.gitignore

@@ -12,11 +12,11 @@ SOURCES/pcs-0.10.18.tar.gz
 SOURCES/puma-6.4.0.gem
 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 SOURCES/python-dateutil-2.8.2.tar.gz
-SOURCES/rack-2.2.20.gem
+SOURCES/rack-2.2.8.gem
 SOURCES/rack-protection-2.2.4.gem
 SOURCES/rack-test-2.1.0.gem
-SOURCES/rexml-3.4.1.gem
+SOURCES/rexml-3.2.6.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
-SOURCES/tornado-6.1.0.pcs.2.tar.gz
+SOURCES/tornado-6.1.0.tar.gz

.pcs.metadata

@@ -1,4 +1,4 @@
-b15d48d01ccd5a2a481e3a0c66928eed4bd98b8f SOURCES/HAM-logo.png
+679a4ce22a33ffd4d704261a17c00cff98d9499a SOURCES/HAM-logo.png
 0ef72a288913e220695ad62718aeb75171924028 SOURCES/backports-3.24.1.gem
 07b26abbf7ff0dcba5c7f9e814ff7eebafefb058 SOURCES/dacite-1.8.1.tar.gz
 8b7598273d2ae6dad2b88466aefac55071a41926 SOURCES/dataclasses-0.8.tar.gz
@@ -12,11 +12,11 @@ b3cd873042b17021355b68f1f7aa313f0c1f3fee SOURCES/pcs-0.10.18.tar.gz
 d6049c4555f3c9d198e6eb1d7e53ce9b68e175ff SOURCES/puma-6.4.0.gem
 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
-4c52ad6f798e78d4a1800257ef0d7fc5ac254712 SOURCES/rack-2.2.20.gem
+f0cdb53d6ed96f91851c32bccf9b21c4662afd2d SOURCES/rack-2.2.8.gem
 5347315a7283f0b04443e924ed4eaa17807432c8 SOURCES/rack-protection-2.2.4.gem
 ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
-966b1564a77719483eb61068ed1dfb638e5e8eb0 SOURCES/rexml-3.4.1.gem
+c88fc3ffdbde9dd49b24b4d9876673533b4aba76 SOURCES/rexml-3.2.6.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
-3e0fc1e17c45a8e25bdd6ade8dbbc522f64f2ae1 SOURCES/tornado-6.1.0.pcs.2.tar.gz
+c23c617c7a0205e465bebad5b8cdf289ae8402a2 SOURCES/tornado-6.1.0.tar.gz

SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch

@@ -1,52 +0,0 @@
-From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
-From: Ivan Devat <idevat@redhat.com>
-Date: Thu, 7 Mar 2024 16:51:13 +0100
-Subject: [PATCH] stop sending http headers to ruby part of pcsd
-
----
- pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
-index 4b3b0ea1..e07e17cc 100644
---- a/pcs/daemon/ruby_pcsd.py
-+++ b/pcs/daemon/ruby_pcsd.py
-@@ -87,13 +87,34 @@ class RubyDaemonRequest(
-         http_request: HTTPServerRequest = None,
-         payload=None,
-     ):
--        headers = http_request.headers if http_request else HTTPHeaders()
-+        # Headers from request are not propagated to ruby part. Ruby part doesn't
-+        # work with standard headers in any special way. So, we send only path,
-+        # method, query, body and special headers for communication between
-+        # python part and ruby part. Tornado then adds necessary default
-+        # headers. The motivation here is to prevent processing potentially
-+        # maliciously crafted headers by rack.
-+        headers = HTTPHeaders()
-         headers.add("X-Pcsd-Type", request_type)
-         if payload:
-             headers.add(
-                 "X-Pcsd-Payload",
-                 b64encode(json.dumps(payload).encode()).decode(),
-             )
-+        if http_request:
-+            for key, val in http_request.headers.get_all():
-+                # From webui, POST request can come with either
-+                # application/x-www-form-urlencoded or application/json content
-+                # type. When we remove original HTTP headers, content type is
-+                # added by tornado. But in the case of original application/json,
-+                # tornado puts application/x-www-form-urlencoded there. To fix
-+                # this let's keep the original header here in this case.
-+                #
-+                # The token, CIB_user and CIB_user_groups are transferred by the
-+                # "Cookie" header and these information are evaluated in ruby.
-+                if (
-+                    key.lower() == "content-type" and val == "application/json"
-+                ) or key.lower() == "cookie":
-+                    headers.add(key, val)
-         return super(RubyDaemonRequest, cls).__new__(
-             cls,
-             request_type,
--- 
-2.47.0
-

