pcs-0.10.18-2.el8_10.9
- Fixed CVE-2026-31958 by patching bundled Tornado Resolves: RHEL-155293
parent
6694ec7a40
commit
3a7de55e5d
1
.gitignore
vendored
1
.gitignore
vendored
@ -48,3 +48,4 @@
|
||||
/rexml-3.4.1.gem
|
||||
/rack-2.2.20.gem
|
||||
/tornado-v6.1.0.pcs.3.tar.gz
|
||||
/tornado-v6.1.0.pcs.4.tar.gz
|
||||
|
||||
54
RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
Normal file
54
RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From 7fc3db518798cbbd4d11028d52837d460640fb06 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= <mpospisi@redhat.com>
|
||||
Date: Wed, 25 Mar 2026 22:01:21 +0100
|
||||
Subject: [PATCH] disable multipart requests in Tornado
|
||||
|
||||
Pcsd doesn't use multipart requests and recently, there have been
|
||||
vulnerabilities targeting both Rack and Tornado. Since we use Tornado as
|
||||
a proxy for our Ruby daemon, this also helps mitigate future Rack multipart
|
||||
vulnerabilities.
|
||||
|
||||
Multipart vulnerabilities:
|
||||
https://www.cve.org/CVERecord?id=CVE-2026-31958
|
||||
https://www.cve.org/CVERecord?id=CVE-2025-61771
|
||||
https://www.cve.org/CVERecord?id=CVE-2025-61770
|
||||
---
|
||||
pcs/daemon/run.py | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/pcs/daemon/run.py b/pcs/daemon/run.py
|
||||
index 0a6b1b211..19586b18a 100644
|
||||
--- a/pcs/daemon/run.py
|
||||
+++ b/pcs/daemon/run.py
|
||||
@@ -3,6 +3,11 @@ import signal
|
||||
import socket
|
||||
from pathlib import Path
|
||||
|
||||
+from tornado.httputil import (
|
||||
+ ParseBodyConfig,
|
||||
+ ParseMultipartConfig,
|
||||
+ set_parse_body_config,
|
||||
+)
|
||||
from tornado.ioloop import IOLoop
|
||||
from tornado.locks import Lock
|
||||
from tornado.web import Application
|
||||
@@ -71,6 +76,16 @@ def configure_app(
|
||||
reload its SSL certificates). A relevant handler should get this
|
||||
object via the method `initialize`.
|
||||
"""
|
||||
+
|
||||
+ # Disable multipart requests to enhance security due to recent CVEs
|
||||
+ # https://www.cve.org/CVERecord?id=CVE-2026-31958
|
||||
+ # https://www.cve.org/CVERecord?id=CVE-2025-61771
|
||||
+ # https://www.cve.org/CVERecord?id=CVE-2025-61770
|
||||
+ # https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.set_parse_body_config
|
||||
+ set_parse_body_config(
|
||||
+ ParseBodyConfig(multipart=ParseMultipartConfig(enabled=False))
|
||||
+ )
|
||||
+
|
||||
routes = sinatra_remote.get_routes(
|
||||
ruby_pcsd_wrapper,
|
||||
sync_config_lock,
|
||||
--
|
||||
2.53.0
|
||||
|
||||
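Review bot: The comment block above `set_parse_body_config(` presents the change as also mitigating Rack multipart vulnerabilities, but `ParseMultipartConfig(enabled=False)` only stops Tornado from parsing multipart bodies itself; whether such a body is still forwarded unparsed to the Ruby daemon depends on how `sinatra_remote.get_routes` proxies request bodies, which is outside this hunk, so that claim should be checked against the proxy code rather than assumed. If bodies are passed through, the Rack side is protected only by its own parser fix, and the comment should say so, e.g. `# Note: this disables only Tornado's own multipart parsing; bodies proxied to ruby-pcsd are still parsed by Rack.` The call also appears (per the linked docs) to install a process-wide Tornado setting from inside `configure_app`, so it takes effect only once that function runs and affects every Application in the process; placing it with the other startup configuration, or stating the global effect in the comment, would make that visible. Since the bundled Tornado is a 6.1.0 fork (`6.1.0.pcs.4`), the `stable` documentation link may describe a different revision of this API than the one shipped, and a short note naming the backport would help future readers. `configure_app` starts and ends outside this hunk.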
10
pcs.spec
10
pcs.spec
@ -1,6 +1,6 @@
|
||||
Name: pcs
|
||||
Version: 0.10.18
|
||||
Release: 2%{?dist}.8
|
||||
Release: 2%{?dist}.9
|
||||
# https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
|
||||
# https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
|
||||
# GPL-2.0-only: pcs
|
||||
@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
|
||||
|
||||
# DO NOT UPDATE
|
||||
# Tornado 6.2 requires Python 3.7+
|
||||
%global tornado_version 6.1.0.pcs.3
|
||||
%global tornado_version 6.1.0.pcs.4
|
||||
|
||||
%global pcs_bundled_dir pcs_bundled
|
||||
%global pcsd_public_dir pcsd/public
|
||||
@ -117,6 +117,7 @@ Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
|
||||
Patch2: RHEL-17280-01-disable-new-webui-routes.patch
|
||||
Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
|
||||
Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
|
||||
Patch5: RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
|
||||
|
||||
# git for patches
|
||||
BuildRequires: git-core
|
||||
@ -309,6 +310,7 @@ update_times_patch %{PATCH1}
|
||||
update_times_patch %{PATCH2}
|
||||
update_times_patch %{PATCH3}
|
||||
update_times_patch %{PATCH4}
|
||||
update_times_patch %{PATCH5}
|
||||
|
||||
# generate .tarball-version if building from an untagged commit, not a released version
|
||||
# autogen uses git-version-gen which uses .tarball-version for generating version number
|
||||
@ -565,6 +567,10 @@ remove_all_tests
|
||||
%license pyagentx_LICENSE.txt
|
||||
|
||||
%changelog
|
||||
* Thu Mar 26 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.9
|
||||
- Fixed CVE-2026-31958 by patching bundled Tornado
|
||||
Resolves: RHEL-155293
|
||||
|
||||
* Mon Jan 19 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.8
|
||||
- Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado
|
||||
Resolves: RHEL-136415, RHEL-136420
|
||||
|
||||
2
sources
2
sources
@ -18,4 +18,4 @@ SHA512 (tilt-2.3.0.gem) = 78a3de34e3d096e40cb245807bad07cc3ebfa192986addbd228c25
|
||||
SHA512 (pcs-0.10.18.tar.gz) = 5cadb8158bd97e6f20fdf5fc492e85febf596e813b2e64a6dfb13da803ef3d2a3c1fe63d8e26d9b18279f23bfab9a8ff40fab10c9a87fa84b1da302648533ba0
|
||||
SHA512 (rexml-3.4.1.gem) = e5c104416c9f4695c124df90b39bda3ac8b39584b526fca9fbe57171ae25b13ee178a619fa1801934bd764d2c73f46316c14bc634e8efa8f7859c595ba055622
|
||||
SHA512 (rack-2.2.20.gem) = 11ad158b49bf7c3bbfe781d4f895eddbffbb66f0597b91459c33b99851607521f3366f515c1b72550b0384cf30eebf3021b68319f8fceac6d480a144596a8e79
|
||||
SHA512 (tornado-v6.1.0.pcs.3.tar.gz) = 11ea9ca160de1bd4014b90b1e6d64225d9d2768bd63ef01154cb90e7f28fe471977715fdaf39a2f63c46add392c2a2135f6c4c90dfbb13b0712438601e24d29d
|
||||
SHA512 (tornado-v6.1.0.pcs.4.tar.gz) = 03f15b475e1eba6064570ac77149a90db592d93b6755f685c1ca9e4f862ff42e0e33dfcbc2403af4fdb4e4e80f38688d67344e1d51217440fb104f94944e8fd0
|
||||
|
||||