import OL fence-agents-4.10.0-76.el9_5.6

2025-03-26 12:29:49 +00:00 · 2025-03-26 12:29:49 +00:00 · 961e4cc6df
commit 961e4cc6df
parent fc82836a77
6 changed files with 105 additions and 72 deletions
--- a/.fence-agents.metadata
+++ b/.fence-agents.metadata
@ -1,4 +1,3 @@
-a9db54d91b53f76f546afa1414dd015c0574ebeb SOURCES/Jinja2-3.1.3.tar.gz
 e1b766b2b1601fde67b3b19ed2f13b9746bb1cca SOURCES/MarkupSafe-2.0.1.tar.gz
 e1fb5dc6f95a85e7d1f93c6701b331201e8b5479 SOURCES/PyJWT-2.1.0-py3-none-any.whl
 53fc16036940089ceadd4127381e40fd6106a7ed SOURCES/PyYAML-5.1.tar.gz
@ -43,6 +42,7 @@ dc553afa7a3f23b92ee9ecd27d0b15153c0e9f75 SOURCES/googleapis_common_protos-1.53.0
 999b6718b4d789d8ca0d2ddf7c07826154291825 SOURCES/idna-2.10-py2.py3-none-any.whl
 08c0449533fc94462f78652dea209099754d9ee4 SOURCES/idna-3.3.tar.gz
 240cc4206740fafacb74bbf0d0c4ff70e41c8a85 SOURCES/isodate-0.6.0-py2.py3-none-any.whl
+41fdca818f95b8f0d35298eaab42f4e714dedf19 SOURCES/jinja2-3.1.6.tar.gz
 68904717c48e95adb47d815178fff8d80f39b2ab SOURCES/jmespath-0.7.1-py2.py3-none-any.whl
 d06a9547b1a87e9c51b0a7c708189d993f2e3d89 SOURCES/kubernetes-12.0.1.tar.gz
 ecd73099139d222059443ad19dfeee3f715e1ab0 SOURCES/msal-1.18.0.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
-SOURCES/Jinja2-3.1.3.tar.gz
 SOURCES/MarkupSafe-2.0.1.tar.gz
 SOURCES/PyJWT-2.1.0-py3-none-any.whl
 SOURCES/PyYAML-5.1.tar.gz
@ -43,6 +42,7 @@ SOURCES/httplib2-0.19.1-py3-none-any.whl
 SOURCES/idna-2.10-py2.py3-none-any.whl
 SOURCES/idna-3.3.tar.gz
 SOURCES/isodate-0.6.0-py2.py3-none-any.whl
+SOURCES/jinja2-3.1.6.tar.gz
 SOURCES/jmespath-0.7.1-py2.py3-none-any.whl
 SOURCES/kubernetes-12.0.1.tar.gz
 SOURCES/msal-1.18.0.tar.gz
--- a/SOURCES/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
+++ b/SOURCES/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
@ -1,65 +0,0 @@
-From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
-From: David Lord <davidism@gmail.com>
-Date: Thu, 2 May 2024 09:14:00 -0700
-Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
-
---
- CHANGES.rst           |  6 ++++++
- src/jinja2/filters.py | 22 +++++++++++++++++-----
- tests/test_filters.py | 11 ++++++-----
- 3 files changed, 29 insertions(+), 10 deletions(-)
-
-diff --git a/kubevirt/jinja2/filters.py b/kubevirt/jinja2/filters.py
-index 4cf3c11fb..acd11976e 100644
--- a/kubevirt/jinja2/filters.py
-+++ b/kubevirt/jinja2/filters.py
-@@ -250,7 +250,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
-     yield from value.items()
- 
- 
-_space_re = re.compile(r"\s", flags=re.ASCII)
-+# Check for characters that would move the parser state from key to value.
-+# https://html.spec.whatwg.org/#attribute-name-state
-+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
- 
- 
- @pass_eval_context
-@@ -259,8 +261,14 @@ def do_xmlattr(
- ) -> str:
-     """Create an SGML/XML attribute string based on the items in a dict.
- 
-    If any key contains a space, this fails with a ``ValueError``. Values that
-    are neither ``none`` nor ``undefined`` are automatically escaped.
-+    **Values** that are neither ``none`` nor ``undefined`` are automatically
-+    escaped, safely allowing untrusted user input.
-+
-+    User input should not be used as **keys** to this filter. If any key
-+    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
-+    sign, this fails with a ``ValueError``. Regardless of this, user input
-+    should never be used as keys to this filter, or must be separately validated
-+    first.
- 
-     .. sourcecode:: html+jinja
- 
-@@ -280,6 +288,10 @@ def do_xmlattr(
-     As you can see it automatically prepends a space in front of the item
-     if the filter returned something unless the second parameter is false.
- 
-+    .. versionchanged:: 3.1.4
-+        Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
-+        are not allowed.
-+
-     .. versionchanged:: 3.1.3
-         Keys with spaces are not allowed.
-     """
-@@ -289,8 +301,8 @@ def do_xmlattr(
-         if value is None or isinstance(value, Undefined):
-             continue
- 
-        if _space_re.search(key) is not None:
-            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
-+        if _attr_key_re.search(key) is not None:
-+            raise ValueError(f"Invalid character in attribute name: {key!r}")
