14 changed files with 2486 additions and 192 deletions
--- a/.fence-agents.metadata
+++ b/.fence-agents.metadata
@ -1,37 +0,0 @@
-3297473a9d57e93ff378eab173990c1b64673c01 SOURCES/Jinja2-3.0.2.tar.gz
-e1b766b2b1601fde67b3b19ed2f13b9746bb1cca SOURCES/MarkupSafe-2.0.1.tar.gz
-a8c40a3ae9d4c159382a58db3153d83e5521c51e SOURCES/PyYAML-6.0.tar.gz
-0a56f6d9ed2014a363486d33b63eca094379be06 SOURCES/aliyun-python-sdk-core-2.13.1.tar.gz
-c2a98b9a1562d223a76514f05028488ca000c395 SOURCES/aliyun-python-sdk-ecs-4.9.3.tar.gz
-f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
-2512ff4ef016cad0b916006f6acf2a309f908c4d SOURCES/botocore-1.23.46.tar.gz
-0d12f48faa727f0979e9ad5c4c80dfa32b73caff SOURCES/cachetools-4.2.4.tar.gz
-b13e22d55867e2ca5f92e5289cfdc21ba6e343aa SOURCES/certifi-2021.10.8.tar.gz
-2384f6cfba4685d901262e073a4455d4cf76d102 SOURCES/chardet-4.0.0.tar.gz
-865df92e66e5dc7b940144cbad8115c07dc8784f SOURCES/charset-normalizer-2.0.7.tar.gz
-e2561df8e7ff9113dab118a651371dd88dab0142 SOURCES/fence-agents-4.2.1.tar.gz
-f4e578dc0ed68d6667d7b36cdfc2647d55e9858f SOURCES/google-auth-2.3.0.tar.gz
-74ec77d2e2ef6b2ef8503e6e398faa6f3ba298ae SOURCES/httplib2-0.19.1-py3-none-any.whl
-08c0449533fc94462f78652dea209099754d9ee4 SOURCES/idna-3.3.tar.gz
-356c48dfea2214dd9e7e2b222a99dddfe9c0d05c SOURCES/jmespath-0.10.0.tar.gz
-d06a9547b1a87e9c51b0a7c708189d993f2e3d89 SOURCES/kubernetes-12.0.1.tar.gz
-f6efa66f6106b069b5c0e0cf8cc677e4e96c91ca SOURCES/oauthlib-3.1.1.tar.gz
-570d69d8c108ebb8aee562389d13b07dfb61ce25 SOURCES/openshift-0.12.1.tar.gz
-bccbc1bf76a9db46998eb8e1ffa2f2a2baf9237a SOURCES/packaging-21.2-py3-none-any.whl
-e0fa19f8fda46a1fa2253477499b116b33f67175 SOURCES/pyasn1-0.4.8.tar.gz
-43b89feb6864fe359aae89120627165219de313b SOURCES/pyasn1-modules-0.2.8.tar.gz
-326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
-c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
-c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
-1dc2fa004aa6517f1620e55d8a7b8e68a9cf2a47 SOURCES/python-string-utils-1.0.0.tar.gz
-8c7a89d183d3e9b70bf91ba5b75eccf7111b9d8d SOURCES/requests-2.26.0.tar.gz
-f139aed770519b6a095b8fdc888d03955cbe9d8e SOURCES/requests-oauthlib-1.3.0.tar.gz
-e8a53067e03fe1b6682fd99a40a7359396a06daa SOURCES/rsa-4.7.2.tar.gz
-d1011ff44cd5a045de0460c1b79ec65592e86860 SOURCES/ruamel.yaml-0.17.16.tar.gz
-27de97227bbbde5a9f571f9fad223578d7bdf7cc SOURCES/ruamel.yaml.clib-0.2.6.tar.gz
-d5354718cb8c9330d3abc27445467ce8a5ed9d70 SOURCES/setuptools-58.3.0.tar.gz
-a4f02fddae697614e356cadfddb6241cc7737f38 SOURCES/setuptools_scm-6.3.2.tar.gz
-06fa0bb50f2a4e2917fd14c21e9d2d5508ce0163 SOURCES/six-1.16.0.tar.gz
-b42b7960047441db7dc021cc20e14279bd836f8d SOURCES/tomli-1.0.1.tar.gz
-eb35c3fd8b0867ae988a15917d6b80e8bdf60222 SOURCES/urllib3-1.26.7.tar.gz
-540f083782c584989c1a0f69ffd69ba7aae07db6 SOURCES/websocket-client-1.2.1.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -6,7 +6,7 @@ SOURCES/aliyun-python-sdk-ecs-4.9.3.tar.gz
 SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 SOURCES/botocore-1.23.46.tar.gz
 SOURCES/cachetools-4.2.4.tar.gz
-SOURCES/certifi-2021.10.8.tar.gz
+SOURCES/certifi-2023.7.22.tar.gz
 SOURCES/chardet-4.0.0.tar.gz
 SOURCES/charset-normalizer-2.0.7.tar.gz
 SOURCES/fence-agents-4.2.1.tar.gz
@ -20,7 +20,7 @@ SOURCES/openshift-0.12.1.tar.gz
 SOURCES/packaging-21.2-py3-none-any.whl
 SOURCES/pyasn1-0.4.8.tar.gz
 SOURCES/pyasn1-modules-0.2.8.tar.gz
-SOURCES/pycryptodome-3.6.4.tar.gz
+SOURCES/pycryptodome-3.20.0.tar.gz
 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 SOURCES/python-dateutil-2.8.2.tar.gz
 SOURCES/python-string-utils-1.0.0.tar.gz
@ -33,5 +33,5 @@ SOURCES/setuptools-58.3.0.tar.gz
 SOURCES/setuptools_scm-6.3.2.tar.gz
 SOURCES/six-1.16.0.tar.gz
 SOURCES/tomli-1.0.1.tar.gz
-SOURCES/urllib3-1.26.7.tar.gz
+SOURCES/urllib3-1.26.18.tar.gz
 SOURCES/websocket-client-1.2.1.tar.gz
--- a/SOURCES/RHEL-14031-1-all-agents-metadata-update-IO-Power-Network.patch
+++ b/SOURCES/RHEL-14031-1-all-agents-metadata-update-IO-Power-Network.patch
--- a/SOURCES/RHEL-14031-2-fence_cisco_mds-undo-metadata-change.patch
+++ b/SOURCES/RHEL-14031-2-fence_cisco_mds-undo-metadata-change.patch
