From a085b3ba9643d31a839dfeb0001716894983e63a Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 15 Nov 2023 08:08:58 +0000 Subject: [PATCH 1/2] import CS open-vm-tools-12.2.5-4.el8 --- .gitignore | 2 +- .open-vm-tools.metadata | 2 +- ...e-method-to-allow-expected-pre-froze.patch | 424 ++++++++++++++++++ ...y-X509-certs-to-verify-the-SAML-toke.patch | 38 ++ SOURCES/vgauthd.service | 2 +- SOURCES/vmtoolsd.service | 2 +- SPECS/open-vm-tools.spec | 41 +- 7 files changed, 502 insertions(+), 9 deletions(-) create mode 100644 SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch create mode 100644 SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch diff --git a/.gitignore b/.gitignore index d478b40..2b8e988 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/open-vm-tools-12.1.5-20735119.tar.gz +SOURCES/open-vm-tools-12.2.5-21855600.tar.gz diff --git a/.open-vm-tools.metadata b/.open-vm-tools.metadata index 378fafe..eab5035 100644 --- a/.open-vm-tools.metadata +++ b/.open-vm-tools.metadata @@ -1 +1 @@ -92cfc4bc23f3f4392a0e925d639aeac37c4aafb5 SOURCES/open-vm-tools-12.1.5-20735119.tar.gz +6bc6e77418cc4a039063a7ca40859535b9bbb339 SOURCES/open-vm-tools-12.2.5-21855600.tar.gz diff --git a/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch b/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch new file mode 100644 index 0000000..3e21c9c --- /dev/null +++ b/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch 
@@ -0,0 +1,424 @@ +From 4fb21bd75fd5a4eceed67a8050436b47750ca716 Mon Sep 17 00:00:00 2001 +From: Katy Feng +Date: Tue, 22 Aug 2023 11:11:42 -0700 +Subject: [PATCH] Provide alternate method to allow (expected) pre-frozen + filesystems + +RH-Author: Ani Sinha +RH-MergeRequest: 30: Provide alternate method to allow (expected) pre-frozen filesystems when taking a quiesced snapshot. +RH-Jira: RHEL-7012 +RH-Commit: [1/1] 07570fcdc1fd697d54268e530fc64162eb2a0bdb + +Effective with open-vm-tools 12.2.0, Linux quiesced snapshots will fail if +any filesystem(s) have been prefrozen by other than the vmtoolsd process. +This has been done to assure that filesystems are inactive while the +snapshots are being taken. Some existing prefreeze scripts may be freezing +some filesystem(s). In these cases, the vmtoolsd process must be informed of +anticipated pre-frozen filesystems by providing an "excludedFileSystem" list in +the [vmbackup] section of the tools.conf file. + +This change provides a new switch in the tools.conf file to allow pre-frozen +filesystems to be encountered and accepted when doing a quiesced snapshot +operation. With the default value of "false", the "ignoreFrozenFileSystems" +can be configured with a setting of "true" to notify the quiesced snapshot +operation that pre-frozen filesystems are allowed. 
+ +(cherry picked from commit 60c3a80ddc2b400366ed05169e16a6bed6501da2) +Signed-off-by: Ani Sinha +--- + open-vm-tools/lib/include/syncDriver.h | 5 ++-- + open-vm-tools/lib/syncDriver/nullDriver.c | 10 +++++--- + open-vm-tools/lib/syncDriver/syncDriverInt.h | 14 +++++++---- + .../lib/syncDriver/syncDriverLinux.c | 25 ++++++++++++++----- + .../lib/syncDriver/syncDriverPosix.c | 7 +++--- + open-vm-tools/lib/syncDriver/vmSyncDriver.c | 10 +++++--- + .../services/plugins/vix/foundryToolsDaemon.c | 14 +++++++++-- + .../services/plugins/vmbackup/stateMachine.c | 8 ++++-- + .../services/plugins/vmbackup/syncDriverOps.c | 5 ++-- + .../services/plugins/vmbackup/vmBackupInt.h | 19 ++++++++------ + open-vm-tools/tools.conf | 23 +++++++++++++++++ + 11 files changed, 103 insertions(+), 37 deletions(-) + +diff --git a/open-vm-tools/lib/include/syncDriver.h b/open-vm-tools/lib/include/syncDriver.h +index 20712f66..8ef229d4 100644 +--- a/open-vm-tools/lib/include/syncDriver.h ++++ b/open-vm-tools/lib/include/syncDriver.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2005-2018 VMware, Inc. All rights reserved. ++ * Copyright (c) 2005-2018, 2023 VMware, Inc. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -51,7 +51,8 @@ typedef enum { + Bool SyncDriver_Init(void); + Bool SyncDriver_Freeze(const char *drives, Bool enableNullDriver, + SyncDriverHandle *handle, +- const char *excludedFileSystems); ++ const char *excludedFileSystems, ++ Bool ignoreFrozenFS); + Bool SyncDriver_Thaw(const SyncDriverHandle handle); + SyncDriverStatus SyncDriver_QueryStatus(const SyncDriverHandle handle, + int32 timeout); +diff --git a/open-vm-tools/lib/syncDriver/nullDriver.c b/open-vm-tools/lib/syncDriver/nullDriver.c +index 5e19e208..be96222a 100644 +--- a/open-vm-tools/lib/syncDriver/nullDriver.c ++++ b/open-vm-tools/lib/syncDriver/nullDriver.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -54,8 +54,9 @@ NullDriverClose(SyncDriverHandle handle) + * + * Calls sync(). + * +- * @param[in] paths Unused. +- * @param[out] handle Where to store the operation handle. ++ * @param[in] paths Unused. ++ * @param[out] handle Where to store the operation handle. ++ * @param[in] ignoreFrozenFS Unused. + * + * @return A SyncDriverErr. 
+ * +@@ -64,7 +65,8 @@ NullDriverClose(SyncDriverHandle handle) + + SyncDriverErr + NullDriver_Freeze(const GSList *paths, +- SyncDriverHandle *handle) ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFS) + { + /* + * This is more of a "let's at least do something" than something that +diff --git a/open-vm-tools/lib/syncDriver/syncDriverInt.h b/open-vm-tools/lib/syncDriver/syncDriverInt.h +index 04f37bf2..a5706298 100644 +--- a/open-vm-tools/lib/syncDriver/syncDriverInt.h ++++ b/open-vm-tools/lib/syncDriver/syncDriverInt.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2017 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2017, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -41,7 +41,8 @@ typedef enum { + } SyncDriverErr; + + typedef SyncDriverErr (*SyncFreezeFn)(const GSList *paths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + + typedef struct SyncHandle { + SyncDriverErr (*thaw)(const SyncDriverHandle handle); +@@ -55,15 +56,18 @@ typedef struct SyncHandle { + #if defined(__linux__) + SyncDriverErr + LinuxDriver_Freeze(const GSList *userPaths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + + SyncDriverErr + VmSync_Freeze(const GSList *userPaths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + + SyncDriverErr + NullDriver_Freeze(const GSList *userPaths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + #endif + + #endif +diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c +index 6d9a3568..4581098e 100644 +--- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c ++++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c +@@ -199,8 +199,9 @@ 
LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored) + * slow when guest is performing significant IO. Therefore, caller should + * consider running this function in a separate thread. + * +- * @param[in] paths List of paths to freeze. +- * @param[out] handle Handle to use for thawing. ++ * @param[in] paths List of paths to freeze. ++ * @param[out] handle Handle to use for thawing. ++ * @param[in] ignoreFrozenFS Switch to allow EBUSY error. + * + * @return A SyncDriverErr. + * +@@ -209,7 +210,8 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored) + + SyncDriverErr + LinuxDriver_Freeze(const GSList *paths, +- SyncDriverHandle *handle) ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFS) + { + ssize_t count = 0; + Bool first = TRUE; +@@ -324,9 +326,12 @@ LinuxDriver_Freeze(const GSList *paths, + * Previously, an EBUSY error was ignored, assuming that we may try + * to freeze the same superblock more than once depending on the + * OS configuration (e.g., usage of bind mounts). +- * Using the filesystem Id to check if this is a filesystem that we +- * have seen previously and will ignore this FD only if that is +- * the case. Log a warning otherwise since the quiesced snapshot ++ * Use the filesystem Id to check if this filesystem has been ++ * handled before and, if so, ignore it. ++ * Alternatively, allow (ignore) the EBUSY if the ++ * "ignoreFrozenFileSystems" switch inside "vmbackup" section of ++ * tools.conf file is TRUE. ++ * Otherwise, log a warning as the quiesced snapshot + * attempt will fail. + */ + if (ioctlerr == EBUSY) { +@@ -339,6 +344,14 @@ LinuxDriver_Freeze(const GSList *paths, + */ + Debug(LGPFX "skipping path '%s' - previously frozen", path); + continue; ++ } else if (ignoreFrozenFS) { ++ /* ++ * Ignores the EBUSY error if the FS has been frozen by another ++ * process and the 'ignoreFrozenFileSystems' setting is ++ * turned on in tools.conf file. 
++ */ ++ Debug(LGPFX "Ignoring the frozen filesystem '%s'",path); ++ continue; + } + /* + * It appears that this FS has been locked or frozen by another +diff --git a/open-vm-tools/lib/syncDriver/syncDriverPosix.c b/open-vm-tools/lib/syncDriver/syncDriverPosix.c +index 7b6132ba..27369639 100644 +--- a/open-vm-tools/lib/syncDriver/syncDriverPosix.c ++++ b/open-vm-tools/lib/syncDriver/syncDriverPosix.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2005-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2005-2019, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -456,7 +456,8 @@ Bool + SyncDriver_Freeze(const char *userPaths, // IN + Bool enableNullDriver, // IN + SyncDriverHandle *handle, // OUT +- const char *excludedFileSystems) // IN ++ const char *excludedFileSystems, // IN ++ Bool ignoreFrozenFS) // IN + { + GSList *paths = NULL; + SyncDriverErr err = SD_UNAVAILABLE; +@@ -517,7 +518,7 @@ SyncDriver_Freeze(const char *userPaths, // IN + continue; + } + #endif +- err = freezeFn(paths, handle); ++ err = freezeFn(paths, handle, ignoreFrozenFS); + } + + /* +diff --git a/open-vm-tools/lib/syncDriver/vmSyncDriver.c b/open-vm-tools/lib/syncDriver/vmSyncDriver.c +index 2bd0e886..a0d4a315 100644 +--- a/open-vm-tools/lib/syncDriver/vmSyncDriver.c ++++ b/open-vm-tools/lib/syncDriver/vmSyncDriver.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -91,8 +91,9 @@ VmSyncClose(SyncDriverHandle handle) + * Opens a description to the driver's proc node, and if successful, send an + * ioctl to freeze the requested filesystems. + * +- * @param[in] paths List of paths to freeze. +- * @param[out] handle Where to store the handle to use for thawing. ++ * @param[in] paths List of paths to freeze. ++ * @param[out] handle Where to store the handle to use for thawing. ++ * @param[in] ignoreFrozenFS Unused. + * + * @return A SyncDriverErr. + * +@@ -101,7 +102,8 @@ VmSyncClose(SyncDriverHandle handle) + + SyncDriverErr + VmSync_Freeze(const GSList *paths, +- SyncDriverHandle *handle) ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFS) + { + int file; + Bool first = TRUE; +diff --git a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c +index 7d45d3f5..079540f1 100644 +--- a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c ++++ b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2003-2021 VMware, Inc. All rights reserved. ++ * Copyright (c) 2003-2021, 2023 VMware, Inc. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -545,6 +545,8 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data) + GKeyFile *confDictRef = ctx->config; + Bool enableNullDriver; + GSource *timer; ++ char *excludedFileSystems; ++ Bool ignoreFrozenFS; + + /* + * Parse the arguments +@@ -581,10 +583,18 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data) + "vmbackup", + "enableNullDriver", + FALSE); ++ excludedFileSystems = VMTools_ConfigGetString(confDictRef, ++ "vmbackup", ++ "excludedFileSystems", ++ NULL); ++ ignoreFrozenFS = VMTools_ConfigGetBoolean(confDictRef, ++ "vmbackup", ++ "ignoreFrozenFileSystems", ++ FALSE); + + /* Perform the actual freeze. */ + if (!SyncDriver_Freeze(driveList, enableNullDriver, &gSyncDriverHandle, +- NULL) || ++ excludedFileSystems, ignoreFrozenFS) || + SyncDriver_QueryStatus(gSyncDriverHandle, INFINITE) != SYNCDRIVER_IDLE) { + g_warning("%s: Failed to Freeze drives '%s'\n", + __FUNCTION__, driveList); +diff --git a/open-vm-tools/services/plugins/vmbackup/stateMachine.c b/open-vm-tools/services/plugins/vmbackup/stateMachine.c +index 99f52582..b04565d8 100644 +--- a/open-vm-tools/services/plugins/vmbackup/stateMachine.c ++++ b/open-vm-tools/services/plugins/vmbackup/stateMachine.c +@@ -1073,9 +1073,13 @@ VmBackupStartCommon(RpcInData *data, + #if defined(__linux__) + gBackupState->excludedFileSystems = + VMBACKUP_CONFIG_GET_STR(ctx->config, "excludedFileSystems", NULL); +- g_debug("Using excludedFileSystems = \"%s\"\n", ++ gBackupState->ignoreFrozenFS = ++ VMBACKUP_CONFIG_GET_BOOL(ctx->config, "ignoreFrozenFileSystems", FALSE); ++ ++ g_debug("Using excludedFileSystems = \"%s\", ignoreFrozenFileSystems = %d\n", + (gBackupState->excludedFileSystems != NULL) ? 
+- gBackupState->excludedFileSystems : "(null)"); ++ gBackupState->excludedFileSystems : "(null)", ++ gBackupState->ignoreFrozenFS); + #endif + g_debug("Quiescing volumes: %s", + (gBackupState->volumes) ? gBackupState->volumes : "(null)"); +diff --git a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c +index cc01d294..a090ec72 100644 +--- a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c ++++ b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2007-2019, 2021 VMware, Inc. All rights reserved. ++ * Copyright (C) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -276,7 +276,8 @@ VmBackupNewDriverOp(VmBackupState *state, // IN + useNullDriverPrefs ? + state->enableNullDriver : FALSE, + op->syncHandle, +- state->excludedFileSystems); ++ state->excludedFileSystems, ++ state->ignoreFrozenFS); + break; + case OP_THAW: + op->manifest = SyncNewManifest(state, *op->syncHandle); +diff --git a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h +index 0c912174..65e2e552 100644 +--- a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h ++++ b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2008-2019, 2023 VMware, Inc. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -100,18 +100,22 @@ struct VmBackupSyncCompleter; + * Don't modify the fields directly - rather, use VmBackup_SetCurrentOp, + * which does most of the handling needed by users of the state machine. + * +- * NOTE: The thread for freeze operation modifies currentOp in BackupState +- * which is also accessed by the AsyncCallback driving the state +- * machine (run by main thread). Also, gcc might generate two +- * instructions for writing a 64-bit value. Therefore, protect the +- * access to currentOp and related fields using opLock mutex. ++ * NOTE 1: The thread for freeze operation modifies currentOp in BackupState ++ * which is also accessed by the AsyncCallback driving the state ++ * machine (run by main thread). Also, gcc might generate two ++ * instructions for writing a 64-bit value. Therefore, protect the ++ * access to currentOp and related fields using opLock mutex. ++ * ++ * NOTE 2: Only used by Linux guests, ignored on Windows guests and is ++ * initialized to "false" when the VmBackupState is initialized ++ * at the start of a backup operation. 
+ */ + + typedef struct VmBackupState { + ToolsAppCtx *ctx; + VmBackupOp *currentOp; + const char *currentOpName; +- GMutex opLock; // See note above ++ GMutex opLock; // See note 1 above + char *volumes; + char *snapshots; + guint pollPeriod; +@@ -127,6 +131,7 @@ typedef struct VmBackupState { + Bool allowHWProvider; + Bool execScripts; + Bool enableNullDriver; ++ Bool ignoreFrozenFS; // See note 2 above + Bool needsPriv; + gchar *scriptArg; + guint timeout; +diff --git a/open-vm-tools/tools.conf b/open-vm-tools/tools.conf +index e5a03a9c..f238cb59 100644 +--- a/open-vm-tools/tools.conf ++++ b/open-vm-tools/tools.conf +@@ -395,6 +395,29 @@ + + #excludedFileSystems= + ++# Linux: ++# It is possible that filesystems are being frozen in pre-freeze scripts ++# to control the order in which those specific filesystems are to be frozen. ++# The vmtoolsd process must be informed of all such filesystems with the help ++# of "excludedFileSystems" setting of tools.conf. ++# ++# A temporary workaround is available (starting from 12.3.0) for admins to allow ++# quiesceing operation to succeed until the "excludedFileSystems" list ++# is configured. ++# ++# If another process thaws the file system while a quiescing operation ++# operation is ongoing, the snapshot may be compromised. Once the ++# "excludedFileSystems" list is configured this setting MUST be unset (or set ++# to false). ++# ++# The value of ignoreFrozenFileSystems is a true or false; the default is ++# false. ++# ++# Set to true to ignore pre-frozen file systems during the quiescing operation. ++# ++# ignoreFrozenFileSystems is Linux only (Not supported on Windows). ++#ignoreFrozenFileSystems=false ++ + # execScripts specifies whether to execute scripts as part of the quiescing + # operation. Scripts are executed from the scripts directory along with the + # legacy scripts. +-- +2.37.3 + 
diff --git a/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch new file mode 100644 index 0000000..2aebc81 --- /dev/null +++ b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch @@ -0,0 +1,38 @@ +From a839cb975d58968237bd871b1fb4cbe191af085b Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Thu, 7 Sep 2023 02:27:50 -0400 +Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token + signature. + +RH-Author: Miroslav Rezanina +RH-Bugzilla: 2236543 +RH-CVE: CVE-2023-20900 + +Signed-off-by: Miroslav Rezanina +--- + open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +index f5541a9a..0b2a945b 100644 +--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c ++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc, + */ + bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); + if (bRet == FALSE) { +- g_warning("failed to register ID\n"); ++ g_warning("Failed to register ID\n"); ++ goto done; ++ } ++ ++ /* Use only X509 certs to validate the signature */ ++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), ++ BAD_CAST xmlSecKeyDataX509Id) < 0) { ++ g_warning("Failed to limit allowed key data\n"); + goto done; + } + +-- +2.39.3 + diff --git a/SOURCES/vgauthd.service b/SOURCES/vgauthd.service index d5fef2c..6ca3508 100644 --- a/SOURCES/vgauthd.service +++ b/SOURCES/vgauthd.service @@ -1,6 +1,6 @@ [Unit] Description=VGAuth Service for open-vm-tools -Documentation=http://github.com/vmware/open-vm-tools +Documentation=https://github.com/vmware/open-vm-tools ConditionVirtualization=vmware PartOf=vmtoolsd.service diff --git a/SOURCES/vmtoolsd.service b/SOURCES/vmtoolsd.service index 773040d..b0984be 100644 
--- a/SOURCES/vmtoolsd.service +++ b/SOURCES/vmtoolsd.service @@ -1,6 +1,6 @@ [Unit] Description=Service for virtual machines hosted on VMware -Documentation=http://github.com/vmware/open-vm-tools +Documentation=https://github.com/vmware/open-vm-tools ConditionVirtualization=vmware Requires=vgauthd.service After=vgauthd.service diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec index 1cfa405..9a7f0d4 100644 --- a/SPECS/open-vm-tools.spec +++ b/SPECS/open-vm-tools.spec @@ -1,5 +1,5 @@ ################################################################################ -### Copyright 2013-2021 VMware, Inc. All rights reserved. +### Copyright 2013-2023 VMware, Inc. All rights reserved. ### ### RPM SPEC file for building open-vm-tools packages. ### @@ -19,9 +19,9 @@ ################################################################################ %global _hardened_build 1 -%global majorversion 12.1 +%global majorversion 12.2 %global minorversion 5 -%global toolsbuild 20735119 +%global toolsbuild 21855600 %global toolsversion %{majorversion}.%{minorversion} %global toolsdaemon vmtoolsd %global vgauthdaemon vgauthd @@ -32,7 +32,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 1%{?dist} +Release: 4%{?dist} Summary: Open Virtual Machine Tools for virtual machines hosted on VMware License: GPLv2 URL: https://github.com/vmware/%{name} @@ -51,7 +51,11 @@ ExclusiveArch: x86_64 ExclusiveArch: %{ix86} x86_64 aarch64 %endif -#Patch0: name.patch +# Patch0: name.patch +# For RHEL-4584 - CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-8.10.0] +Patch1: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch +# For RHEL-7012 - [RHEL8.10][ESXi]Latest version of open-vm-tools breaks VM backups +Patch2: ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch BuildRequires: autoconf BuildRequires: automake 
@@ -410,6 +414,33 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Wed Sep 27 2023 Jon Maloy - 12.2.5-4 +- ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [RHEL-7012] +- Resolves: RHEL-7012 + ([RHEL8.10][ESXi]Latest version of open-vm-tools breaks VM backups) + +* Wed Sep 20 2023 Miroslav Rezanina - 12.2.5-3 +- Rebuild CVE-2023-20900 for 8.10 +- Resolves: RHEL-4584 + (CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-8.10.0]) + +* Tue Jul 11 2023 Miroslav Rezanina - 12.2.5-1 +- Rebase to open-vm-tools 12.2.5 [bz#2214861] +- Resolves: bz#2214861 + ([ESXi][RHEL8]open-vm-tools version 12.2.5 has been released - please rebase) +- Resolves: bz#2216415 + ([ESXi][RHEL8] URL in service unit files are started from http instead of https) + +* Wed Jun 28 2023 Jon Maloy - 12.2.0-3 +- ovt-Remove-some-dead-code.patch [bz#2215563] +- Resolves: bz#2215563 + ([CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-8]) + +* Wed May 03 2023 Miroslav Rezanina - 12.2.0-1 +- Rebase to open-vm-tools 12.2.0 [bz#2177068] +- Resolves: bz#2177068 + ([ESXi][RHEL8]open-vm-tools version 12.2.0 has been released - please rebase) + * Fri Dec 09 2022 Miroslav Rezanina 12.1.5-1 - Rebase to open-vm-tools 12.1.5 [bz#2150188] - Resolves: bz#2150188 From a121052a9af05ecd1e65f4a52eec8a3ff547d560 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 15 Nov 2023 11:10:12 +0300 Subject: [PATCH 2/2] Fix release to match upstream --- SPECS/open-vm-tools.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec index 9a7f0d4..6e1cb76 100644 --- a/SPECS/open-vm-tools.spec +++ b/SPECS/open-vm-tools.spec @@ -32,7 +32,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 4%{?dist} +Release: 3%{?dist} Summary: Open Virtual Machine Tools for virtual machines hosted on VMware License: GPLv2 URL: https://github.com/vmware/%{name} 
@@ -414,12 +414,12 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog -* Wed Sep 27 2023 Jon Maloy - 12.2.5-4 +* Wed Sep 27 2023 Jon Maloy - 12.2.5-3 - ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [RHEL-7012] - Resolves: RHEL-7012 ([RHEL8.10][ESXi]Latest version of open-vm-tools breaks VM backups) -* Wed Sep 20 2023 Miroslav Rezanina - 12.2.5-3 +* Wed Sep 20 2023 Miroslav Rezanina - 12.2.5-2 - Rebuild CVE-2023-20900 for 8.10 - Resolves: RHEL-4584 (CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-8.10.0])
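Review bot: In LinuxDriver_Freeze (syncDriverLinux.c), the new `else if (ignoreFrozenFS)` branch reports the skipped filesystem only through Debug(), so at a default log level nothing records that a quiesced snapshot went ahead with a filesystem frozen by another process. The tools.conf text added in the same patch says the snapshot may be compromised in that situation, so this branch should log at warning level and name the path. Style: `'%s'",path` is missing the space after the comma.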
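Review bot: In ToolsDaemonTcloSyncDriverFreeze (foundryToolsDaemon.c), `excludedFileSystems` is declared as a non-const `char *` and filled from VMTools_ConfigGetString, but the hunk adds no release of it after the SyncDriver_Freeze call. If the getter returns an allocated string, free it on both the success and the failure path. This call site also used to pass NULL for the excluded list and now passes the configured value, which is a behaviour change for the VIX freeze path that the commit message does not mention and should.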
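Review bot: The prototypes in syncDriverInt.h (SyncFreezeFn, LinuxDriver_Freeze, VmSync_Freeze, NullDriver_Freeze) name the new parameter `ignoreFrozenFs`, while syncDriver.h and the definitions in nullDriver.c, syncDriverLinux.c, vmSyncDriver.c and syncDriverPosix.c use `ignoreFrozenFS`. Pick one spelling so a search for the flag finds every use.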
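Review bot: The tools.conf comment says the workaround is available "starting from 12.3.0", but this spec carries the patch on 12.2.5 (`majorversion 12.2`, `minorversion 5`), so the shipped file will tell administrators the option does not exist in the version they are running. State in the comment that the setting is backported to this build. The same block has the typo "quiesceing" and a doubled "operation operation".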
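Review bot: In VerifySignature (saml-xmlsec1.c), the new xmlSecPtrListAdd failure path jumps to `done` immediately after RegisterID succeeded, so `bRet` is TRUE at that point, and the hunk does not show which variable the function returns from `done`. Confirm the returned value is not `bRet`, or set it to FALSE before the `goto done`, so that a failure to restrict key data to X509 rejects the token rather than accepting it. The patch header also has no upstream commit reference (the other patch in this series has a "cherry picked from" line), which makes the backport harder to check against the upstream fix for CVE-2023-20900.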
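Review bot: The spec hunks add `Patch1:` and `Patch2:`, but no hunk touches %prep, so whether the two patches are actually applied depends on an existing %autosetup, %autopatch or equivalent that is not visible in this diff. Patch1 is the CVE-2023-20900 fix, so check the build log for both patches being applied before treating the package as fixed.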
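Review bot: PATCH 2/2 lowers `Release:` from 4 to 3 and rewrites the two newest %changelog entries to 12.2.5-3 and 12.2.5-2, although PATCH 1/2 is titled as an import of open-vm-tools-12.2.5-4.el8. The commit message does not say which upstream build is being matched; name it there. The CVE-2023-20900 rebuild is now recorded as 12.2.5-2, so anyone tracking the fix by release number will compare against that entry, and if a 12.2.5-4 build was ever published, lowering the release breaks the upgrade path.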