Bug#931028: unblock: fence-agents/4.3.3-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package fence-agents. Valentin Vidic has backported the
fix to address CVE-2019-10153 (#930887):

> fence-agents (4.3.3-2) unstable; urgency=high
>
> * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887)
> Including non-ASCII characters in a guest VM's comment or other fields
> would cause fence_rhevm to exit with an exception.
>
> -- Valentin Vidic <vvidic@debian.org> Sun, 23 Jun 2019 19:53:35 +0200

unblock fence-agents/4.3.3-2

Regards,
Salvatore

diff -Nru fence-agents-4.3.3/debian/changelog fence-agents-4.3.3/debian/changelog
--- fence-agents-4.3.3/debian/changelog 2018-12-03 19:32:54.000000000 +0100
+++ fence-agents-4.3.3/debian/changelog 2019-06-23 19:53:35.000000000 +0200
@@ -1,3 +1,11 @@
+fence-agents (4.3.3-2) unstable; urgency=high
+
+ * fence_rhevm: add patch for CVE-2019-10153 (Closes: #930887)
+ Including non-ASCII characters in a guest VM's comment or other fields
+ would cause fence_rhevm to exit with an exception.
+
+ -- Valentin Vidic <vvidic@debian.org> Sun, 23 Jun 2019 19:53:35 +0200
+
fence-agents (4.3.3-1) unstable; urgency=medium
* New upstream version 4.3.3
diff -Nru fence-agents-4.3.3/debian/patches/CVE-2019-10153 fence-agents-4.3.3/debian/patches/CVE-2019-10153
--- fence-agents-4.3.3/debian/patches/CVE-2019-10153 1970-01-01 01:00:00.000000000 +0100
+++ fence-agents-4.3.3/debian/patches/CVE-2019-10153 2019-06-23 19:52:19.000000000 +0200
@@ -0,0 +1,34 @@
+Description: fence_rhevm fix for CVE-2019-10153
+ Import upstream security patches.
+Author: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Origin: upstream
+Bug-RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=1716286
+Reviewed-by: Valentin Vidic <vvidic@debian.org>
+Last-Update: 2019-06-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/agents/rhevm/fence_rhevm.py
++++ b/agents/rhevm/fence_rhevm.py
+@@ -88,7 +88,7 @@
+ ## send command through pycurl
+ conn = pycurl.Curl()
+ web_buffer = io.BytesIO()
+- conn.setopt(pycurl.URL, url.encode("ascii"))
++ conn.setopt(pycurl.URL, url.encode("UTF-8"))
+ conn.setopt(pycurl.HTTPHEADER, [
+ "Version: 3",
+ "Content-type: application/xml",
+@@ -128,10 +128,10 @@
+
+ opt["cookie"] = cookie
+
+- result = web_buffer.getvalue().decode()
++ result = web_buffer.getvalue().decode("UTF-8")
+
+- logging.debug("%s\n", command)
+- logging.debug("%s\n", result)
++ logging.debug("%s\n", command.encode("UTF-8"))
++ logging.debug("%s\n", result.encode("UTF-8"))
+
+ return result
+
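Review bot: In the embedded hunk at `@@ -128,10 +128,10 @@`, `web_buffer.getvalue().decode("UTF-8")` still decodes with strict error handling, so a response body containing bytes that are not valid UTF-8 raises UnicodeDecodeError and the agent exits with an exception, the same failure mode the changelog describes. Passing an error handler, for example `decode("UTF-8", "replace")`, would keep the fencing action from aborting on a malformed field. In the same hunk the two `logging.debug` calls now format `bytes` with `%s`; on Python 3 that renders as a `b'...'` repr with escaped characters, and the `encode` runs even when debug logging is disabled, so it is worth confirming the log output is still readable on the interpreter this package ships with. Separately, the DEP-3 header gives `Origin: upstream` without a commit URL or id, and the description says "patches" in the plural; naming the upstream commit(s) would let a reviewer match this backport against upstream.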
diff -Nru fence-agents-4.3.3/debian/patches/series fence-agents-4.3.3/debian/patches/series
--- fence-agents-4.3.3/debian/patches/series 2018-10-18 09:00:43.000000000 +0200
+++ fence-agents-4.3.3/debian/patches/series 2019-06-23 19:47:30.000000000 +0200
@@ -1,3 +1,4 @@
remove-fence_amt_ws
disable-network-access
spelling
+CVE-2019-10153