From c3c737aac3d8f3b601840ee7507de58506bfa2d1 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Thu, 23 May 2024 13:51:18 +0200
Subject: [PATCH] - fence_vmware_rest: detect if the API user has sufficient rights to manage the fence device

Resolves: RHEL-25256
---
 ...e_rest-detect-user-sufficient-rights.patch | 26 +++++++++++++++++++
 fence-agents.spec | 9 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch

diff --git a/RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch b/RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch
new file mode 100644
index 0000000..5f2027a
--- /dev/null
+++ b/RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch
@@ -0,0 +1,26 @@
+From fc7d7c4baef64f510bd3332c9f008d3e1128dc7b Mon Sep 17 00:00:00 2001
+From: Peter Varkoly
+Date: Sun, 11 Feb 2024 09:13:51 +0100
+Subject: [PATCH] fence_vmware_rest : monitoring is not detecting if the API
+ user has sufficient right to manage the fence device. The call
+ https://{api_host}/api/vcenter/vm is subject to permission checks. If the
+ delivered list is empty the user has no rights.
+
+---
+ agents/vmware_rest/fence_vmware_rest.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/agents/vmware_rest/fence_vmware_rest.py b/agents/vmware_rest/fence_vmware_rest.py
+index 378771863..9dc9a12f4 100644
+--- a/agents/vmware_rest/fence_vmware_rest.py
++++ b/agents/vmware_rest/fence_vmware_rest.py
+@@ -60,6 +60,9 @@ def get_list(conn, options):
+ else:
+ fail(EC_STATUS)
+
++ if options.get("--original-action") == "monitor" and not res["value"]:
++ logging.error("API user does not have sufficient rights to manage the power status.")
++ fail(EC_STATUS)
+ for r in res["value"]:
+ outlets[r["name"]] = ("", state[r["power_state"]])
+
diff --git a/fence-agents.spec b/fence-agents.spec
index cfe49a5..6c7ab1e 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
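Review bot: The new guard in get_list treats an empty `res["value"]` as proof of missing permissions, but the VM listing the commit message names is also empty on a vCenter that simply holds no virtual machines, so the logged text asserts a cause the code cannot distinguish. A message that states what was observed and points at the likely cause is safer for operators, e.g. `logging.error("No VMs returned by the vCenter API; check that the API user has sufficient rights to manage the power status.")`. The check also fires only for the monitor action; for other actions an empty listing falls through to the loop below, and presumably surfaces later as a missing plug rather than as a permissions problem. get_list begins before this hunk, so where `res` is assigned and which other actions reach this point is not visible here.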
@@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 72%{?alphatag:.%{alphatag}}%{?dist}
+Release: 73%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -252,6 +252,7 @@ Patch51: RHEL-14030-2-fence_cisco_mds-undo-metadata-change.patch
 Patch52: RHEL-14344-fence_zvmip-2-fix-manpage-formatting.patch
 Patch53: RHEL-31488-RHEL-31485-RHEL-31483-fence_aliyun-update.patch
 Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patch
+Patch55: RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch

 ### HA support libs/utils ###
 # all archs
@@ -427,6 +428,7 @@ BuildRequires: %{systemd_units}
 %patch -p1 -P 52
 %patch -p1 -P 53
 %patch -p1 -P 54 -F2
+%patch -p1 -P 55

 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@@ -1523,6 +1525,11 @@ are located on corosync cluster nodes.
 %endif

 %changelog
+* Thu May 23 2024 Oyvind Albrigtsen - 4.10.0-73
+- fence_vmware_rest: detect if the API user has sufficient rights to
+ manage the fence device
+ Resolves: RHEL-25256
+
 * Wed May 15 2024 Oyvind Albrigtsen - 4.10.0-72
 - bundled jinja2: fix CVE-2024-34064
 Resolves: RHEL-35649