import OL pcs-0.11.9-2.el9_6.2

.gitignore

@@ -11,7 +11,7 @@ SOURCES/pcs-web-ui-0.1.22.tar.gz
 SOURCES/pcs-web-ui-node-modules-0.1.22.tar.xz
 SOURCES/puma-6.4.3.gem
 SOURCES/pyagentx-0.4.pcs.2.tar.gz
-SOURCES/rack-3.1.14.gem
+SOURCES/rack-3.2.3.gem
 SOURCES/rack-protection-4.0.0.gem
 SOURCES/rack-session-2.0.0.gem
 SOURCES/rack-test-2.1.0.gem

.pcs.metadata

@@ -11,7 +11,7 @@ b19baebde3b478071597b5579a36d5a6e9064790 SOURCES/pcs-web-ui-0.1.22.tar.gz
 29c9677893485e6ad75862092fc9eedd6f0ad9e9 SOURCES/pcs-web-ui-node-modules-0.1.22.tar.xz
 f72357acbdcfd68b4b41a999ed47926c0e54ea5e SOURCES/puma-6.4.3.gem
 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
-e415f71f155098fd79c4b0fb3d0b5803c434e3d2 SOURCES/rack-3.1.14.gem
+d5b8c814183f606adaeaca1251d0af6c91c41974 SOURCES/rack-3.2.3.gem
 f91158b296882aa5b3798ff6c24f01cdf233ef48 SOURCES/rack-protection-4.0.0.gem
 9e7935696af0b64cc5f5ce2dfeabdb7e0d3a84f0 SOURCES/rack-session-2.0.0.gem
 ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem

SOURCES/RHEL-90153-01-support-for-query-limits-in-rack.patch

@@ -0,0 +1,45 @@
+From 7762456c5b6eb6ec50426c171f87f700fe1fed9e Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik <mlisik@redhat.com>
+Date: Tue, 20 May 2025 16:34:18 +0200
+Subject: [PATCH 2/3] support for query limits in rack
+
+---
+ pcsd/conf/pcsd | 6 ++++++
+ pcsd/pcsd.rb   | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
+index 0ffbd616..7206e95a 100644
+--- a/pcsd/conf/pcsd
++++ b/pcsd/conf/pcsd
+@@ -48,5 +48,11 @@ PCSD_SESSION_LIFETIME=3600
+ # is 50 (even if set lower).
+ PCSD_RESTART_AFTER_REQUESTS=200
+ 
++# These environment variables set the maximum query string bytesize and the
++# maximum number of query parameters that pcsd will attempt to parse.
++# See CVE-2025-46727 for details.
++#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
++#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
++
+ # Do not change
+ RACK_ENV=production
+diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
+index 5b8d0a11..a62434c6 100644
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -74,6 +74,11 @@ configure do
+   CAPABILITIES_PCSD = capabilities_pcsd.freeze
+ end
+ 
++error Rack::QueryParser::QueryLimitError do
++  $logger.warn(env['sinatra.error'].message)
++  return 400, env['sinatra.error'].message
++end
++
+ def run_cfgsync
+   node_connected = true
+   if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
+-- 
+2.49.0
+

