[ClusterLabs] resource-agents security update

Oyvind Albrigtsen oalbrigt at redhat.com
Thu Sep 19 10:42:03 UTC 2024


If you're using RHEL9 it's bundled in ha-cloud-support and
fence-agents-kubevirt, so you can run "yum update fence-agents-*
ha-cloud-support" to upgrade all the packages that could contain the
CVE on RHEL9.


Oyvind

On 19/09/24 10:22 GMT, S Sathish S wrote:
>Hi Albrigtsen,
>
>The python3-urllib3 package we use is from Red Hat, and a version mitigating the reported CVE-2024-37891 is available; we will upgrade to the latest version in the system. As per your statement below, updating the urllib3 package will mitigate this vulnerability, and there is no need to update the resource-agents module. This is our understanding; correct me if I am wrong.
>
>Thanks and Regards,
>S Sathish S
>-----Original Message-----
>From: Oyvind Albrigtsen <oalbrigt at redhat.com>
>Sent: Thursday, September 19, 2024 12:35 PM
>To: Cluster Labs - All topics related to open-source clustering welcomed <users at clusterlabs.org>
>Cc: Tomas Jelinek <tojeline at redhat.com>; S Sathish S <s.s.sathish at ericsson.com>; Kohilavani G <kohilavani.g at ericsson.com>
>Subject: Re: [ClusterLabs] resource-agents security update
>
>Hi,
>
>This is a urllib3 CVE (bundled with resource-agents on RHEL8), so on other distros you'll have to check if the python-urllib3 package is version 1.26.19, 2.2.2 or later. If not you can check the distro-specific changelog to see if the CVE has been fixed in the version you're using.
>
>https://access.redhat.com/errata/RHSA-2024:5309
>https://www.tenable.com/plugins/nessus/200807
>
>
>Oyvind
>
>On 19/09/24 06:32 GMT, S Sathish S via Users wrote:
>>Thanks Tomas for your response.
>>
>>@Clusterlab team : can you check on below query and update us.
>>
>>Regards,
>>S Sathish S
>>-----Original Message-----
>>From: Tomas Jelinek <tojeline at redhat.com>
>>Sent: Wednesday, September 18, 2024 9:19 PM
>>To: S Sathish S <s.s.sathish at ericsson.com>; users at clusterlabs.org
>>Cc: Kohilavani G <kohilavani.g at ericsson.com>
>>Subject: Re: resource-agents security update
>>
>>Hi,
>>
>>Sorry, I don't work on resource agents, so I'm not the right person to answer this question.
>>
>>Regards,
>>Tomas
>>
>>
>>On 17. 09. 24 at 14:16, S Sathish S wrote:
>>> Hi Tomas/Team,
>>>
>>> In our application we are using resource-agent-4.12.0
>>> <https://github.com/ClusterLabs/resource-agents/tree/v4.12.0> version, and that module has a vulnerability (CVE-2024-37891) reported and fixed in the RHSA erratum below. Can you check and provide a fix in the latest resource-agent version upstream also?
>>>
>>> https://access.redhat.com/errata/RHSA-2024:6310
>>>
>>> Thanks and Regards,
>>> S Sathish S
>>>
>>
>
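
The version check described in this thread, as an added example that is not part of the original messages or of resource-agents: it finds every urllib3 package directory under the given roots (system or bundled copies) and compares each against the fixed releases named above, 1.26.19 and 2.2.2. The function names and the roots passed in are assumptions; a copy below the threshold is reported as "check distro changelog" because distro backports keep the older version number.

```python
import re
import sys
from pathlib import Path

# Fixed upstream releases named in the thread, keyed by major version.
FIXED = {1: (1, 26, 19), 2: (2, 2, 2)}
# Matches both '__version__ = "1.26.18"' and "__version__ = version = '2.2.2'".
VERSION_RE = re.compile(r"""__version__\s*=\s*(?:version\s*=\s*)?["']([^"']+)["']""")

def parse_version(text):
    """Return the leading numeric components of a version string as a tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def upstream_fixed(version):
    """True if an upstream version is at or past the fix on its own branch."""
    v = parse_version(version)
    if v[0] > 2:
        return True
    floor = FIXED.get(v[0])  # 2.0.0 to 2.2.1 are newer than 1.26.19 but not fixed
    return floor is not None and v >= floor

def find_copies(roots):
    """Yield (package_dir, version) for each urllib3 package found under roots."""
    for root in roots:
        if not Path(root).is_dir():
            continue
        for pkg in Path(root).rglob("urllib3"):
            for name in ("_version.py", "__init__.py"):
                f = pkg / name
                m = VERSION_RE.search(f.read_text(errors="replace")) if f.is_file() else None
                if m:
                    yield pkg, m.group(1)
                    break

def audit(roots):
    """Map each copy's path to 'fixed' or 'check distro changelog'."""
    return {str(p): "fixed" if upstream_fixed(v) else "check distro changelog"
            for p, v in find_copies(roots)}

if __name__ == "__main__":
    # Roots come from the command line; default is the interpreter's search path.
    for path, status in audit(sys.argv[1:] or [p for p in sys.path if p]).items():
        print(f"{status:24} {path}")
```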


