diff --git a/CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch b/CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d6feb9bacd90ea781c443433359efa3ec280e3b
--- /dev/null
+++ b/CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch
@@ -0,0 +1,59 @@ +From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 2 Oct 2023 19:46:16 +0400 +Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f + +--- + CHANGES.rst | 5 ++++ + docs/user-guide.rst | 3 +++ + src/urllib3/util/retry.py | 2 +- + test/test_retry.py | 4 +-- + test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++----- + 5 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index ea48afe3ca..7572bfd26a 100644 +--- a/aws/urllib3/util/retry.py ++++ b/aws/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +--- a/awscli/urllib3/util/retry.py ++++ b/awscli/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +--- a/azure/urllib3/util/retry.py ++++ b/azure/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. 
+ DEFAULT_BACKOFF_MAX = 120 +--- a/google/urllib3/util/retry.py ++++ b/google/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 diff --git a/CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch b/CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7e5004381eadd05758259fe2114e4208fb8e5b9 --- /dev/null +++ b/CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch @@ -0,0 +1,26 @@ +From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 2 Oct 2023 19:46:16 +0400 +Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f + +--- + CHANGES.rst | 5 ++++ + docs/user-guide.rst | 3 +++ + src/urllib3/util/retry.py | 2 +- + test/test_retry.py | 4 +-- + test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++----- + 5 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index ea48afe3ca..7572bfd26a 100644 +--- a/kubevirt/urllib3/util/retry.py ++++ b/kubevirt/urllib3/util/retry.py +@@ -187,7 +187,7 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 
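Review bot: The carried hunk changes only the class-level default `DEFAULT_REMOVE_HEADERS_ON_REDIRECT`, so any bundled caller under aws/, awscli/, azure/ or google/ that constructs its own `Retry(..., remove_headers_on_redirect=...)` still forwards Cookie across cross-origin redirects; a grep of those four trees for `remove_headers_on_redirect` before treating CVE-2023-43804 as closed would confirm none does. The preamble still shows the upstream diffstat (CHANGES.rst, docs, tests, "5 files changed") while only the retry.py hunk is included, which will mislead whoever audits this backport later; a line under the Subject such as `Backport note: only the src/urllib3/util/retry.py hunk is carried, re-pathed to the bundled copies under support/` would record the trim. The single `diff --git a/src/urllib3/util/retry.py` header is followed by four `---`/`+++` pairs with bundle-specific paths; GNU patch goes by the `---`/`+++` names so this applies, but a tool that trusts the `diff --git` line presumably would not, so dropping that header line or repeating it per bundled file is the safer form.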
diff --git a/certifi-2023.7.22.tar.gz b/certifi-2023.7.22.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..7f62db5cedcd41fcbbf20e94c7bbcca99c1f58fe
Binary files /dev/null and b/certifi-2023.7.22.tar.gz differ
diff --git a/fence-agents.spec b/fence-agents.spec
index 173b359a81c4eede3705a1a618bb4e4ca41f81e0..2a0295e52405518a7a36cbd8fc0edb55e9a25e15 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -19,7 +19,7 @@
 %global kubernetes kubernetes
 %global kubernetes_version 12.0.1
 %global certifi certifi
-%global certifi_version 2021.10.8
+%global certifi_version 2023.7.22
 %global googleauth google-auth
 %global googleauth_version 2.3.0
 %global cachetools cachetools
@@ -60,7 +60,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 55%{?alphatag:.%{alphatag}}%{anolis_release}%{?dist}
+Release: 56%{?alphatag:.%{alphatag}}%{anolis_release}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -250,8 +250,15 @@
 Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch
 Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
 ### HA support libs/utils ###
-Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+# all archs
+Patch1000: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
+Patch1001: CVE-2023-43804-kubevirt-fix-bundled-urllib3.patch
+# cloud (x86_64 only)
+Patch2000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
+Patch2001: CVE-2023-43804-aws-awscli-azure-google-fix-bundled-urllib3.patch
+
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -442,10 +449,11 @@
 done
 # %endif
 # regular patch doesnt work in build-section
-# Patch1000
+# Patch2000 Patch2001
 %ifarch x86_64
 pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
 popd
 %endif
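Review bot: The `--fuzz=2` on the new `%{PATCH2001}` line is looser than the `--fuzz=0` used for `%{PATCH2000}` directly above it, and nothing says why; `--fuzz=2` is GNU patch's default, so the flag only signals that strictness was deliberately relaxed, and since the `-`/`+` lines must still match exactly, an unexpected bundled urllib3 fails the build rather than silently skipping the fix. Presumably the relaxation is needed because the upstream hunk context comes from a newer urllib3 than the copies pip installs into support/ (not verifiable from this hunk). A comment above the line would keep the next maintainer from tightening it blindly: `# --fuzz=2: upstream hunk context differs from the bundled urllib3 copies; the changed line itself must still match`. The `%ifarch x86_64` block is complete within the hunk, but the enclosing build section starts and ends outside it.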
@@ -453,9 +461,10 @@
 popd
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
 %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf kubevirt/rsa*
-# Patch1001
+# Patch1000 Patch1001
 pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1001}
 popd
 ./autogen.sh
@@ -613,7 +622,7 @@
 Provides: bundled(python-azure-core) = 1.15.0
 Provides: bundled(python-azure-mgmt-compute) = 21.0.0
 Provides: bundled(python-azure-mgmt-core) = 1.2.2
 Provides: bundled(python-azure-mgmt-network) = 19.0.0
-Provides: bundled(python-certifi) = 2021.5.30
+Provides: bundled(python-certifi) = %{certifi_version}
 Provides: bundled(python-chardet) = 4.0.0
 Provides: bundled(python-idna) = 2.10
 Provides: bundled(python-isodate) = 0.6.0
@@ -1490,6 +1499,10 @@
 are located on corosync cluster nodes.
 %endif
 %changelog
+* Fri Jan 5 2024 Zhiyuan Zhao - 4.10.0-56.0.1
+- Update certifi-2023.7.22 to fix CVE-2023-37920
+- Fix CVE-2023-43804 from urllib3
+
 * Mon Dec 11 2023 Chang Gao - 4.10.0-55.0.1
 - Replace some packages with build env
 - Update CVE-2007-4559 patches
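Review bot: The new `%{PATCH1001}` step patches whatever urllib3 the `pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift` line resolved two lines earlier, so the day the urllib3 tarball in `%{_sourcedir}` is bumped to a release that already contains the GHSA-v845-jxx5-vc9f change, the `-` line stops matching and this step fails the build with no hint that the fix is simply no longer needed. A comment on the line would make that failure self-explanatory: `# CVE-2023-43804 backport; drop once the pip-installed urllib3 already strips Cookie on redirect (patch fails on the '-' line)`. The `rm -rf kubevirt/rsa*` above uses a path relative to the top directory while the pip target is `support/kubevirt`; that is pre-existing and not changed here, but worth a look while in this block.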
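Review bot: The certifi Provides now tracks `%{certifi_version}`, but nothing in this change touches a Provides for the bundled urllib3 (not visible in this hunk; presumably declared alongside these) even though its code is patched for CVE-2023-43804, so any scanner keyed on `bundled(python-urllib3) = <version>` will keep reporting the CVE against this package. The honest state is "patched, version string unchanged", and that should be written down where the metadata lives: next to that Provides add `# CVE-2023-43804 fixed by Patch1001/Patch2001 (backport of upstream 644124e); version intentionally unchanged`. If a separate urllib3 Provides exists per cloud bundle, the same note applies to each.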