyasn1_version}.tar.gz
+Source1076: %{pyasn1}-%{pyasn1_version}.tar.gz
-Source1078: python-%{dateutil}-%{dateutil_version}.tar.gz
+Source1077: python-%{dateutil}-%{dateutil_version}.tar.gz
-Source1079: %{pyyaml}-%{pyyaml_version}.tar.gz
+Source1078: %{pyyaml}-%{pyyaml_version}.tar.gz
 ## rsa is dependency for "pip install",
 ## but gets removed to use cryptography lib instead
-Source1080: rsa-4.7.2.tar.gz
+Source1079: rsa-4.7.2.tar.gz
-Source1081: %{six}-%{six_version}.tar.gz
+Source1080: %{six}-%{six_version}.tar.gz
-Source1082: %{urllib3}-%{urllib3_version}.tar.gz
+Source1081: %{urllib3}-%{urllib3_version}.tar.gz
-Source1083: %{websocketclient}-%{websocketclient_version}.tar.gz
+Source1082: %{websocketclient}-%{websocketclient_version}.tar.gz
-Source1084: %{jinja2}-%{jinja2_version}.tar.gz
+Source1083: %{jinja2}-%{jinja2_version}.tar.gz
-Source1085: %{markupsafe}-%{markupsafe_version}.tar.gz
+Source1084: %{markupsafe}-%{markupsafe_version}.tar.gz
-Source1086: python-%{stringutils}-%{stringutils_version}.tar.gz
+Source1085: python-%{stringutils}-%{stringutils_version}.tar.gz
-Source1087: %{requests}-%{requests_version}.tar.gz
+Source1086: %{requests}-%{requests_version}.tar.gz
-Source1088: %{chrstnormalizer}-%{chrstnormalizer_version}.tar.gz
+Source1087: %{chrstnormalizer}-%{chrstnormalizer_version}.tar.gz
-Source1089: %{idna}-%{idna_version}.tar.gz
+Source1088: %{idna}-%{idna_version}.tar.gz
-Source1090: %{reqstsoauthlib}-%{reqstsoauthlib_version}.tar.gz
+Source1089: %{reqstsoauthlib}-%{reqstsoauthlib_version}.tar.gz
-Source1091: %{ruamelyaml}-%{ruamelyaml_version}.tar.gz
+Source1090: %{ruamelyaml}-%{ruamelyaml_version}.tar.gz
-Source1092: %{setuptools}-%{setuptools_version}.tar.gz
+Source1091: %{setuptools}-%{setuptools_version}.tar.gz
 ## required for installation
-Source1093: setuptools_scm-6.3.2.tar.gz
+Source1092: setuptools_scm-6.3.2.tar.gz
-Source1094: packaging-21.2-py3-none-any.whl
+Source1093: packaging-21.2-py3-none-any.whl
-Source1095: poetry-core-1.0.7.tar.gz
+Source1094: poetry-core-1.0.7.tar.gz
-Source1096: pyparsing-3.0.1.tar.gz
+Source1095: pyparsing-3.0.1.tar.gz
-Source1097: tomli-1.0.1.tar.gz
+Source1096: tomli-1.0.1.tar.gz
-Source1098: wheel-0.37.0-py2.py3-none-any.whl
+Source1097: wheel-0.37.0-py2.py3-none-any.whl
 ### END
 Patch0: ha-cloud-support-aliyun.patch
@ -237,6 +236,8 @@ Patch43: bz2187327-fence_scsi-2-support-space-separated-devices.patch
 Patch44: bz2211930-fence_azure-arm-stack-hub-support.patch
 Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch
 Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
 Patch47: RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
 Patch48: RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
 ### HA support libs/utils ###
 Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
@ -351,53 +352,55 @@ BuildRequires: %{systemd_units}
 %prep
 %setup -q -n %{name}-%{version}%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
-%patch0 -p1
+%patch -p1 -P 0
-%patch1 -p1
+%patch -p1 -P 1
-%patch2 -p1
+%patch -p1 -P 2
-%patch3 -p1
+%patch -p1 -P 3
-%patch4 -p1
+%patch -p1 -P 4
-%patch5 -p1
+%patch -p1 -P 5
-%patch6 -p1
+%patch -p1 -P 6
-%patch7 -p1
+%patch -p1 -P 7
-%patch8 -p1
+%patch -p1 -P 8
-%patch9 -p1
+%patch -p1 -P 9
-%patch10 -p1
+%patch -p1 -P 10
-%patch11 -p1
+%patch -p1 -P 11
-%patch12 -p1
+%patch -p1 -P 12
-%patch13 -p1
+%patch -p1 -P 13
-%patch14 -p1 -F2
+%patch -p1 -P 14 -F2
-%patch15 -p1 -F1
+%patch -p1 -P 15 -F1
-%patch16 -p1
+%patch -p1 -P 16
-%patch17 -p1
+%patch -p1 -P 17
-%patch18 -p1
+%patch -p1 -P 18
-%patch19 -p1
+%patch -p1 -P 19
-%patch20 -p1
+%patch -p1 -P 20
-%patch21 -p1
+%patch -p1 -P 21
-%patch22 -p1
+%patch -p1 -P 22
-%patch23 -p1
+%patch -p1 -P 23
-%patch24 -p1
+%patch -p1 -P 24
-%patch25 -p1
+%patch -p1 -P 25
-%patch26 -p1
+%patch -p1 -P 26
-%patch27 -p1
+%patch -p1 -P 27
-%patch28 -p1
+%patch -p1 -P 28
-%patch29 -p1
+%patch -p1 -P 29
-%patch30 -p1
+%patch -p1 -P 30
-%patch31 -p1
+%patch -p1 -P 31
-%patch32 -p1
+%patch -p1 -P 32
-%patch33 -p1
+%patch -p1 -P 33
-%patch34 -p1
+%patch -p1 -P 34
-%patch35 -p1
+%patch -p1 -P 35
-%patch36 -p1
+%patch -p1 -P 36
-%patch37 -p1
+%patch -p1 -P 37
-%patch38 -p1
+%patch -p1 -P 38
-%patch39 -p1
+%patch -p1 -P 39
-%patch40 -p1
+%patch -p1 -P 40
-%patch41 -p1
+%patch -p1 -P 41
-%patch42 -p1
+%patch -p1 -P 42
-%patch43 -p1
+%patch -p1 -P 43
-%patch44 -p1
+%patch -p1 -P 44
-%patch45 -p1
+%patch -p1 -P 45
-%patch46 -p1
+%patch -p1 -P 46
 %patch -p1 -P 47
 %patch -p1 -P 48
 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@ -600,7 +603,7 @@ Provides: bundled(python-azure-core) = 1.15.0
 Provides: bundled(python-azure-mgmt-compute) = 21.0.0
 Provides: bundled(python-azure-mgmt-core) = 1.2.2
 Provides: bundled(python-azure-mgmt-network) = 19.0.0
-Provides: bundled(python-certifi) = 2021.5.30
+Provides: bundled(python-certifi) = %{certifi_version}
 Provides: bundled(python-chardet) = 4.0.0
 Provides: bundled(python-idna) = 2.10
 Provides: bundled(python-isodate) = 0.6.0
@ -1477,6 +1480,12 @@ are located on corosync cluster nodes.
