import OL resource-agents-4.9.0-54.el8_10.27

SOURCES/RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch

@@ -1,14 +1,6 @@
 --- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
 +++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-13 14:17:48.477104360 +0100
-@@ -350,6 +350,7 @@
-         self.reason = reason
-         self.strict = strict
-         self.decode_content = decode_content
-+        self._has_decoded_content = False
-         self.retries = retries
-         self.enforce_content_length = enforce_content_length
-         self.auto_close = auto_close
-@@ -414,7 +415,11 @@
+@@ -292,7 +292,11 @@
          Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
          """
          try:
@@ -20,27 +12,10 @@
 +            )
          except (HTTPError, SocketError, BaseSSLError, HTTPException):
              pass
- 
-@@ -536,6 +541,7 @@
-         try:
-             if self._decoder:
-                 data = self._decoder.decompress(data, max_length=max_length)
-+                self._has_decoded_content = True
-         except self.DECODER_ERROR_CLASSES as e:
-             content_encoding = self.headers.get("content-encoding", "").lower()
-             raise DecodeError(
 
 --- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
 +++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-13 14:17:48.477104360 +0100
-@@ -350,6 +350,7 @@
-         self.reason = reason
-         self.strict = strict
-         self.decode_content = decode_content
-+        self._has_decoded_content = False
-         self.retries = retries
-         self.enforce_content_length = enforce_content_length
-         self.auto_close = auto_close
-@@ -414,7 +415,11 @@
+@@ -292,7 +292,11 @@
          Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
          """
          try:
@@ -52,12 +27,3 @@
 +            )
          except (HTTPError, SocketError, BaseSSLError, HTTPException):
              pass
- 
-@@ -536,6 +541,7 @@
-         try:
-             if self._decoder:
-                 data = self._decoder.decompress(data, max_length=max_length)
-+                self._has_decoded_content = True
-         except self.DECODER_ERROR_CLASSES as e:
-             content_encoding = self.headers.get("content-encoding", "").lower()
-             raise DecodeError(

SOURCES/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch

@@ -1,28 +0,0 @@
---- a/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py	2019-10-17 07:00:19.000000000 +0200
-+++ b/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py	2026-01-27 10:43:12.757563432 +0100
-@@ -22,6 +22,10 @@
- 
- noValue = base.noValue
- 
-+# Maximum number of continuation octets (high-bit set) allowed per OID arc.
-+# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
-+MAX_OID_ARC_CONTINUATION_OCTETS = 20
-+
- 
- class AbstractDecoder(object):
-     protoComponent = None
-@@ -342,7 +346,14 @@
-                 # Construct subid from a number of octets
-                 nextSubId = subId
-                 subId = 0
-+                continuationOctetCount = 0
-                 while nextSubId >= 128:
-+                    continuationOctetCount += 1
-+                    if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
-+                        raise error.PyAsn1Error(
-+                            'OID arc exceeds maximum continuation octets limit (%d) '
-+                            'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
-+                        )
-                     subId = (subId << 7) + (nextSubId & 0x7F)
-                     if index >= substrateLen:
-                         raise error.SubstrateUnderrunError(

