From fa59ce97fd6c56683b29fb5ab1318251cd8de5ff Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 14 Dec 2023 17:21:57 +0300 Subject: [PATCH] - Fix CVE-2023-43804.patch - Update certifi to 2023.07.22 --- .fence-agents.metadata | 3 +- .gitignore | 3 +- SOURCES/CVE-2023-43804.patch | 70 ++++++++++++++++++++++++++++++++++++ SPECS/fence-agents.spec | 18 +++++++--- 4 files changed, 85 insertions(+), 9 deletions(-) create mode 100644 SOURCES/CVE-2023-43804.patch diff --git a/.fence-agents.metadata b/.fence-agents.metadata index 6d85c18..055c2c1 100644 --- a/.fence-agents.metadata +++ b/.fence-agents.metadata @@ -19,8 +19,7 @@ e20df6c9635f1db9a3c891b9239b4319d88b1747 SOURCES/azure_mgmt_core-1.2.2-py2.py3-n 6ef53a76455b377b02b4774c32a04e241cdb24eb SOURCES/botocore-2.0.0dev123.zip c953dcd6e69587e5b182d77255ed836172fea70a SOURCES/cachetools-4.2.2-py3-none-any.whl 0d12f48faa727f0979e9ad5c4c80dfa32b73caff SOURCES/cachetools-4.2.4.tar.gz -b13e22d55867e2ca5f92e5289cfdc21ba6e343aa SOURCES/certifi-2021.10.8.tar.gz -2fcaa39108a9c99700c6f3f4198fcaa47b8ed707 SOURCES/certifi-2021.5.30-py2.py3-none-any.whl +e8217d20c809f93bf1df6c57f38c9c56f406e1bb SOURCES/certifi-2023.7.22.tar.gz 17953cc85717e0f4501dbc7b5fb8e75d67dcdcd3 SOURCES/cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl 96faab7de7e9a71b37f22adb64daf2898e967e3e SOURCES/chardet-3.0.4-py2.py3-none-any.whl e9eb83c71c09b3c8249bd7d6d2619b65fff03874 SOURCES/chardet-4.0.0-py2.py3-none-any.whl diff --git a/.gitignore b/.gitignore index 1284b26..f438961 100644 --- a/.gitignore +++ b/.gitignore @@ -19,8 +19,7 @@ SOURCES/botocore-1.20.102-py2.py3-none-any.whl SOURCES/botocore-2.0.0dev123.zip SOURCES/cachetools-4.2.2-py3-none-any.whl SOURCES/cachetools-4.2.4.tar.gz -SOURCES/certifi-2021.10.8.tar.gz -SOURCES/certifi-2021.5.30-py2.py3-none-any.whl +SOURCES/certifi-2023.7.22.tar.gz SOURCES/cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl SOURCES/chardet-3.0.4-py2.py3-none-any.whl SOURCES/chardet-4.0.0-py2.py3-none-any.whl diff --git a/SOURCES/CVE-2023-43804.patch b/SOURCES/CVE-2023-43804.patch new file mode 100644 index 0000000..6c3433e --- /dev/null +++ b/SOURCES/CVE-2023-43804.patch @@ -0,0 +1,70 @@ +From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 2 Oct 2023 19:46:16 +0400 +Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f + +--- + CHANGES.rst | 5 ++++ + docs/user-guide.rst | 3 +++ + src/urllib3/util/retry.py | 2 +- + test/test_retry.py | 4 +-- + test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++----- + 5 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py +index ea48afe3ca..7572bfd26a 100644 +--- a/kubevirt/urllib3/util/retry.py ++++ b/kubevirt/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +--- a/aws/urllib3/util/retry.py ++++ b/aws/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +--- a/awscli/urllib3/util/retry.py ++++ b/awscli/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +--- a/azure/urllib3/util/retry.py ++++ b/azure/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +--- a/google/urllib3/util/retry.py ++++ b/google/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec index 20fe6e2..749e6ac 100644 --- a/SPECS/fence-agents.spec +++ b/SPECS/fence-agents.spec @@ -18,7 +18,7 @@ %global kubernetes kubernetes %global kubernetes_version 12.0.1 %global certifi certifi -%global certifi_version 2021.10.8 +%global certifi_version 2023.7.22 %global googleauth google-auth %global googleauth_version 2.3.0 %global cachetools cachetools @@ -59,7 +59,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.10.0 -Release: 55%{?alphatag:.%{alphatag}}%{?dist} +Release: 55%{?alphatag:.%{alphatag}}%{?dist}.2.alma.1 License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/fence-agents Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz @@ -109,7 +109,6 @@ Source1025: azure_mgmt_compute-21.0.0-py2.py3-none-any.whl Source1026: azure_mgmt_core-1.2.2-py2.py3-none-any.whl Source1027: azure_mgmt_network-19.0.0-py2.py3-none-any.whl Source1028: azure-identity-1.10.0.zip -Source1029: certifi-2021.5.30-py2.py3-none-any.whl Source1030: chardet-4.0.0-py2.py3-none-any.whl Source1031: idna-2.10-py2.py3-none-any.whl Source1032: isodate-0.6.0-py2.py3-none-any.whl @@ -242,6 +241,10 @@ Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch +# Patches were taken from: +# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d +Patch1002: CVE-2023-43804.patch + %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %ifarch x86_64 %global testagents virsh heuristics_ping aliyun aws azure_arm gce openstack virt @@ -440,9 +443,10 @@ popd %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift rm -rf kubevirt/rsa* -# Patch1001 + pushd support /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1002} popd ./autogen.sh @@ -600,7 +604,7 @@ Provides: bundled(python-azure-core) = 1.15.0 Provides: bundled(python-azure-mgmt-compute) = 21.0.0 Provides: bundled(python-azure-mgmt-core) = 1.2.2 Provides: bundled(python-azure-mgmt-network) = 19.0.0 -Provides: bundled(python-certifi) = 2021.5.30 +Provides: bundled(python-certifi) = %{certifi_version} Provides: bundled(python-chardet) = 4.0.0 Provides: bundled(python-idna) = 2.10 Provides: bundled(python-isodate) = 0.6.0 @@ -1477,6 +1481,10 @@ are located on corosync cluster nodes. %endif %changelog +* Thu Dec 14 2023 Eduard Abdullin - 4.10.0-55.2.alma.1 +- Fix CVE-2023-43804.patch +- Update certifi to 2023.07.22 + * Thu Aug 3 2023 Oyvind Albrigtsen - 4.10.0-55 - bundled dateutil: fix tarfile CVE-2007-4559 Resolves: rhbz#2217902