Accepting request 255744 from network:ha-clustering:Factory

-------------------------------------------------------------------- - Backport security and bug fixes (bnc#900879) (CVE-2014-0104) - fence_rhevm: Use https:// prefix also with --ssl-secure and --ssl-insecure - fence_apc: --shell-timeout was used instead of --power-timeout - fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622 - fence_wti: Fix invalid "eol" - fence_pve: Add support for --ssl-secure and --ssl-insecure - Added patches: - 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch - 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch - 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch - 0015-fence_wti-Fix-invalid-eol.patch - 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch OBS-URL: https://build.opensuse.org/request/show/255744 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fence-agents?expand=0&rev=11
2014-10-14 05:12:15 +00:00 · 2014-10-14 05:12:15 +00:00 · f521658645
commit f521658645
parent a414182b51 3c0834f5b5
7 changed files with 231 additions and 0 deletions
--- a/0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+++ b/0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
@ -0,0 +1,26 @@
+From 3c1b6bfb4e0ee7dc583a95c94228003209f3add4 Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mgrac@redhat.com>
+Date: Wed, 17 Sep 2014 14:28:25 +0200
+Subject: [PATCH 12/16] fence_rhevm: Use https:// prefix also with --ssl-secure
+ and --ssl-insecure
+
+---
+ fence/agents/rhevm/fence_rhevm.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fence/agents/rhevm/fence_rhevm.py b/fence/agents/rhevm/fence_rhevm.py
+index 444fb56..1002097 100644
+--- a/fence/agents/rhevm/fence_rhevm.py
+++ b/fence/agents/rhevm/fence_rhevm.py
+@@ -76,7 +76,7 @@ def get_list(conn, options):
+ 
+ def send_command(opt, command, method="GET"):
+ 	## setup correct URL
+-	if opt.has_key("--ssl"):
+	if opt.has_key("--ssl") or opt.has_key("--ssl-secure") or opt.has_key("--ssl-insecure"):
+ 		url = "https:"
+ 	else:
+ 		url = "http:"
+-- 
+1.8.4.5
+
--- a/0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+++ b/0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
@ -0,0 +1,29 @@
+From 7300cecce3fcb4cc7b4eab2167470cf70b4e295e Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mgrac@redhat.com>
+Date: Mon, 22 Sep 2014 14:46:43 +0200
+Subject: [PATCH 13/16] fence_apc: --shell-timeout was used instead of
+ --power-timeout
+
+---
+ fence/agents/apc/fence_apc.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fence/agents/apc/fence_apc.py b/fence/agents/apc/fence_apc.py
+index 83bfe07..f2080f1 100644
+--- a/fence/agents/apc/fence_apc.py
+++ b/fence/agents/apc/fence_apc.py
+@@ -170,9 +170,9 @@ def set_power_status(conn, options):
+ 	conn.send_eol(action)
+ 	conn.log_expect(options, "Enter 'YES' to continue or <ENTER> to cancel :", int(options["--shell-timeout"]))
+ 	conn.send_eol("YES")
+-	conn.log_expect(options, "Press <ENTER> to continue...", int(options["--shell-timeout"]))
+	conn.log_expect(options, "Press <ENTER> to continue...", int(options["--power-timeout"]))
+ 	conn.send_eol("")
+-	conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+	conn.log_expect(options, options["--command-prompt"], int(options["--power-timeout"]))
+ 	conn.send(chr(03))
+ 	conn.log_expect(options, "- Logout", int(options["--shell-timeout"]))
+ 	conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+-- 
+1.8.4.5
+
--- a/0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+++ b/0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
@ -0,0 +1,27 @@
+From a8fb1956465a6b50fd3f4cbb106b192d707f4c8a Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mgrac@redhat.com>
+Date: Thu, 2 Oct 2014 16:08:26 +0200
+Subject: [PATCH 14/16] fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+
+Patch was not incorporated correctly from older version.
