Debrand logo

2026-04-16 08:11:15 +00:00 · 2026-04-16 08:11:15 +00:00 · f03d6cacd4
commit f03d6cacd4
parent 3fc286b44a f6cb5cc9b5
4 changed files with 65 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -19,4 +19,4 @@ SOURCES/rexml-3.4.1.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
-SOURCES/tornado-v6.1.0.pcs.3.tar.gz
+SOURCES/tornado-v6.1.0.pcs.4.tar.gz
--- a/.pcs.metadata
+++ b/.pcs.metadata
@ -19,4 +19,4 @@ ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
-1f4e55c234da0b22aac09cca5a971c4ec2cb500a SOURCES/tornado-v6.1.0.pcs.3.tar.gz
+bf4020626453c8db65d1817bed7b1884ea530e92 SOURCES/tornado-v6.1.0.pcs.4.tar.gz
--- a/SOURCES/RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
+++ b/SOURCES/RHEL-155293-01-disable-multipart-requests-in-Tornado.patch
@ -0,0 +1,54 @@
+From 7fc3db518798cbbd4d11028d52837d460640fb06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Posp=C3=AD=C5=A1il?= <mpospisi@redhat.com>
+Date: Wed, 25 Mar 2026 22:01:21 +0100
+Subject: [PATCH] disable multipart requests in Tornado
+
+Pcsd doesn't use multipart requests and recently, there have been
+vulnerabilities targeting both Rack and Tornado. Since we use Tornado as
+a proxy for our Ruby daemon, this also helps mitigate future Rack multipart
+vulnerabilities.
+
+Multipart vulnerabilities:
+https://www.cve.org/CVERecord?id=CVE-2026-31958
+https://www.cve.org/CVERecord?id=CVE-2025-61771
+https://www.cve.org/CVERecord?id=CVE-2025-61770
+---
+ pcs/daemon/run.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/pcs/daemon/run.py b/pcs/daemon/run.py
+index 0a6b1b211..19586b18a 100644
+--- a/pcs/daemon/run.py
+++ b/pcs/daemon/run.py
+@@ -3,6 +3,11 @@ import signal
+ import socket
+ from pathlib import Path
+ 
+from tornado.httputil import (
+    ParseBodyConfig,
+    ParseMultipartConfig,
+    set_parse_body_config,
+)
+ from tornado.ioloop import IOLoop
+ from tornado.locks import Lock
+ from tornado.web import Application
+@@ -71,6 +76,16 @@ def configure_app(
+             reload its SSL certificates). A relevant handler should get this
+             object via the method `initialize`.
+         """
+
+        # Disable multipart requests to enhance security due to recent CVEs
+        # https://www.cve.org/CVERecord?id=CVE-2026-31958
+        # https://www.cve.org/CVERecord?id=CVE-2025-61771
+        # https://www.cve.org/CVERecord?id=CVE-2025-61770
+        # https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.set_parse_body_config
+        set_parse_body_config(
+            ParseBodyConfig(multipart=ParseMultipartConfig(enabled=False))
+        )
+
+         routes = sinatra_remote.get_routes(
+             ruby_pcsd_wrapper,
+             sync_config_lock,
+-- 
+2.53.0
+
--- a/SPECS/pcs.spec
+++ b/SPECS/pcs.spec
@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.8.alma.1
+Release: 2%{?dist}.9.alma.1
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64

 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.3
+%global tornado_version    6.1.0.pcs.4

 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@ -117,6 +117,7 @@ Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
 Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
 Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
+Patch5: RHEL-155293-01-disable-multipart-requests-in-Tornado.patch

 # git for patches
 BuildRequires: git-core
@ -309,6 +310,7 @@ update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
 update_times_patch %{PATCH3}
 update_times_patch %{PATCH4}
+update_times_patch %{PATCH5}

 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@ -565,9 +567,13 @@ remove_all_tests
 %license pyagentx_LICENSE.txt

 %changelog
-* Fri Jan 23 2026 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.8.alma.1
+* Thu Apr 16 2026 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.9.alma.1
 - Debrand logo

+* Thu Mar 26 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.9
+- Fixed CVE-2026-31958 by patching bundled Tornado
+  Resolves: RHEL-155293
+
 * Mon Jan 19 2026 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.8
 - Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado
  Resolves: RHEL-136415, RHEL-136420