diff --git a/CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch b/CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d6feb9bacd90ea781c443433359efa3ec280e3b
--- /dev/null
+++ b/CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch
@@ -0,0 +1,59 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst | 5 ++++
+ docs/user-guide.rst | 3 +++
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/aws/urllib3/util/retry.py
++++ b/aws/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+--- a/awscli/urllib3/util/retry.py
++++ b/awscli/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+--- a/azure/urllib3/util/retry.py
++++ b/azure/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+--- a/google/urllib3/util/retry.py
++++ b/google/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
diff --git a/CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch b/CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7e5004381eadd05758259fe2114e4208fb8e5b9
--- /dev/null
+++ b/CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch
@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst | 5 ++++
+ docs/user-guide.rst | 3 +++
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
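Review bot: The header carried over from the upstream commit does not describe this patch: the single `diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py` / `index ea48afe3ca..7572bfd26a` pair and the diffstat naming CHANGES.rst, docs/user-guide.rst and two test files ("5 files changed") precede four `---`/`+++` sections for `aws/`, `awscli/`, `azure/` and `google/` that change only retry.py. GNU patch takes its file names from the `---`/`+++` lines, which is why the spec's `/usr/bin/patch -p1` call under `support/` works, but tools that trust the `diff --git` header (git apply, diffstat) are likely to reject or misattribute the extra sections, and a reader is sent looking for test changes that are not here. I would drop the `diff --git`, `index` and diffstat lines, keep `From`/`Date`/`Subject`, and add one line such as `Backport of https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d (util/retry.py only), re-rooted on the bundled copies under support/` so the provenance survives without the misleading metadata. The kubevirt patch in the next hunk copies the same header and needs the same trim.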
diff --git a/certifi-2021.10.8.tar.gz b/certifi-2021.10.8.tar.gz
deleted file mode 100644
index 9e1581b8e08fbbaad11e4413dac9324c03104754..0000000000000000000000000000000000000000
Binary files a/certifi-2021.10.8.tar.gz and /dev/null differ
diff --git a/certifi-2023.7.22.tar.gz b/certifi-2023.7.22.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..7f62db5cedcd41fcbbf20e94c7bbcca99c1f58fe
Binary files /dev/null and b/certifi-2023.7.22.tar.gz differ
diff --git a/fence-agents.spec b/fence-agents.spec
index 793d76f7fe57b59fe10ebc20b6d24e8d3e77d975..a070fddcd2801691dd2847ab1c57886430e2022b 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -6,8 +6,6 @@
 # keep around ready for later user
 ## global alphatag git0a6184070
-# bundles
-%global bundled_lib_dir bundled
 # kubevirt
 %global openshift openshift
 %global openshift_version 0.12.1
@@ -16,7 +14,7 @@
 %global kubernetes kubernetes
 %global kubernetes_version 12.0.1
 %global certifi certifi
-%global certifi_version 2021.10.8
+%global certifi_version 2023.7.22
 %global googleauth google-auth
 %global googleauth_version 2.3.0
 %global cachetools cachetools
@@ -59,7 +57,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 20%{?alphatag:.%{alphatag}}%{?dist}.2
+Release: 20%{?alphatag:.%{alphatag}}%{?dist}.3
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -244,6 +242,12 @@ Patch17: bz2042496-fence_ibm_vpc-fence_ibm_powervs.patch
 Patch18: bz2022334-fence_zvmip-add-disable-ssl.patch
 Patch19: bz2086839-1-fence_apc-fence_ilo_moonshot-import-logging.patch
 Patch20: bz2086839-2-fence_lpar-fix-import-fail_usage.patch
+# all arch
+# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
+Patch1001: CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch
+# cloud (x86_64 only)
+# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
+Patch2001: CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -410,6 +414,25 @@ done
 # sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws
 # %endif
+
+# regular patch doesnt work in build-section
+# Patch2001
+%ifarch x86_64
+pushd support
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
+popd
+%endif
+
+# kubevirt
+%{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm MarkupSafe
+%{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
+rm -rf kubevirt/rsa*
+# Patch1001
+pushd support
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1001}
+popd
+
+
 ./autogen.sh
 %{configure} --disable-libvirt-qmf-plugin PYTHONPATH="support/aliyun:support/aws:support/azure:support/google:support/openstack:support/common" --with-agents='%{supportedagents} %{testagents}' CFLAGS="$(echo '%{optflags}')"
 make %{_smp_mflags}
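Review bot: `rm -rf kubevirt/rsa*` in the new kubevirt block of the `@@ -410` hunk removes nothing: pip installs into `support/kubevirt` on the line above and the `pushd support` that follows indicates the build runs from the source root, so the glob names a directory that does not exist, `rm -rf` exits 0 on an unmatched path, and the `rsa*` files that the old %install line (deleted in the `@@ -433` hunk) stripped from the bundled tree now ship inside `%{_usr}/lib/%{name}/support/kubevirt`. The fix is the one-line path correction `rm -rf support/kubevirt/rsa*`. The two `patch --fuzz=2` calls are fine as written, since a hunk that fails to apply still exits non-zero and stops the build; the unbundling step has no such backstop, so a `test ! -e support/kubevirt/rsa` right after the `rm` would make the intent enforceable rather than silent, presuming `rsa*` is the PyPI `rsa` package pulled in by google-auth.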
@@ -433,10 +456,6 @@ install -m 0644 agents/virt/fence_virtd.service %{buildroot}/%{_unitdir}/
 %endif
 # XXX unsure if /usr/sbin/fence_* should be compiled as well
-# kubevirt
-%{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm MarkupSafe
-%{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt --no-index --find-links %{_sourcedir} openshift
-rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa*
 ## tree fix up
 # fix libfence permissions
@@ -1169,7 +1188,7 @@ Fence agent for KubeVirt platform.
 %{_sbindir}/fence_kubevirt
 %{_mandir}/man8/fence_kubevirt.8*
 # bundled libraries
-/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt
+%{_usr}/lib/%{name}/support/kubevirt
 %package lpar
 License: GPLv2+ and LGPLv2+
@@ -1468,6 +1487,10 @@ are located on corosync cluster nodes.
 %endif
 %changelog
+* Fri Jan 26 2024 Zhiyuan Zhao - 4.10.0-20.3
+- Update certifi-2023.7.22 to fix CVE-2023-37920
+- Fix CVE-2023-43804 from urllib3
+
 * Tue May 17 2022 Oyvind Albrigtsen - 4.10.0-20.2
 - fence_apc/fence_ilo_moonshot/fence_lpar: add missing "import logging"
   Resolves: rhbz#2086839