+
+Resolves: rhbz#1110428
+---
+ fence/agents/rsb/fence_rsb.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fence/agents/rsb/fence_rsb.py b/fence/agents/rsb/fence_rsb.py
+index bcad1de..d21093f 100755
+--- a/fence/agents/rsb/fence_rsb.py
+++ b/fence/agents/rsb/fence_rsb.py
+@@ -29,7 +29,6 @@ def set_power_status(conn, options):
+ 	conn.send("2")
+ 	conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+ 	conn.send_eol(action)
+-	conn.log_expect(options, ["want to power off", "'yes' or 'no'"], int(options["--shell-timeout"]))
+ 	conn.log_expect(options, ["want to power " + options["--action"], 
+ 			"yes/no", "'yes' or 'no'"], int(options["--shell-timeout"]))
+ 	conn.send_eol("yes")
+-- 
+1.8.4.5
+
--- a/0015-fence_wti-Fix-invalid-eol.patch
+++ b/0015-fence_wti-Fix-invalid-eol.patch
@ -0,0 +1,83 @@
+From c24d8afba32b1d46a517b4605ef951e83211bb6a Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mgrac@redhat.com>
+Date: Thu, 2 Oct 2014 16:20:59 +0200
+Subject: [PATCH 15/16] fence_wti: Fix invalid "eol"
+
+Fence agent for WTI does not use standard telnet login because it is possible that username/password are not
+required. EOL is set by fence_login() function that is not used, so we set it manually and replace
+obsolete combination of send (+eol) to correct send_eol()
+
+Resolves: rhbz#1148762
+---
+ fence/agents/wti/fence_wti.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fence/agents/wti/fence_wti.py b/fence/agents/wti/fence_wti.py
+index 78cd4e1..86f9a4d 100644
+--- a/fence/agents/wti/fence_wti.py
+++ b/fence/agents/wti/fence_wti.py
+@@ -27,7 +27,7 @@ BUILD_DATE="March, 2008"
+ def get_listing(conn, options, listing_command):
+ 	listing = ""
+ 
+-	conn.send(listing_command + "\r\n")
+	conn.send_eol(listing_command)
+ 
+ 	if isinstance(options["--command-prompt"], list):
+ 		re_all = list(options["--command-prompt"])
+@@ -39,7 +39,7 @@ def get_listing(conn, options, listing_command):
+ 	result = conn.log_expect(options, re_all, int(options["--shell-timeout"]))
+ 	listing = conn.before
+ 	if result == (len(re_all) - 1):
+-		conn.send("\r\n")
+		conn.send_eol("")
+ 		conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+ 		listing += conn.before
+ 
+@@ -174,7 +174,7 @@ def set_power_status(conn, options):
+ 		'off': "/off"
+ 	}[options["--action"]]
+ 
+-	conn.send(action + " " + options["--plug"] + ",y\r\n")
+	conn.send_eol(action + " " + options["--plug"] + ",y")
+ 	conn.log_expect(options, options["--command-prompt"], int(options["--power-timeout"]))
+ 
+ def main():
+@@ -207,6 +207,8 @@ is running because the connection will block any necessary fencing actions."
+ 			if options["--action"] in ["off", "reboot"]:
+ 				time.sleep(int(options["--delay"]))
+ 
+			options["eol"] = "\r\n"
+
+ 			conn = fspawn(options, TELNET_PATH)
+ 			conn.send("set binary\n")
+ 			conn.send("open %s -%s\n"%(options["--ip"], options["--ipport"]))
+@@ -217,14 +219,14 @@ is running because the connection will block any necessary fencing actions."
+ 			result = conn.log_expect(options, [re_login, "Password: ", re_prompt], int(options["--shell-timeout"]))
+ 			if result == 0:
+ 				if options.has_key("--username"):
+-					conn.send(options["--username"]+"\r\n")
+					conn.send_eol(options["--username"])
+ 					result = conn.log_expect(options, [re_login, "Password: ", re_prompt], int(options["--shell-timeout"]))
+ 				else:
+ 					fail_usage("Failed: You have to set login name")
+ 
+ 			if result == 1:
+ 				if options.has_key("--password"):
+-					conn.send(options["--password"]+"\r\n")
+					conn.send_eol(options["--password"])
+ 					conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+ 				else:
+ 					fail_usage("Failed: You have to enter password or password script")
+@@ -236,7 +238,7 @@ is running because the connection will block any necessary fencing actions."
