From 0932aa5f6504d40d5d39084002574207508b321f Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 6 Nov 2025 09:23:40 +0000
Subject: [PATCH] import OL pcs-0.11.9-2.el9_6.2
---
 .gitignore | 2 +-
 .pcs.metadata | 2 +-
 ...-01-support-for-query-limits-in-rack.patch | 45 ++++++++++++++
 ...ase-of-target-role-in-cluster-status.patch | 52 ++++++++++++++++
 SOURCES/fix-tests-for-tornado-6.5.patch | 28 +++++++++
 SPECS/pcs.spec | 59 ++++++++++++-------
 6 files changed, 164 insertions(+), 24 deletions(-)
 create mode 100644 SOURCES/RHEL-90153-01-support-for-query-limits-in-rack.patch
 create mode 100644 SOURCES/RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch
 create mode 100644 SOURCES/fix-tests-for-tornado-6.5.patch
diff --git a/.gitignore b/.gitignore
index 15bb6fa..80d5cee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,7 @@ SOURCES/pcs-web-ui-0.1.22.tar.gz
 SOURCES/pcs-web-ui-node-modules-0.1.22.tar.xz
 SOURCES/puma-6.4.3.gem
 SOURCES/pyagentx-0.4.pcs.2.tar.gz
-SOURCES/rack-3.1.14.gem
+SOURCES/rack-3.2.3.gem
 SOURCES/rack-protection-4.0.0.gem
 SOURCES/rack-session-2.0.0.gem
 SOURCES/rack-test-2.1.0.gem
diff --git a/.pcs.metadata b/.pcs.metadata
index 5acdf6f..e096887 100644
--- a/.pcs.metadata
+++ b/.pcs.metadata
@@ -11,7 +11,7 @@ b19baebde3b478071597b5579a36d5a6e9064790 SOURCES/pcs-web-ui-0.1.22.tar.gz
 29c9677893485e6ad75862092fc9eedd6f0ad9e9 SOURCES/pcs-web-ui-node-modules-0.1.22.tar.xz
 f72357acbdcfd68b4b41a999ed47926c0e54ea5e SOURCES/puma-6.4.3.gem
 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
-e415f71f155098fd79c4b0fb3d0b5803c434e3d2 SOURCES/rack-3.1.14.gem
+d5b8c814183f606adaeaca1251d0af6c91c41974 SOURCES/rack-3.2.3.gem
 f91158b296882aa5b3798ff6c24f01cdf233ef48 SOURCES/rack-protection-4.0.0.gem
 9e7935696af0b64cc5f5ce2dfeabdb7e0d3a84f0 SOURCES/rack-session-2.0.0.gem
 ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
diff --git a/SOURCES/RHEL-90153-01-support-for-query-limits-in-rack.patch b/SOURCES/RHEL-90153-01-support-for-query-limits-in-rack.patch
new file mode 100644
index 0000000..06ec4c7
--- /dev/null
+++ b/SOURCES/RHEL-90153-01-support-for-query-limits-in-rack.patch
@@ -0,0 +1,45 @@
+From 7762456c5b6eb6ec50426c171f87f700fe1fed9e Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik
+Date: Tue, 20 May 2025 16:34:18 +0200
+Subject: [PATCH 2/3] support for query limits in rack
+
+---
+ pcsd/conf/pcsd | 6 ++++++
+ pcsd/pcsd.rb | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
+index 0ffbd616..7206e95a 100644
+--- a/pcsd/conf/pcsd
++++ b/pcsd/conf/pcsd
+@@ -48,5 +48,11 @@ PCSD_SESSION_LIFETIME=3600
+ # is 50 (even if set lower).
+ PCSD_RESTART_AFTER_REQUESTS=200
+
++# These environment variables set the maximum query string bytesize and the
++# maximum number of query parameters that pcsd will attempt to parse.
++# See CVE-2025-46727 for details.
++#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
++#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
++
+ # Do not change
+ RACK_ENV=production
+diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
+index 5b8d0a11..a62434c6 100644
+--- a/pcsd/pcsd.rb
++++ b/pcsd/pcsd.rb
+@@ -74,6 +74,11 @@ configure do
+ CAPABILITIES_PCSD = capabilities_pcsd.freeze
+ end
+
++error Rack::QueryParser::QueryLimitError do
++ $logger.warn(env['sinatra.error'].message)
++ return 400, env['sinatra.error'].message
++end
++
+ def run_cfgsync
+ node_connected = true
+ if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
+--
+2.49.0
+
diff --git a/SOURCES/RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch b/SOURCES/RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch
new file mode 100644
index 0000000..222ee8b
--- /dev/null
+++ b/SOURCES/RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch
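Review bot: The `error Rack::QueryParser::QueryLimitError do` handler added to pcsd/pcsd.rb carries no comment saying why a Rack parser exception is answered with 400 instead of falling through to Sinatra's generic 500 path, and it depends on that constant existing in the rack version this spec now bundles (3.2.3 per the `%global version_rubygem_rack` hunk) even though the patch, dated May 2025, was presumably written against the 3.1.14 line; worth confirming the class name survived the 3.2 bump. I would add above the block: `# rack raises QueryLimitError when a query string exceeds RACK_QUERY_PARSER_{BYTESIZE,PARAMS}_LIMIT (CVE-2025-46727 hardening); answer 400 so the client sees a rejection rather than a server error`. In pcsd/conf/pcsd the two commented-out assignments read as if they were the limits pcsd enforces; if those numbers are the values rack applies when the variables are unset, the comment should say so, so an operator knows that uncommenting them unchanged is a no-op. The response body is rack's own exception message rather than request data, so echoing it to the client is fine.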
@@ -0,0 +1,52 @@
+From f3c666b40d88096f02d7180a13919cb2d00c41ce Mon Sep 17 00:00:00 2001
+From: Peter Romancik
+Date: Mon, 19 May 2025 09:13:43 +0200
+Subject: [PATCH 1/3] ignore case of target-role in cluster status
+
+---
+ pcs/lib/pacemaker/status.py | 5 +++--
+ pcs_test/tier0/lib/pacemaker/test_status.py | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/pcs/lib/pacemaker/status.py b/pcs/lib/pacemaker/status.py
+index ed5eb0ba..f4ffe047 100644
+--- a/pcs/lib/pacemaker/status.py
++++ b/pcs/lib/pacemaker/status.py
+@@ -383,9 +383,10 @@ def _get_target_role(resource: _Element) -> Optional[PcmkRoleType]:
+ target_role = resource.get("target_role")
+ if target_role is None:
+ return None
+- if target_role not in PCMK_ROLES:
++ target_role_normalized = target_role.capitalize()
++ if target_role_normalized not in PCMK_ROLES:
+ raise UnknownPcmkRoleError(str(resource.get("id")), target_role)
+- return PcmkRoleType(target_role)
++ return PcmkRoleType(target_role_normalized)
+
+
+ def _remove_clone_suffix(resource_id: str) -> tuple[str, Optional[str]]:
+diff --git a/pcs_test/tier0/lib/pacemaker/test_status.py b/pcs_test/tier0/lib/pacemaker/test_status.py
+index 6f350fd4..3e6ee7ba 100644
+--- a/pcs_test/tier0/lib/pacemaker/test_status.py
++++ b/pcs_test/tier0/lib/pacemaker/test_status.py
+@@ -581,6 +581,17 @@ class TestPrimitiveStatusToDto(TestCase):
+ self.assertEqual(cm.exception.resource_id, "resource")
+ self.assertEqual(cm.exception.role, value)
+
++ def test_target_role_ignore_case(self):
++ for value in ["started", "STARTED", "sTaRtEd"]:
++ with self.subTest(value=value):
++ primitive_xml = etree.fromstring(
++ fixture_primitive_xml(target_role=value)
++ )
++ result = status._primitive_to_dto(primitive_xml)
++ self.assertEqual(
++ result, fixture_primitive_dto(target_role=PCMK_ROLE_STARTED)
++ )
++
+
+ class TestGroupStatusToDto(TestCase):
+ # pylint: disable=protected-access
+--
+2.49.0
+
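Review bot: `target_role_normalized = target_role.capitalize()` in `_get_target_role` relies on every entry of `PCMK_ROLES` being a single word with only its first letter upper-case, because `capitalize()` lower-cases everything after the first character, and nothing in the hunk records that assumption, so a future role spelled differently would be rejected as unknown with no obvious cause; `PCMK_ROLES` itself is outside the hunk, so I cannot confirm it holds. I would add above that line: `# pacemaker accepts target-role in any letter case; PCMK_ROLES holds the canonical capitalized spellings, so capitalize() is enough to normalize (assumes every role is a single capitalized word)`. Passing the raw `target_role` to `UnknownPcmkRoleError` is the right call, since the user then sees the value they actually configured. The new test only exercises `started`; one mixed-case value for a different role (e.g. `"PROMOTED"`) would show the normalization is not specific to that one entry.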
diff --git a/SOURCES/fix-tests-for-tornado-6.5.patch b/SOURCES/fix-tests-for-tornado-6.5.patch
new file mode 100644
index 0000000..859b4b3
--- /dev/null
+++ b/SOURCES/fix-tests-for-tornado-6.5.patch
@@ -0,0 +1,28 @@
+From a63fcd9e4ebc5a05cf7c45499e00151cf27561dd Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik
+Date: Fri, 16 May 2025 13:30:04 +0200
+Subject: [PATCH 3/3] fix tests for tornado-6.5
+
+* since tornado-6.5, the host value for HTTPServerRequest should come
+ from http header 'Host'
+* https://www.tornadoweb.org/en/stable/releases/v6.5.0.html#tornado-httputil
+* https://github.com/tornadoweb/tornado/commit/4ce700affdd23631a0514d1a0460c0854b0687fe
+---
+ pcs_test/tier0/daemon/test_ruby_pcsd.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pcs_test/tier0/daemon/test_ruby_pcsd.py b/pcs_test/tier0/daemon/test_ruby_pcsd.py
+index 49b18128..2f7014b5 100644
+--- a/pcs_test/tier0/daemon/test_ruby_pcsd.py
++++ b/pcs_test/tier0/daemon/test_ruby_pcsd.py
+@@ -37,7 +37,6 @@ def create_http_request():
+ uri="/pcsd/uri",
+ headers=HTTPHeaders({"Cookie": "cookie1=first;cookie2=second"}),
+ body=str.encode(urlencode({"post-key": "post-value"})),
+- host="pcsd-host:2224",
+ )
+
+
+--
+2.49.0
+
diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec
index e23d054..4e0e1ca 100644
--- a/SPECS/pcs.spec
+++ b/SPECS/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.11.9
-Release: 2%{?dist}.1
+Release: 2%{?dist}.2
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -53,7 +53,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_mustermann 3.0.3
 %global version_rubygem_nio4r 2.7.4
 %global version_rubygem_puma 6.4.3
-%global version_rubygem_rack 3.1.14
+%global version_rubygem_rack 3.2.3
 %global version_rubygem_rack_protection 4.0.0
 %global version_rubygem_rack_session 2.0.0
 %global version_rubygem_rack_test 2.1.0
@@ -112,6 +112,9 @@ Source101: https://github.com/ClusterLabs/pcs-web-ui/releases/download/%{ui_vers
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-79055-fix-restarting-bundle-instances.patch
 Patch3: RHEL-79160-fix-deletion-of-misconfigured-bundles.patch
+Patch4: RHEL-90153-01-support-for-query-limits-in-rack.patch
+Patch5: RHEL-92551-01-ignore-case-of-target-role-in-cluster-status.patch
+Patch6: fix-tests-for-tornado-6.5.patch
 # ui patches: >200
 # Patch201: bzNUMBER-01-name.patch
@@ -215,23 +218,25 @@ Requires: logrotate
 # for working with qdevice certificates (certutil)
 Requires: nss-tools
-Provides: bundled(dacite) = %{dacite_version}
-Provides: bundled(backports) = %{version_rubygem_backports}
-Provides: bundled(base64) = %{version_rubygem_base64}
-Provides: bundled(childprocess) = %{version_rubygem_childprocess}
-Provides: bundled(ethon) = %{version_rubygem_ethon}
-Provides: bundled(ffi) = %{version_rubygem_ffi}
-Provides: bundled(mustermann) = %{version_rubygem_mustermann}
-Provides: bundled(nio4r) = %{version_rubygem_nio4r}
-Provides: bundled(puma) = %{version_rubygem_puma}
-Provides: bundled(rack) = %{version_rubygem_rack}
-Provides: bundled(rack_protection) = %{version_rubygem_rack_protection}
-Provides: bundled(rack_session) = %{version_rubygem_rack_session}
-Provides: bundled(rack_test) = %{version_rubygem_rack_test}
-Provides: bundled(rackup) = %{version_rubygem_rackup}
-Provides: bundled(ruby2_keywords) = %{version_rubygem_ruby2_keywords}
-Provides: bundled(sinatra) = %{version_rubygem_sinatra}
-Provides: bundled(tilt) = %{version_rubygem_tilt}
+
+Provides: bundled(python3-dacite) = %{dacite_version}
+
+Provides: bundled(rubygem-backports) = %{version_rubygem_backports}
+Provides: bundled(rubygem-base64) = %{version_rubygem_base64}
+Provides: bundled(rubygem-childprocess) = %{version_rubygem_childprocess}
+Provides: bundled(rubygem-ethon) = %{version_rubygem_ethon}
+Provides: bundled(rubygem-ffi) = %{version_rubygem_ffi}
+Provides: bundled(rubygem-mustermann) = %{version_rubygem_mustermann}
+Provides: bundled(rubygem-nio4r) = %{version_rubygem_nio4r}
+Provides: bundled(rubygem-puma) = %{version_rubygem_puma}
+Provides: bundled(rubygem-rack) = %{version_rubygem_rack}
+Provides: bundled(rubygem-rack-protection) = %{version_rubygem_rack_protection}
+Provides: bundled(rubygem-rack-session) = %{version_rubygem_rack_session}
+Provides: bundled(rubygem-rack-test) = %{version_rubygem_rack_test}
+Provides: bundled(rubygem-rackup) = %{version_rubygem_rackup}
+Provides: bundled(rubygem-ruby2_keywords) = %{version_rubygem_ruby2_keywords}
+Provides: bundled(rubygem-sinatra) = %{version_rubygem_sinatra}
+Provides: bundled(rubygem-tilt) = %{version_rubygem_tilt}
 %description
 pcs is a corosync and pacemaker configuration tool. It permits users to
@@ -254,7 +259,7 @@ Requires: pcs = %{version}-%{release}
 Requires: pacemaker
 Requires: net-snmp
-Provides: bundled(pyagentx) = %{pyagentx_version}
+Provides: bundled(python3-pyagentx) = %{pyagentx_version}
 %description -n %{pcs_snmp_pkg_name}
 SNMP agent that provides information about pacemaker cluster to the master agent (snmpd)
@@ -326,6 +331,9 @@ update_times_patch %{PATCH201}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
+update_times_patch %{PATCH4}
+update_times_patch %{PATCH5}
+update_times_patch %{PATCH6}
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -601,8 +609,15 @@ run_all_tests
 %license pyagentx_LICENSE.txt
 %changelog
-* Wed May 28 2025 Teo Gonzalez - 0.11.9-2.el9_6.1
-- rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
+* Fri Oct 24 2025 Michal Pospisil - 0.11.9-2%{?dist}.2
+- Fixed CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 by updating bundled rubygem rack
+ Resolves: RHEL-120943, RHEL-121036, RHEL-123631, RHEL-123644, RHEL-124942
+
+* Mon May 26 2025 Michal Pospisil - 0.11.9-2%{?dist}.1
+- Fixed CVE-2025-46727 by updating bundled rubygem rack
+ Resolves: RHEL-90153
+- Fixed a regression in resource/stonith delete, booth delete, status query resource and remote node removal commands which failed when target-role was improperly capitalized
+ Resolves: RHEL-92551
 * Fri Feb 14 2025 Michal Pospisil - 0.11.9-2
 - Fixed restarting bundles
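Review bot: The `@@ -601,8 +609,15 @@` changelog hunk rewrites the existing `0.11.9-2.el9_6.1` entry (author, date and text all change) instead of appending, and the rewritten `.1` entry credits RHEL-90153 and RHEL-92551 to that release although the `Patch4:` and `Patch5:` lines carrying those fixes are only introduced by this commit (the `@@ -112,6 +112,9 @@` hunk) and applied in the `@@ -326,6 +331,9 @@` hunk; the `.2` entry mentions only the rack bump, and `fix-tests-for-tornado-6.5.patch` (Patch6) appears in no entry at all. As far as this diff shows, the resulting history no longer describes what the previously built `.el9_6.1` package contained. I would keep the original `* Wed May 28 2025 Teo Gonzalez - 0.11.9-2.el9_6.1` entry unchanged and list the three new patches under the `.2` entry, e.g. `- Added pcsd query-limit handling (RHEL-90153), case-insensitive target-role in status (RHEL-92551) and a tornado 6.5 test fix`. If the intent is to mirror the upstream changelog verbatim on import, a sentence saying so in the commit description would make the discrepancy deliberate rather than look accidental.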