SOURCES/RHEL-90147-support-for-query-limits-in-rack.patch

@@ -1,45 +0,0 @@
-From 0ad47ec40b7a9a2cb6bdbdf11e1e5b3c59f49b8b Mon Sep 17 00:00:00 2001
-From: Miroslav Lisik <mlisik@redhat.com>
-Date: Tue, 20 May 2025 16:34:18 +0200
-Subject: [PATCH] support for query limits in rack
-
----
- pcsd/conf/pcsd | 6 ++++++
- pcsd/pcsd.rb   | 5 +++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
-index 98df4744..65a9c9a9 100644
---- a/pcsd/conf/pcsd
-+++ b/pcsd/conf/pcsd
-@@ -45,5 +45,11 @@ PCSD_SESSION_LIFETIME=3600
- # is 50 (even if set lower).
- PCSD_RESTART_AFTER_REQUESTS=200
- 
-+# These environment variables set the maximum query string bytesize and the
-+# maximum number of query parameters that pcsd will attempt to parse.
-+# See CVE-2025-46727 for details.
-+#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
-+#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
-+
- # Do not change
- RACK_ENV=production
-diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
-index 11698f54..a2634e4e 100644
---- a/pcsd/pcsd.rb
-+++ b/pcsd/pcsd.rb
-@@ -90,6 +90,11 @@ configure do
-   CAPABILITIES_PCSD = capabilities_pcsd.freeze
- end
- 
-+error Rack::QueryParser::QueryLimitError do
-+  $logger.warn(env['sinatra.error'].message)
-+  return 400, env['sinatra.error'].message
-+end
-+
- def run_cfgsync
-   node_connected = true
-   if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
--- 
-2.49.0
-

SPECS/pcs.spec

@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.7
+Release: 1%{?dist}
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -39,10 +39,10 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_nio4r 2.5.9
 %global version_rubygem_open4  1.3.4
 %global version_rubygem_puma 6.4.0
-%global version_rubygem_rack  2.2.20
+%global version_rubygem_rack  2.2.8
 %global version_rubygem_rack_protection  2.2.4
 %global version_rubygem_rack_test  2.1.0
-%global version_rubygem_rexml  3.4.1
+%global version_rubygem_rexml  3.2.6
 %global version_rubygem_ruby2_keywords  0.0.5
 %global version_rubygem_sinatra  2.2.4
 %global version_rubygem_tilt  2.3.0
@@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 
 # DO NOT UPDATE
 # Tornado 6.2 requires Python 3.7+
-%global tornado_version    6.1.0.pcs.2
+%global tornado_version    6.1.0
 
 %global pcs_bundled_dir pcs_bundled
 %global pcsd_public_dir pcsd/public
@@ -87,7 +87,7 @@ Source0: %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.
 Source1: HAM-logo.png
 
 Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
-Source42: https://github.com/CtrlZmaster/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
+Source42: https://github.com/tornadoweb/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
 Source43: https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
 Source44: https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
 Source45: https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
@@ -115,8 +115,6 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 # Patch1: bzNUMBER-01-name.patch
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
-Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
-Patch4: RHEL-90147-support-for-query-limits-in-rack.patch
 
 # git for patches
 BuildRequires: git-core
@@ -205,32 +203,31 @@ Requires: redhat-logos
 # needs logrotate for /etc/logrotate.d/pcsd
 Requires: logrotate
 
