From 3c0834f5b53939bb0343c50576dd63679c1f7b566d08a87f75c1fe4330d5a66e Mon Sep 17 00:00:00 2001
From: Kristoffer Gronlund
Date: Mon, 13 Oct 2014 11:50:26 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/network:ha-clustering:Factory/fence-agents?expand=0&rev=23
---
 ...https-prefix-also-with-ssl-secure-an.patch | 26 ++++++
 ...timeout-was-used-instead-of-power-ti.patch | 29 +++++++
 ...d90e3a0827fcdc5be632bdf4103d3c08b396.patch | 27 ++++++
 0015-fence_wti-Fix-invalid-eol.patch | 83 +++++++++++++++++++
 ...pport-for-ssl-secure-and-ssl-insecur.patch | 34 ++++++++
 fence-agents.changes | 17 ++++
 fence-agents.spec | 15 ++++
 7 files changed, 231 insertions(+)
 create mode 100644 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
 create mode 100644 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
 create mode 100644 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
 create mode 100644 0015-fence_wti-Fix-invalid-eol.patch
 create mode 100644 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
diff --git a/0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch b/0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
new file mode 100644
index 0000000..a7d186c
--- /dev/null
+++ b/0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
@@ -0,0 +1,26 @@
+From 3c1b6bfb4e0ee7dc583a95c94228003209f3add4 Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac
+Date: Wed, 17 Sep 2014 14:28:25 +0200
+Subject: [PATCH 12/16] fence_rhevm: Use https:// prefix also with --ssl-secure
+ and --ssl-insecure
+
+---
+ fence/agents/rhevm/fence_rhevm.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fence/agents/rhevm/fence_rhevm.py b/fence/agents/rhevm/fence_rhevm.py
+index 444fb56..1002097 100644
+--- a/fence/agents/rhevm/fence_rhevm.py
++++ b/fence/agents/rhevm/fence_rhevm.py
+@@ -76,7 +76,7 @@ def get_list(conn, options):
+ 
+ def send_command(opt, command, method="GET"):
+ ## setup correct URL
+- if opt.has_key("--ssl"):
++ if opt.has_key("--ssl") or opt.has_key("--ssl-secure") or opt.has_key("--ssl-insecure"):
+ url = "https:"
+ else:
+ url = "http:"
+--
+1.8.4.5
+
diff --git a/0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch b/0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
new file mode 100644
index 0000000..86478d1
--- /dev/null
+++ b/0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
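Review bot: The three chained `has_key` calls on the new line of `send_command` in fence_rhevm.py read more clearly as a membership test, `if any(k in opt for k in ("--ssl", "--ssl-secure", "--ssl-insecure")):`, which also drops the deprecated `dict.has_key`; the same applies to the `opt.has_key` conditions added in 0016-fence_pve. This hunk only decides the URL scheme, so whether `--ssl-secure` actually enables certificate verification for the rhevm agent is settled elsewhere in that file and cannot be judged here. `send_command` continues past the end of the hunk.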
@@ -0,0 +1,29 @@
+From 7300cecce3fcb4cc7b4eab2167470cf70b4e295e Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac
+Date: Mon, 22 Sep 2014 14:46:43 +0200
+Subject: [PATCH 13/16] fence_apc: --shell-timeout was used instead of
+ --power-timeout
+
+---
+ fence/agents/apc/fence_apc.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fence/agents/apc/fence_apc.py b/fence/agents/apc/fence_apc.py
+index 83bfe07..f2080f1 100644
+--- a/fence/agents/apc/fence_apc.py
++++ b/fence/agents/apc/fence_apc.py
+@@ -170,9 +170,9 @@ def set_power_status(conn, options):
+ conn.send_eol(action)
+ conn.log_expect(options, "Enter 'YES' to continue or to cancel :", int(options["--shell-timeout"]))
+ conn.send_eol("YES")
+- conn.log_expect(options, "Press to continue...", int(options["--shell-timeout"]))
++ conn.log_expect(options, "Press to continue...", int(options["--power-timeout"]))
+ conn.send_eol("")
+- conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
++ conn.log_expect(options, options["--command-prompt"], int(options["--power-timeout"]))
+ conn.send(chr(03))
+ conn.log_expect(options, "- Logout", int(options["--shell-timeout"]))
+ conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+--
+1.8.4.5
+
diff --git a/0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch b/0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
new file mode 100644
index 0000000..1af8d34
--- /dev/null
+++ b/0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
@@ -0,0 +1,27 @@
+From a8fb1956465a6b50fd3f4cbb106b192d707f4c8a Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac
+Date: Thu, 2 Oct 2014 16:08:26 +0200
+Subject: [PATCH 14/16] fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+
+Patch was not incorporated correctly from older version.
+
+Resolves: rhbz#1110428
+---
+ fence/agents/rsb/fence_rsb.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fence/agents/rsb/fence_rsb.py b/fence/agents/rsb/fence_rsb.py
+index bcad1de..d21093f 100755
+--- a/fence/agents/rsb/fence_rsb.py
++++ b/fence/agents/rsb/fence_rsb.py
+@@ -29,7 +29,6 @@ def set_power_status(conn, options):
+ conn.send("2")
+ conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+ conn.send_eol(action)
+- conn.log_expect(options, ["want to power off", "'yes' or 'no'"], int(options["--shell-timeout"]))
+ conn.log_expect(options, ["want to power " + options["--action"],
+ "yes/no", "'yes' or 'no'"], int(options["--shell-timeout"]))
+ conn.send_eol("yes")
+--
+1.8.4.5
+
diff --git a/0015-fence_wti-Fix-invalid-eol.patch b/0015-fence_wti-Fix-invalid-eol.patch
new file mode 100644
index 0000000..8d457e5
--- /dev/null
+++ b/0015-fence_wti-Fix-invalid-eol.patch
@@ -0,0 +1,83 @@
+From c24d8afba32b1d46a517b4605ef951e83211bb6a Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac
+Date: Thu, 2 Oct 2014 16:20:59 +0200
+Subject: [PATCH 15/16] fence_wti: Fix invalid "eol"
+
+Fence agent for WTI does not use standard telnet login because it is possible that username/password are not
+required. EOL is set by fence_login() function that is not used, so we set it manually and replace
+obsolete combination of send (+eol) to correct send_eol()
+
+Resolves: rhbz#1148762
+---
+ fence/agents/wti/fence_wti.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fence/agents/wti/fence_wti.py b/fence/agents/wti/fence_wti.py
+index 78cd4e1..86f9a4d 100644
+--- a/fence/agents/wti/fence_wti.py
++++ b/fence/agents/wti/fence_wti.py
+@@ -27,7 +27,7 @@ BUILD_DATE="March, 2008"
+ def get_listing(conn, options, listing_command):
+ listing = ""
+ 
+- conn.send(listing_command + "\r\n")
++ conn.send_eol(listing_command)
+ 
+ if isinstance(options["--command-prompt"], list):
+ re_all = list(options["--command-prompt"])
+@@ -39,7 +39,7 @@ def get_listing(conn, options, listing_command):
+ result = conn.log_expect(options, re_all, int(options["--shell-timeout"]))
+ listing = conn.before
+ if result == (len(re_all) - 1):
+- conn.send("\r\n")
++ conn.send_eol("")
+ conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+ listing += conn.before
+ 
+@@ -174,7 +174,7 @@ def set_power_status(conn, options):
+ 'off': "/off"
+ }[options["--action"]]
+ 
+- conn.send(action + " " + options["--plug"] + ",y\r\n")
++ conn.send_eol(action + " " + options["--plug"] + ",y")
+ conn.log_expect(options, options["--command-prompt"], int(options["--power-timeout"]))
+ 
+ def main():
+@@ -207,6 +207,8 @@ is running because the connection will block any necessary fencing actions."
+ if options["--action"] in ["off", "reboot"]:
+ time.sleep(int(options["--delay"]))
+ 
++ options["eol"] = "\r\n"
++
+ conn = fspawn(options, TELNET_PATH)
+ conn.send("set binary\n")
+ conn.send("open %s -%s\n"%(options["--ip"], options["--ipport"]))
+@@ -217,14 +219,14 @@ is running because the connection will block any necessary fencing actions."
+ result = conn.log_expect(options, [re_login, "Password: ", re_prompt], int(options["--shell-timeout"]))
+ if result == 0:
+ if options.has_key("--username"):
+- conn.send(options["--username"]+"\r\n")
++ conn.send_eol(options["--username"])
+ result = conn.log_expect(options, [re_login, "Password: ", re_prompt], int(options["--shell-timeout"]))
+ else:
+ fail_usage("Failed: You have to set login name")
+ 
+ if result == 1:
+ if options.has_key("--password"):
+- conn.send(options["--password"]+"\r\n")
++ conn.send_eol(options["--password"])
+ conn.log_expect(options, options["--command-prompt"], int(options["--shell-timeout"]))
+ else:
+ fail_usage("Failed: You have to enter password or password script")
+@@ -236,7 +238,7 @@ is running because the connection will block any necessary fencing actions."
+ conn = fence_login(options)
+ 
+ result = fence_action(conn, options, set_power_status, get_power_status, get_power_status)
+- fence_logout(conn, "/X\r\n")
++ fence_logout(conn, "/X")
+ sys.exit(result)
+ 
+ if __name__ == "__main__":
+--
+1.8.4.5
+
diff --git a/0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch b/0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
new file mode 100644
index 0000000..ffd5b95
--- /dev/null
+++ b/0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
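Review bot: The new `options["eol"] = "\r\n"` assignment ahead of `fspawn` in `main()` of fence_wti.py needs a comment, because the reason it is set by hand lives only in the commit message: `# fence_login() normally sets "eol"; the WTI agent performs the telnet login itself below, so set it here`. Every `send_eol` call rewritten in this patch and the `fence_logout(conn, "/X")` line depend on that value, so a reader changing the line ending would otherwise have no pointer to those callers. If the `conn = fence_login(options)` branch near the end of the file sets `eol` as well, the manual assignment is redundant on that path, which is harmless but worth a word in the same comment. `main()` starts before the `@@ -207` hunk and ends after the last hunk.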
@@ -0,0 +1,34 @@
+From 1a51916d64f48995b324e0c8f0977366956896b1 Mon Sep 17 00:00:00 2001
+From: Marek 'marx' Grac
+Date: Mon, 13 Oct 2014 10:33:18 +0200
+Subject: [PATCH 16/16] fence_pve: Add support for --ssl-secure and
+ --ssl-insecure
+
+Resolves: rhbz#1151515
+---
+ fence/agents/pve/fence_pve.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fence/agents/pve/fence_pve.py b/fence/agents/pve/fence_pve.py
+index 132234e..bb59a9b 100644
+--- a/fence/agents/pve/fence_pve.py
++++ b/fence/agents/pve/fence_pve.py
+@@ -106,8 +106,13 @@ def send_cmd(options, cmd, post=None):
+ conn.setopt(pycurl.POSTFIELDS, urllib.urlencode(post))
+ conn.setopt(pycurl.WRITEFUNCTION, output_buffer.write)
+ conn.setopt(pycurl.TIMEOUT, int(options["--shell-timeout"]))
+- conn.setopt(pycurl.SSL_VERIFYPEER, 0)
+- conn.setopt(pycurl.SSL_VERIFYHOST, 0)
++ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
++ conn.setopt(pycurl.SSL_VERIFYPEER, 1)
++ conn.setopt(pycurl.SSL_VERIFYHOST, 2)
++
++ if opt.has_key("--ssl-insecure"):
++ conn.setopt(pycurl.SSL_VERIFYPEER, 0)
++ conn.setopt(pycurl.SSL_VERIFYHOST, 0)
+ 
+ logging.debug("URL: " + url)
+ 
+--
+1.8.4.5
+
diff --git a/fence-agents.changes b/fence-agents.changes
index d5a6f96..7d7b556 100644
--- a/fence-agents.changes
+++ b/fence-agents.changes
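Review bot: The new conditions in `send_cmd` of fence_pve.py test `opt.has_key(...)`, but the hunk header shows the function's parameter is named `options`; unless a module-level `opt` exists, every call raises `NameError` and the agent cannot fence at all once this backport is applied. The two lines should read `if options.has_key("--ssl") or options.has_key("--ssl-secure"):` and `if options.has_key("--ssl-insecure"):`. Separately, when both `--ssl-secure` and `--ssl-insecure` are given the second block runs last and verification ends up disabled, so either reject that combination at option parsing or make the insecure branch an `elif` to make the precedence explicit. With no ssl flag at all, neither block runs and libcurl's verifying defaults apply, which is the safer direction compared with the removed unconditional `0`/`0` settings. `send_cmd` begins before and continues after the hunk.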
@@ -1,3 +1,20 @@
+--------------------------------------------------------------------
+Mon Oct 13 11:06:22 UTC 2014 - kgronlund@suse.com
+
+- Backport security and bug fixes (bnc#900879) (CVE-2014-0104)
+ - fence_rhevm: Use https:// prefix also with --ssl-secure and --ssl-insecure
+ - fence_apc: --shell-timeout was used instead of --power-timeout
+ - fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+ - fence_wti: Fix invalid "eol"
+ - fence_pve: Add support for --ssl-secure and --ssl-insecure
+
+- Added patches:
+ - 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+ - 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+ - 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+ - 0015-fence_wti-Fix-invalid-eol.patch
+ - 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
+
 -------------------------------------------------------------------
 Fri Oct 3 17:43:37 UTC 2014 - kgronlund@suse.com
 
diff --git a/fence-agents.spec b/fence-agents.spec
index 5a8671d..f76e6dd 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -49,6 +49,16 @@ Patch9: 0009-fence_cisco_ucs-fence_vmware_soap-Logout-has-to-be-p.patch
 Patch10: 0010-fence_zvm-Fixes-for-better-upstream-inclusion.patch
 # PATCH-FIX-UPSTREAM: fence_zvm: Add support for 'on', improve documentation
 Patch11: 0011-fence_zvm-Add-support-for-on-improve-documentation.patch
+# PATCH-FIX-UPSTREAM: fence_rhevm: Use https:// prefix also with --ssl-secure and --ssl-insecure
+Patch12: 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+# PATCH-FIX-UPSTREAM: fence_apc: --shell-timeout was used instead of --power-timeout
+Patch13: 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+# PATCH-FIX-UPSTREAM: fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+Patch14: 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+# PATCH-FIX-UPSTREAM: fence_wti: Fix invalid "eol"
+Patch15: 0015-fence_wti-Fix-invalid-eol.patch
+# PATCH-FIX-UPSTREAM: fence_pve: Add support for --ssl-secure and --ssl-insecure
+Patch16: 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
 
 Requires: python-curl
 Requires: python-openssl
@@ -189,6 +199,11 @@ Authors:
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 CFLAGS="${CFLAGS} ${RPM_OPT_FLAGS}"