@ -0,0 +1,35 @@
+From 639732ddca765b2f147ef0c0a896968e3304ca49 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 23 Oct 2023 09:28:55 +0200
+Subject: [PATCH] fence_cisco_mds: undo metadata change, as it is an I/O agent
+
+---
+ agents/cisco_mds/fence_cisco_mds.py     | 2 +-
+ tests/data/metadata/fence_cisco_mds.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/agents/cisco_mds/fence_cisco_mds.py b/agents/cisco_mds/fence_cisco_mds.py
+index 04cd1f842..fbb876a94 100644
+--- a/agents/cisco_mds/fence_cisco_mds.py
+++ b/agents/cisco_mds/fence_cisco_mds.py
+@@ -77,7 +77,7 @@ def main():
+ 
+ 	docs = {}
+ 	docs["shortdesc"] = "Fence agent for Cisco MDS"
+-	docs["longdesc"] = "fence_cisco_mds is a Power Fencing agent \
+	docs["longdesc"] = "fence_cisco_mds is an I/O Fencing agent \
+ which can be used with any Cisco MDS 9000 series with SNMP enabled device."
+ 	docs["vendorurl"] = "http://www.cisco.com"
+ 	show_docs(options, docs)
+diff --git a/tests/data/metadata/fence_cisco_mds.xml b/tests/data/metadata/fence_cisco_mds.xml
+index 2105ecccc..829c9dcbe 100644
+--- a/tests/data/metadata/fence_cisco_mds.xml
+++ b/tests/data/metadata/fence_cisco_mds.xml
+@@ -1,6 +1,6 @@
+ <?xml version="1.0" ?>
+ <resource-agent name="fence_cisco_mds" shortdesc="Fence agent for Cisco MDS" >
+-<longdesc>fence_cisco_mds is a Power Fencing agent which can be used with any Cisco MDS 9000 series with SNMP enabled device.</longdesc>
+<longdesc>fence_cisco_mds is an I/O Fencing agent which can be used with any Cisco MDS 9000 series with SNMP enabled device.</longdesc>
+ <vendor-url>http://www.cisco.com</vendor-url>
+ <parameters>
+ 	<parameter name="action" unique="0" required="1">
--- a/SOURCES/RHEL-14343-fence_zvmip-1-document-user-permissions.patch
+++ b/SOURCES/RHEL-14343-fence_zvmip-1-document-user-permissions.patch
@ -0,0 +1,159 @@
+From dcb8ddd13c3dfad02e00c07f283251e0c2a60c46 Mon Sep 17 00:00:00 2001
+From: Reid Wahl <nrwahl@protonmail.com>
+Date: Mon, 16 Aug 2021 17:44:13 -0700
+Subject: [PATCH] fence_zvmip: Update longdesc to document all required
+ functions
+
+In RHBZ#1935641, IBM explained that the requesting user needs
+authorization for more functions than what is currently documented.
+
+They said:
+"""
+What we found is that you need rights from three different NICKS:
+SERVER_MANAGEMENT, IMAGE_CHARACTERISTICS and IMAGE_OPERATIONS.
+You won't be able to give a user all three NICKS.
+Therefore, you have to create a new NICK with all capabilities from all
+three NICKS together and then assign the new NICK to the USER
+"ZCLUSTER".
+Even better is to just use the needed Subset with a new NICK.
+We found five commands which are used in the fencing code and on the
+z/VM Log which should be enough for fencing to work.
+
+We suggest creating following files:
+
+File VSMWORK1 NAMELIST:
+```
+:nick.ZVM_FENCE
+:list.
+IMAGE_ACTIVATE
+IMAGE_DEACTIVATE
+IMAGE_STATUS_QUERY
+CHECK_AUTHENTICATION
+IMAGE_NAME_QUERY_DM
+```
+
+File VSMWORK1 AUTHLIST:
+```
+ZCLUSTER                            ALL                              ZVM_FENCE
+```
+
+For details, we suggest adding a link to the current z/VM docu:
+ - NAMELIST: https://www.ibm.com/support/knowledgecenter/de/SSB27U_7.2.0/com.ibm.zvm.v720.dmse6/namelst.htm
+ - AUTHLIST: https://www.ibm.com/support/knowledgecenter/de/SSB27U_7.2.0/com.ibm.zvm.v720.dmse6/auf.htm
+"""
+
+Resolves: RHBZ1935641
+
+Signed-off-by: Reid Wahl <nrwahl@protonmail.com>
+---
+ agents/zvm/fence_zvmip.py           | 37 ++++++++++++++++++++++-------
+ tests/data/metadata/fence_zvmip.xml | 37 ++++++++++++++++++++++-------
+ 2 files changed, 56 insertions(+), 18 deletions(-)
+
+diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
+index 4f538e10d..c37950a20 100644
+--- a/agents/zvm/fence_zvmip.py
+++ b/agents/zvm/fence_zvmip.py
+@@ -199,21 +199,40 @@ def main():
+ 
+ 	docs = {}
+ 	docs["shortdesc"] = "Fence agent for use with z/VM Virtual Machines"
+-	docs["longdesc"] = """The fence_zvm agent is intended to be used with with z/VM SMAPI service via TCP/IP
+	docs["longdesc"] = """The fence_zvmip agent is intended to be used with the
+z/VM SMAPI service via TCP/IP.