SOURCES/RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch

@@ -0,0 +1,52 @@
+From f3c666b40d88096f02d7180a13919cb2d00c41ce Mon Sep 17 00:00:00 2001
+From: Peter Romancik <promanci@redhat.com>
+Date: Mon, 19 May 2025 09:13:43 +0200
+Subject: [PATCH 1/3] ignore case of target-role in cluster status
+
+---
+ pcs/lib/pacemaker/status.py                 |  5 +++--
+ pcs_test/tier0/lib/pacemaker/test_status.py | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/pcs/lib/pacemaker/status.py b/pcs/lib/pacemaker/status.py
+index ed5eb0ba..f4ffe047 100644
+--- a/pcs/lib/pacemaker/status.py
++++ b/pcs/lib/pacemaker/status.py
+@@ -383,9 +383,10 @@ def _get_target_role(resource: _Element) -> Optional[PcmkRoleType]:
+     target_role = resource.get("target_role")
+     if target_role is None:
+         return None
+-    if target_role not in PCMK_ROLES:
++    target_role_normalized = target_role.capitalize()
++    if target_role_normalized not in PCMK_ROLES:
+         raise UnknownPcmkRoleError(str(resource.get("id")), target_role)
+-    return PcmkRoleType(target_role)
++    return PcmkRoleType(target_role_normalized)
+ 
+ 
+ def _remove_clone_suffix(resource_id: str) -> tuple[str, Optional[str]]:
+diff --git a/pcs_test/tier0/lib/pacemaker/test_status.py b/pcs_test/tier0/lib/pacemaker/test_status.py
+index 6f350fd4..3e6ee7ba 100644
+--- a/pcs_test/tier0/lib/pacemaker/test_status.py
++++ b/pcs_test/tier0/lib/pacemaker/test_status.py
+@@ -581,6 +581,17 @@ class TestPrimitiveStatusToDto(TestCase):
+                 self.assertEqual(cm.exception.resource_id, "resource")
+                 self.assertEqual(cm.exception.role, value)
+ 
++    def test_target_role_ignore_case(self):
++        for value in ["started", "STARTED", "sTaRtEd"]:
++            with self.subTest(value=value):
++                primitive_xml = etree.fromstring(
++                    fixture_primitive_xml(target_role=value)
++                )
++                result = status._primitive_to_dto(primitive_xml)
++                self.assertEqual(
++                    result, fixture_primitive_dto(target_role=PCMK_ROLE_STARTED)
++                )
++
+ 
+ class TestGroupStatusToDto(TestCase):
+     # pylint: disable=protected-access
+-- 
+2.49.0
+

SOURCES/fix-tests-for-tornado-6.5.patch

@@ -0,0 +1,28 @@
+From a63fcd9e4ebc5a05cf7c45499e00151cf27561dd Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik <mlisik@redhat.com>
+Date: Fri, 16 May 2025 13:30:04 +0200
+Subject: [PATCH 3/3] fix tests for tornado-6.5
+
+* since tornado-6.5, the host value for HTTPServerRequest should come
+  from http header 'Host'
+* https://www.tornadoweb.org/en/stable/releases/v6.5.0.html#tornado-httputil
+* https://github.com/tornadoweb/tornado/commit/4ce700affdd23631a0514d1a0460c0854b0687fe
+---
+ pcs_test/tier0/daemon/test_ruby_pcsd.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pcs_test/tier0/daemon/test_ruby_pcsd.py b/pcs_test/tier0/daemon/test_ruby_pcsd.py
+index 49b18128..2f7014b5 100644
+--- a/pcs_test/tier0/daemon/test_ruby_pcsd.py
++++ b/pcs_test/tier0/daemon/test_ruby_pcsd.py
+@@ -37,7 +37,6 @@ def create_http_request():
+         uri="/pcsd/uri",
+         headers=HTTPHeaders({"Cookie": "cookie1=first;cookie2=second"}),
+         body=str.encode(urlencode({"post-key": "post-value"})),
+-        host="pcsd-host:2224",
+     )
+ 
+ 
+-- 
+2.49.0
+

SPECS/pcs.spec

@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.11.9
-Release: 2%{?dist}.1
+Release: 2%{?dist}.2
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -53,7 +53,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_mustermann  3.0.3
 %global version_rubygem_nio4r 2.7.4
 %global version_rubygem_puma 6.4.3
-%global version_rubygem_rack 3.1.14
+%global version_rubygem_rack 3.2.3
 %global version_rubygem_rack_protection  4.0.0
 %global version_rubygem_rack_session 2.0.0
 %global version_rubygem_rack_test  2.1.0
@@ -112,6 +112,9 @@ Source101: https://github.com/ClusterLabs/pcs-web-ui/releases/download/%{ui_vers
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-79055-fix-restarting-bundle-instances.patch
 Patch3: RHEL-79160-fix-deletion-of-misconfigured-bundles.patch
+Patch4: RHEL-90153-01-support-for-query-limits-in-rack.patch
+Patch5: RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch
+Patch6: fix-tests-for-tornado-6.5.patch
 
 # ui patches: >200
 # Patch201: bzNUMBER-01-name.patch
@@ -215,23 +218,25 @@ Requires: logrotate
 # for working with qdevice certificates (certutil)
 Requires: nss-tools
 
