Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package fence-agents. Valentin Vidic has backported the fix to address CVE-2019-10153 (#930887):

> fence-agents (4.3.3-2) unstable; urgency=high
>
>   * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887)
>     Including non-ASCII characters in a guest VM's comment or other fields
>     would cause fence_rhevm to exit with an exception.
>
>  -- Valentin Vidic <vvi...@debian.org>  Sun, 23 Jun 2019 19:53:35 +0200

unblock fence-agents/4.3.3-2

Regards,
Salvatore

diff -Nru fence-agents-4.3.3/debian/changelog fence-agents-4.3.3/debian/changelog --- fence-agents-4.3.3/debian/changelog 2018-12-03 19:32:54.000000000 +0100 +++ fence-agents-4.3.3/debian/changelog 2019-06-23 19:53:35.000000000 +0200 @@ -1,3 +1,11 @@ +fence-agents (4.3.3-2) unstable; urgency=high + + * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887) + Including non-ASCII characters in a guest VM's comment or other fields + would cause fence_rhevm to exit with an exception. + + -- Valentin Vidic <vvi...@debian.org> Sun, 23 Jun 2019 19:53:35 +0200 + fence-agents (4.3.3-1) unstable; urgency=medium * New upstream version 4.3.3 diff -Nru fence-agents-4.3.3/debian/patches/CVE-2019-10153 fence-agents-4.3.3/debian/patches/CVE-2019-10153 --- fence-agents-4.3.3/debian/patches/CVE-2019-10153 1970-01-01 01:00:00.000000000 +0100 +++ fence-agents-4.3.3/debian/patches/CVE-2019-10153 2019-06-23 19:52:19.000000000 +0200 
@@ -0,0 +1,34 @@ +Description: fence_rhevm fix for CVE-2019-10153 + Import upstream security patches. +Author: Oyvind Albrigtsen <oalbr...@redhat.com> +Origin: upstream +Bug-RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=1716286 +Reviewed-by: Valentin Vidic <vvi...@debian.org> +Last-Update: 2019-06-23 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/agents/rhevm/fence_rhevm.py ++++ b/agents/rhevm/fence_rhevm.py +@@ -88,7 +88,7 @@ + ## send command through pycurl + conn = pycurl.Curl() + web_buffer = io.BytesIO() +- conn.setopt(pycurl.URL, url.encode("ascii")) ++ conn.setopt(pycurl.URL, url.encode("UTF-8")) + conn.setopt(pycurl.HTTPHEADER, [ + "Version: 3", + "Content-type: application/xml", +@@ -128,10 +128,10 @@ + + opt["cookie"] = cookie + +- result = web_buffer.getvalue().decode() ++ result = web_buffer.getvalue().decode("UTF-8") + +- logging.debug("%s\n", command) +- logging.debug("%s\n", result) ++ logging.debug("%s\n", command.encode("UTF-8")) ++ logging.debug("%s\n", result.encode("UTF-8")) + + return result + diff -Nru fence-agents-4.3.3/debian/patches/series fence-agents-4.3.3/debian/patches/series --- fence-agents-4.3.3/debian/patches/series 2018-10-18 09:00:43.000000000 +0200 +++ fence-agents-4.3.3/debian/patches/series 2019-06-23 19:47:30.000000000 +0200 @@ -1,3 +1,4 @@ remove-fence_amt_ws disable-network-access spelling +CVE-2019-10153
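Review bot: The DEP-3 header of debian/patches/CVE-2019-10153 gives "Origin: upstream" with no commit URL or id, and it carries Bug-RHEL but no Bug-Debian field even though the changelog entry closes #930887. Adding the upstream commit reference after "Origin: upstream," and a Bug-Debian field for #930887 would let a reviewer check the backport against its source directly from the patch header.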
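Review bot: In the fence_rhevm.py hunk at @@ -88,7, url.encode("UTF-8") removes the UnicodeEncodeError that url.encode("ascii") raised, but it now hands raw non-ASCII bytes to pycurl.URL. If a non-ASCII value can reach url at all, percent-encoding that component before the URL is assembled would be more robust than depending on how the server handles unescaped bytes; if it cannot, a short comment saying why the encoding change is still needed would help the next reader.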
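Review bot: In the fence_rhevm.py hunk at @@ -128,10, web_buffer.getvalue().decode("UTF-8") is still a strict decode, so a response body containing bytes that are not valid UTF-8 raises UnicodeDecodeError and the agent exits with an exception, the same failure mode the changelog describes; decode("UTF-8", "replace") would close that path. The two logging.debug calls now pass command.encode("UTF-8") and result.encode("UTF-8") to "%s", which under Python 3 logs the b'...' repr with escaped bytes rather than the text, so it is worth confirming that this is the intended debug output.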