From e977f9116e7de4bd5bd42e8cbc4b9362d41c90f0 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Tue, 27 Jan 2026 13:58:48 +0100
Subject: [PATCH] - bundled pyasn1: fix CVE-2026-23490

Resolves: RHEL-142448
---
 ...48-fix-bundled-pyasn1-CVE-2026-23490.patch | 28 +++++++++++++++++++
 resource-agents.spec | 9 +++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch

diff --git a/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch b/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
new file mode 100644
index 0000000..df70e18
--- /dev/null
+++ b/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
@@ -0,0 +1,28 @@
+--- a/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py 2019-10-17 07:00:19.000000000 +0200
++++ b/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py 2026-01-27 10:43:12.757563432 +0100
+@@ -22,6 +22,10 @@
+
+ noValue = base.noValue
+
++# Maximum number of continuation octets (high-bit set) allowed per OID arc.
++# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
++MAX_OID_ARC_CONTINUATION_OCTETS = 20
++
+
+ class AbstractDecoder(object):
+ protoComponent = None
+@@ -342,7 +346,14 @@
+ # Construct subid from a number of octets
+ nextSubId = subId
+ subId = 0
++ continuationOctetCount = 0
+ while nextSubId >= 128:
++ continuationOctetCount += 1
++ if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
++ raise error.PyAsn1Error(
++ 'OID arc exceeds maximum continuation octets limit (%d) '
++ 'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
++ )
+ subId = (subId << 7) + (nextSubId & 0x7F)
+ if index >= substrateLen:
+ raise error.SubstrateUnderrunError(
diff --git a/resource-agents.spec b/resource-agents.spec
index 90f4592..1d9d3b9 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
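Review bot: The comment introduced with `MAX_OID_ARC_CONTINUATION_OCTETS` understates what the guard allows: the check inside the `while nextSubId >= 128` loop raises on the 21st high-bit octet, so one arc may still be assembled from 20 continuation octets plus its terminating octet, 21 * 7 = 147 bits rather than 140 (a 128-bit UUID arc needs 19 octets in total, so the limit itself is adequate). Suggest `# 20 continuation octets + the final octet = 21 * 7 = 147 bits, enough for 128-bit (UUID) arcs`. Because the count is checked before the next octet is folded into `subId`, the limit bounds both the per-arc loop work and the size of the integer being shifted, which is presumably the resource-exhaustion exposure this CVE covers. If the bundled copy also carries a RELATIVE-OID decoder with the same arc-decoding loop it needs the same guard, and this patch does not touch it. The enclosing decoding method starts and ends outside the hunk.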
@@ -73,7 +73,7 @@
 Name: resource-agents
 Summary: Open Source HA Reusable Cluster Resource Scripts
 Version: 4.9.0
-Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.27
+Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.28
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -199,6 +199,7 @@ Patch1012: RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 Patch1013: RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
 Patch1014: RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
 Patch1015: RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
+Patch1016: RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch

 Obsoletes: heartbeat-resources <= %{version}
 Provides: heartbeat-resources = %{version}
@@ -757,6 +758,7 @@ pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1013}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1014}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1015}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1016}
 popd

 %endif
@@ -1051,6 +1053,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
+* Tue Jan 27 2026 Oyvind Albrigtsen - 4.9.0-54.28
+- bundled pyasn1: fix CVE-2026-23490
+
+ Resolves: RHEL-142448
+
 * Tue Jan 20 2026 Oyvind Albrigtsen - 4.9.0-54.27
 - bundled urllib3: fix CVE-2025-66471
 - bundled urllib3: fix CVE-2026-21441