-Provides: bundled(python3-tornado) = %{tornado_version}
-Provides: bundled(python3-dataclasses) = %{dataclasses_version}
-Provides: bundled(python3-dacite) = %{dacite_version}
-Provides: bundled(python3-dateutil) = %{dateutil_version}
-
-Provides: bundled(rubygem-backports) = %{version_rubygem_backports}
-Provides: bundled(rubygem-ethon) = %{version_rubygem_ethon}
-Provides: bundled(rubygem-ffi) = %{version_rubygem_ffi}
-Provides: bundled(rubygem-json) = %{version_rubygem_json}
-Provides: bundled(rubygem-mustermann) = %{version_rubygem_mustermann}
-Provides: bundled(rubygem-nio4r) = %{version_rubygem_nio4r}
-Provides: bundled(rubygem-open4) = %{version_rubygem_open4}
-Provides: bundled(rubygem-puma) = %{version_rubygem_puma}
-Provides: bundled(rubygem-rack) = %{version_rubygem_rack}
-Provides: bundled(rubygem-rack-protection) = %{version_rubygem_rack_protection}
-Provides: bundled(rubygem-rack-test) = %{version_rubygem_rack_test}
-Provides: bundled(rubygem-rexml) = %{version_rubygem_rexml}
-Provides: bundled(rubygem-ruby2_keywords) = %{version_rubygem_ruby2_keywords}
-Provides: bundled(rubygem-sinatra) = %{version_rubygem_sinatra}
-Provides: bundled(rubygem-tilt) = %{version_rubygem_tilt}
+Provides: bundled(tornado) = %{tornado_version}
+Provides: bundled(dataclasses) = %{dataclasses_version}
+Provides: bundled(dacite) = %{dacite_version}
+Provides: bundled(dateutil) = %{dateutil_version}
+Provides: bundled(backports) = %{version_rubygem_backports}
+Provides: bundled(ethon) = %{version_rubygem_ethon}
+Provides: bundled(ffi) = %{version_rubygem_ffi}
+Provides: bundled(json) = %{version_rubygem_json}
+Provides: bundled(mustermann) = %{version_rubygem_mustermann}
+Provides: bundled(nio4r) = %{version_rubygem_nio4r}
+Provides: bundled(open4) = %{version_rubygem_open4}
+Provides: bundled(puma) = %{version_rubygem_puma}
+Provides: bundled(rack) = %{version_rubygem_rack}
+Provides: bundled(rack_protection) = %{version_rubygem_rack_protection}
+Provides: bundled(rack_test) = %{version_rubygem_rack_test}
+Provides: bundled(rexml) = %{version_rubygem_rexml}
+Provides: bundled(ruby2_keywords) = %{version_rubygem_ruby2_keywords}
+Provides: bundled(sinatra) = %{version_rubygem_sinatra}
+Provides: bundled(tilt) = %{version_rubygem_tilt}
 
 # javascript bundled libraries for old web-ui
-Provides: bundled(js-ember) = %{ember_version}
-Provides: bundled(js-handlebars) = %{handlebars_version}
-Provides: bundled(js-jquery) = %{jquery_version}
-Provides: bundled(js-jquery-ui) = %{jquery_ui_version}
+Provides: bundled(ember) = %{ember_version}
+Provides: bundled(handlebars) = %{handlebars_version}
+Provides: bundled(jquery) = %{jquery_version}
+Provides: bundled(jquery-ui) = %{jquery_ui_version}
 
 %description
 pcs is a corosync and pacemaker configuration tool.  It permits users to
@@ -243,7 +240,7 @@ Summary: Pacemaker cluster SNMP agent
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
 # BSD-2-Clause: pyagentx
-License: GPL-2.0-only AND BSD-2-Clause
+License: GPL-2.0-only and BSD-2-Clause
 URL: https://github.com/ClusterLabs/pcs
 
 # tar for unpacking pyagentx source tarball
@@ -253,7 +250,7 @@ Requires: pcs = %{version}-%{release}
 Requires: pacemaker
 Requires: net-snmp
 
-Provides: bundled(python3-pyagentx) = %{pyagentx_version}
+Provides: bundled(pyagentx) = %{pyagentx_version}
 
 %description -n %{pcs_snmp_pkg_name}
 SNMP agent that provides information about pacemaker cluster to the master agent (snmpd)
@@ -307,8 +304,6 @@ update_times_patch(){
 # update_times_patch %%{PATCH1}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
-update_times_patch %{PATCH3}
-update_times_patch %{PATCH4}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -565,40 +560,6 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
-* Wed Oct 22 2025 Michal Pospíšil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.7
-- Fixed CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 by updating bundled rubygem rack
-  Resolves: RHEL-120432, RHEL-120939, RHEL-121033, RHEL-123639, RHEL-124936
-
-* Mon Jun 23 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.6
-- Fixed CVE-2024-49761 by updating rubygem rexml
-  Resolves: RHEL-98708
-
-* Thu May 22 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.5
-- Fixed CVE-2024-47287 by patching bundled Tornado
-  Resolves: RHEL-93167
-- Fixed CVE-2025-46727 by updating bundled rubygem rack
-  Resolves: RHEL-90147
-
-* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%{?dist}.4
-- Fixed CVE-2024-52804 by patching bundled Tornado
-  Resolves: RHEL-81924
-
-* Wed Dec 4 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.3
-- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd
-  Resolves: RHEL-65595
-
-* Thu Aug 29 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.2
-- Updated rubygem rexml
-  Resolves: RHEL-52409, RHEL-52788, RHEL-55997
-
-* Wed Mar 20 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2
-- Updated rubygem rexml
-  Resolves: RHEL-37883
-
-* Wed Mar 20 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2
-- Fixed CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 in bundled dependency rack
-  Resolves: RHEL-26445, RHEL-26447, RHEL-26449
-
 * Mon Jan 8 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-1
 - Rebased to the latest sources (see CHANGELOG.md)
   Resolves: RHEL-7741