- 
-         items.append(f'{escape(key)}="{escape(value)}"')
- 
--- a/SOURCES/RHEL-59882-fence_scsi-only-preempt-once-for-mpath-devices.patch
+++ b/SOURCES/RHEL-59882-fence_scsi-only-preempt-once-for-mpath-devices.patch
@ -0,0 +1,40 @@
+From cb57f1c2ee734a40d01249305965ea4ecdf02039 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 5 Sep 2024 09:06:34 +0200
+Subject: [PATCH] fence_scsi: preempt clears all devices on the mpath device,
+ so only run it for the first device
+
+---
+ agents/scsi/fence_scsi.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index a1598411c..12f7fb49b 100644
+--- a/agents/scsi/fence_scsi.py
+++ b/agents/scsi/fence_scsi.py
+@@ -131,11 +131,13 @@ def reset_dev(options, dev):
+ 	return run_cmd(options, options["--sg_turs-path"] + " " + dev)["rc"]
+ 
+ 
+-def register_dev(options, dev, key):
+def register_dev(options, dev, key, do_preempt=True):
+ 	dev = os.path.realpath(dev)
+ 	if re.search(r"^dm", dev[5:]):
+-		for slave in get_mpath_slaves(dev):
+-			register_dev(options, slave, key)
+		devices = get_mpath_slaves(dev)
+		register_dev(options, devices[0], key)
+		for device in devices[1:]:
+			register_dev(options, device, key, False)
+ 		return True
+ 
+ 	# Check if any registration exists for the key already. We track this in
+@@ -153,7 +155,7 @@ def register_dev(options, dev, key):
+ 		# If key matches, make sure it matches with the connection that
+ 		# exists right now. To do this, we can issue a preempt with same key
+ 		# which should replace the old invalid entries from the target.
+-		if not preempt(options, key, dev, key):
+		if do_preempt and not preempt(options, key, dev, key):
+ 			return False
+ 
+ 		# If there was no reservation, we need to issue another registration
--- a/SOURCES/RHEL-83487-fence_ibm_vpc-refresh-bearer-token.patch
+++ b/SOURCES/RHEL-83487-fence_ibm_vpc-refresh-bearer-token.patch
@ -0,0 +1,38 @@
+From 293b3961149f680ead9028e6719c405957abc6b7 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 13 Mar 2025 16:40:30 +0100
+Subject: [PATCH] fence_ibm_vpc: refresh bearer-token in connect() if token
+ data is corrupt, and avoid edge-case of writing empty token file
+
+---
+ agents/ibm_vpc/fence_ibm_vpc.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/agents/ibm_vpc/fence_ibm_vpc.py b/agents/ibm_vpc/fence_ibm_vpc.py
+index 035a3235a..efda5eed7 100755
+--- a/agents/ibm_vpc/fence_ibm_vpc.py
+++ b/agents/ibm_vpc/fence_ibm_vpc.py
+@@ -105,6 +105,8 @@ def get_bearer_token(conn, options):
+ 			except Exception as e:
+ 				logging.error("Failed: Unable to authenticate: {}".format(e))
+ 				fail(EC_LOGIN_DENIED)
+			if len(token) < 1:
+				fail(EC_LOGIN_DENIED)
+ 			file_obj.write(token)
+ 	finally:
+ 		os.umask(oldumask)
+@@ -152,6 +154,14 @@ def connect(opt):
+ 	# set auth token for later requests
+ 	conn = set_bearer_token(conn, bearer_token)
+ 
+	try:
+		command = "instances?version=2021-05-25&generation=2&limit=1"
+		res = send_command(conn, opt, command)
+	except Exception as e:
+		logging.warning("Failed to login/connect. Updating bearer-token.")
+		bearer_token = get_bearer_token(conn, opt)
+		conn = set_bearer_token(conn, bearer_token)
+
+ 	return conn
+ 
+ def disconnect(conn):
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@ -37,8 +37,8 @@
 %global urllib3_version 	1.26.18
 %global websocketclient 	websocket-client
 %global websocketclient_version 1.2.1
-%global jinja2			Jinja2
-%global jinja2_version		3.1.3
+%global jinja2			jinja2
+%global jinja2_version		3.1.6
 %global markupsafe		MarkupSafe
 %global markupsafe_version	2.0.1
 %global stringutils		string-utils
@ -57,7 +57,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 76%{?alphatag:.%{alphatag}}%{?dist}
+Release: 76%{?alphatag:.%{alphatag}}%{?dist}.6
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -254,11 +254,12 @@ Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patc
 Patch55: RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch
 Patch56: RHEL-43235-fence_aws-1-list-add-instance-name-status.patch
 Patch57: RHEL-43235-fence_aws-2-log-error-for-unknown-states.patch
+Patch58: RHEL-59882-fence_scsi-only-preempt-once-for-mpath-devices.patch
+Patch59: RHEL-83487-fence_ibm_vpc-refresh-bearer-token.patch

