[ClusterLabs] resource-agents security update

S Sathish S s.s.sathish at ericsson.com
Thu Sep 19 10:22:46 UTC 2024 

Hi Albrigtsen,

Python3-urllib3 package used from redhat and reported CVE-2024-37891 mitigated version available will upgrade to latest version in the system. As per below your statement update urllib3 package will mitigate this vulnerability no need to update resource-agents module. This is our understanding correct me if I am wrong.

Thanks and Regards,
S Sathish S
-----Original Message-----
From: Oyvind Albrigtsen <oalbrigt at redhat.com>
Sent: Thursday, September 19, 2024 12:35 PM
To: Cluster Labs - All topics related to open-source clustering welcomed <users at clusterlabs.org>
Cc: Tomas Jelinek <tojeline at redhat.com>; S Sathish S <s.s.sathish at ericsson.com>; Kohilavani G <kohilavani.g at ericsson.com>
Subject: Re: [ClusterLabs] resource-agents security update

[You don't often get email from oalbrigt at redhat.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

Hi,

This is a urllib3 CVE (bundled with resource-agents on RHEL8), so on other distros you'll have to check if the python-urllib3 package is version 1.26.19, 2.2.2 or later. If not you can check the distro-specific changelog to see if the CVE has been fixed in the version you're using.

https://access.redhat.com/errata/RHSA-2024:5309
https://www.tenable.com/plugins/nessus/200807


Oyvind

On 19/09/24 06:32 GMT, S Sathish S via Users wrote:
>Thanks Tomas for your response.
>
>@Clusterlab team : can you check on below query and update us.
>
>Regards,
>S Sathish S
>-----Original Message-----
>From: Tomas Jelinek <tojeline at redhat.com>
>Sent: Wednesday, September 18, 2024 9:19 PM
>To: S Sathish S <s.s.sathish at ericsson.com>; users at clusterlabs.org
>Cc: Kohilavani G <kohilavani.g at ericsson.com>
>Subject: Re: resource-agents security update
>
>Hi,
>
>Sorry, I don't work on resource agents, so I'm not the right person to answer this question.
>
>Regards,
>Tomas
>
>
>Dne 17. 09. 24 v 14:16 S Sathish S napsal(a):
>> Hi Tomas/Team,
>>
>> In our application we are using resource-agent-4.12.0
>> <https://gi/
>> t%2F&data=05%7C02%7Cs.s.sathish%40ericsson.com%7C7362a4ae49434b4bbe0a
>> 08dcd879560e%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C63862326285
>> 9655867%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
>> CJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=9vNDpoXa31hSP4PCdf35
>> 9LKi1ir9x1fMRYz2GCSWrfY%3D&reserved=0
>> hub.com%2FClusterLabs%2Fresource-agents%2Ftree%2Fv4.12.0&data=05%7C02
>> %
>> 7Cs.s.sathish%40ericsson.com%7Cb2d3854e7d1240dff21708dcd7f96808%7C92e
>> 8
>> 4cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638622713399244865%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3ThxwAAaiOfBcPTLUKeYQBP2w9XHix1ZXmK0KrU4Xvs%3D&reserved=0> version and that module has vulnerability(CVE-2024-37891) reported and fixed on below RHSA Errata. can you check and provided fixed on resource-agent latest version on upstream also.
>>
>> https://acc/
>> e%2F&data=05%7C02%7Cs.s.sathish%40ericsson.com%7C7362a4ae49434b4bbe0a
>> 08dcd879560e%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C63862326285
>> 9672823%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
>> CJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=sMArNs1F0EhkWKOZoQGM
>> 27ky82Ih%2BoW6NbWLQgzI3bo%3D&reserved=0
>> ss.redhat.com%2Ferrata%2FRHSA-2024%3A6310&data=05%7C02%7Cs.s.sathish%
>> 4
>> 0ericsson.com%7Cb2d3854e7d1240dff21708dcd7f96808%7C92e84cebfbfd47abbe
>> 5
>> 2080c6b87953f%7C0%7C0%7C638622713399254190%7CUnknown%7CTWFpbGZsb3d8ey
>> J
>> WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
>> C
>> %7C%7C&sdata=nXfNx6aeV1AcJJ7U0VVcztbm%2BGUHcC9QgK%2FdiKLgz7E%3D&reser
>> v
>> ed=0
>>
>> Thanks and Regards,
>> S Sathish S
>>
>
>_______________________________________________
>Manage your subscription:
>https://lists/
>.clusterlabs.org%2Fmailman%2Flistinfo%2Fusers&data=05%7C02%7Cs.s.sathis
>h%40ericsson.com%7C7362a4ae49434b4bbe0a08dcd879560e%7C92e84cebfbfd47abb
>e52080c6b87953f%7C0%7C0%7C638623262859687084%7CUnknown%7CTWFpbGZsb3d8ey
>JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C
>%7C%7C&sdata=wiZLjXCM743n24lC8ddorB5URDAZ9LDaJPFYVhQV%2FiQ%3D&reserved=
>0
>
>ClusterLabs home:
>https://www.c/
>lusterlabs.org%2F&data=05%7C02%7Cs.s.sathish%40ericsson.com%7C7362a4ae49434b4bbe0a08dcd879560e%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638623262859699515%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=q3NA%2FrA7X5m4ZIZH9zuSPm8E9AgdYMhw757i%2FOh5sDw%3D&reserved=0
>

More information about the Users mailing list