diff --git a/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
new file mode 100644
index 0000000..9706cec
--- /dev/null
+++ b/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
@@ -0,0 +1,50 @@
+--- a/aws/dateutil/zoneinfo/rebuild.py 2023-01-26 16:29:30.000000000 +0100
++++ b/aws/dateutil/zoneinfo/rebuild.py 2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+ try:
+ with TarFile.open(filename) as tf:
+ for name in zonegroups:
+- tf.extract(name, tmpdir)
++ if hasattr(tarfile, 'data_filter'):
++ # Python with CVE-2007-4559 mitigation (PEP 706)
++ tf.extract(name, tmpdir, filter='data')
++ else:
++ # Fallback to a possibly dangerous extraction (before PEP 706)
++ tf.extract(name, tmpdir)
+ filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+
+ _run_zic(zonedir, filepaths)
+
+--- a/awscli/dateutil/zoneinfo/rebuild.py 2023-01-26 16:29:30.000000000 +0100
++++ b/awscli/dateutil/zoneinfo/rebuild.py 2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+ try:
+ with TarFile.open(filename) as tf:
+ for name in zonegroups:
+- tf.extract(name, tmpdir)
++ if hasattr(tarfile, 'data_filter'):
++ # Python with CVE-2007-4559 mitigation (PEP 706)
++ tf.extract(name, tmpdir, filter='data')
++ else:
++ # Fallback to a possibly dangerous extraction (before PEP 706)
++ tf.extract(name, tmpdir)
+ filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+
+ _run_zic(zonedir, filepaths)
+
+--- a/azure/dateutil/zoneinfo/rebuild.py 2023-01-26 16:29:30.000000000 +0100
++++ b/azure/dateutil/zoneinfo/rebuild.py 2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+ try:
+ with TarFile.open(filename) as tf:
+ for name in zonegroups:
+- tf.extract(name, tmpdir)
++ if hasattr(tarfile, 'data_filter'):
++ # Python with CVE-2007-4559 mitigation (PEP 706)
++ tf.extract(name, tmpdir, filter='data')
++ else:
++ # Fallback to a possibly dangerous extraction (before PEP 706)
++ tf.extract(name, tmpdir)
+ filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+
+ _run_zic(zonedir, filepaths)
diff --git a/bz2224267-fence_ipmilan-fix-typos-in-metadata.patch b/bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
new file mode 100644
index 0000000..61342cf
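Review bot: `hasattr(tarfile, 'data_filter')` needs a module name `tarfile` in scope, but the context line calls `TarFile.open(filename)`, which suggests rebuild.py only does `from tarfile import TarFile`; the patch carries no import hunk, so unless `tarfile` is imported outside the lines shown, the new check raises NameError in all three copies (aws, awscli, azure), and adding `import tarfile` to each file in the same patch would settle it. Separately, the `else` branch leaves the unfiltered `tf.extract(name, tmpdir)` in place on interpreters without PEP 706, so the CVE-2007-4559 exposure is unchanged there. A fallback that refuses link and device members and confirms the resolved destination stays under `tmpdir` would cover those interpreters too, assuming the zone source members are regular files. The enclosing function starts and ends outside the hunk.

```python
# … unchanged: hasattr(tarfile, 'data_filter') branch with filter='data' …
else:
    # No PEP 706 filter on this interpreter: vet the member by hand.
    member = tf.getmember(name)
    if not (member.isfile() or member.isdir()):
        raise ValueError("refusing non-regular tar member: %s" % name)
    root = os.path.realpath(tmpdir)
    dest = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("tar member escapes extraction dir: %s" % name)
    tf.extract(member, tmpdir)
# … unchanged: filepaths / _run_zic …
```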
--- /dev/null
+++ b/bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
@@ -0,0 +1,123 @@
+From ddfaa29150d0d6fd8841b3e39fa5e806812542b5 Mon Sep 17 00:00:00 2001
+From: razo7
+Date: Wed, 19 Jul 2023 16:33:01 +0300
+Subject: [PATCH] Fix typo in fence_ipmilan description
+
+Add spaces in the long description
+---
+ agents/ipmilan/fence_ipmilan.py | 4 ++--
+ tests/data/metadata/fence_idrac.xml | 2 +-
+ tests/data/metadata/fence_ilo3.xml | 2 +-
+ tests/data/metadata/fence_ilo4.xml | 2 +-
+ tests/data/metadata/fence_ilo5.xml | 2 +-
+ tests/data/metadata/fence_imm.xml | 2 +-
+ tests/data/metadata/fence_ipmilan.xml | 2 +-
+ tests/data/metadata/fence_ipmilanplus.xml | 2 +-
+ 8 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/agents/ipmilan/fence_ipmilan.py b/agents/ipmilan/fence_ipmilan.py
+index 0acf977da..91e09ac7d 100644
+--- a/agents/ipmilan/fence_ipmilan.py
++++ b/agents/ipmilan/fence_ipmilan.py
+@@ -203,8 +203,8 @@ def main():
+
+ docs = {}
+ docs["shortdesc"] = "Fence agent for IPMI"
+- docs["longdesc"] = "fence_ipmilan is an I/O Fencing agent\
+-which can be used with machines controlled by IPMI.\
++ docs["longdesc"] = "fence_ipmilan is an I/O Fencing agent \
++which can be used with machines controlled by IPMI. \
+ This agent calls support software ipmitool (http://ipmitool.sf.net/). \
+ WARNING! This fence agent might report success before the node is powered off. \
+ You should use -m/method onoff if your fence device works correctly with that option."
+diff --git a/tests/data/metadata/fence_idrac.xml b/tests/data/metadata/fence_idrac.xml
+index 2d4876493..d1f283e4a 100644
+--- a/tests/data/metadata/fence_idrac.xml
++++ b/tests/data/metadata/fence_idrac.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
+diff --git a/tests/data/metadata/fence_ilo3.xml b/tests/data/metadata/fence_ilo3.xml
+index 0567b539c..5aca0211b 100644
+--- a/tests/data/metadata/fence_ilo3.xml
++++ b/tests/data/metadata/fence_ilo3.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
+diff --git a/tests/data/metadata/fence_ilo4.xml b/tests/data/metadata/fence_ilo4.xml
+index 647bb1021..3aa001ad2 100644
+--- a/tests/data/metadata/fence_ilo4.xml
++++ b/tests/data/metadata/fence_ilo4.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
+diff --git a/tests/data/metadata/fence_ilo5.xml b/tests/data/metadata/fence_ilo5.xml
+index 6c99db22a..262787905 100644
+--- a/tests/data/metadata/fence_ilo5.xml
++++ b/tests/data/metadata/fence_ilo5.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
+diff --git a/tests/data/metadata/fence_imm.xml b/tests/data/metadata/fence_imm.xml
+index 5c5bf910f..26f9a76d3 100644
+--- a/tests/data/metadata/fence_imm.xml
++++ b/tests/data/metadata/fence_imm.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
+diff --git a/tests/data/metadata/fence_ipmilan.xml b/tests/data/metadata/fence_ipmilan.xml
+index a31afcfd4..daad65a70 100644
+--- a/tests/data/metadata/fence_ipmilan.xml
++++ b/tests/data/metadata/fence_ipmilan.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
+diff --git a/tests/data/metadata/fence_ipmilanplus.xml b/tests/data/metadata/fence_ipmilanplus.xml
+index 19c252933..7b678b245 100644
+--- a/tests/data/metadata/fence_ipmilanplus.xml
++++ b/tests/data/metadata/fence_ipmilanplus.xml
+@@ -6,7 +6,7 @@
+
+
+
+-fence_ipmilan is an I/O Fencing agentwhich can be used with machines controlled by IPMI.This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
++fence_ipmilan is an I/O Fencing agent which can be used with machines controlled by IPMI. This agent calls support software ipmitool (http://ipmitool.sf.net/). WARNING! This fence agent might report success before the node is powered off. You should use -m/method onoff if your fence device works correctly with that option.
+
+
+
diff --git a/fence-agents.spec b/fence-agents.spec
index 87a8d0f..7f0c612 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -60,7 +60,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.10.0 -Release: 48%{?alphatag:.%{alphatag}}%{?dist} +Release: 49%{?alphatag:.%{alphatag}}%{?dist} License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/fence-agents Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz @@ -237,6 +237,10 @@ Patch42: bz2187327-fence_scsi-1-detect-devices-in-shared-vgs.patch Patch43: bz2187327-fence_scsi-2-support-space-separated-devices.patch Patch44: bz2211930-fence_azure-arm-stack-hub-support.patch Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch +Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch + +### HA support libs/utils ### +Patch1000: bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %ifarch x86_64 @@ -393,6 +397,7 @@ BuildRequires: %{systemd_units} %patch43 -p1 %patch44 -p1 %patch45 -p1 +%patch46 -p1 # prevent compilation of something that won't get used anyway sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac @@ -423,6 +428,12 @@ sed -i -e "/^#\!\/Users/c#\!%{__python3}" support/aws/bin/jp support/aliyun/bin/ sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws %endif +# regular patch doesnt work in build-section +# Patch1000 +pushd support +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch +popd + ./autogen.sh %{configure} --disable-libvirt-qmf-plugin PYTHONPATH="support/aliyun:support/aws:support/azure:support/google:support/common" \ %if %{defined _tmpfilesdir} 
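Review bot: The build-section `patch` call in the `@@ -423,6 +428,12 @@` hunk fixes only the three trees named in the patch file (`aws`, `awscli` and `azure` under `support/`), and nothing here verifies that these are the only bundled copies of `dateutil/zoneinfo/rebuild.py`; whether `support/aliyun`, `support/google` or `support/common` also ship one is not visible in this diff. A short check after `popd`, for example listing `find support -path '*/dateutil/zoneinfo/rebuild.py'` and failing the build if any result lacks `filter='data'`, would stop a later bundle update from quietly shipping an unpatched copy. The comment `# regular patch doesnt work in build-section` would also help the next maintainer if it gave the reason, presumably that the bundled files only appear under `support/` during the build.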
@@ -1459,6 +1470,12 @@ are located on corosync cluster nodes. %endif %changelog +* Thu Jul 20 2023 Oyvind Albrigtsen - 4.10.0-49 +- bundled dateutil: fix tarfile CVE-2007-4559 + Resolves: rhbz#2217902 +- fence_ipmilan: fix typos in metadata + Resolves: rhbz#2224267 + * Tue Jul 11 2023 Oyvind Albrigtsen - 4.10.0-48 - fence_ibm_powervs: performance improvements Resolves: rhbz#2221643 diff --git a/tests/run_tests.sh b/tests/run_tests.sh index d9e5fd0..20d93dd 100755 --- a/tests/run_tests.sh +++ b/tests/run_tests.sh @@ -10,10 +10,23 @@ echo "INFO: pcs: agents available..." # test bundled libraries declare -A libs=( - ["aliyunsdkcore"]="sys.path.insert(0, '/usr/lib/fence-agents/bundled/aliyun');" - ["azure"]="sys.path.insert(0, '/usr/lib/fence-agents/bundled/azure');" - ["msrestazure"]="sys.path.insert(0, '/usr/lib/fence-agents/bundled/azure');" + # aliyun + ["aliyunsdkcore"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aliyun');" + ["aliyun-python-sdk-ecs"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aliyun');" + ["aliyuncli"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aliyun');" + # aws + ["boto3"]="sys.path.insert(0, '/usr/lib/fence-agents/support/aws');" + # azure + ["azure"]="sys.path.insert(0, '/usr/lib/fence-agents/support/azure');" + ["msrestazure"]="sys.path.insert(0, '/usr/lib/fence-agents/support/azure');" + # common + ["pexpect"]="sys.path.insert(0, '/usr/lib/fence-agents/support/common');" + ["suds"]="sys.path.insert(0, '/usr/lib/fence-agents/support/common');" + # google + ["google-api-python-client"]="sys.path.insert(0, '/usr/lib/fence-agents/support/google');" + ["pyroute2"]="sys.path.insert(0, '/usr/lib/fence-agents/support/google');" ) + for lib in "${!libs[@]}"; do output=$(python3 -c "import sys; sys.path.append('/usr/share/fence'); \ ${libs[$lib]} \