+ 
+-To  use this agent the z/VM SMAPI service needs to be configured to allow the virtual machine running this agent to connect to it and issue
+-the image_recycle operation.  This involves updating the VSMWORK1 AUTHLIST VMSYS:VSMWORK1. file. The entry should look something similar to
+-this:
+The z/VM SMAPI service must be configured so that the virtual machine running
+the agent can connect to the service, access the system's directory manager,
+and shortly thereafter run image_deactivate and image_activate. This involves
+updating the VSMWORK1 NAMELIST and VSMWORK1 AUTHLIST VMSYS:VSMWORK1 files.
+
+The NAMELIST entry assigns all the required functions to one nick and should
+look similar to this:
+
+:nick.ZVM_FENCE
+:list.
+IMAGE_ACTIVATE
+IMAGE_DEACTIVATE
+IMAGE_STATUS_QUERY
+CHECK_AUTHENTICATION
+IMAGE_NAME_QUERY_DM
+
+
+The AUTHLIST entry authorizes the user to perform all the functions associated
+with the nick, and should look similar to this:
+ 
+ Column 1                   Column 66                Column 131
+ 
+-   |                          |                        |
+-   V                          V                        V
+|                          |                        |
+V                          V                        V
+
+XXXXXXXX                   ALL                      ZVM_FENCE
+ 
+-XXXXXXXX                      ALL                      IMAGE_CHARACTERISTICS
+where XXXXXXXX is the name of the user in the authuser field of the request.
+ 
+-Where XXXXXXX is the name of the virtual machine used in the authuser field of the request. This virtual machine also has to be authorized
+-to access the system's directory manager.
+Refer to the official z/VM documentation for complete instructions and
+reference materials.
+ """
+ 	docs["vendorurl"] = "http://www.ibm.com"
+ 	show_docs(options, docs)
+diff --git a/tests/data/metadata/fence_zvmip.xml b/tests/data/metadata/fence_zvmip.xml
+index 6996ab736..96393bdfa 100644
+--- a/tests/data/metadata/fence_zvmip.xml
+++ b/tests/data/metadata/fence_zvmip.xml
+@@ -1,20 +1,39 @@
+ <?xml version="1.0" ?>
+ <resource-agent name="fence_zvmip" shortdesc="Fence agent for use with z/VM Virtual Machines" >
+-<longdesc>The fence_zvm agent is intended to be used with with z/VM SMAPI service via TCP/IP
+<longdesc>The fence_zvmip agent is intended to be used with the
+z/VM SMAPI service via TCP/IP.
+ 
+-To  use this agent the z/VM SMAPI service needs to be configured to allow the virtual machine running this agent to connect to it and issue
+-the image_recycle operation.  This involves updating the VSMWORK1 AUTHLIST VMSYS:VSMWORK1. file. The entry should look something similar to
+-this:
+The z/VM SMAPI service must be configured so that the virtual machine running
+the agent can connect to the service, access the system's directory manager,
+and shortly thereafter run image_deactivate and image_activate. This involves
+updating the VSMWORK1 NAMELIST and VSMWORK1 AUTHLIST VMSYS:VSMWORK1 files.
+
+The NAMELIST entry assigns all the required functions to one nick and should
+look similar to this:
+
+:nick.ZVM_FENCE
+:list.
+IMAGE_ACTIVATE
+IMAGE_DEACTIVATE
+IMAGE_STATUS_QUERY
+CHECK_AUTHENTICATION
+IMAGE_NAME_QUERY_DM
+
+
+The AUTHLIST entry authorizes the user to perform all the functions associated
+with the nick, and should look similar to this:
+ 
+ Column 1                   Column 66                Column 131
+ 
+-   |                          |                        |
+-   V                          V                        V
+|                          |                        |
+V                          V                        V
+
+XXXXXXXX                   ALL                      ZVM_FENCE
+ 
+-XXXXXXXX                      ALL                      IMAGE_CHARACTERISTICS
+where XXXXXXXX is the name of the user in the authuser field of the request.
+ 
+-Where XXXXXXX is the name of the virtual machine used in the authuser field of the request. This virtual machine also has to be authorized
+-to access the system's directory manager.
+Refer to the official z/VM documentation for complete instructions and
+reference materials.
+ </longdesc>
+ <vendor-url>http://www.ibm.com</vendor-url>
+ <parameters>
--- a/SOURCES/RHEL-14343-fence_zvmip-2-fix-manpage-formatting.patch
+++ b/SOURCES/RHEL-14343-fence_zvmip-2-fix-manpage-formatting.patch
@ -0,0 +1,41 @@
+From adac1d81c5758235b6df46d0a91f1e948655848a Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 3 Jan 2024 10:17:50 +0100
+Subject: [PATCH] fence_zvmip: fix manpage formatting
+
+---
+ agents/zvm/fence_zvmip.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
+index f1cea2652..bd8273c49 100644
+--- a/agents/zvm/fence_zvmip.py
+++ b/agents/zvm/fence_zvmip.py
+@@ -210,12 +210,12 @@ def main():
+ The NAMELIST entry assigns all the required functions to one nick and should
+ look similar to this:
+ 
+-:nick.ZVM_FENCE
+-:list.
