From 4d1f2885d62f9104f6b4306bc4fd0aeada245d07 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 9 Apr 2026 08:45:09 +0000
Subject: [PATCH] import OL resource-agents-4.9.0-54.el8_10.27
---
 ...-fix-bundled-urllib3-CVE-2026-21441.patch} | 38 +----
 ...48-fix-bundled-pyasn1-CVE-2026-23490.patch | 28 ----
 ...52316-portblock-check-inverse-action.patch | 156 ------------------
 SPECS/resource-agents.spec | 24 +--
 4 files changed, 4 insertions(+), 242 deletions(-)
 rename SOURCES/{RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch => RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch} (50%)
 delete mode 100644 SOURCES/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
 delete mode 100644 SOURCES/RHEL-152316-portblock-check-inverse-action.patch
diff --git a/SOURCES/RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch b/SOURCES/RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
similarity index 50%
rename from SOURCES/RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch
rename to SOURCES/RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
index 8acda54..a5e5811 100644
--- a/SOURCES/RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch
+++ b/SOURCES/RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
@@ -1,14 +1,6 @@
 --- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
 +++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
-@@ -350,6 +350,7 @@
- self.reason = reason
- self.strict = strict
- self.decode_content = decode_content
-+ self._has_decoded_content = False
- self.retries = retries
- self.enforce_content_length = enforce_content_length
- self.auto_close = auto_close
-@@ -414,7 +415,11 @@
+@@ -292,7 +292,11 @@
 Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
 """
 try:
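Review bot: The new side drops the `self._has_decoded_content = False` initializer from the bundled urllib3 patch (and, in the two hunks on the next line, the matching `self._has_decoded_content = True` assignment in the decoder path, for both the aliyun and the gcp copy) while keeping the CVE-2026-21441 drain_conn change, so the patch now applies the original fix without the correction that the deleted changelog entry on the last line records as RHEL-146289 "fix issue with CVE-2026-21441 patch". Only the closing `+                )` of the retained replacement block is visible; if that block still reads `_has_decoded_content`, the vendored response object would raise AttributeError on the drain path, and if it does not, the omission is harmless but undocumented. A one-line header above the first `---` of the patch file, `# Carries the CVE-2026-21441 drain_conn change only; the RHEL-146289 follow-up is not included`, would make the intent visible to the next importer. The replaced inner lines lie between the outer hunks and are not shown here.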
@@ -20,27 +12,10 @@
+ )
 except (HTTPError, SocketError, BaseSSLError, HTTPException):
 pass
-
-@@ -536,6 +541,7 @@
- try:
- if self._decoder:
- data = self._decoder.decompress(data, max_length=max_length)
-+ self._has_decoded_content = True
- except self.DECODER_ERROR_CLASSES as e:
- content_encoding = self.headers.get("content-encoding", "").lower()
- raise DecodeError(
 --- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
 +++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
-@@ -350,6 +350,7 @@
- self.reason = reason
- self.strict = strict
- self.decode_content = decode_content
-+ self._has_decoded_content = False
- self.retries = retries
- self.enforce_content_length = enforce_content_length
- self.auto_close = auto_close
-@@ -414,7 +415,11 @@
+@@ -292,7 +292,11 @@
 Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
 """
 try:
@@ -52,12 +27,3 @@
+ )
 except (HTTPError, SocketError, BaseSSLError, HTTPException):
 pass
-
-@@ -536,6 +541,7 @@
- try:
- if self._decoder:
- data = self._decoder.decompress(data, max_length=max_length)
-+ self._has_decoded_content = True
- except self.DECODER_ERROR_CLASSES as e:
- content_encoding = self.headers.get("content-encoding", "").lower()
- raise DecodeError(
diff --git a/SOURCES/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch b/SOURCES/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
deleted file mode 100644
index df70e18..0000000
--- a/SOURCES/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py 2019-10-17 07:00:19.000000000 +0200
-+++ b/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py 2026-01-27 10:43:12.757563432 +0100
-@@ -22,6 +22,10 @@
-
- noValue = base.noValue
-
-+# Maximum number of continuation octets (high-bit set) allowed per OID arc.
-+# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
-+MAX_OID_ARC_CONTINUATION_OCTETS = 20
-+
-
- class AbstractDecoder(object):
- protoComponent = None
-@@ -342,7 +346,14 @@
- # Construct subid from a number of octets
- nextSubId = subId
- subId = 0
-+ continuationOctetCount = 0
- while nextSubId >= 128:
-+ continuationOctetCount += 1
-+ if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
-+ raise error.PyAsn1Error(
-+ 'OID arc exceeds maximum continuation octets limit (%d) '
-+ 'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
-+ )
- subId = (subId << 7) + (nextSubId & 0x7F)
- if index >= substrateLen:
- raise error.SubstrateUnderrunError(
diff --git a/SOURCES/RHEL-152316-portblock-check-inverse-action.patch b/SOURCES/RHEL-152316-portblock-check-inverse-action.patch
deleted file mode 100644
index bbba366..0000000
--- a/SOURCES/RHEL-152316-portblock-check-inverse-action.patch
+++ /dev/null
@@ -1,156 +0,0 @@
---- a/heartbeat/portblock 2026-02-27 08:43:50.813925268 +0100
-+++ b/heartbeat/portblock 2026-02-27 08:44:40.481824601 +0100
-@@ -29,12 +29,17 @@
- OCF_RESKEY_direction_default="in"
- OCF_RESKEY_action_default=""
- OCF_RESKEY_method_default="drop"
--OCF_RESKEY_status_check_default="rule"
- OCF_RESKEY_ip_default="0.0.0.0/0"
- OCF_RESKEY_reset_local_on_unblock_stop_default="false"
- OCF_RESKEY_tickle_dir_default=""
- OCF_RESKEY_sync_script_default=""
-
-+if ocf_is_ms; then
-+ OCF_RESKEY_status_check_default="rule"
-+else
-+ OCF_RESKEY_status_check_default="pseudo"
-+fi
-+
- : ${OCF_RESKEY_protocol=${OCF_RESKEY_protocol_default}}
- : ${OCF_RESKEY_portno=${OCF_RESKEY_portno_default}}
- : ${OCF_RESKEY_direction=${OCF_RESKEY_direction_default}}
-@@ -401,6 +406,10 @@
- done
- }
-
-+# A long time ago, these messages needed to go to stdout,
-+# "running" / "OK" being the trigger string
-+# for heartbeat in haresources mode.
-+# Now they are still useful for debugging.
- SayActive()
- {
- ocf_log debug "$CMD $method rule [$*] is running (OK)"
-@@ -416,6 +425,11 @@
- ocf_log debug "$CMD $method rule [$*] is inactive"
- }
-
-+SayConsideredInactive()
-+{
-+ ocf_log debug "$CMD $method rule [$*] considered to be inactive"
-+}
-+
- #IptablesStatus {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStatus() {
- local rc
-@@ -441,8 +455,17 @@
- fi
- ;;
- *)
-- SayInactive $*
-- rc=$OCF_NOT_RUNNING
-+ if [ "$OCF_RESKEY_status_check" != "rule" ] \
-+ && test -e "$state_file" && test "$inverse_state_file" -nt "$state_file"; then
-+ # rule present, action=unblock, unblock statefile present,
-+ # block state file more recent.
-+ # apparently an unusual setup: unblock first, block later
-+ SayConsideredActive $*
-+ rc=$OCF_SUCCESS
-+ else
-+ SayInactive $*
-+ rc=$OCF_NOT_RUNNING
-+ fi
- ;;
- esac
- elif [ "$OCF_RESKEY_status_check" = "rule" ]; then
-@@ -454,6 +477,7 @@
- *)
- SayActive $*
- if [ "$__OCF_ACTION" = "monitor" ] && [ "$promotion_score" = "$SCORE_PROMOTED" ]; then
-+ save_tcp_connections
- rc=$OCF_RUNNING_MASTER
- else
- rc=$OCF_SUCCESS
-@@ -463,7 +487,10 @@
- else
- case $5 in
- block)
-- if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+ if test -e "$state_file" && test "$inverse_state_file" -nt "$state_file"; then
-+ # rule NOT present, action=block, block state file present,
-+ # unblock state file more recent.
-+ # expected setup: block first, unblock later
- SayConsideredActive $*
- rc=$OCF_SUCCESS
- else
-@@ -472,13 +499,15 @@
- fi
- ;;
- *)
-- if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+ if test -e "$state_file" ; then
-+ # rule NOT present, action=unblock, unblock state file present
- SayActive $*
-- #This is only run on real monitor events.
-+ # This is only run on real monitor events (state file present).
- save_tcp_connections
- rc=$OCF_SUCCESS
- else
-- SayInactive $*
-+ # rule NOT present, action=unblock, unblock state file NOT present
-+ SayConsideredInactive $*
- rc=$OCF_NOT_RUNNING
- fi
- ;;
-@@ -562,7 +591,7 @@
- #IptablesStart {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStart()
- {
-- ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
-+ ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start "$state_file"
- case $5 in
- block) IptablesBLOCK "$@"
- rc=$?
-@@ -584,7 +613,8 @@
- #IptablesStop {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStop()
- {
-- ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
-+ ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop "$state_file"
-+
- case $5 in
- block) IptablesUNBLOCK "$@"
- rc=$?
-@@ -797,6 +827,33 @@
-
- IptablesValidateAll
-
-+# State file name for ha_pseudo_resource
-+#
-+# The expected usage of this agent is to pair a "block" with an "unblock",
-+# and order startup and configuration of some service between these.
-+#
-+# The established idiom is to have two separate instances with inverse actions.
-+# To "reliably" report the status of "block" during a monitor action,
-+# it is not sufficient to check the existence of the blocking rule.
-+#
-+# It is also insufficient to rely on the pseudo resource state file
-+# of this instance only.
-+#
-+# To know our actual expectation, we need to check the state file of the
-+# "inverse" instance as well.
-+#
-+# Because we don't know the OCF_RESOURCE_INSTANCE value of the other instance,
-+# we override the state file name for both instances to something derived from
-+# our parameters.
-+#
-+# This should give use the same "global state" view as the "promotion score"
-+# does for the promotable clone variant of this agent.
-+#
-+[ "$action" = block ] && inverse_action=unblock || inverse_action=block
-+state_file_base=$(echo "portblock_${protocol}_${portno}_${ip}_${direction}" | tr -c '0-9a-zA-Z._' _)
-+state_file=${HA_RSCTMP}/${state_file_base}_${action}
-+inverse_state_file=${HA_RSCTMP}/${state_file_base}_${inverse_action}
-+
- case $__OCF_ACTION in
- start)
- IptablesStart "$protocol" "$portno" "$ip" "$direction" "$action"
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index ca358a9..90f4592 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -73,7 +73,7 @@ Name: resource-agents
 Summary: Open Source HA Reusable Cluster Resource Scripts
 Version: 4.9.0
-Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.30
+Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.27
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -181,7 +181,6 @@ Patch84: RHEL-116150-3-portblock-fixes-add-method-and-status_check-parameters.pa
 Patch85: RHEL-124815-db2-fix-variable-name.patch
 Patch86: RHEL-102979-1-nfsserver-support-non-clustered-kerberized-mounts.patch
 Patch87: RHEL-102979-2-nfsserver-fix-error-message.patch
-Patch88: RHEL-152316-portblock-check-inverse-action.patch
 # bundle patches
 Patch1000: 7-gcp-bundled.patch
@@ -199,8 +198,7 @@ Patch1011: RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
 Patch1012: RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 Patch1013: RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
 Patch1014: RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
-Patch1015: RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch
-Patch1016: RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
+Patch1015: RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
 Obsoletes: heartbeat-resources <= %{version}
 Provides: heartbeat-resources = %{version}
@@ -458,7 +456,6 @@ exit 1
 %patch -p1 -P 85
 %patch -p1 -P 86
 %patch -p1 -P 87
-%patch -p1 -P 88
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@@ -760,7 +757,6 @@ pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1013}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1014}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1015}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1016}
 popd
 %endif
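Review bot: Removing `Patch1016: RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch` in the `@@ -199` hunk (and its `%{PATCH1016}` application in the `@@ -760` hunk) leaves the bundled gcp pyasn1 BER decoder without the per-arc continuation-octet limit that the deleted patch added, while the Release in the `@@ -73` hunk moves from `.30` back to `.27`, so the built package lands below a release that already carried that fix and the changelog entries for .28 to .30 are deleted on the next line. The patch declarations, `%prep` and the bundled-library `%install` loop are consistent with each other after the change, but nothing in the spec records that CVE-2026-23490 and the RHEL-146289 urllib3 follow-up are intentionally out of scope for this import. A changelog entry for the new build, or at least a comment next to the patch list such as `# CVE-2026-23490 (bundled pyasn1) and the RHEL-146289 urllib3 follow-up are not carried in this build`, would let a reader tell a deliberate downgrade from a lost patch. A comparison of the `%{version}-%{release}` being imported against the last shipped one, before this spec is built, is the check I would add to the import step.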
@@ -1055,22 +1051,6 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 %changelog
-* Fri Feb 27 2026 Oyvind Albrigtsen - 4.9.0-54.30
-- portblock: check inverse action state file for non-promotable
- resources to avoid issues when doing e.g. block followed by unblock
-
- Resolves: RHEL-152316
-
-* Thu Feb 5 2026 Oyvind Albrigtsen - 4.9.0-54.29
-- bundled urllib3: fix issue with CVE-2026-21441 patch
-
- Resolves: RHEL-146289
-
-* Tue Jan 27 2026 Oyvind Albrigtsen - 4.9.0-54.28
-- bundled pyasn1: fix CVE-2026-23490
-
- Resolves: RHEL-142448
-
 * Tue Jan 20 2026 Oyvind Albrigtsen - 4.9.0-54.27
 - bundled urllib3: fix CVE-2025-66471
 - bundled urllib3: fix CVE-2026-21441