CentOS Project: CESA-2020:5003
Nov 18, 2020 - 5:43 p.m.

fence security update

2020-11-18 17:43:50
CentOS Project
lists.centos.org

CVSS3: 6.8 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score: 7.1 High (Confidence: High)

CVSS2: 4.3 Medium

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.004 Low (Percentile: 73.8%)

CentOS Errata and Security Advisory CESA-2020:5003

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster.

Security Fix(es):

  • python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function (CVE-2020-11078)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • fence_lpar: Long username, HMC hostname, or managed system name causes failures [RHEL 7] (BZ#1860545)

  • InstanceHA does not evacuate instances created with private flavor in tenant project (RHEL7) (BZ#1862024)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2020-November/085987.html

Affected packages:
fence-agents-aliyun
fence-agents-all
fence-agents-amt-ws
fence-agents-apc
fence-agents-apc-snmp
fence-agents-aws
fence-agents-azure-arm
fence-agents-bladecenter
fence-agents-brocade
fence-agents-cisco-mds
fence-agents-cisco-ucs
fence-agents-common
fence-agents-compute
fence-agents-drac5
fence-agents-eaton-snmp
fence-agents-emerson
fence-agents-eps
fence-agents-gce
fence-agents-heuristics-ping
fence-agents-hpblade
fence-agents-ibmblade
fence-agents-ifmib
fence-agents-ilo-moonshot
fence-agents-ilo-mp
fence-agents-ilo-ssh
fence-agents-ilo2
fence-agents-intelmodular
fence-agents-ipdu
fence-agents-ipmilan
fence-agents-kdump
fence-agents-lpar
fence-agents-mpath
fence-agents-redfish
fence-agents-rhevm
fence-agents-rsa
fence-agents-rsb
fence-agents-sbd
fence-agents-scsi
fence-agents-virsh
fence-agents-vmware-rest
fence-agents-vmware-soap
fence-agents-wti

Upstream details at:
https://access.redhat.com/errata/RHSA-2020:5003