+-IMAGE_ACTIVATE
+-IMAGE_DEACTIVATE
+-IMAGE_STATUS_QUERY
+-CHECK_AUTHENTICATION
+:nick.ZVM_FENCE\n.br\n\
+:list.\n.br\n\
+IMAGE_ACTIVATE\n.br\n\
+IMAGE_DEACTIVATE\n.br\n\
+IMAGE_STATUS_QUERY\n.br\n\
+CHECK_AUTHENTICATION\n.br\n\
+ IMAGE_NAME_QUERY_DM
+ 
+ 
+@@ -224,7 +224,7 @@ def main():
+ 
+ Column 1                   Column 66                Column 131
+ 
+-|                          |                        |
+|                          |                        |\n.br\n\
+ V                          V                        V
+ 
+ XXXXXXXX                   ALL                      ZVM_FENCE
--- a/SOURCES/RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
+++ b/SOURCES/RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
@ -0,0 +1,63 @@
+From 7dd3680e6eea0d77fde024763657aa4d884ddb23 Mon Sep 17 00:00:00 2001
+From: Calum Hutton <calum.hutton@snyk.io>
+Date: Thu, 26 Oct 2023 12:08:53 +0100
+Subject: [PATCH] xmlattr filter disallows keys with spaces
+
+---
+ CHANGES.rst           |  1 +
+ src/jinja2/filters.py | 28 +++++++++++++++++++++-------
+ tests/test_filters.py |  6 ++++++
+ 3 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index ed07c4c0e..c7ecc9bb6 100644
+--- a/kubevirt/jinja2/filters.py
+++ b/kubevirt/jinja2/filters.py
+@@ -248,13 +248,17 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
+     yield from value.items()
+ 
+ 
+_space_re = re.compile(r"\s", flags=re.ASCII)
+
+
+ @pass_eval_context
+ def do_xmlattr(
+     eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
+ ) -> str:
+     """Create an SGML/XML attribute string based on the items in a dict.
+-    All values that are neither `none` nor `undefined` are automatically
+-    escaped:
+
+    If any key contains a space, this fails with a ``ValueError``. Values that
+    are neither ``none`` nor ``undefined`` are automatically escaped.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -273,12 +277,22 @@ def do_xmlattr(
+ 
+     As you can see it automatically prepends a space in front of the item
+     if the filter returned something unless the second parameter is false.
+
+    .. versionchanged:: 3.1.3
+        Keys with spaces are not allowed.
+     """
+-    rv = " ".join(
+-        f'{escape(key)}="{escape(value)}"'
+-        for key, value in d.items()
+-        if value is not None and not isinstance(value, Undefined)
+-    )
+    items = []
+
+    for key, value in d.items():
+        if value is None or isinstance(value, Undefined):
+            continue
+
+        if _space_re.search(key) is not None:
+            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+
+        items.append(f'{escape(key)}="{escape(value)}"')
+
+    rv = " ".join(items)
+ 
+     if autospace and rv:
+         rv = " " + rv
--- a/SOURCES/RHEL-5397-4-fence_scsi-log-err.patch
+++ b/SOURCES/RHEL-5397-4-fence_scsi-log-err.patch
@ -0,0 +1,22 @@
+--- a/agents/scsi/fence_scsi.py 2024-01-03 14:15:20.755284113 +0100
+++ b/agents/scsi/fence_scsi.py 2024-01-03 12:32:01.598598127 +0100
+@@ -190,7 +190,8 @@
+ 	cmd = options["--sg_persist-path"] + " -n -i " + opts + "-r -d " + dev
+ 	out = run_cmd(options, cmd)
+ 	if out["rc"] and fail:
+-		fail_usage("Cannot get reservation key")
+		fail_usage('Cannot get reservation key on device "' + dev
+                        + '": ' + out["err"])
+ 	match = re.search(r"\s+key=0x(\S+)\s+", out["out"], re.IGNORECASE)
+ 	return match.group(1) if match else None
+ 
+@@ -204,7 +205,8 @@
+ 	cmd = options["--sg_persist-path"] + " -n -i " + opts + "-k -d " + dev
+ 	out = run_cmd(options, cmd)
+ 	if out["rc"]:
+-		fail_usage("Cannot get registration keys", fail)
+		fail_usage('Cannot get registration keys on device "' + dev
+                        + '": ' + out["err"], fail)
+ 		if not fail:
+ 			return []
+ 	for line in out["out"].split("\n"):
--- a/SOURCES/RHEL-5397-fence_scsi-1-fix-ISID-reg-handling.patch
+++ b/SOURCES/RHEL-5397-fence_scsi-1-fix-ISID-reg-handling.patch
@ -0,0 +1,68 @@
+From 9d0d0d013c7edae43a4ebc5f46bf2e7a4f127654 Mon Sep 17 00:00:00 2001
+From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
+Date: Fri, 17 Feb 2023 18:04:03 -0800
+Subject: [PATCH] fence_scsi: fix registration handling if ISID conflicts ISID
+ (Initiator Session ID) belonging to I_T Nexus changes for RHEL based on the
+ session ID. This means that the connection to the device can be set up with
+ different ISID on reconnects.
+
+fence_scsi treats same key as a tip to ignore issuing registration
+to the device but if the device was registered using a different
+ISID, the key would be the same but the I_T Nexus (new ISID) would
+not have access to the device.
+
+Fixing this by preempting the old key and replacing with the current
+one.