+ 		conn = fence_login(options)
+ 
+ 	result = fence_action(conn, options, set_power_status, get_power_status, get_power_status)
+-	fence_logout(conn, "/X\r\n")
+	fence_logout(conn, "/X")
+ 	sys.exit(result)
+ 
+ if __name__ == "__main__":
+-- 
+1.8.4.5
+
--- a/0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
+++ b/0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
@ -0,0 +1,34 @@
+From 1a51916d64f48995b324e0c8f0977366956896b1 Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac <mgrac@redhat.com>
+Date: Mon, 13 Oct 2014 10:33:18 +0200
+Subject: [PATCH 16/16] fence_pve: Add support for --ssl-secure and
+ --ssl-insecure
+
+Resolves: rhbz#1151515
+---
+ fence/agents/pve/fence_pve.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fence/agents/pve/fence_pve.py b/fence/agents/pve/fence_pve.py
+index 132234e..bb59a9b 100644
+--- a/fence/agents/pve/fence_pve.py
+++ b/fence/agents/pve/fence_pve.py
+@@ -106,8 +106,13 @@ def send_cmd(options, cmd, post=None):
+ 		conn.setopt(pycurl.POSTFIELDS, urllib.urlencode(post))
+ 	conn.setopt(pycurl.WRITEFUNCTION, output_buffer.write)
+ 	conn.setopt(pycurl.TIMEOUT, int(options["--shell-timeout"]))
+-	conn.setopt(pycurl.SSL_VERIFYPEER, 0)
+-	conn.setopt(pycurl.SSL_VERIFYHOST, 0)
+	if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+		conn.setopt(pycurl.SSL_VERIFYPEER, 1)
+		conn.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+	if opt.has_key("--ssl-insecure"):
+		conn.setopt(pycurl.SSL_VERIFYPEER, 0)
+		conn.setopt(pycurl.SSL_VERIFYHOST, 0)
+ 
+ 	logging.debug("URL: " + url)
+ 
+-- 
+1.8.4.5
+
--- a/fence-agents.changes
+++ b/fence-agents.changes
@ -1,3 +1,20 @@
+--------------------------------------------------------------------
+Mon Oct 13 11:06:22 UTC 2014 - kgronlund@suse.com
+
+- Backport security and bug fixes (bnc#900879) (CVE-2014-0104)
+  - fence_rhevm: Use https:// prefix also with --ssl-secure and --ssl-insecure
+  - fence_apc: --shell-timeout was used instead of --power-timeout
+  - fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+  - fence_wti: Fix invalid "eol"
+  - fence_pve: Add support for --ssl-secure and --ssl-insecure
+
+- Added patches:
+  - 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+  - 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+  - 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+  - 0015-fence_wti-Fix-invalid-eol.patch
+  - 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch 
+
 -------------------------------------------------------------------
 Fri Oct  3 17:43:37 UTC 2014 - kgronlund@suse.com

--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -49,6 +49,16 @@ Patch9:         0009-fence_cisco_ucs-fence_vmware_soap-Logout-has-to-be-p.patch
 Patch10:        0010-fence_zvm-Fixes-for-better-upstream-inclusion.patch
 # PATCH-FIX-UPSTREAM: fence_zvm: Add support for 'on', improve documentation
 Patch11:        0011-fence_zvm-Add-support-for-on-improve-documentation.patch
+# PATCH-FIX-UPSTREAM: fence_rhevm: Use https:// prefix also with --ssl-secure and --ssl-insecure 
+Patch12:        0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+# PATCH-FIX-UPSTREAM: fence_apc: --shell-timeout was used instead of --power-timeout
+Patch13:        0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+# PATCH-FIX-UPSTREAM: fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+Patch14:        0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+# PATCH-FIX-UPSTREAM: fence_wti: Fix invalid "eol"
+Patch15:        0015-fence_wti-Fix-invalid-eol.patch
+# PATCH-FIX-UPSTREAM: fence_pve: Add support for --ssl-secure and --ssl-insecure
+Patch16:        0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch

 Requires:       python-curl
 Requires:       python-openssl
@ -189,6 +199,11 @@ Authors:
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1

 %build
 CFLAGS="${CFLAGS} ${RPM_OPT_FLAGS}"