diff --git a/Build-fix-unability-to-build-with-Inkscape-1.0-beta-.patch b/Build-fix-unability-to-build-with-Inkscape-1.0-beta-.patch deleted file mode 100644 index 317314b2b567f587859d90e73d33036e5fe11917..0000000000000000000000000000000000000000 --- a/Build-fix-unability-to-build-with-Inkscape-1.0-beta-.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 47ecd21b9acb108eb4e024c51cdefadac2d74a64 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= -Date: Tue, 26 Nov 2019 20:07:36 +0100 -Subject: [PATCH] Build: fix unability to build with Inkscape 1.0 beta - version(s) - -...and possibly beyond. - -References: -https://gitlab.com/inkscape/inbox/issues/1244 ---- - doc/Makefile.am | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/doc/Makefile.am b/doc/Makefile.am -index 257f5cdf5..d8c846830 100644 ---- a/doc/Makefile.am -+++ b/doc/Makefile.am -@@ -84,14 +84,19 @@ PNGS = $(PNGS_ORIGINAL) $(PNGS_GENERATED) - - graphics: $(PNGS) - -+ -+# two-phased attempts for Inkscape pre-1.0 and 1.0+ (upcoming) discrepancy - %.png: %.svg -- $(AM_V_GEN)$(INKSCAPE) --file=$< --export-dpi=90 -C --export-png=$@ $(PCMK_quiet) -+ $(AM_V_GEN) { $(INKSCAPE) --export-dpi=90 -C --export-png=$@ $< \ -+ || $(INKSCAPE) --export-dpi=90 -C --export-file=$@ $<; } $(PCMK_quiet) - - %-small.png: %.svg -- $(AM_V_GEN)$(INKSCAPE) --file=$< --export-dpi=45 -C --export-png=$@ $(PCMK_quiet) -+ $(AM_V_GEN) { $(INKSCAPE) --export-dpi=45 -C --export-png=$@ $< \ -+ || $(INKSCAPE) --export-dpi=45 -C --export-file=$@ $<; } $(PCMK_quiet) - - %-large.png: %.svg -- $(AM_V_GEN)$(INKSCAPE) --file=$< --export-dpi=180 -C --export-png=$@ $(PCMK_quiet) -+ $(AM_V_GEN) { $(INKSCAPE) --export-dpi=180 -C --export-png=$@ $< \ -+ || $(INKSCAPE) --export-dpi=180 -C --export-file=$@ $<; } $(PCMK_quiet) - - if IS_ASCIIDOC - ASCIIDOC_HTML_ARGS = --unsafe --backend=xhtml11 --- -2.24.0 - 
diff --git a/CVE-2020-25654.patch b/CVE-2020-25654.patch deleted file mode 100644 index 048810aae7b1cc439cb5f58f98ba34c282bf64cb..0000000000000000000000000000000000000000 --- a/CVE-2020-25654.patch +++ /dev/null 
@@ -1,514 +0,0 @@ -From 3d1a7dc0c545c1ffba216df5c82b5ee3e3c7b3bf Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Fri, 9 Oct 2020 09:56:03 -0500 -Subject: [PATCH 1/7] Log: executor: show CRM_OP_REGISTER rc in debug message - -Previously, process_lrmd_signon() would add the rc to the client reply -but not pass it back to process_lrmd_message(), which would always log "OK" in -its debug message, even if the sign-on was rejected. ---- - daemons/execd/execd_commands.c | 21 +++++++++++---------- - 1 file changed, 11 insertions(+), 10 deletions(-) - -diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c -index 9ded90c..aadbc4d 100644 ---- a/daemons/execd/execd_commands.c -+++ b/daemons/execd/execd_commands.c -@@ -1517,10 +1517,10 @@ free_rsc(gpointer data) - free(rsc); - } - --static xmlNode * --process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id) -+static int -+process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id, -+ xmlNode **reply) - { -- xmlNode *reply = NULL; - int rc = pcmk_ok; - const char *is_ipc_provider = crm_element_value(request, F_LRMD_IS_IPC_PROVIDER); - const char *protocol_version = crm_element_value(request, F_LRMD_PROTOCOL_VERSION); -@@ -1531,18 +1531,19 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id) - rc = -EPROTO; - } - -- reply = create_lrmd_reply(__FUNCTION__, rc, call_id); -- crm_xml_add(reply, F_LRMD_OPERATION, CRM_OP_REGISTER); -- crm_xml_add(reply, F_LRMD_CLIENTID, client->id); -- crm_xml_add(reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION); -- - if (crm_is_true(is_ipc_provider)) { - // This is a remote connection from a cluster node's controller - #ifdef SUPPORT_REMOTE - ipc_proxy_add_provider(client); - #endif - } -- return reply; -+ -+ *reply = create_lrmd_reply(__func__, rc, call_id); -+ crm_xml_add(*reply, F_LRMD_OPERATION, CRM_OP_REGISTER); -+ crm_xml_add(*reply, F_LRMD_CLIENTID, client->id); -+ crm_xml_add(*reply, F_LRMD_PROTOCOL_VERSION, 
LRMD_PROTOCOL_VERSION); -+ -+ return rc; - } - - static int -@@ -1854,7 +1855,7 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request) - #endif - do_reply = 1; - } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) { -- reply = process_lrmd_signon(client, request, call_id); -+ rc = process_lrmd_signon(client, request, call_id, &reply); - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) { - rc = process_lrmd_rsc_register(client, id, request); --- -1.8.3.1 - - -From d4cc1949292aaa42368e2871a04e67f65f22c154 Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Fri, 9 Oct 2020 15:16:39 -0500 -Subject: [PATCH 2/7] Low: executor: mark controller connections to - pacemaker-remoted as privileged - -Previously, crm_client_flag_ipc_privileged was only set when local clients connected -(as root or hacluster). Now, set it when pacemaker-remoted successfully -completes the TLS handshake with a remote client (i.e., the controller on a -cluster node). - -This has no effect as of this commit but will with later commits. ---- - daemons/execd/remoted_tls.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/daemons/execd/remoted_tls.c b/daemons/execd/remoted_tls.c -index cd7cbe5..ea9cf3e 100644 ---- a/daemons/execd/remoted_tls.c -+++ b/daemons/execd/remoted_tls.c -@@ -74,6 +74,11 @@ remoted__read_handshake_data(crm_client_t *client) - client->remote->tls_handshake_complete = TRUE; - crm_notice("Remote client connection accepted"); - -+ /* Only a client with access to the TLS key can connect, so we can treat -+ * it as privileged. 
-+ */ -+ set_bit(client->flags, crm_client_flag_ipc_privileged); -+ - // Alert other clients of the new connection - notify_of_new_client(client); - return 0; --- -1.8.3.1 - - -From bb6ae415a534fa9f1bd1ec06e0a0b4c64b1e8530 Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Thu, 15 Oct 2020 15:33:13 -0500 -Subject: [PATCH 3/7] Low: executor: return appropriate error code when no - remote support - ---- - daemons/execd/execd_commands.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c -index aadbc4d..84e9c40 100644 ---- a/daemons/execd/execd_commands.c -+++ b/daemons/execd/execd_commands.c -@@ -1532,9 +1532,11 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id, - } - - if (crm_is_true(is_ipc_provider)) { -- // This is a remote connection from a cluster node's controller - #ifdef SUPPORT_REMOTE -+ // This is a remote connection from a cluster node's controller - ipc_proxy_add_provider(client); -+#else -+ rc = -EPROTONOSUPPORT; - #endif - } - -@@ -1852,6 +1854,8 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request) - if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) { - #ifdef SUPPORT_REMOTE - ipc_proxy_forward_client(client, request); -+#else -+ rc = -EPROTONOSUPPORT; - #endif - do_reply = 1; - } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) { --- -1.8.3.1 - - -From 6fdf576fe506837099561a0fc6409fc315a9f2b7 Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Thu, 15 Oct 2020 15:33:57 -0500 -Subject: [PATCH 4/7] High: executor: restrict certain IPC requests to - Pacemaker daemons - -The executor IPC API allows clients to register resources, request agent -execution, and so forth. - -If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs and -execute any code as root. 
(If ACLs are not enabled, users in the haclient group -have full access to the CIB, which already gives them that ability, so there is -no additional exposure in that case.) - -When ACLs are supported, this commit effectively disables the executor IPC API -for clients that aren't connecting as root or hacluster. Such clients can only -register and poke now. ---- - daemons/execd/execd_commands.c | 91 +++++++++++++++++++++++++++++++++--------- - 1 file changed, 73 insertions(+), 18 deletions(-) - -diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c -index 84e9c40..e217ce7 100644 ---- a/daemons/execd/execd_commands.c -+++ b/daemons/execd/execd_commands.c -@@ -1533,8 +1533,12 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id, - - if (crm_is_true(is_ipc_provider)) { - #ifdef SUPPORT_REMOTE -- // This is a remote connection from a cluster node's controller -- ipc_proxy_add_provider(client); -+ if ((client->remote != NULL) && client->remote->tls_handshake_complete) { -+ // This is a remote connection from a cluster node's controller -+ ipc_proxy_add_provider(client); -+ } else { -+ rc = -EACCES; -+ } - #else - rc = -EPROTONOSUPPORT; - #endif -@@ -1848,12 +1852,26 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request) - int do_notify = 0; - xmlNode *reply = NULL; - -+ bool allowed = true; -+ -+#if ENABLE_ACL -+ /* Certain IPC commands may be done only by privileged users (i.e. root or -+ * hacluster) when ACLs are enabled, because they would otherwise provide a -+ * means of bypassing ACLs. 
-+ */ -+ allowed = is_set(client->flags, crm_client_flag_ipc_privileged); -+#endif -+ - crm_trace("Processing %s operation from %s", op, client->id); - crm_element_value_int(request, F_LRMD_CALLID, &call_id); - - if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) { - #ifdef SUPPORT_REMOTE -- ipc_proxy_forward_client(client, request); -+ if (allowed) { -+ ipc_proxy_forward_client(client, request); -+ } else { -+ rc = -EACCES; -+ } - #else - rc = -EPROTONOSUPPORT; - #endif -@@ -1862,38 +1880,70 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request) - rc = process_lrmd_signon(client, request, call_id, &reply); - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) { -- rc = process_lrmd_rsc_register(client, id, request); -- do_notify = 1; -+ if (allowed) { -+ rc = process_lrmd_rsc_register(client, id, request); -+ do_notify = 1; -+ } else { -+ rc = -EACCES; -+ } - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_RSC_INFO, TRUE)) { -- reply = process_lrmd_get_rsc_info(request, call_id); -+ if (allowed) { -+ reply = process_lrmd_get_rsc_info(request, call_id); -+ } else { -+ rc = -EACCES; -+ } - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_RSC_UNREG, TRUE)) { -- rc = process_lrmd_rsc_unregister(client, id, request); -- /* don't notify anyone about failed un-registers */ -- if (rc == pcmk_ok || rc == -EINPROGRESS) { -- do_notify = 1; -+ if (allowed) { -+ rc = process_lrmd_rsc_unregister(client, id, request); -+ /* don't notify anyone about failed un-registers */ -+ if (rc == pcmk_ok || rc == -EINPROGRESS) { -+ do_notify = 1; -+ } -+ } else { -+ rc = -EACCES; - } - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_RSC_EXEC, TRUE)) { -- rc = process_lrmd_rsc_exec(client, id, request); -+ if (allowed) { -+ rc = process_lrmd_rsc_exec(client, id, request); -+ } else { -+ rc = -EACCES; -+ } - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_RSC_CANCEL, TRUE)) { -- rc = process_lrmd_rsc_cancel(client, id, request); -+ if (allowed) { -+ rc = 
process_lrmd_rsc_cancel(client, id, request); -+ } else { -+ rc = -EACCES; -+ } - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_POKE, TRUE)) { - do_notify = 1; - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_CHECK, TRUE)) { -- xmlNode *data = get_message_xml(request, F_LRMD_CALLDATA); -- const char *timeout = crm_element_value(data, F_LRMD_WATCHDOG); -- CRM_LOG_ASSERT(data != NULL); -- check_sbd_timeout(timeout); -+ if (allowed) { -+ xmlNode *data = get_message_xml(request, F_LRMD_CALLDATA); -+ -+ CRM_LOG_ASSERT(data != NULL); -+ check_sbd_timeout(crm_element_value(data, F_LRMD_WATCHDOG)); -+ } else { -+ rc = -EACCES; -+ } - } else if (crm_str_eq(op, LRMD_OP_ALERT_EXEC, TRUE)) { -- rc = process_lrmd_alert_exec(client, id, request); -+ if (allowed) { -+ rc = process_lrmd_alert_exec(client, id, request); -+ } else { -+ rc = -EACCES; -+ } - do_reply = 1; - } else if (crm_str_eq(op, LRMD_OP_GET_RECURRING, TRUE)) { -- reply = process_lrmd_get_recurring(request, call_id); -+ if (allowed) { -+ reply = process_lrmd_get_recurring(request, call_id); -+ } else { -+ rc = -EACCES; -+ } - do_reply = 1; - } else { - rc = -EOPNOTSUPP; -@@ -1902,6 +1952,11 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request) - crm_log_xml_warn(request, "UnknownOp"); - } - -+ if (rc == -EACCES) { -+ crm_warn("Rejecting IPC request '%s' from unprivileged client %s", -+ op, crm_client_name(client)); -+ } -+ - crm_debug("Processed %s operation from %s: rc=%d, reply=%d, notify=%d", - op, client->id, rc, do_reply, do_notify); - --- -1.8.3.1 - - -From 38397e6a04a4b8a16771e57b5b19fc0f7111063b Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Fri, 9 Oct 2020 11:16:43 -0500 -Subject: [PATCH 5/7] Low: pacemakerd: check client for NULL before using it - -... 
to guard against bugs in client tracking ---- - daemons/pacemakerd/pacemakerd.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/daemons/pacemakerd/pacemakerd.c b/daemons/pacemakerd/pacemakerd.c -index d8ff53d..278b48b 100644 ---- a/daemons/pacemakerd/pacemakerd.c -+++ b/daemons/pacemakerd/pacemakerd.c -@@ -560,9 +560,12 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * qbc, void *data, size_t size) - uint32_t id = 0; - uint32_t flags = 0; - const char *task = NULL; -+ xmlNode *msg = NULL; - crm_client_t *c = crm_client_get(qbc); -- xmlNode *msg = crm_ipcs_recv(c, data, size, &id, &flags); - -+ CRM_CHECK(c != NULL, return 0); -+ -+ msg = crm_ipcs_recv(c, data, size, &id, &flags); - crm_ipcs_send_ack(c, id, flags, "ack", __FUNCTION__, __LINE__); - if (msg == NULL) { - return 0; --- -1.8.3.1 - - -From 03d1f5861229b3b28728fa0eabfc99ddc9bccaa4 Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Fri, 9 Oct 2020 11:17:18 -0500 -Subject: [PATCH 6/7] High: pacemakerd: ignore shutdown requests from - unprivileged users - -The pacemakerd IPC API supports a shutdown request, along with a -command-line interface for using it (pacemakerd --shutdown). - -Only the haclient group has access to the IPC. Without ACLs, that group can -already shut down Pacemaker via the CIB, so there's no security implication. - -However, it might not be desired to allow ACL-restricted users to shut down -Pacemaker, so block users other than root or hacluster if ACLs are supported. 
---- - daemons/pacemakerd/pacemakerd.c | 24 ++++++++++++++++++++---- - 1 file changed, 20 insertions(+), 4 deletions(-) - -diff --git a/daemons/pacemakerd/pacemakerd.c b/daemons/pacemakerd/pacemakerd.c -index 278b48b..ebb14e8 100644 ---- a/daemons/pacemakerd/pacemakerd.c -+++ b/daemons/pacemakerd/pacemakerd.c -@@ -573,10 +573,26 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * qbc, void *data, size_t size) - - task = crm_element_value(msg, F_CRM_TASK); - if (crm_str_eq(task, CRM_OP_QUIT, TRUE)) { -- /* Time to quit */ -- crm_notice("Shutting down in response to ticket %s (%s)", -- crm_element_value(msg, F_CRM_REFERENCE), crm_element_value(msg, F_CRM_ORIGIN)); -- pcmk_shutdown(15); -+ bool allowed = true; -+ -+#if ENABLE_ACL -+ /* Only allow privileged users (i.e. root or hacluster) -+ * to shut down Pacemaker from the command line (or direct IPC). -+ * -+ * We only check when ACLs are enabled, because without them, any client -+ * with IPC access could shut down Pacemaker via the CIB anyway. -+ */ -+ allowed = is_set(c->flags, crm_client_flag_ipc_privileged); -+#endif -+ if (allowed) { -+ crm_notice("Shutting down in response to IPC request %s from %s", -+ crm_element_value(msg, F_CRM_REFERENCE), -+ crm_element_value(msg, F_CRM_ORIGIN)); -+ pcmk_shutdown(15); -+ } else { -+ crm_warn("Ignoring shutdown request from unprivileged client %s", -+ crm_client_name(c)); -+ } - - } else if (crm_str_eq(task, CRM_OP_RM_NODE_CACHE, TRUE)) { - /* Send to everyone */ --- -1.8.3.1 - - -From 5fcb1e923d2e900da672306fb82a946a0af5e641 Mon Sep 17 00:00:00 2001 -From: Ken Gaillot -Date: Fri, 9 Oct 2020 11:55:26 -0500 -Subject: [PATCH 7/7] Fix: fencer: restrict certain IPC requests to privileged - users - -The fencer IPC API allows clients to register fence devices. - -If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs to -configure fencing. 
If the user is able to install executables to the standard -fencing agent locations, have arbitrary code executed as root (the standard -locations generally require root for write access, so that is unlikely to be an -issue). - -If ACLs are not enabled, users in the haclient group have full access to the -CIB, which already gives them these capabilities, so there is no additional -exposure in that case. - -This commit does not restrict unprivileged users from using other fencing API, -such as requesting actual fencing. ---- - daemons/fenced/fenced_commands.c | 41 ++++++++++++++++++++++++++++++++++++---- - 1 file changed, 37 insertions(+), 4 deletions(-) - -diff --git a/daemons/fenced/fenced_commands.c b/daemons/fenced/fenced_commands.c -index 9d3f924..d965d7c 100644 ---- a/daemons/fenced/fenced_commands.c -+++ b/daemons/fenced/fenced_commands.c -@@ -2455,6 +2455,18 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req - const char *op = crm_element_value(request, F_STONITH_OPERATION); - const char *client_id = crm_element_value(request, F_STONITH_CLIENTID); - -+ bool allowed = true; -+ -+#if ENABLE_ACL -+ /* IPC commands related to fencing configuration may be done only by -+ * privileged users (i.e. root or hacluster) when ACLs are supported, -+ * because all other users should go through the CIB to have ACLs applied. 
-+ */ -+ if (client != NULL) { -+ allowed = is_set(client->flags, crm_client_flag_ipc_privileged); -+ } -+#endif -+ - crm_element_value_int(request, F_STONITH_CALLOPTS, &call_options); - - if (is_set(call_options, st_opt_sync_call)) { -@@ -2604,27 +2616,43 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req - } else if (crm_str_eq(op, STONITH_OP_DEVICE_ADD, TRUE)) { - const char *device_id = NULL; - -- rc = stonith_device_register(request, &device_id, FALSE); -+ if (allowed) { -+ rc = stonith_device_register(request, &device_id, FALSE); -+ } else { -+ rc = -EACCES; -+ } - do_stonith_notify_device(call_options, op, rc, device_id); - - } else if (crm_str_eq(op, STONITH_OP_DEVICE_DEL, TRUE)) { - xmlNode *dev = get_xpath_object("//" F_STONITH_DEVICE, request, LOG_ERR); - const char *device_id = crm_element_value(dev, XML_ATTR_ID); - -- rc = stonith_device_remove(device_id, FALSE); -+ if (allowed) { -+ rc = stonith_device_remove(device_id, FALSE); -+ } else { -+ rc = -EACCES; -+ } - do_stonith_notify_device(call_options, op, rc, device_id); - - } else if (crm_str_eq(op, STONITH_OP_LEVEL_ADD, TRUE)) { - char *device_id = NULL; - -- rc = stonith_level_register(request, &device_id); -+ if (allowed) { -+ rc = stonith_level_register(request, &device_id); -+ } else { -+ rc = -EACCES; -+ } - do_stonith_notify_level(call_options, op, rc, device_id); - free(device_id); - - } else if (crm_str_eq(op, STONITH_OP_LEVEL_DEL, TRUE)) { - char *device_id = NULL; - -- rc = stonith_level_remove(request, &device_id); -+ if (allowed) { -+ rc = stonith_level_remove(request, &device_id); -+ } else { -+ rc = -EACCES; -+ } - do_stonith_notify_level(call_options, op, rc, device_id); - - } else if(safe_str_eq(op, CRM_OP_RM_NODE_CACHE)) { -@@ -2644,6 +2672,11 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req - - done: - -+ if (rc == -EACCES) { -+ crm_warn("Rejecting IPC request '%s' from unprivileged client %s", -+ crm_str(op), 
crm_client_name(client)); -+ } -+ - /* Always reply unless the request is in process still. - * If in progress, a reply will happen async after the request - * processing is finished */ --- -1.8.3.1 - diff --git a/Resolve-the-failure-of-time-matching-in-test-cases.patch b/Resolve-the-failure-of-time-matching-in-test-cases.patch deleted file mode 100644 index 269244c5197a3f02e1efb7938ebb46349da6cb80..0000000000000000000000000000000000000000 --- a/Resolve-the-failure-of-time-matching-in-test-cases.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/cts/cts-cli.in b/cts/cts-cli.in -index cff4bbf..707403f 100644 ---- a/cts/cts-cli.in -+++ b/cts/cts-cli.in -@@ -947,7 +947,7 @@ EOF - if [ "$(uname)" == "FreeBSD" ]; then - tomorrow=$(date -v+1d +"%F %T %z") - else -- tomorrow=$(date --date=tomorrow +"%F %T %z") -+ tomorrow=$(date --date=tomorrow +"%F %T") - fi - - TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX) diff --git a/fix-function-declaration-error.patch b/fix-function-declaration-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..d4935f41cc89f640b95fcb462ff0f9736f677f2d --- /dev/null +++ b/fix-function-declaration-error.patch @@ -0,0 +1,10 @@ +--- configure.ac 2020-12-03 01:08:53.000000000 +0800 ++++ configure.ac 2022-02-16 06:04:06.770474753 +0800 +@@ -1728,7 +1728,6 @@ dnl otherwise none of both + -Wno-long-long + -Wno-strict-aliasing + -Wpointer-arith +- -Wstrict-prototypes + -Wwrite-strings + -Wunused-but-set-variable + -Wunsigned-char" diff --git a/nagios-agents-metadata-105ab8a7b2c16b9a29cf1c1596b80136eeef332b.tar.gz b/nagios-agents-metadata-105ab8a7b2c16b9a29cf1c1596b80136eeef332b.tar.gz index ed5b139851f8aabf7c800aabadb334737efd0348..427ae714157e37198f976b6e519455b66594b0fc 100644 Binary files a/nagios-agents-metadata-105ab8a7b2c16b9a29cf1c1596b80136eeef332b.tar.gz and b/nagios-agents-metadata-105ab8a7b2c16b9a29cf1c1596b80136eeef332b.tar.gz differ 
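Review bot: The new `fix-function-declaration-error.patch` has no header saying which declaration fails, with which toolchain, or where the fix originates, and it resolves the error by deleting `-Wstrict-prototypes` from configure.ac's warning set rather than correcting the offending declaration. A warning flag only stops a build when warnings are treated as fatal, so this presumably masks a real prototype problem that upstream would fix at the declaration; prefer carrying that fix, or at least give the patch a header with the error text, the compiler version and a link to the upstream change so the workaround can be retired later. The patch also uses bare `configure.ac` paths instead of the `a/`/`b/` prefixes the removed patches had, so confirm that `%patch0` in the `%prep` hunk later in this diff applies it cleanly.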
diff --git a/pacemaker-2.0.3.tar.gz b/pacemaker-Pacemaker-2.0.5.tar.gz similarity index 41% rename from pacemaker-2.0.3.tar.gz rename to pacemaker-Pacemaker-2.0.5.tar.gz index a70ab0caff4a38ba79ac76429690a27d3c054a09..8d8fc8e3e628f2394932003175b09dda87964b2f 100644 Binary files a/pacemaker-2.0.3.tar.gz and b/pacemaker-Pacemaker-2.0.5.tar.gz differ diff --git a/pacemaker.spec b/pacemaker.spec index a993a5740e8c5e41f393777f067cf3a8bbefbc40..12c2e63d5726e5dee108ead3b8a2561527503bd9 100644 --- a/pacemaker.spec +++ b/pacemaker.spec @@ -3,6 +3,7 @@ ## User and group to use for nonprivileged services %global uname hacluster %global gname haclient +%global hacluster_id 189 ## Where to install Pacemaker documentation %global pcmk_docdir %{_docdir}/%{name} @@ -13,12 +14,12 @@ ## Upstream pacemaker version, and its package version (specversion ## can be incremented to build packages reliably considered "newer" ## than previously built packages with the same pcmkversion) -%global pcmkversion 2.0.3 -%global specversion 3 +%global pcmkversion 2.0.5 +%global specversion 1 ## Upstream commit (or git tag, such as "Pacemaker-" plus the ## {pcmkversion} macro for an official release) to use for this package -%global commit Pacemaker-2.0.3 +%global commit Pacemaker-2.0.5 ## Since git v2.11, the extent of abbreviation is autoscaled by default ## (used to be constant of 7), so we need to convey it for non-tags, too. %global commit_abbrev 9 @@ -26,7 +27,7 @@ ## Nagios source control identifiers %global nagios_name nagios-agents-metadata %global nagios_hash 105ab8a7b2c16b9a29cf1c1596b80136eeef332b - +%global nagios_archive_github_url %{nagios_hash}#/%{nagios_name}-%{nagios_hash}.tar.gz # Define globals for convenient use later 
@@ -34,18 +35,26 @@ %global lparen ( %global rparen ) -## Short version of git commit -%define shortcommit %(c=%{commit}; case ${c} in - Pacemaker-*%{rparen} echo ${c:10};; - *%{rparen} echo ${c:0:%{commit_abbrev}};; esac) - -## Whether this is a tagged release -%define tag_release %([ %{commit} != Pacemaker-%{shortcommit} ]; echo $?) - -## Whether this is a release candidate (in case of a tagged release) -%define pre_release %([ "%{tag_release}" -eq 0 ] || { - case "%{shortcommit}" in *-rc[[:digit:]]*%{rparen} false;; - esac; }; echo $?) +## Whether this is a tagged release (final or release candidate) +%define tag_release %(c=%{commit}; case ${c} in Pacemaker-*%{rparen} echo 1 ;; + *%{rparen} echo 0 ;; esac) + +## Portion of export/dist tarball name after "pacemaker-", and release version +%if 0%{tag_release} +%define archive_version %{commit} +%define archive_github_url %{commit}#/%{name}-%{archive_version}.tar.gz +%define pcmk_release %(c=%{commit}; case $c in *-rc[[:digit:]]*%{rparen} + echo 0.%{specversion}.${c: -3} ;; + *%{rparen} echo %{specversion} ;; esac) +%else +%define archive_version %(c=%{commit}; echo ${c:0:%{commit_abbrev}}) +%define archive_github_url %{archive_version}#/%{name}-%{archive_version}.tar.gz +%if %{with pre_release} +%define pcmk_release 0.%{specversion}.%{archive_version}.git +%else +%define pcmk_release %{specversion}.%{archive_version}.git +%endif +%endif ## Heuristic used to infer bleeding-edge deployments that are ## less likely to have working versions of the documentation tools 
@@ -72,16 +81,19 @@ ## Values that differ by Python major version %global python_path /usr/bin/python%{?python3_pkgversion}%{!?python3_pkgversion:3} -%global python_pkg python3 +%global python_name python3 %global python_min 3.2 -%define py_site %{?python3_sitelib}%{!?python3_sitelib:%( - python3 -c 'from distutils.sysconfig import get_python_lib as gpl; print(gpl(1))' 2>/dev/null)} +%define python_site %{?python3_sitelib}%{!?python3_sitelib:%( + %{python_path} -c 'from distutils.sysconfig import get_python_lib as gpl; print(gpl(1))' 2>/dev/null)} # Define conditionals so that "rpmbuild --with " and # "rpmbuild --without " can enable and disable specific features -## NOTE: skip --with stonith +## NOTE: skip --with stonithd + +## Add option to enable support for storing sensitive information outside CIB +%bcond_with cibsecrets ## Add option to create binaries suitable for use with profiling tools %bcond_with profiling @@ -89,7 +101,7 @@ ## Add option to create binaries with coverage analysis %bcond_with coverage -## Add option to skip generating documentation +## Add option to skip/enable generating documentation ## (the build tools aren't available everywhere) %bcond_without doc 
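Review bot: The `%define python_site` fallback still shells out to `distutils.sysconfig.get_python_lib`, which is deprecated since Python 3.10 and removed in 3.12, so on a toolchain where `python3_sitelib` is undefined the fallback would evaluate to an empty string and the `%{python_site}/cts` entries later in the spec would point at the wrong place. The stdlib equivalent of `get_python_lib(1)` is `%{python_path} -c 'import sysconfig; print(sysconfig.get_path("platlib"))'`.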
@@ -115,33 +127,30 @@ %endif -%define pcmk_release %{specversion} - Name: pacemaker Summary: Scalable High-Availability cluster resource manager Version: %{pcmkversion} Release: %{pcmk_release} License: GPLv2+ and LGPLv2+ -Url: http://www.clusterlabs.org +Url: https://www.clusterlabs.org # Hint: use "spectool -s 0 pacemaker.spec" (rpmdevtools) to check the final URL -Source0: https://github.com/%{github_owner}/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz -Source1: https://github.com/%{github_owner}/%{nagios_name}/archive/%{nagios_hash}/%{nagios_name}-%{nagios_hash}.tar.gz +Source0: https://codeload.github.com/%{github_owner}/%{name}/tar.gz/%{archive_github_url} +Source1: https://codeload.github.com/%{github_owner}/%{nagios_name}/tar.gz/%{nagios_archive_github_url} # --- -Patch0: Build-fix-unability-to-build-with-Inkscape-1.0-beta-.patch -Patch1: Resolve-the-failure-of-time-matching-in-test-cases.patch -Patch2: CVE-2020-25654.patch +Patch0: fix-function-declaration-error.patch Requires: resource-agents -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-cluster-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-cluster-libs = %{version}-%{release} Requires: %{name}-cli = %{version}-%{release} %{?systemd_requires} # Pacemaker requires a minimum Python functionality -Requires: %{python_pkg} >= %{python_min} -BuildRequires: %{python_pkg}-devel >= %{python_min} +Requires: %{python_name} >= %{python_min} +BuildRequires: make +BuildRequires: %{python_name}-devel >= %{python_min} # Pacemaker requires a minimum libqb functionality Requires: libqb >= 0.13.0 
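Review bot: Removing `Patch2: CVE-2020-25654.patch` is only correct if the 2.0.5 tarball already carries the seven upstream commits that patch contained (the executor, fencer and pacemakerd IPC privilege checks); the 2.0.5 release is understood to include them, but nothing in this commit records that, and the changelog entry at the end of the diff says only `- upgrade to 2.0.5`. Add a changelog line such as `- drop CVE-2020-25654.patch, fixed upstream in 2.0.5` so the CVE stays traceable from the spec, and verify against the upstream 2.0.5 ChangeLog before merging. Separately, dropping `%{?_isa}` from the `Requires: %{name}-libs` and `%{name}-cluster-libs` lines here (and in the following hunks for cli, cluster-libs, remote and libs-devel) allows a multilib host to satisfy those dependencies with a library of the wrong architecture; if that is distribution policy, say so in a comment, otherwise keep the `%{?_isa}` qualifiers.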
@@ -169,17 +178,17 @@ BuildRequires: corosynclib-devel >= 2.0.0 #BuildRequires: pkgconfig(libcfg) ## (note no avoiding effect when building through non-customized mock) -#%%if !%%{bleeding} -#%%if %%{with doc} -#BuildRequires: asciidoc inkscape publican -#%%endif -#%%endif +# %if !%{bleeding} +# %if %{with doc} +# BuildRequires: asciidoc inkscape publican +# %endif +# %endif # git-style patch application -BuildRequires: git +# BuildRequires: git Provides: pcmk-cluster-manager = %{version}-%{release} -Provides: pcmk-cluster-manager%{?_isa} = %{version}-%{release} +Provides: pcmk-cluster-manager = %{version}-%{release} # Pacemaker uses the crypto/md5 module from gnulib Provides: bundled(gnulib) @@ -196,15 +205,16 @@ when related resources fail and can be configured to periodically check resource health. Available rpmbuild rebuild options: - --with(out) : coverage doc hardening pre_release profiling + --with(out) : cibsecrets coverage doc hardening pre_release profiling %package cli License: GPLv2+ and LGPLv2+ Summary: Command line tools for controlling Pacemaker clusters -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -%if 0%{?fedora} > 22 || 0%{?rhel} > 7 +Requires: %{name}-libs = %{version}-%{release} Recommends: pcmk-cluster-manager = %{version}-%{release} -%endif +# For crm_report +Recommends: tar +Recommends: bzip2 Requires: perl-TimeDate Requires: procps-ng Requires: psmisc @@ -236,7 +246,7 @@ nodes and those just running the CLI tools. %package cluster-libs License: GPLv2+ and LGPLv2+ Summary: Cluster Libraries used by Pacemaker -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} %description cluster-libs Pacemaker is an advanced, scalable High-Availability cluster resource 
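Review bot: Rewriting `#%%if !%%{bleeding}` as `# %if !%{bleeding}` drops the `%%` escaping that was there because rpmbuild expands macros inside comment lines too; `%{bleeding}` is now evaluated within the comment and recent rpm versions warn about a macro expanded in a comment, and the same applies to `# %if %{with doc}` and the two `# %endif` lines. A line beginning with `#` is not parsed as a conditional, so the build outcome should be unchanged, but keep the escaped form, `# %%if !%%{bleeding}`, to avoid the warning and any future change in how rpm treats it. Commenting out `BuildRequires: git` is consistent with the removal of `%global __scm git_am` in the `%prep` hunk further down.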
@@ -248,13 +258,13 @@ libraries needed for nodes that will form part of the cluster nodes. %package remote License: GPLv2+ and LGPLv2+ Summary: Pacemaker remote daemon for non-cluster nodes -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-cli = %{version}-%{release} Requires: resource-agents # -remote can be fully independent of systemd %{?systemd_ordering}%{!?systemd_ordering:%{?systemd_requires}} Provides: pcmk-cluster-manager = %{version}-%{release} -Provides: pcmk-cluster-manager%{?_isa} = %{version}-%{release} +Provides: pcmk-cluster-manager = %{version}-%{release} %description remote Pacemaker is an advanced, scalable High-Availability cluster resource @@ -267,13 +277,13 @@ nodes not running the full corosync/cluster stack. %package libs-devel License: GPLv2+ and LGPLv2+ Summary: Pacemaker development package -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-cluster-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-cluster-libs = %{version}-%{release} Requires: libtool-ltdl-devel libuuid-devel -Requires: libxml2-devel%{?_isa} libxslt-devel%{?_isa} -Requires: bzip2-devel%{?_isa} glib2-devel%{?_isa} -Requires: libqb-devel%{?_isa} -Requires: corosynclib-devel%{?_isa} >= 2.0.0 +Requires: libxml2-devel libxslt-devel +Requires: bzip2-devel glib2-devel +Requires: libqb-devel +Requires: corosynclib-devel >= 2.0.0 %description libs-devel Pacemaker is an advanced, scalable High-Availability cluster resource 
@@ -285,21 +295,24 @@ for developing tools for Pacemaker. %package cts License: GPLv2+ and LGPLv2+ Summary: Test framework for cluster-related technologies like Pacemaker -Requires: %{python_pkg} >= %{python_min} +Requires: %{python_name} >= %{python_min} +Requires: %{python_path} Requires: %{name}-libs = %{version}-%{release} Requires: procps-ng Requires: psmisc BuildArch: noarch -Requires: %{python_pkg}-systemd +Requires: %{python_name}-systemd %description cts Test framework for cluster-related technologies like Pacemaker %package doc -License: CC-BY-SA +License: CC-BY-SA-4.0 Summary: Documentation for Pacemaker BuildArch: noarch +Conflicts: %{name}-libs > %{version}-%{release} +Conflicts: %{name}-libs < %{version}-%{release} %description doc Documentation for Pacemaker. @@ -323,11 +336,11 @@ License: GPLv3 Summary: Pacemaker Nagios Metadata BuildArch: noarch # NOTE below are the plugins this metadata uses. -Requires: nagios-plugins-http -Requires: nagios-plugins-ldap -Requires: nagios-plugins-mysql -Requires: nagios-plugins-pgsql -Requires: nagios-plugins-tcp +# Requires: nagios-plugins-http +# Requires: nagios-plugins-ldap +# Requires: nagios-plugins-mysql +# Requires: nagios-plugins-pgsql +# Requires: nagios-plugins-tcp Requires: pcmk-cluster-manager %description nagios-plugins-metadata @@ -335,18 +348,10 @@ The metadata files required for Pacemaker to execute the nagios plugin monitor resources. %prep -%setup -q -a 1 -n %{name}-%{commit} -%global __scm git_am -%__scm_setup_git -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 +%setup -q -a 1 -n %{name}-%{archive_version} +%patch0 %build - -# Early versions of autotools (e.g. RHEL <= 5) do not support --docdir -export docdir=%{pcmk_docdir} - export systemdsystemunitdir=%{?_unitdir}%{!?_unitdir:no} %if %{with hardening} 
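Review bot: The five `Requires: nagios-plugins-*` lines of the nagios-plugins-metadata subpackage are commented out without explanation, so the metadata now installs without the plugins it describes and a later maintainer cannot tell whether those packages are unavailable here or the dependency was wrong. Add a one-line comment above them stating the reason, or use `Recommends:` if the plugins are optional. In the `%prep` hunk, `%patch0` is applied without the `-p1` the removed patches used; that is presumably intentional because the added patch uses bare `configure.ac` paths, and a short comment next to `Patch0:` would make that explicit.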
@@ -372,8 +377,10 @@ export CPPFLAGS="-UPCMK_TIME_EMERGENCY_CGT $CPPFLAGS" %{!?with_legacy_links: --disable-legacy-links} \ %{?with_profiling: --with-profiling} \ %{?with_coverage: --with-coverage} \ + %{?with_cibsecrets: --with-cibsecrets} \ %{!?with_doc: --with-brand=} \ %{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \ + --disable-static \ --with-initdir=%{_initrddir} \ --with-runstatedir=%{_rundir} \ --localstatedir=%{_var} \ @@ -386,6 +393,7 @@ export CPPFLAGS="-UPCMK_TIME_EMERGENCY_CGT $CPPFLAGS" make %{_smp_mflags} V=1 %check +make %{_smp_mflags} check { cts/cts-scheduler --run load-stopped-loop \ && cts/cts-cli \ && touch .CHECKED @@ -438,7 +446,7 @@ rm -f %{buildroot}/%{_initrddir}/pacemaker_remote %if %{defined py_byte_compile} && %{defined python_path} %{py_byte_compile %{python_path} %{buildroot}%{_datadir}/pacemaker/tests} %if !%{defined _python_bytecompile_extra} -%{py_byte_compile %{python_path} %{buildroot}%{py_site}/cts} +%{py_byte_compile %{python_path} %{buildroot}%{python_site}/cts} %endif %endif @@ -498,7 +506,7 @@ fi %post cli %systemd_post crm_mon.service -if [ "$1" = 2 ]; then +if [ "$1" -eq 2 ]; then # Package upgrade, not initial install: # Move any pre-2.0 logs to new location to ensure they get rotated { mv -fbS.rpmsave %{_var}/log/pacemaker.log* %{_var}/log/pacemaker \ @@ -516,8 +524,8 @@ fi # XXX keep an eye on https://fedoraproject.org/wiki/Changes/SystemdSysusers # reopened recently: # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/AETGESYR4IEQJMA6SKL7OERSDZFWFNEU/ -getent group %{gname} >/dev/null || groupadd -r %{gname} -g 189 -getent passwd %{uname} >/dev/null || useradd -r -g %{gname} -u 189 -s /sbin/nologin -c "cluster user" %{uname} +getent group %{gname} >/dev/null || groupadd -r %{gname} -g %{hacluster_id} +getent passwd %{uname} >/dev/null || useradd -r -g %{gname} -u %{hacluster_id} -s /sbin/nologin -c "cluster user" %{uname} exit 0 %ldconfig_scriptlets libs 
@@ -572,6 +580,9 @@ exit 0 %{_sbindir}/attrd_updater %{_sbindir}/cibadmin +%if %{with cibsecrets} +%{_sbindir}/cibsecret +%endif %{_sbindir}/crm_diff %{_sbindir}/crm_error %{_sbindir}/crm_failcount @@ -667,7 +678,7 @@ exit 0 %license licenses/CC-BY-SA-4.0 %files cts -%{py_site}/cts +%{python_site}/cts %{_datadir}/pacemaker/tests %{_libexecdir}/pacemaker/cts-log-watcher @@ -703,6 +714,9 @@ exit 0 %license %{nagios_name}-%{nagios_hash}/COPYING %changelog +* Mon Oct 10 2022 jiangxinyu - 2.0.5-1 +- upgrade to 2.0.5 + * Sat Sep 03 2022 jiangxinyu - 2.0.3-3 - Type:cves - ID:CVE-2020-25654