From 6694ec7a40937798c681e4e0cbbb13fcf21909fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?=
Date: Mon, 19 Jan 2026 14:00:56 +0100
Subject: [PATCH] pcs-0.10.18-2.el8_10.8 - Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado Resolves: RHEL-136415, RHEL-136420
---
 .gitignore | 1 +
 pcs.spec | 10 +++++++---
 sources | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 69eca61..a93d15d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,4 @@
 /tornado-6.1.0.pcs.2.tar.gz
 /rexml-3.4.1.gem
 /rack-2.2.20.gem
+/tornado-v6.1.0.pcs.3.tar.gz
diff --git a/pcs.spec b/pcs.spec
index 9c52d4f..007978c 100644
--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.7
+Release: 2%{?dist}.8
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version 6.1.0.pcs.2
+%global tornado_version 6.1.0.pcs.3
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -87,7 +87,7 @@ Source0: %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.
 Source1: HAM-logo.png
 Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
-Source42: https://github.com/CtrlZmaster/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
+Source42: tornado-v%{tornado_version}.tar.gz
 Source43: https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
 Source44: https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
 Source45: https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
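Review bot: `Source42` in the `@@ -87,7 +87,7 @@` hunk of pcs.spec no longer records where the bundled Tornado tarball comes from: the GitHub archive URL is replaced by the bare file name `tornado-v%{tornado_version}.tar.gz`, so the SHA512 entry in `sources` is the only thing tying the build to a particular set of bytes. Since this archive carries the fixes for CVE-2025-67725 and CVE-2025-67726, a comment above the line should say how it was produced, for example `# Tornado 6.1 with backported fixes for CVE-2025-67725 and CVE-2025-67726; generated from <repository and commit placeholder>`, so the backport can be audited and rebuilt. The file name also gains a `v` prefix, so any `%setup` or unpack step outside this hunk that still expects `tornado-%{tornado_version}` should be checked; that part of the spec is not visible here.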
@@ -565,6 +565,10 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 %changelog
+* Mon Jan 19 2026 Michal Pospíšil - 0.10.18-2%{?dist}.8
+- Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado
+ Resolves: RHEL-136415, RHEL-136420
+
 * Wed Oct 22 2025 Michal Pospíšil - 0.10.18-2%{?dist}.7
 - Fixed CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 by updating bundled rubygem rack
 Resolves: RHEL-120432, RHEL-120939, RHEL-121033, RHEL-123639, RHEL-124936
diff --git a/sources b/sources
index a139ceb..ae2a947 100644
--- a/sources
+++ b/sources
@@ -16,6 +16,6 @@ SHA512 (ffi-1.16.3.gem) = b3d823a03055412a85ae3dbc10c3b50615614f0b66830e144ca476
 SHA512 (puma-6.4.0.gem) = 3f481bd2bd34ed0d66d86f61d7522a48b4d8bfd36b807a1c47bb3b640bc6050a72f4f710fd4fad16260b560f98050e34faad044a54cb759c7ffe8371c3548c18
 SHA512 (tilt-2.3.0.gem) = 78a3de34e3d096e40cb245807bad07cc3ebfa192986addbd228c25153166808b379f3ce086ff68fa5959997946187fe8923e84100653b2b109007390969875b3
 SHA512 (pcs-0.10.18.tar.gz) = 5cadb8158bd97e6f20fdf5fc492e85febf596e813b2e64a6dfb13da803ef3d2a3c1fe63d8e26d9b18279f23bfab9a8ff40fab10c9a87fa84b1da302648533ba0
-SHA512 (tornado-6.1.0.pcs.2.tar.gz) = 85b7ff3cbfdff4cc4a9260f84c2c9704a32f5294f9dc61cd0a2fa779bde096a6925462658ef0558a833fab34e174abbb49108a37b7951f1ac9fd1c56b77312c0
 SHA512 (rexml-3.4.1.gem) = e5c104416c9f4695c124df90b39bda3ac8b39584b526fca9fbe57171ae25b13ee178a619fa1801934bd764d2c73f46316c14bc634e8efa8f7859c595ba055622
 SHA512 (rack-2.2.20.gem) = 11ad158b49bf7c3bbfe781d4f895eddbffbb66f0597b91459c33b99851607521f3366f515c1b72550b0384cf30eebf3021b68319f8fceac6d480a144596a8e79
+SHA512 (tornado-v6.1.0.pcs.3.tar.gz) = 11ea9ca160de1bd4014b90b1e6d64225d9d2768bd63ef01154cb90e7f28fe471977715fdaf39a2f63c46add392c2a2135f6c4c90dfbb13b0712438601e24d29d