pcs-0.10.18-2.el8_10.8

- Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado Resolves: RHEL-136415, RHEL-136420
2026-01-19 14:00:56 +01:00 · 2026-01-19 14:00:56 +01:00 · 6694ec7a40
commit 6694ec7a40
parent 3279be4dfc
3 changed files with 9 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -47,3 +47,4 @@
 /tornado-6.1.0.pcs.2.tar.gz
 /rexml-3.4.1.gem
 /rack-2.2.20.gem
+/tornado-v6.1.0.pcs.3.tar.gz
--- a/pcs.spec
+++ b/pcs.spec
@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.7
+Release: 2%{?dist}.8
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64

 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.2
+%global tornado_version    6.1.0.pcs.3

 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@ -87,7 +87,7 @@ Source0: %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.
 Source1: HAM-logo.png

 Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
-Source42: https://github.com/CtrlZmaster/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
+Source42: tornado-v%{tornado_version}.tar.gz
 Source43: https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
 Source44: https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
 Source45: https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
@ -565,6 +565,10 @@ remove_all_tests
 %license pyagentx_LICENSE.txt

 %changelog
+* Mon Jan 19 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.8
+- Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado
+  Resolves: RHEL-136415, RHEL-136420
+
 * Wed Oct 22 2025 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.7
 - Fixed CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 by updating bundled rubygem rack
  Resolves: RHEL-120432, RHEL-120939, RHEL-121033, RHEL-123639, RHEL-124936
--- a/2
+++ b/2
@ -16,6 +16,6 @@ SHA512 (ffi-1.16.3.gem) = b3d823a03055412a85ae3dbc10c3b50615614f0b66830e144ca476
 SHA512 (puma-6.4.0.gem) = 3f481bd2bd34ed0d66d86f61d7522a48b4d8bfd36b807a1c47bb3b640bc6050a72f4f710fd4fad16260b560f98050e34faad044a54cb759c7ffe8371c3548c18
 SHA512 (tilt-2.3.0.gem) = 78a3de34e3d096e40cb245807bad07cc3ebfa192986addbd228c25153166808b379f3ce086ff68fa5959997946187fe8923e84100653b2b109007390969875b3
 SHA512 (pcs-0.10.18.tar.gz) = 5cadb8158bd97e6f20fdf5fc492e85febf596e813b2e64a6dfb13da803ef3d2a3c1fe63d8e26d9b18279f23bfab9a8ff40fab10c9a87fa84b1da302648533ba0
-SHA512 (tornado-6.1.0.pcs.2.tar.gz) = 85b7ff3cbfdff4cc4a9260f84c2c9704a32f5294f9dc61cd0a2fa779bde096a6925462658ef0558a833fab34e174abbb49108a37b7951f1ac9fd1c56b77312c0
 SHA512 (rexml-3.4.1.gem) = e5c104416c9f4695c124df90b39bda3ac8b39584b526fca9fbe57171ae25b13ee178a619fa1801934bd764d2c73f46316c14bc634e8efa8f7859c595ba055622
 SHA512 (rack-2.2.20.gem) = 11ad158b49bf7c3bbfe781d4f895eddbffbb66f0597b91459c33b99851607521f3366f515c1b72550b0384cf30eebf3021b68319f8fceac6d480a144596a8e79
+SHA512 (tornado-v6.1.0.pcs.3.tar.gz) = 11ea9ca160de1bd4014b90b1e6d64225d9d2768bd63ef01154cb90e7f28fe471977715fdaf39a2f63c46add392c2a2135f6c4c90dfbb13b0712438601e24d29d