+---
+ agents/scsi/fence_scsi.py | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index f9e6823b2..85e4f29e6 100644
+--- a/agents/scsi/fence_scsi.py
+++ b/agents/scsi/fence_scsi.py
+@@ -137,12 +137,41 @@ def register_dev(options, dev):
+ 		for slave in get_mpath_slaves(dev):
+ 			register_dev(options, slave)
+ 		return True
+-	if get_reservation_key(options, dev, False) == options["--key"]:
+-		return True
+
+	# Check if any registration exists for the key already. We track this in
+	# order to decide whether the existing registration needs to be cleared.
+	# This is needed since the previous registration could be for a
+	# different I_T nexus (different ISID).
+	registration_key_exists = False
+	if options["--key"] in get_registration_keys(options, dev):
+		registration_key_exists = True
+	if not register_helper(options, options["--key"], dev):
+		return False
+
+	if registration_key_exists:
+		# If key matches, make sure it matches with the connection that
+		# exists right now. To do this, we can issue a preempt with same key
+		# which should replace the old invalid entries from the target.
+		if not preempt(options, options["--key"], dev):
+			return False
+
+		# If there was no reservation, we need to issue another registration
+		# since the previous preempt would clear registration made above.
+		if get_reservation_key(options, dev, False) != options["--key"]:
+			return register_helper(options, options["--key"], dev)
+	return True
+
+# cancel registration without aborting tasks
+def preempt(options, host, dev):
+	reset_dev(options,dev)
+	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
+	return not bool(run_cmd(options, cmd)["rc"])
+
+# helper function to send the register command
+def register_helper(options, host, dev):
+ 	reset_dev(options, dev)
+ 	cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
+ 	cmd += " -Z" if "--aptpl" in options else ""
+-	#cmd return code != 0 but registration can be successful
+ 	return not bool(run_cmd(options, cmd)["err"])
+ 
+ 
--- a/SOURCES/RHEL-5397-fence_scsi-2-fix-ISID-reg-handling-off.patch
+++ b/SOURCES/RHEL-5397-fence_scsi-2-fix-ISID-reg-handling-off.patch
@ -0,0 +1,103 @@
+From 34baef58db442148b8e067509d2cdd37b7a91ef4 Mon Sep 17 00:00:00 2001
+From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
+Date: Thu, 7 Sep 2023 15:57:51 -0700
+Subject: [PATCH] fence_scsi: fix registration handling in device 'off'
+ workflows
+
+ISID (Initiator Session ID) belonging to I_T Nexus changes for
+RHEL based on the session ID. This means that the connection to
+the device can be set up with different ISID on reconnects.
+
+When a device is powered off, fence_scsi assumes that the client
+has a registration to the device and sends a preempt-and-abort
+request which ends up failing due to reservation conflict.
+
+Fixing this by registering the host key with the device and preempting
+the old registration (if it exists). This should make sure that the
+host is able to preempt the other key successfully.
+---
+ agents/scsi/fence_scsi.py | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index 42530ceb5..519319bf5 100644
+--- a/agents/scsi/fence_scsi.py
+++ b/agents/scsi/fence_scsi.py
+@@ -41,7 +41,7 @@ def set_status(conn, options):
+ 		for dev in options["devices"]:
+ 			is_block_device(dev)
+ 
+-			register_dev(options, dev)
+			register_dev(options, dev, options["--key"])
+ 			if options["--key"] not in get_registration_keys(options, dev):
+ 				count += 1
+ 				logging.debug("Failed to register key "\
+@@ -62,7 +62,7 @@ def set_status(conn, options):
+ 			fail_usage("Failed: keys cannot be same. You can not fence yourself.")
+ 		for dev in options["devices"]:
+ 			is_block_device(dev)
+-
+			register_dev(options, dev, host_key)
+ 			if options["--key"] in get_registration_keys(options, dev):
+ 				preempt_abort(options, host_key, dev)
+ 
+@@ -131,11 +131,11 @@ def reset_dev(options, dev):
+ 	return run_cmd(options, options["--sg_turs-path"] + " " + dev)["rc"]
+ 
+ 
+-def register_dev(options, dev):
+def register_dev(options, dev, key):
+ 	dev = os.path.realpath(dev)
+ 	if re.search(r"^dm", dev[5:]):
+ 		for slave in get_mpath_slaves(dev):
+-			register_dev(options, slave)
+			register_dev(options, slave, key)
+ 		return True
+ 
+ 	# Check if any registration exists for the key already. We track this in
+@@ -143,34 +143,35 @@ def register_dev(options, dev):
+ 	# This is needed since the previous registration could be for a
+ 	# different I_T nexus (different ISID).
+ 	registration_key_exists = False
+-	if options["--key"] in get_registration_keys(options, dev):
+	if key in get_registration_keys(options, dev):
+		logging.debug("Registration key exists for device " + dev)
+ 		registration_key_exists = True
+-	if not register_helper(options, options["--key"], dev):
+	if not register_helper(options, dev, key):
+ 		return False
+ 
+ 	if registration_key_exists:
+ 		# If key matches, make sure it matches with the connection that
+ 		# exists right now. To do this, we can issue a preempt with same key
+ 		# which should replace the old invalid entries from the target.
+-		if not preempt(options, options["--key"], dev):
+		if not preempt(options, key, dev, key):
+ 			return False
+ 
+ 		# If there was no reservation, we need to issue another registration
+ 		# since the previous preempt would clear registration made above.