 ### HA support libs/utils ###
 # all archs
 Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
 # cloud (x86_64 only)
 Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch2001: RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
@ -433,6 +434,8 @@ BuildRequires: %{systemd_units}
 %patch -p1 -P 55
 %patch -p1 -P 56
 %patch -p1 -P 57
+%patch -p1 -P 58
+%patch -p1 -P 59

 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@ -489,7 +492,6 @@ rm -rf kubevirt/rsa*
 # regular patch doesnt work in build-section
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1000}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}

 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000}
@ -1530,6 +1532,24 @@ are located on corosync cluster nodes.
 %endif

 %changelog
+* Fri Mar 14 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-76.6
+- fence_ibm_vpc: refresh bearer-token if token data is corrupt, and
+  avoid edge-case of writing empty token file
+  Resolves: RHEL-83487
+
+* Tue Mar 11 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-76.5
+- bundled jinja2: fix CVE-2025-27516
+  Resolves: RHEL-82712
+
+* Thu Jan  9 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-76.4
+- bundled jinja2: fix CVE-2024-56201 and CVE-2024-56326
+  Resolves: RHEL-72070, RHEL-72063
+
+* Wed Sep 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-76.1
+- fence_scsi: preempt clears all devices on the mpath device, so only
+  run it for the first device
+  Resolves: RHEL-59882
+
 * Tue Jul 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-76
 - bundled setuptools: fix CVE-2024-6345