diff --git a/.gitignore b/.gitignore
index 0be9218..65e1103 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 SOURCES/colorama-0.3.3.tar.gz
 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 SOURCES/httplib2-0.20.4.tar.gz
-SOURCES/pycryptodome-3.6.4.tar.gz
+SOURCES/pycryptodome-3.20.0.tar.gz
 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 SOURCES/pyroute2-0.4.13.tar.gz
+SOURCES/urllib3-1.26.18.tar.gz
diff --git a/.resource-agents.metadata b/.resource-agents.metadata
index 72a2f70..b562fa0 100644
--- a/.resource-agents.metadata
+++ b/.resource-agents.metadata
@@ -6,6 +6,7 @@ f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar
 0fe5bd8bca54dd71223778a1e0bcca9af324abb1 SOURCES/colorama-0.3.3.tar.gz
 81f039cf075e9c8b70d5af99c189296a9e031de3 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 7caf4412d9473bf17352316249a8133fa70b7e37 SOURCES/httplib2-0.20.4.tar.gz
-326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
+c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
 c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 147149db11104c06d405fd077dcd2aa1c345f109 SOURCES/pyroute2-0.4.13.tar.gz
+84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz
diff --git a/SOURCES/bz2040110-IPaddr2-IPsrcaddr-3-dont-use-table-parameter.patch b/SOURCES/bz2040110-IPaddr2-IPsrcaddr-3-dont-use-table-parameter.patch
new file mode 100644
index 0000000..ef5d8d5
--- /dev/null
+++ b/SOURCES/bz2040110-IPaddr2-IPsrcaddr-3-dont-use-table-parameter.patch
@@ -0,0 +1,79 @@ +From cf2fd2a9cf06dc2e915f2fb5dbcc5e09e907a6df Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Thu, 5 Oct 2023 11:53:18 +0200 +Subject: [PATCH] findif.sh: dont use table parameter as it returns no netmask + (tested with main/local/custom tables) + +--- + heartbeat/IPaddr2 | 12 ------------ + heartbeat/findif.sh | 8 ++++---- + 2 files changed, 4 insertions(+), 16 deletions(-) + +diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2 +index e8384c5866..97a7431a24 100755 +--- a/heartbeat/IPaddr2 ++++ b/heartbeat/IPaddr2 +@@ -73,7 +73,6 @@ OCF_RESKEY_ip_default="" + OCF_RESKEY_cidr_netmask_default="" + OCF_RESKEY_broadcast_default="" + OCF_RESKEY_iflabel_default="" +-OCF_RESKEY_table_default="" + OCF_RESKEY_cidr_netmask_default="" + OCF_RESKEY_lvs_support_default=false + OCF_RESKEY_lvs_ipv6_addrlabel_default=false +@@ -98,7 +97,6 @@ OCF_RESKEY_network_namespace_default="" + : ${OCF_RESKEY_cidr_netmask=${OCF_RESKEY_cidr_netmask_default}} + : ${OCF_RESKEY_broadcast=${OCF_RESKEY_broadcast_default}} + : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}} +-: ${OCF_RESKEY_table=${OCF_RESKEY_table_default}} + : ${OCF_RESKEY_lvs_support=${OCF_RESKEY_lvs_support_default}} + : ${OCF_RESKEY_lvs_ipv6_addrlabel=${OCF_RESKEY_lvs_ipv6_addrlabel_default}} + : ${OCF_RESKEY_lvs_ipv6_addrlabel_value=${OCF_RESKEY_lvs_ipv6_addrlabel_value_default}} +@@ -241,16 +239,6 @@ If a label is specified in nic name, this parameter has no effect. + + + +- +- +-Table to use to lookup which interface to use for the IP. +- +-This can be used for policy based routing. See man ip-rule(8). +- +-Table +- +- +- + + + Enable support for LVS Direct Routing configurations. 
In case a IP +diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh +index 6c04c98c19..5f1c19ec3c 100644 +--- a/heartbeat/findif.sh ++++ b/heartbeat/findif.sh +@@ -32,7 +32,7 @@ prefixcheck() { + getnetworkinfo() + { + local line netinfo +- ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line; ++ ip -o -f inet route list match $OCF_RESKEY_ip scope host | (while read line; + do + netinfo=`echo $line | awk '{print $2}'` + case $netinfo in +@@ -210,14 +210,14 @@ findif() + fi + findif_check_params $family || return $? + +- if [ -n "$netmask" ] ; then ++ if [ -n "$netmask" ]; then + match=$match/$netmask + fi + if [ -n "$nic" ] ; then + # NIC supports more than two. +- set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}') ++ set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}') + else +- set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}') ++ set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}') + fi + if [ $# = 0 ] ; then + case $OCF_RESKEY_ip in diff --git a/SOURCES/python3-syntax-fixes.patch b/SOURCES/python3-syntax-fixes.patch index a34e312..c669dd5 100644 --- a/SOURCES/python3-syntax-fixes.patch +++ b/SOURCES/python3-syntax-fixes.patch 
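Review bot: The carried patch drops `OCF_RESKEY_table` from the IPaddr2 defaults and metadata and from all three `ip ... route list match` calls in findif.sh, but nothing on the new side reports a `table` value that an already-configured resource may still pass (Patch56 in this spec appears to be the earlier table-parameter change). With the lookup now done without a table selector, such a resource could place the address on a different interface than its policy-routing table named, which matters where that table keeps cluster traffic on a segregated network. I would log it in IPaddr2's validation path, e.g. `[ -n "$OCF_RESKEY_table" ] && ocf_log warn "table is no longer used for interface lookup"`, and mention the behaviour change in the changelog entry. getnetworkinfo() and findif() both continue outside the quoted hunks, so whether a warning already exists elsewhere is not visible here.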
@@ -590,116 +590,3 @@ diff -uNr a/bundled/aliyun/colorama/demos/demo07.py b/bundled/aliyun/colorama/de if __name__ == '__main__': -diff -uNr a/bundled/aliyun/pycryptodome/Doc/conf.py b/bundled/aliyun/pycryptodome/Doc/conf.py ---- a/bundled/aliyun/pycryptodome/Doc/conf.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/Doc/conf.py 2018-10-08 12:08:11.122188094 +0200 -@@ -15,7 +15,7 @@ - - # Modules to document with autodoc are in another directory - sys.path.insert(0, os.path.abspath('../lib')) --print sys.path -+print(sys.path) - - # Mock existance of native modules - from Crypto.Util import _raw_api -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py 2018-10-08 12:08:11.123188075 +0200 -@@ -302,7 +302,7 @@ - randfunc = kwargs.pop("randfunc", None) - prime_filter = kwargs.pop("prime_filter", lambda x: True) - if kwargs: -- print "Unknown parameters:", kwargs.keys() -+ print("Unknown parameters:", kwargs.keys()) - - if exact_bits is None: - raise ValueError("Missing exact_bits parameter") -@@ -341,7 +341,7 @@ - exact_bits = kwargs.pop("exact_bits", None) - randfunc = kwargs.pop("randfunc", None) - if kwargs: -- print "Unknown parameters:", kwargs.keys() -+ print("Unknown parameters:", kwargs.keys()) - - if randfunc is None: - randfunc = Random.new().read -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py 2018-10-08 12:08:11.124188057 +0200 -@@ -912,4 +912,4 @@ - count = 30 - for x in xrange(count): - _ = point * d -- print (time.time() - start) / count * 1000, "ms" -+ 
print((time.time() - start) / count * 1000, "ms") -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py 2018-10-08 12:08:11.124188057 +0200 -@@ -1276,7 +1276,7 @@ - tests += make_block_tests(AES, "AESNI", test_data, {'use_aesni': True}) - tests += [ TestMultipleBlocks(True) ] - else: -- print "Skipping AESNI tests" -+ print("Skipping AESNI tests") - return tests - - if __name__ == '__main__': -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py 2018-10-08 12:08:11.125188038 +0200 -@@ -894,7 +894,7 @@ - if config.get('slow_tests'): - tests += list_test_cases(NISTTestVectorsGCM_no_clmul) - else: -- print "Skipping test of PCLMULDQD in AES GCM" -+ print("Skipping test of PCLMULDQD in AES GCM") - - return tests - -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py 2018-10-08 12:08:11.125188038 +0200 -@@ -39,7 +39,7 @@ - """Convert a text string with bytes in hex form to a byte string""" - clean = b(rws(t)) - if len(clean)%2 == 1: -- print clean -+ print(clean) - raise ValueError("Even number of characters expected") - return a2b_hex(clean) - -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py 
b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py 2018-10-08 12:08:11.126188020 +0200 -@@ -25,11 +25,11 @@ - - slow_tests = not "--skip-slow-tests" in sys.argv - if not slow_tests: -- print "Skipping slow tests" -+ print("Skipping slow tests") - - wycheproof_warnings = "--wycheproof-warnings" in sys.argv - if wycheproof_warnings: -- print "Printing Wycheproof warnings" -+ print("Printing Wycheproof warnings") - - config = {'slow_tests' : slow_tests, 'wycheproof_warnings' : wycheproof_warnings } - SelfTest.run(stream=sys.stdout, verbosity=1, config=config) -diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py ---- a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py 2018-07-10 21:32:46.000000000 +0200 -+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py 2018-10-08 12:08:11.126188020 +0200 -@@ -369,13 +369,13 @@ - ] - - for key, words in data: -- print 'Trying key', key -+ print('Trying key', key) - key=binascii.a2b_hex(key) - w2=key_to_english(key) - if w2!=words: -- print 'key_to_english fails on key', repr(key), ', producing', str(w2) -+ print('key_to_english fails on key', repr(key), ', producing', str(w2)) - k2=english_to_key(words) - if k2!=key: -- print 'english_to_key fails on key', repr(key), ', producing', repr(k2) -+ print('english_to_key fails on key', repr(key), ', producing', repr(k2)) diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec index 5630859..1825c8a 100644 --- a/SPECS/resource-agents.spec +++ b/SPECS/resource-agents.spec 
@@ -43,7 +43,7 @@ %global colorama_dir %{bundled_lib_dir}/aliyun/%{colorama} # python-pycryptodome bundle %global pycryptodome pycryptodome -%global pycryptodome_version 3.6.4 +%global pycryptodome_version 3.20.0 %global pycryptodome_dir %{bundled_lib_dir}/aliyun/%{pycryptodome} # python-aliyun-sdk-core bundle %global aliyunsdkcore aliyun-python-sdk-core @@ -61,6 +61,10 @@ %global aliyuncli aliyun-cli %global aliyuncli_version 2.1.10 %global aliyuncli_dir %{bundled_lib_dir}/aliyun/%{aliyuncli} +## fix CVEs +# urllib3 bundle +%global urllib3 urllib3 +%global urllib3_version 1.26.18 # determine the ras-set to process based on configure invokation %bcond_with rgmanager @@ -69,7 +73,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.9.0 -Release: 47%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} +Release: 48%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.0.1 License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/resource-agents %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} @@ -88,6 +92,7 @@ Source7: %{aliyunsdkcore}-%{aliyunsdkcore_version}.tar.gz Source8: %{aliyunsdkecs}-%{aliyunsdkecs_version}.tar.gz Source9: %{aliyunsdkvpc}-%{aliyunsdkvpc_version}.tar.gz Source10: %{aliyuncli}-%{aliyuncli_version}.tar.gz +Source11: %{urllib3}-%{urllib3_version}.tar.gz Patch0: nova-compute-wait-NovaEvacuate.patch Patch1: bz1872754-pgsqlms-new-ra.patch Patch2: bz1995178-storage-mon-fix-typo.patch @@ -148,6 +153,7 @@ Patch56: bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch Patch57: bz2189243-Filesystem-1-improve-stop-action.patch Patch58: bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch Patch59: bz2189243-Filesystem-3-fix-signal_delay-default-value.patch +Patch60: bz2040110-IPaddr2-IPsrcaddr-3-dont-use-table-parameter.patch # bundle patches Patch1000: 7-gcp-bundled.patch 
@@ -254,6 +260,8 @@ Provides: bundled(python-aliyun-sdk-ecs) = %{aliyunsdkecs_version} Provides: bundled(python-aliyun-sdk-vpc) = %{aliyunsdkvpc_version} # aliyuncli bundle Provides: bundled(aliyuncli) = %{aliyuncli_version} +# urllib3 bundle +Provides: bundled(python-urllib3) = %{urllib3_version} %description aliyun Alibaba Cloud (Aliyun) resource agents allows Alibaba Cloud @@ -293,7 +301,7 @@ Provides: bundled(python-pyparsing) = 2.1.10 Provides: bundled(python-requests) = 2.10.0 Provides: bundled(python-six) = 1.11.0 Provides: bundled(python-uritemplate) = 3.0.0 -Provides: bundled(python-urllib3) = 1.15.1 +Provides: bundled(python-urllib3) = %{urllib3_version} Provides: bundled(python-websocket) = 0.47.0 Provides: bundled(python-yaml) = 3.12 # python-pyroute2 bundle @@ -387,6 +395,7 @@ exit 1 %patch57 -p1 %patch58 -p1 %patch59 -p1 +%patch60 -p1 chmod 755 heartbeat/nova-compute-wait chmod 755 heartbeat/NovaEvacuate @@ -621,6 +630,9 @@ make install DESTDIR=%{buildroot} # google-cloud-sdk bundle %ifarch x86_64 pushd %{googlecloudsdk_dir} +# fix urllib3 CVEs +rm -rf lib/third_party/urllib3 +%{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3 mkdir -p %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir} cp -a bin data lib %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir} mkdir %{buildroot}/%{_bindir} @@ -649,6 +661,9 @@ popd # python-aliyun-sdk-core bundle pushd %{aliyunsdkcore_dir} %{__python3} setup.py install -O1 --skip-build --root %{buildroot} --install-lib /usr/lib/%{name}/%{bundled_lib_dir}/aliyun +# fix urllib3 CVEs +rm -rf %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3 +%{__python3} -m pip install --target %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages --no-index --find-links %{_sourcedir} urllib3 popd # python-aliyun-sdk-ecs bundle 
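Review bot: Both new `pip install` lines (here in the google-cloud-sdk bundle step and again in the `@@ -649,6 +661,9 @@` aliyun hunk) name plain `urllib3`, so the copy that lands in the bundle is whatever `--find-links %{_sourcedir}` offers, not necessarily the version declared by `Provides: bundled(python-urllib3) = %{urllib3_version}`. Pin the requirement so the build fails rather than shipping a different copy than the CVE fix claims: `%{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3==%{urllib3_version}`. Adding `--no-deps` would also keep pip from pulling anything else it finds in the source directory into the bundle.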
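Review bot: The aliyun hunk replaces the urllib3 copy vendored under `aliyunsdkcore/vendored/requests/packages` with 1.26.18 without any check that the vendored requests still imports against it; the requests version in that bundle is not visible here, so compatibility is an assumption. A one-line smoke test after the install would catch a broken bundle at build time, e.g. `PYTHONPATH=%{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun %{__python3} -c 'import aliyunsdkcore.vendored.requests'`. `pip --target` also leaves a `urllib3-*.dist-info` directory next to the package, which the `%files` list (outside this hunk) has to own, or this step should remove it.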
@@ -962,17 +977,22 @@ ccs_update_schema > /dev/null 2>&1 ||: %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm %changelog +* Wed Feb 21 2024 Craig Guiller - 4.9.0-48.0.1 +- bundled urllib3: fix CVE-2023-45803 +- bundled pycryptodome: fix CVE-2023-52323 + + Resolves: RHEL-22431, RHEL-20916 +* Thu Oct 5 2023 Oyvind Albrigtsen - 4.9.0-48 +- IPaddr2/IPsrcaddr: support policy-based routing + + Resolves: rhbz#2040110 + * Thu Jul 20 2023 Oyvind Albrigtsen - 4.9.0-47 - Filesystem: improve stop-action and allow setting term/kill signals and signal_delay for large filesystems Resolves: rhbz#2189243 -* Wed Jun 21 2023 Oyvind Albrigtsen - 4.9.0-44 -- IPaddr2/IPsrcaddr: support policy-based routing - - Resolves: rhbz#2040110 - * Wed Jun 14 2023 Oyvind Albrigtsen - 4.9.0-43 - mysql: fix replication issues