+-		if get_reservation_key(options, dev, False) != options["--key"]:
+-			return register_helper(options, options["--key"], dev)
+		if get_reservation_key(options, dev, False) != key:
+			return register_helper(options, dev, key)
+ 	return True
+ 
+-# cancel registration without aborting tasks
+-def preempt(options, host, dev):
+# helper function to preempt host with 'key' using 'host_key' without aborting tasks
+def preempt(options, host_key, dev, key):
+ 	reset_dev(options,dev)
+-	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
+	cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host_key + " -S " + key + " -d " + dev
+ 	return not bool(run_cmd(options, cmd)["rc"])
+ 
+ # helper function to send the register command
+-def register_helper(options, host, dev):
+def register_helper(options, dev, key):
+ 	reset_dev(options, dev)
+-	cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
+	cmd = options["--sg_persist-path"] + " -n -o -I -S " + key + " -d " + dev
+ 	cmd += " -Z" if "--aptpl" in options else ""
+ 	return not bool(run_cmd(options, cmd)["rc"])
+ 
--- a/SOURCES/RHEL-5397-fence_scsi-3-fix-run_cmd.patch
+++ b/SOURCES/RHEL-5397-fence_scsi-3-fix-run_cmd.patch
@ -0,0 +1,93 @@
+--- fence-agents-4.2.1/agents/scsi/fence_scsi.py.old	2024-01-02 12:22:30.198853290 +0100
+++ fence-agents-4.2.1/agents/scsi/fence_scsi.py	2024-01-02 12:24:35.509549785 +0100
+@@ -84,14 +84,14 @@
+ # check if host is ready to execute actions
+ def do_action_monitor(options):
+ 	# Check if required binaries are installed
+-	if bool(run_cmd(options, options["--sg_persist-path"] + " -V")["err"]):
+	if bool(run_cmd(options, options["--sg_persist-path"] + " -V")["rc"]):
+ 		logging.error("Unable to run " + options["--sg_persist-path"])
+ 		return 1
+-	elif bool(run_cmd(options, options["--sg_turs-path"] + " -V")["err"]):
+	elif bool(run_cmd(options, options["--sg_turs-path"] + " -V")["rc"]):
+ 		logging.error("Unable to run " + options["--sg_turs-path"])
+ 		return 1
+ 	elif ("--devices" not in options and 
+-			bool(run_cmd(options,	options["--vgs-path"] + " --version")["err"])):
+			bool(run_cmd(options, options["--vgs-path"] + " --version")["rc"])):
+ 		logging.error("Unable to run " + options["--vgs-path"])
+ 		return 1
+ 
+@@ -102,11 +102,13 @@
+ 	return 0
+ 
+ 
+-#run command, returns dict, ret["err"] = exit code; ret["out"] = output
+# run command, returns dict, ret["rc"] = exit code; ret["out"] = output;
+# ret["err"] = error
+ def run_cmd(options, cmd):
+ 	ret = {}
+-	(ret["err"], ret["out"], _) = run_command(options, cmd)
+	(ret["rc"], ret["out"], ret["err"]) = run_command(options, cmd)
+ 	ret["out"] = "".join([i for i in ret["out"] if i is not None])
+	ret["err"] = "".join([i for i in ret["err"] if i is not None])
+ 	return ret
+ 
+ 
+@@ -122,11 +124,11 @@
+ def preempt_abort(options, host, dev):
+ 	reset_dev(options,dev)
+ 	cmd = options["--sg_persist-path"] + " -n -o -A -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
+-	return not bool(run_cmd(options, cmd)["err"])
+	return not bool(run_cmd(options, cmd)["rc"])
+ 
+ 
+ def reset_dev(options, dev):
+-	return run_cmd(options, options["--sg_turs-path"] + " " + dev)["err"]
+	return run_cmd(options, options["--sg_turs-path"] + " " + dev)["rc"]
+ 
+ 
+ def register_dev(options, dev, key):
+@@ -171,13 +173,13 @@
+ 	reset_dev(options, dev)
+ 	cmd = options["--sg_persist-path"] + " -n -o -I -S " + key + " -d " + dev
+ 	cmd += " -Z" if "--aptpl" in options else ""
+-	return not bool(run_cmd(options, cmd)["err"])
+	return not bool(run_cmd(options, cmd)["rc"])
+ 
+ 
+ def reserve_dev(options, dev):
+ 	reset_dev(options,dev)
+ 	cmd = options["--sg_persist-path"] + " -n -o -R -T 5 -K " + options["--key"] + " -d " + dev
+-	return not bool(run_cmd(options, cmd)["err"])
+	return not bool(run_cmd(options, cmd)["rc"])
+ 
+ 
+ def get_reservation_key(options, dev, fail=True):
+@@ -187,7 +189,7 @@
+ 		opts = "-y "
+ 	cmd = options["--sg_persist-path"] + " -n -i " + opts + "-r -d " + dev
+ 	out = run_cmd(options, cmd)
+-	if out["err"] and fail:
+	if out["rc"] and fail:
+ 		fail_usage("Cannot get reservation key")
+ 	match = re.search(r"\s+key=0x(\S+)\s+", out["out"], re.IGNORECASE)
+ 	return match.group(1) if match else None
+@@ -201,7 +203,7 @@
+ 		opts = "-y "
+ 	cmd = options["--sg_persist-path"] + " -n -i " + opts + "-k -d " + dev
+ 	out = run_cmd(options, cmd)
+-	if out["err"]:
+	if out["rc"]:
+ 		fail_usage("Cannot get registration keys", fail)
+ 		if not fail:
+ 			return []
+@@ -319,7 +321,7 @@
+ 	"--options vg_attr,pv_name "+\