-Provides: bundled(dacite) = %{dacite_version}
-Provides: bundled(backports) = %{version_rubygem_backports}
-Provides: bundled(base64) = %{version_rubygem_base64}
-Provides: bundled(childprocess) = %{version_rubygem_childprocess}
-Provides: bundled(ethon) = %{version_rubygem_ethon}
-Provides: bundled(ffi) = %{version_rubygem_ffi}
-Provides: bundled(mustermann) = %{version_rubygem_mustermann}
-Provides: bundled(nio4r) = %{version_rubygem_nio4r}
-Provides: bundled(puma) = %{version_rubygem_puma}
-Provides: bundled(rack) = %{version_rubygem_rack}
-Provides: bundled(rack_protection) = %{version_rubygem_rack_protection}
-Provides: bundled(rack_session) = %{version_rubygem_rack_session}
-Provides: bundled(rack_test) = %{version_rubygem_rack_test}
-Provides: bundled(rackup) = %{version_rubygem_rackup}
-Provides: bundled(ruby2_keywords) = %{version_rubygem_ruby2_keywords}
-Provides: bundled(sinatra) = %{version_rubygem_sinatra}
-Provides: bundled(tilt) = %{version_rubygem_tilt}
+
+Provides: bundled(python3-dacite) = %{dacite_version}
+
+Provides: bundled(rubygem-backports) = %{version_rubygem_backports}
+Provides: bundled(rubygem-base64) = %{version_rubygem_base64}
+Provides: bundled(rubygem-childprocess) = %{version_rubygem_childprocess}
+Provides: bundled(rubygem-ethon) = %{version_rubygem_ethon}
+Provides: bundled(rubygem-ffi) = %{version_rubygem_ffi}
+Provides: bundled(rubygem-mustermann) = %{version_rubygem_mustermann}
+Provides: bundled(rubygem-nio4r) = %{version_rubygem_nio4r}
+Provides: bundled(rubygem-puma) = %{version_rubygem_puma}
+Provides: bundled(rubygem-rack) = %{version_rubygem_rack}
+Provides: bundled(rubygem-rack-protection) = %{version_rubygem_rack_protection}
+Provides: bundled(rubygem-rack-session) = %{version_rubygem_rack_session}
+Provides: bundled(rubygem-rack-test) = %{version_rubygem_rack_test}
+Provides: bundled(rubygem-rackup) = %{version_rubygem_rackup}
+Provides: bundled(rubygem-ruby2_keywords) = %{version_rubygem_ruby2_keywords}
+Provides: bundled(rubygem-sinatra) = %{version_rubygem_sinatra}
+Provides: bundled(rubygem-tilt) = %{version_rubygem_tilt}
 
 %description
 pcs is a corosync and pacemaker configuration tool.  It permits users to
@@ -254,7 +259,7 @@ Requires: pcs = %{version}-%{release}
 Requires: pacemaker
 Requires: net-snmp
 
-Provides: bundled(pyagentx) = %{pyagentx_version}
+Provides: bundled(python3-pyagentx) = %{pyagentx_version}
 
 %description -n %{pcs_snmp_pkg_name}
 SNMP agent that provides information about pacemaker cluster to the master agent (snmpd)
@@ -326,6 +331,9 @@ update_times_patch %{PATCH201}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
+update_times_patch %{PATCH4}
+update_times_patch %{PATCH5}
+update_times_patch %{PATCH6}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -601,8 +609,15 @@ run_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
-* Wed May 28 2025 Teo Gonzalez <teo.g.gonzalez@oracle.com> - 0.11.9-2.el9_6.1
-- rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
+* Fri Oct 24 2025 Michal Pospisil <mpospisi@redhat.com> - 0.11.9-2%{?dist}.2
+- Fixed CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 by updating bundled rubygem rack
+  Resolves: RHEL-120943, RHEL-121036, RHEL-123631, RHEL-123644, RHEL-124942
+
+* Mon May 26 2025 Michal Pospisil <mpospisi@redhat.com> - 0.11.9-2%{?dist}.1
+- Fixed CVE-2025-46727 by updating bundled rubygem rack
+  Resolves: RHEL-90153
+- Fixed a regression in resource/stonith delete, booth delete, status query resource and remote node removal commands which failed when target-role was improperly capitalized
+  Resolves: RHEL-92551
 
 * Fri Feb 14 2025 Michal Pospisil <mpospisi@redhat.com> - 0.11.9-2
 - Fixed restarting bundles