 %endif
 %changelog
 * Wed Sep 27 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-56
 - fence_scsi: fix registration handling if ISID conflicts
  Resolves: RHEL-5396
 - bundled certifi: fix CVE-2023-37920
  Resolves: RHEL-9446
 * Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-55
 - bundled dateutil: fix tarfile CVE-2007-4559
  Resolves: rhbz#2217902
--- a/3
+++ b/3
@ -35,7 +35,7 @@ SHA512 (azure_mgmt_compute-21.0.0-py2.py3-none-any.whl) = e02fe9e100d898f4bbc14f
 SHA512 (azure_mgmt_core-1.2.2-py2.py3-none-any.whl) = ea0b4062314de37d048cf6d9e40757372e050291a8861719dda2f1446c2e9a932050d0c0f732a8afb182993b7f700b5d6053217801199a4257b6269f5c7e47e5
 SHA512 (azure_mgmt_network-19.0.0-py2.py3-none-any.whl) = aa18ed97f167a1abf60c8fd7ae81b6777565c13f8ace06c81cdc70bf16c9fc2efad1984b8f159877ba3118312d2b81759df3b8e42b6f874cea5214943e8b054d
 SHA512 (azure-identity-1.10.0.zip) = 66551765ac0a4d43dc95cb755be3bfc31e2e7afa7eebf72c061c6c7d1dd0cf88988d88a39c2c1463fe27caced7ccd72da6520a9e977bfed0ee5f495fe00fab6a
-SHA512 (certifi-2021.5.30-py2.py3-none-any.whl) = 395c349cef4f8247af20a763a1927fe243e52d7fe846874f100b33e46119e48a3b7b681d3f3e879fe18a07ae81ba791ac7d0ed61017990d722f29d17e2573811
+SHA512 (certifi-2023.7.22.tar.gz) = 220ec0a4251f301f057b4875e5966a223085b0c764c911450b43df7f49dbc5af50f14eeb692d935c0baa95d7c800055fa03efa4aaabba397a82c7b07c042bd90
 SHA512 (chardet-4.0.0-py2.py3-none-any.whl) = cc8cdd5e73b4eace0131bbeaf6099e322ba5c2f827f26ad3316c674c60529d77f39f68d9fb83199ab78d16902021ab1ae58d74ab62d770cf95ceb804b9242e90
 SHA512 (idna-2.10-py2.py3-none-any.whl) = 7b7be129e1a99288aa74a15971377cb17bee1618843c03c8f782e287d0f3ecf3b8f26e3ea736444eb358f1d6079131a7eb291446f3279874eb8e00b624d9471c
 SHA512 (isodate-0.6.0-py2.py3-none-any.whl) = 6d39a350ff4af87c74ae3226e6627f9c254205bfd2a761a5bf956883667bbe6d4678e1830b629c899a6f0fe67a9603cb4890c5a1fa6c8d245fe4fdbddddde870
@ -79,7 +79,6 @@ SHA512 (suds_community-0.8.5-py3-none-any.whl) = 0719c3c2988ff96bd8698df326fb332
 SHA512 (openshift-0.12.1.tar.gz) = 35a0ecfbc12d657f5f79d4c752a7c023a2a5e3fc5e7b377d9f11ce4a7d5f666ca5c6296f31adb44b7680d051af42d3638ced1092fb7e9146d2cc998f2c3a7b80
 SHA512 (ruamel.yaml.clib-0.2.6.tar.gz) = 12307a3c3bae09cf65d9672894c9a869a7ed5483ca3afb9ee39d8bcbf1948b012a0dbf570e315cc8b9a8b55184de9e10324953ec4819d214379e01522ee13b20
 SHA512 (kubernetes-12.0.1.tar.gz) = ff4739dc185dbf46050e53382b9260a0a69c55b43820ccb1df498718c78d1bf42842f4ab1b6d0c3520c5edab45d9c9c9527aea9ccb0b6347f34e18202f9155a2
 SHA512 (certifi-2021.10.8.tar.gz) = 06dc41a471f16f6c52751854e82fb42011c9388651cff55761298b86ba437d431e6325ab039ef330f2b2c5f69f5ba43dc468e7ca3df205a8bb31468f43711fbe
 SHA512 (google-auth-2.3.0.tar.gz) = cf0040d238880ea4bbad64f0a47311f2ed3922a7301a0d5287319b39ea8e76dca66dc78fd860cc12386b078bd2147a1cba01de97381420ef94cc44fca0c90ad1
 SHA512 (cachetools-4.2.4.tar.gz) = 29a6bb3a064e5603cd3e3882d8e5a6a6ef95ba3029716692c9a82d7186a0befcfb8ed4a0ee3ecb591fdff93a46836d5b25acca7ba5eab1ba837e86404aea8fcf
 SHA512 (pyasn1-modules-0.2.8.tar.gz) = fdfcaa065deffdd732deaa1fa30dec2fc4a90ffe15bd12de40636ce0212f447611096d2f4e652ed786b5c47544439e6a93721fabe121f3320f13965692a1ca5b