+ 	"--config 'global { locking_type = 0 } devices { preferred_names = [ \"^/dev/dm\" ] }'"
+ 	out = run_cmd(options, cmd)
+-	if out["err"]:
+	if out["rc"]:
+ 		fail_usage("Failed: Cannot get shared devices")
+ 	for line in out["out"].splitlines():
+ 		vg_attr, pv_name = line.strip().split(":")
--- a/SOURCES/bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/SOURCES/bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
--- a/SOURCES/bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/SOURCES/bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@ -11,7 +11,7 @@
 # alibaba
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.6.4
+%global pycryptodome_version	3.20.0
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@ -44,7 +44,7 @@
 %global kubernetes		kubernetes
 %global kubernetes_version	12.0.1
 %global certifi			certifi
-%global certifi_version		2021.10.8
+%global certifi_version		2023.7.22
 %global googleauth		google-auth
 %global googleauth_version	2.3.0
 %global cachetools		cachetools
@ -59,10 +59,10 @@
 %global pyyaml_version		6.0
 %global six			six
 %global six_version		1.16.0
-%global urllib3			urllib3
-%global urllib3_version		1.26.7
-%global websocketclient		websocket-client
-%global websocketclient_version	1.2.1
+%global urllib3 		urllib3
+%global urllib3_version 	1.26.18
+%global websocketclient 	websocket-client
+%global websocketclient_version 1.2.1
 %global jinja2			Jinja2
 %global jinja2_version		3.0.2
 %global markupsafe		MarkupSafe
@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 121%{?alphatag:.%{alphatag}}%{?dist}
+Release: 129%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@ -274,10 +274,21 @@ Patch131: bz2187329-fence_scsi-2-support-space-separated-devices.patch
 Patch132: bz2211460-fence_azure-arm-1-stack-hub-support.patch
 Patch133: bz2211460-fence_azure-arm-2-metadata-endpoint-error-message.patch
 Patch134: bz2155453-fence_ibm_powervs-performance-improvements.patch
+Patch135: RHEL-14343-fence_zvmip-1-document-user-permissions.patch
+Patch136: RHEL-14031-1-all-agents-metadata-update-IO-Power-Network.patch
+Patch137: RHEL-14031-2-fence_cisco_mds-undo-metadata-change.patch
+Patch138: RHEL-5397-fence_scsi-1-fix-ISID-reg-handling.patch
+Patch139: RHEL-5397-fence_scsi-2-fix-ISID-reg-handling-off.patch
+Patch140: RHEL-5397-fence_scsi-3-fix-run_cmd.patch
+Patch141: RHEL-5397-4-fence_scsi-log-err.patch
+Patch142: RHEL-14343-fence_zvmip-2-fix-manpage-formatting.patch

 ### HA support libs/utils ###
-Patch1000: bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+# all archs
+Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
+# cloud (x86_64 only)
+Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch

 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@ -355,141 +366,149 @@ BuildRequires: python3-google-api-client python3-pip python3-wheel python3-jinja

 %prep
 %setup -q -n %{name}-%{version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1 -F2
-%patch31 -p1 -F2
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1 -F1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1 -F2
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
-%patch47 -p1
-%patch48 -p1 -F1
-%patch49 -p1
-%patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
-%patch55 -p1
-%patch56 -p1
-%patch57 -p1
-%patch58 -p1
-%patch59 -p1
-%patch60 -p1 -F1
-%patch61 -p1
-%patch62 -p1
-%patch63 -p1
-%patch64 -p1
-%patch65 -p1 -F1
-%patch66 -p1
-%patch67 -p1
-%patch68 -p1
-%patch69 -p1
-%patch70 -p1
-%patch71 -p1
-%patch72 -p1
-%patch73 -p1
-%patch74 -p1
-%patch75 -p1
-%patch76 -p1
-%patch77 -p1
-%patch78 -p1
-%patch79 -p1
-%patch80 -p1
-%patch81 -p1
-%patch82 -p1
-%patch83 -p1
-%patch84 -p1
-%patch85 -p1
-%patch86 -p1 -F1
-%patch87 -p1
-%patch88 -p1
-%patch89 -p1
-%patch90 -p1
-%patch91 -p1
-%patch92 -p1
-%patch93 -p1
-%patch94 -p1
-%patch95 -p1
-%patch96 -p1 -F2
-%patch97 -p1
-%patch98 -p1
-%patch99 -p1
-%patch100 -p1
-%patch101 -p1
-%patch102 -p1
-%patch103 -p1
-%patch104 -p1 -F1
-%patch105 -p1
-%patch106 -p1
-%patch107 -p1
-%patch108 -p1
-%patch109 -p1
-%patch110 -p1
-%patch111 -p1
-%patch112 -p1
-%patch113 -p1
-%patch114 -p1
-%patch115 -p1
-%patch116 -p1
-%patch117 -p1
-%patch118 -p1
-%patch119 -p1
-%patch120 -p1
-%patch121 -p1
-%patch122 -p1 -F2
-%patch123 -p1
-%patch124 -p1
-%patch125 -p1
-%patch126 -p1
-%patch127 -p1
-%patch128 -p1 -F2
-%patch129 -p1
-%patch130 -p1
-%patch131 -p1
-%patch132 -p1
-%patch133 -p1
-%patch134 -p1
+%patch -p1 -P 0
+%patch -p1 -P 1
+%patch -p1 -P 2
+%patch -p1 -P 3
+%patch -p1 -P 4
