pcs-0.10.18-2.el8_10.5

- Fixed CVE-2024-52804 by patching bundled Tornado Resolves: RHEL-93167 - Fixed CVE-2025-46727 by updating bundled rubygem rack Resolves: RHEL-90147
2025-05-22 15:35:02 +02:00 · 2025-05-22 15:35:02 +02:00 · c49b50b798
commit c49b50b798
parent 87d0506098
4 changed files with 61 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -43,3 +43,5 @@
 /rexml-3.3.2.gem
 /rexml-3.3.6.gem
 /tornado-6.1.0.pcs.1.tar.gz
+/rack-2.2.16.gem
+/tornado-6.1.0.pcs.2.tar.gz
--- a/RHEL-90147-support-for-query-limits-in-rack.patch
+++ b/RHEL-90147-support-for-query-limits-in-rack.patch
@ -0,0 +1,45 @@
+From 0ad47ec40b7a9a2cb6bdbdf11e1e5b3c59f49b8b Mon Sep 17 00:00:00 2001
+From: Miroslav Lisik <mlisik@redhat.com>
+Date: Tue, 20 May 2025 16:34:18 +0200
+Subject: [PATCH] support for query limits in rack
+
+---
+ pcsd/conf/pcsd | 6 ++++++
+ pcsd/pcsd.rb   | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
+index 98df4744..65a9c9a9 100644
+--- a/pcsd/conf/pcsd
+++ b/pcsd/conf/pcsd
+@@ -45,5 +45,11 @@ PCSD_SESSION_LIFETIME=3600
+ # is 50 (even if set lower).
+ PCSD_RESTART_AFTER_REQUESTS=200
+ 
+# These environment variables set the maximum query string bytesize and the
+# maximum number of query parameters that pcsd will attempt to parse.
+# See CVE-2025-46727 for details.
+#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
+#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
+
+ # Do not change
+ RACK_ENV=production
+diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
+index 11698f54..a2634e4e 100644
+--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
+@@ -90,6 +90,11 @@ configure do
+   CAPABILITIES_PCSD = capabilities_pcsd.freeze
+ end
+ 
+error Rack::QueryParser::QueryLimitError do
+  $logger.warn(env['sinatra.error'].message)
+  return 400, env['sinatra.error'].message
+end
+
+ def run_cfgsync
+   node_connected = true
+   if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
+-- 
+2.49.0
+
--- a/pcs.spec
+++ b/pcs.spec
@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.4
+Release: 2%{?dist}.5
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@ -39,7 +39,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_nio4r 2.5.9
 %global version_rubygem_open4  1.3.4
 %global version_rubygem_puma 6.4.0
-%global version_rubygem_rack  2.2.8.1
+%global version_rubygem_rack  2.2.16
 %global version_rubygem_rack_protection  2.2.4
 %global version_rubygem_rack_test  2.1.0
 %global version_rubygem_rexml  3.3.6
@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64

 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.1
+%global tornado_version    6.1.0.pcs.2

 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@ -116,6 +116,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
 Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
+Patch4: RHEL-90147-support-for-query-limits-in-rack.patch

 # git for patches
 BuildRequires: git-core
@ -306,6 +307,7 @@ update_times_patch(){
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
+update_times_patch %{PATCH4}

 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@ -562,7 +564,13 @@ remove_all_tests
 %license pyagentx_LICENSE.txt

 %changelog
-* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.3
+* Thu May 22 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.5
+- Fixed CVE-2024-52804 by patching bundled Tornado
+  Resolves: RHEL-93167
+- Fixed CVE-2025-46727 by updating bundled rubygem rack
+  Resolves: RHEL-90147
+
+* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.4
 - Fixed CVE-2024-52804 by patching bundled Tornado
  Resolves: RHEL-81924

--- a/4
+++ b/4
@ -16,6 +16,6 @@ SHA512 (ffi-1.16.3.gem) = b3d823a03055412a85ae3dbc10c3b50615614f0b66830e144ca476
 SHA512 (puma-6.4.0.gem) = 3f481bd2bd34ed0d66d86f61d7522a48b4d8bfd36b807a1c47bb3b640bc6050a72f4f710fd4fad16260b560f98050e34faad044a54cb759c7ffe8371c3548c18
 SHA512 (tilt-2.3.0.gem) = 78a3de34e3d096e40cb245807bad07cc3ebfa192986addbd228c25153166808b379f3ce086ff68fa5959997946187fe8923e84100653b2b109007390969875b3
 SHA512 (pcs-0.10.18.tar.gz) = 5cadb8158bd97e6f20fdf5fc492e85febf596e813b2e64a6dfb13da803ef3d2a3c1fe63d8e26d9b18279f23bfab9a8ff40fab10c9a87fa84b1da302648533ba0
-SHA512 (rack-2.2.8.1.gem) = 98a92950a4ca81c51313bca88cdb2a299aa570c3818e8372014b521ef0f6d2347594d456a7ad30eaa972b0bae864d3eb324263870cdcb8f2ffdc5ba08594aada
 SHA512 (rexml-3.3.6.gem) = 0e7f34771f56519b4aa8770b05821a4620a54db1d8f6f547c925de5adf255b717911e197e364d1c270400f7996f583c769a835719b55af475979efdc05ca579b
-SHA512 (tornado-6.1.0.pcs.1.tar.gz) = e9fb1825f45dab3e96479e5104b9ee3cb0b41cfae9facfa9f9f92e35a15792d91665f1f3817d4227a4a8dc46894d65d74c122e4c97fbe4f82f381b226e680cbf
+SHA512 (rack-2.2.16.gem) = 593ad143ac53cf8d7e46410999c210156b455af947e7139659167a99937da9a657c9cb564ef8413b7556ecc5a5c51865b1353608e2bade3f59999f734e72aff3
+SHA512 (tornado-6.1.0.pcs.2.tar.gz) = 85b7ff3cbfdff4cc4a9260f84c2c9704a32f5294f9dc61cd0a2fa779bde096a6925462658ef0558a833fab34e174abbb49108a37b7951f1ac9fd1c56b77312c0