Hello community,

here is the log from the commit of package fence-agents for openSUSE:Factory 
checked in at 2014-10-14 07:12:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fence-agents (Old)
 and      /work/SRC/openSUSE:Factory/.fence-agents.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fence-agents"

Changes:
--------
--- /work/SRC/openSUSE:Factory/fence-agents/fence-agents.changes        
2014-10-06 22:04:54.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.fence-agents.new/fence-agents.changes   
2014-10-14 07:13:02.000000000 +0200
@@ -0,0 +1,17 @@
+--------------------------------------------------------------------
+Mon Oct 13 11:06:22 UTC 2014 - [email protected]
+
+- Backport security and bug fixes (bnc#900879) (CVE-2014-0104)
+  - fence_rhevm: Use https:// prefix also with --ssl-secure and --ssl-insecure
+  - fence_apc: --shell-timeout was used instead of --power-timeout
+  - fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+  - fence_wti: Fix invalid "eol"
+  - fence_pve: Add support for --ssl-secure and --ssl-insecure
+
+- Added patches:
+  - 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+  - 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+  - 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+  - 0015-fence_wti-Fix-invalid-eol.patch
+  - 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch 
+

New:
----
  0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
  0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
  0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
  0015-fence_wti-Fix-invalid-eol.patch
  0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fence-agents.spec ++++++
--- /var/tmp/diff_new_pack.6GU7k3/_old  2014-10-14 07:13:04.000000000 +0200
+++ /var/tmp/diff_new_pack.6GU7k3/_new  2014-10-14 07:13:04.000000000 +0200
@@ -49,6 +49,16 @@
 Patch10:        0010-fence_zvm-Fixes-for-better-upstream-inclusion.patch
 # PATCH-FIX-UPSTREAM: fence_zvm: Add support for 'on', improve documentation
 Patch11:        0011-fence_zvm-Add-support-for-on-improve-documentation.patch
+# PATCH-FIX-UPSTREAM: fence_rhevm: Use https:// prefix also with --ssl-secure 
and --ssl-insecure 
+Patch12:        0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch
+# PATCH-FIX-UPSTREAM: fence_apc: --shell-timeout was used instead of 
--power-timeout
+Patch13:        0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch
+# PATCH-FIX-UPSTREAM: fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622
+Patch14:        0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch
+# PATCH-FIX-UPSTREAM: fence_wti: Fix invalid "eol"
+Patch15:        0015-fence_wti-Fix-invalid-eol.patch
+# PATCH-FIX-UPSTREAM: fence_pve: Add support for --ssl-secure and 
--ssl-insecure
+Patch16:        0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch
 
 Requires:       python-curl
 Requires:       python-openssl
@@ -189,6 +199,11 @@
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 CFLAGS="${CFLAGS} ${RPM_OPT_FLAGS}"

++++++ 0012-fence_rhevm-Use-https-prefix-also-with-ssl-secure-an.patch ++++++
>From 3c1b6bfb4e0ee7dc583a95c94228003209f3add4 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <[email protected]>
Date: Wed, 17 Sep 2014 14:28:25 +0200
Subject: [PATCH 12/16] fence_rhevm: Use https:// prefix also with --ssl-secure
 and --ssl-insecure

---
 fence/agents/rhevm/fence_rhevm.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fence/agents/rhevm/fence_rhevm.py 
b/fence/agents/rhevm/fence_rhevm.py
index 444fb56..1002097 100644
--- a/fence/agents/rhevm/fence_rhevm.py
+++ b/fence/agents/rhevm/fence_rhevm.py
@@ -76,7 +76,7 @@ def get_list(conn, options):
 
 def send_command(opt, command, method="GET"):
        ## setup correct URL
-       if opt.has_key("--ssl"):
+       if opt.has_key("--ssl") or opt.has_key("--ssl-secure") or 
opt.has_key("--ssl-insecure"):
                url = "https:"
        else:
                url = "http:"
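Review bot: The `else` branch below the widened test still falls back to `http:` whenever none of the three options is set, and nothing in the hunk says that this is the intended default. Whatever credentials send_command attaches outside this hunk would then travel unencrypted, which should be confirmed against the rest of the function. A comment on the condition would record the rule, for example `## any of --ssl, --ssl-secure, --ssl-insecure selects https; plain http only when none is given`. This test only picks the scheme; certificate verification for --ssl-insecure is configured elsewhere and is not visible here. send_command continues past the end of the hunk.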
-- 
1.8.4.5

++++++ 0013-fence_apc-shell-timeout-was-used-instead-of-power-ti.patch ++++++
>From 7300cecce3fcb4cc7b4eab2167470cf70b4e295e Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <[email protected]>
Date: Mon, 22 Sep 2014 14:46:43 +0200
Subject: [PATCH 13/16] fence_apc: --shell-timeout was used instead of
 --power-timeout

---
 fence/agents/apc/fence_apc.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fence/agents/apc/fence_apc.py b/fence/agents/apc/fence_apc.py
index 83bfe07..f2080f1 100644
--- a/fence/agents/apc/fence_apc.py
+++ b/fence/agents/apc/fence_apc.py
@@ -170,9 +170,9 @@ def set_power_status(conn, options):
        conn.send_eol(action)
        conn.log_expect(options, "Enter 'YES' to continue or <ENTER> to cancel 
:", int(options["--shell-timeout"]))
        conn.send_eol("YES")
-       conn.log_expect(options, "Press <ENTER> to continue...", 
int(options["--shell-timeout"]))
+       conn.log_expect(options, "Press <ENTER> to continue...", 
int(options["--power-timeout"]))
        conn.send_eol("")
-       conn.log_expect(options, options["--command-prompt"], 
int(options["--shell-timeout"]))
+       conn.log_expect(options, options["--command-prompt"], 
int(options["--power-timeout"]))
        conn.send(chr(03))
        conn.log_expect(options, "- Logout", int(options["--shell-timeout"]))
        conn.log_expect(options, options["--command-prompt"], 
int(options["--shell-timeout"]))
-- 
1.8.4.5

++++++ 0014-fence_rsb-Fix-62d90e3a0827fcdc5be632bdf4103d3c08b396.patch ++++++
>From a8fb1956465a6b50fd3f4cbb106b192d707f4c8a Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <[email protected]>
Date: Thu, 2 Oct 2014 16:08:26 +0200
Subject: [PATCH 14/16] fence_rsb: Fix 62d90e3a0827fcdc5be632bdf4103d3c08b39622

Patch was not incorporated correctly from older version.

Resolves: rhbz#1110428
---
 fence/agents/rsb/fence_rsb.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/fence/agents/rsb/fence_rsb.py b/fence/agents/rsb/fence_rsb.py
index bcad1de..d21093f 100755
--- a/fence/agents/rsb/fence_rsb.py
+++ b/fence/agents/rsb/fence_rsb.py
@@ -29,7 +29,6 @@ def set_power_status(conn, options):
        conn.send("2")
        conn.log_expect(options, options["--command-prompt"], 
int(options["--shell-timeout"]))
        conn.send_eol(action)
-       conn.log_expect(options, ["want to power off", "'yes' or 'no'"], 
int(options["--shell-timeout"]))
        conn.log_expect(options, ["want to power " + options["--action"], 
                        "yes/no", "'yes' or 'no'"], 
int(options["--shell-timeout"]))
        conn.send_eol("yes")
-- 
1.8.4.5

++++++ 0015-fence_wti-Fix-invalid-eol.patch ++++++
>From c24d8afba32b1d46a517b4605ef951e83211bb6a Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <[email protected]>
Date: Thu, 2 Oct 2014 16:20:59 +0200
Subject: [PATCH 15/16] fence_wti: Fix invalid "eol"

Fence agent for WTI does not use standard telnet login because it is possible 
that username/password are not
required. EOL is set by fence_login() function that is not used, so we set it 
manually and replace
obsolete combination of send (+eol) to correct send_eol()

Resolves: rhbz#1148762
---
 fence/agents/wti/fence_wti.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/fence/agents/wti/fence_wti.py b/fence/agents/wti/fence_wti.py
index 78cd4e1..86f9a4d 100644
--- a/fence/agents/wti/fence_wti.py
+++ b/fence/agents/wti/fence_wti.py
@@ -27,7 +27,7 @@ BUILD_DATE="March, 2008"
 def get_listing(conn, options, listing_command):
        listing = ""
 
-       conn.send(listing_command + "\r\n")
+       conn.send_eol(listing_command)
 
        if isinstance(options["--command-prompt"], list):
                re_all = list(options["--command-prompt"])
@@ -39,7 +39,7 @@ def get_listing(conn, options, listing_command):
        result = conn.log_expect(options, re_all, 
int(options["--shell-timeout"]))
        listing = conn.before
        if result == (len(re_all) - 1):
-               conn.send("\r\n")
+               conn.send_eol("")
                conn.log_expect(options, options["--command-prompt"], 
int(options["--shell-timeout"]))
                listing += conn.before
 
@@ -174,7 +174,7 @@ def set_power_status(conn, options):
                'off': "/off"
        }[options["--action"]]
 
-       conn.send(action + " " + options["--plug"] + ",y\r\n")
+       conn.send_eol(action + " " + options["--plug"] + ",y")
        conn.log_expect(options, options["--command-prompt"], 
int(options["--power-timeout"]))
 
 def main():
@@ -207,6 +207,8 @@ is running because the connection will block any necessary 
fencing actions."
                        if options["--action"] in ["off", "reboot"]:
                                time.sleep(int(options["--delay"]))
 
+                       options["eol"] = "\r\n"
+
                        conn = fspawn(options, TELNET_PATH)
                        conn.send("set binary\n")
                        conn.send("open %s -%s\n"%(options["--ip"], 
options["--ipport"]))
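Review bot: The added `options["eol"] = "\r\n"` sets an internal key by hand with no comment, and the reason is given only in the commit message. A reader of main() cannot tell that every later `conn.send_eol()` on this manual telnet path depends on it. A comment above the assignment would fix that: `# fence_login() is bypassed on this path, so set the line ending send_eol() appends`. The two `conn.send("... \n")` calls right after it keep a bare `\n`, presumably because they address the local telnet client rather than the device; a short remark there would stop someone from converting them as well. main() starts and ends outside the hunk.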
@@ -217,14 +219,14 @@ is running because the connection will block any 
necessary fencing actions."
                        result = conn.log_expect(options, [re_login, "Password: 
", re_prompt], int(options["--shell-timeout"]))
                        if result == 0:
                                if options.has_key("--username"):
-                                       conn.send(options["--username"]+"\r\n")
+                                       conn.send_eol(options["--username"])
                                        result = conn.log_expect(options, 
[re_login, "Password: ", re_prompt], int(options["--shell-timeout"]))
                                else:
                                        fail_usage("Failed: You have to set 
login name")
 
                        if result == 1:
                                if options.has_key("--password"):
-                                       conn.send(options["--password"]+"\r\n")
+                                       conn.send_eol(options["--password"])
                                        conn.log_expect(options, 
options["--command-prompt"], int(options["--shell-timeout"]))
                                else:
                                        fail_usage("Failed: You have to enter 
password or password script")
@@ -236,7 +238,7 @@ is running because the connection will block any necessary 
fencing actions."
                conn = fence_login(options)
 
        result = fence_action(conn, options, set_power_status, 
get_power_status, get_power_status)
-       fence_logout(conn, "/X\r\n")
+       fence_logout(conn, "/X")
        sys.exit(result)
 
 if __name__ == "__main__":
-- 
1.8.4.5

++++++ 0016-fence_pve-Add-support-for-ssl-secure-and-ssl-insecur.patch ++++++
>From 1a51916d64f48995b324e0c8f0977366956896b1 Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <[email protected]>
Date: Mon, 13 Oct 2014 10:33:18 +0200
Subject: [PATCH 16/16] fence_pve: Add support for --ssl-secure and
 --ssl-insecure

Resolves: rhbz#1151515
---
 fence/agents/pve/fence_pve.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fence/agents/pve/fence_pve.py b/fence/agents/pve/fence_pve.py
index 132234e..bb59a9b 100644
--- a/fence/agents/pve/fence_pve.py
+++ b/fence/agents/pve/fence_pve.py
@@ -106,8 +106,13 @@ def send_cmd(options, cmd, post=None):
                conn.setopt(pycurl.POSTFIELDS, urllib.urlencode(post))
        conn.setopt(pycurl.WRITEFUNCTION, output_buffer.write)
        conn.setopt(pycurl.TIMEOUT, int(options["--shell-timeout"]))
-       conn.setopt(pycurl.SSL_VERIFYPEER, 0)
-       conn.setopt(pycurl.SSL_VERIFYHOST, 0)
+       if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+               conn.setopt(pycurl.SSL_VERIFYPEER, 1)
+               conn.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+       if opt.has_key("--ssl-insecure"):
+               conn.setopt(pycurl.SSL_VERIFYPEER, 0)
+               conn.setopt(pycurl.SSL_VERIFYHOST, 0)
 
        logging.debug("URL: " + url)
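Review bot: `opt` is not a name this function receives: the hunk header shows `send_cmd(options, cmd, post=None)` and the line just above reads `options["--shell-timeout"]`. Unless the module defines a global `opt`, both new tests raise NameError before any request is sent. They should read `if options.has_key("--ssl") or options.has_key("--ssl-secure"):` and `if options.has_key("--ssl-insecure"):`. Because the two tests are independent `if`s with the insecure one last, passing both --ssl-secure and --ssl-insecure ends with peer and host verification switched off; making the second an `elif` after the secure case would let the strict setting win. send_cmd starts and ends outside the hunk.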
 
-- 
1.8.4.5

-- 