+%patch -p1 -P 5
+%patch -p1 -P 6
+%patch -p1 -P 7
+%patch -p1 -P 8
+%patch -p1 -P 9
+%patch -p1 -P 10
+%patch -p1 -P 11
+%patch -p1 -P 12
+%patch -p1 -P 13
+%patch -p1 -P 14
+%patch -p1 -P 15
+%patch -p1 -P 16
+%patch -p1 -P 17
+%patch -p1 -P 18
+%patch -p1 -P 19
+%patch -p1 -P 20
+%patch -p1 -P 21
+%patch -p1 -P 22
+%patch -p1 -P 23
+%patch -p1 -P 24
+%patch -p1 -P 25
+%patch -p1 -P 26
+%patch -p1 -P 27
+%patch -p1 -P 28
+%patch -p1 -P 29
+%patch -p1 -P 30 -F2
+%patch -p1 -P 31 -F2
+%patch -p1 -P 32
+%patch -p1 -P 33
+%patch -p1 -P 34
+%patch -p1 -P 35
+%patch -p1 -P 36 -F1
+%patch -p1 -P 37
+%patch -p1 -P 38
+%patch -p1 -P 39
+%patch -p1 -P 40 -F2
+%patch -p1 -P 41
+%patch -p1 -P 42
+%patch -p1 -P 43
+%patch -p1 -P 44
+%patch -p1 -P 45
+%patch -p1 -P 46
+%patch -p1 -P 47
+%patch -p1 -P 48 -F1
+%patch -p1 -P 49
+%patch -p1 -P 50
+%patch -p1 -P 51
+%patch -p1 -P 52
+%patch -p1 -P 53
+%patch -p1 -P 54
+%patch -p1 -P 55
+%patch -p1 -P 56
+%patch -p1 -P 57
+%patch -p1 -P 58
+%patch -p1 -P 59
+%patch -p1 -P 60 -F1
+%patch -p1 -P 61
+%patch -p1 -P 62
+%patch -p1 -P 63
+%patch -p1 -P 64
+%patch -p1 -P 65 -F1
+%patch -p1 -P 66
+%patch -p1 -P 67
+%patch -p1 -P 68
+%patch -p1 -P 69
+%patch -p1 -P 70
+%patch -p1 -P 71
+%patch -p1 -P 72
+%patch -p1 -P 73
+%patch -p1 -P 74
+%patch -p1 -P 75
+%patch -p1 -P 76
+%patch -p1 -P 77
+%patch -p1 -P 78
+%patch -p1 -P 79
+%patch -p1 -P 80
+%patch -p1 -P 81
+%patch -p1 -P 82
+%patch -p1 -P 83
+%patch -p1 -P 84
+%patch -p1 -P 85
+%patch -p1 -P 86 -F1
+%patch -p1 -P 87
+%patch -p1 -P 88
+%patch -p1 -P 89
+%patch -p1 -P 90
+%patch -p1 -P 91
+%patch -p1 -P 92
+%patch -p1 -P 93
+%patch -p1 -P 94
+%patch -p1 -P 95
+%patch -p1 -P 96 -F2
+%patch -p1 -P 97
+%patch -p1 -P 98
+%patch -p1 -P 99
+%patch -p1 -P 100
+%patch -p1 -P 101
+%patch -p1 -P 102
+%patch -p1 -P 103
+%patch -p1 -P 104 -F1
+%patch -p1 -P 105
+%patch -p1 -P 106
+%patch -p1 -P 107
+%patch -p1 -P 108
+%patch -p1 -P 109
+%patch -p1 -P 110
+%patch -p1 -P 111
+%patch -p1 -P 112
+%patch -p1 -P 113
+%patch -p1 -P 114
+%patch -p1 -P 115
+%patch -p1 -P 116
+%patch -p1 -P 117
+%patch -p1 -P 118
+%patch -p1 -P 119
+%patch -p1 -P 120
+%patch -p1 -P 121
+%patch -p1 -P 122 -F2
+%patch -p1 -P 123
+%patch -p1 -P 124
+%patch -p1 -P 125
+%patch -p1 -P 126
+%patch -p1 -P 127
+%patch -p1 -P 128 -F2
+%patch -p1 -P 129
+%patch -p1 -P 130
+%patch -p1 -P 131
+%patch -p1 -P 132
+%patch -p1 -P 133
+%patch -p1 -P 134
+%patch -p1 -P 135
+%patch -p1 -P 136 -F2
+%patch -p1 -P 137
+%patch -p1 -P 138
+%patch -p1 -P 139 -F2
+%patch -p1 -P 140
+%patch -p1 -P 141
+%patch -p1 -P 142

 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@ -594,20 +613,20 @@ popd
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} jmespath
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/aws --no-index --find-links %{_sourcedir} botocore
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/aws --no-index --find-links %{_sourcedir} requests
-
-# regular patch doesnt work in install-section
-# Patch1000
-pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch
-popd
 %endif

 # kubevirt
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa*
-# Patch1001
+
+# regular patch doesnt work in build-section
 pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1001}
+
+%ifarch x86_64
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+%endif
 popd

 ## tree fix up
@ -1497,6 +1516,33 @@ Fence agent for IBM z/VM over IP.
 %endif

 %changelog
+* Fri Jan 19 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129
+- bundled urllib3: fix CVE-2023-45803
+  Resolves: RHEL-18132
+- bundled pycryptodome: fix CVE-2023-52323
+  Resolves: RHEL-20915
+- bundled jinja2: fix CVE-2024-22195
+  Resolves: RHEL-22174
+
+* Wed Jan  3 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-127
+- fence_scsi: fix registration handling if ISID conflicts
+  Resolves: RHEL-5397
+- fence_zvmip: document required user permissions in metadata/manpage
+  Resolves: RHEL-14343
+
+* Mon Oct 23 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-125
+- all agents: update metadata in non-I/O agents to Power or Network
+  fencing
+  Resolves: RHEL-14031
+
+* Thu Oct 12 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-123
+- bundled urllib3: fix CVE-2023-43804
+  Resolves: RHEL-11988
+
+* Tue Sep 26 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-122
+- bundled certifi: fix CVE-2023-37920
+  Resolves: RHEL-6972
+
 * Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121
 - bundled dateutil: fix tarfile CVE-2007-4559
  Resolves: rhbz#2218234