SOURCES/RHEL-152316-portblock-check-inverse-action.patch

@@ -1,156 +0,0 @@
---- a/heartbeat/portblock	2026-02-27 08:43:50.813925268 +0100
-+++ b/heartbeat/portblock	2026-02-27 08:44:40.481824601 +0100
-@@ -29,12 +29,17 @@
- OCF_RESKEY_direction_default="in"
- OCF_RESKEY_action_default=""
- OCF_RESKEY_method_default="drop"
--OCF_RESKEY_status_check_default="rule"
- OCF_RESKEY_ip_default="0.0.0.0/0"
- OCF_RESKEY_reset_local_on_unblock_stop_default="false"
- OCF_RESKEY_tickle_dir_default=""
- OCF_RESKEY_sync_script_default=""
- 
-+if ocf_is_ms; then
-+  OCF_RESKEY_status_check_default="rule"
-+else
-+  OCF_RESKEY_status_check_default="pseudo"
-+fi
-+
- : ${OCF_RESKEY_protocol=${OCF_RESKEY_protocol_default}}
- : ${OCF_RESKEY_portno=${OCF_RESKEY_portno_default}}
- : ${OCF_RESKEY_direction=${OCF_RESKEY_direction_default}}
-@@ -401,6 +406,10 @@
- 	done
- }
- 
-+# A long time ago, these messages needed to go to stdout,
-+# "running" / "OK" being the trigger string
-+# for heartbeat in haresources mode.
-+# Now they are still useful for debugging.
- SayActive()
- {
-   ocf_log debug "$CMD $method rule [$*] is running (OK)"
-@@ -416,6 +425,11 @@
-   ocf_log debug "$CMD $method rule [$*] is inactive"
- }
- 
-+SayConsideredInactive()
-+{
-+  ocf_log debug "$CMD $method rule [$*] considered to be inactive"
-+}
-+
- #IptablesStatus  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStatus() {
-   local rc
-@@ -441,8 +455,17 @@
-         fi
-         ;;
-       *)
--        SayInactive $*
--        rc=$OCF_NOT_RUNNING
-+        if [ "$OCF_RESKEY_status_check" != "rule" ] \
-+        && test -e "$state_file" && test "$inverse_state_file" -nt "$state_file"; then
-+          # rule present, action=unblock, unblock statefile present,
-+          # block state file more recent.
-+          # apparently an unusual setup: unblock first, block later
-+          SayConsideredActive $*
-+          rc=$OCF_SUCCESS
-+        else
-+          SayInactive $*
-+          rc=$OCF_NOT_RUNNING
-+        fi
-         ;;
-     esac
-   elif [ "$OCF_RESKEY_status_check" = "rule" ]; then
-@@ -454,6 +477,7 @@
-       *)
-         SayActive $*
-         if [ "$__OCF_ACTION" = "monitor" ] && [ "$promotion_score" = "$SCORE_PROMOTED" ]; then
-+          save_tcp_connections
-           rc=$OCF_RUNNING_MASTER
-         else
-           rc=$OCF_SUCCESS
-@@ -463,7 +487,10 @@
-   else
-     case $5 in
-       block)
--        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+        if test -e "$state_file" && test "$inverse_state_file" -nt "$state_file"; then
-+          # rule NOT present, action=block, block state file present,
-+          # unblock state file more recent.
-+          # expected setup: block first, unblock later
-           SayConsideredActive $*
-           rc=$OCF_SUCCESS
-         else
-@@ -472,13 +499,15 @@
-         fi
-         ;;
-       *)
--        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+        if test -e "$state_file" ; then
-+          # rule NOT present, action=unblock, unblock state file present
-           SayActive $*
--          #This is only run on real monitor events.
-+          # This is only run on real monitor events (state file present).
-           save_tcp_connections
-           rc=$OCF_SUCCESS
-         else
--          SayInactive $*
-+          # rule NOT present, action=unblock, unblock state file NOT present
-+          SayConsideredInactive $*
-           rc=$OCF_NOT_RUNNING
-         fi
-         ;;
-@@ -562,7 +591,7 @@
- #IptablesStart  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStart()
- {
--  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
-+  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start "$state_file"
-   case $5 in
-     block)	IptablesBLOCK "$@"
- 		rc=$?
-@@ -584,7 +613,8 @@
- #IptablesStop  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStop()
- {
--  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
-+  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop "$state_file"
-+
-   case $5 in
-     block)	IptablesUNBLOCK "$@"
- 		rc=$?
-@@ -797,6 +827,33 @@
- 
- IptablesValidateAll
- 
-+# State file name for ha_pseudo_resource
-+#
-+#  The expected usage of this agent is to pair a "block" with an "unblock",
-+#  and order startup and configuration of some service between these.
-+#
-+#  The established idiom is to have two separate instances with inverse actions.
-+#  To "reliably" report the status of "block" during a monitor action,
-+#  it is not sufficient to check the existence of the blocking rule.
-+#
-+#  It is also insufficient to rely on the pseudo resource state file
-+#  of this instance only.
-+#
-+#  To know our actual expectation, we need to check the state file of the
-+#  "inverse" instance as well.
-+#
-+#  Because we don't know the OCF_RESOURCE_INSTANCE value of the other instance,
-+#  we override the state file name for both instances to something derived from
-+#  our parameters.
-+#
-+#  This should give use the same "global state" view as the "promotion score"
-+#  does for the promotable clone variant of this agent.
-+#
-+[ "$action" = block ] && inverse_action=unblock || inverse_action=block
-+state_file_base=$(echo "portblock_${protocol}_${portno}_${ip}_${direction}" | tr -c '0-9a-zA-Z._' _)
-+state_file=${HA_RSCTMP}/${state_file_base}_${action}
-+inverse_state_file=${HA_RSCTMP}/${state_file_base}_${inverse_action}
-+
- case $__OCF_ACTION in
-   start)
- 			IptablesStart "$protocol" "$portno" "$ip" "$direction" "$action"

SPECS/resource-agents.spec

@@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.30
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.27
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -181,7 +181,6 @@ Patch84:	RHEL-116150-3-portblock-fixes-add-method-and-status_check-parameters.pa
 Patch85:	RHEL-124815-db2-fix-variable-name.patch
 Patch86:	RHEL-102979-1-nfsserver-support-non-clustered-kerberized-mounts.patch
 Patch87:	RHEL-102979-2-nfsserver-fix-error-message.patch
-Patch88:	RHEL-152316-portblock-check-inverse-action.patch
 
 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@@ -199,8 +198,7 @@ Patch1011:	RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
 Patch1012:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 Patch1013:	RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
 Patch1014:	RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
-Patch1015:	RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch
-Patch1016:	RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
+Patch1015:	RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
 
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@@ -458,7 +456,6 @@ exit 1
 %patch -p1 -P 85
 %patch -p1 -P 86
 %patch -p1 -P 87
-%patch -p1 -P 88
 
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@@ -760,7 +757,6 @@ pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1013}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1014}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1015}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1016}
 popd
 %endif
 
@@ -1055,22 +1051,6 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
-* Fri Feb 27 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.30
-- portblock: check inverse action state file for non-promotable
-  resources to avoid issues when doing e.g. block followed by unblock
-
-  Resolves: RHEL-152316
-
-* Thu Feb  5 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.29
-- bundled urllib3: fix issue with CVE-2026-21441 patch
-
-  Resolves: RHEL-146289
-
-* Tue Jan 27 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.28
-- bundled pyasn1: fix CVE-2026-23490
-
-  Resolves: RHEL-142448
-
 * Tue Jan 20 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.27
 - bundled urllib3: fix CVE-2025-66471
 - bundled urllib3: fix CVE-2026-21441