Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pacemaker for openSUSE:Factory checked in at 2026-05-13 17:18:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pacemaker (Old) and /work/SRC/openSUSE:Factory/.pacemaker.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pacemaker" Wed May 13 17:18:48 2026 rev:169 rq:1352714 version:3.0.2+20260511.6629f2e0 Changes: -------- --- /work/SRC/openSUSE:Factory/pacemaker/pacemaker.changes 2026-05-04 12:49:20.099148276 +0200 +++ /work/SRC/openSUSE:Factory/.pacemaker.new.1966/pacemaker.changes 2026-05-13 17:19:08.550813348 +0200 @@ -1,0 +2,14 @@ +Tue May 12 08:45:09 UTC 2026 - Yan Gao <[email protected]> + +- Update to version 3.0.2+20260511.6629f2e0 (Pacemaker-3.0.2-rc2): +- libcib: Handle cib_xpath_address for an XPath query for an attribute (gh#ClusterLabs/pacemaker#4108) +- libcib: Prevent based or cibadmin from crashing when handling an XPath query for an attribute (bsc#1249217, gh#ClusterLabs/pacemaker#4108) + +------------------------------------------------------------------- +Tue May 05 07:29:49 UTC 2026 - Yan Gao <[email protected]> + +- Update to version 3.0.2+20260504.2f55330a: +- libcrmcommon: Deprecate PCMK_dh_max_bits. +- libcib: Full-CIB replace op no longer segfaults with cib_xpath + +------------------------------------------------------------------- Old: ---- pacemaker-3.0.2+20260429.40d19b75.tar.xz New: ---- pacemaker-3.0.2+20260511.6629f2e0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pacemaker.spec ++++++ --- /var/tmp/diff_new_pack.e79M7U/_old 2026-05-13 17:19:09.986872927 +0200 +++ /var/tmp/diff_new_pack.e79M7U/_new 2026-05-13 17:19:09.990873093 +0200 @@ -128,7 +128,7 @@ %define with_regression_tests 0 Name: pacemaker -Version: 3.0.2+20260429.40d19b75 +Version: 3.0.2+20260511.6629f2e0 Release: 0 Summary: Scalable High-Availability cluster resource manager # AGPL-3.0 licensed extra/clustermon.sh is not present in the binary ++++++ _service ++++++ --- /var/tmp/diff_new_pack.e79M7U/_old 2026-05-13 17:19:10.038875084 +0200 +++ /var/tmp/diff_new_pack.e79M7U/_new 2026-05-13 17:19:10.042875250 +0200 
@@ -11,7 +11,7 @@ <param name="version">3.0.2</param> --> <param name="versionformat">3.0.2+%cd.%h</param> - <param name="revision">40d19b75f1</param> + <param name="revision">Pacemaker-3.0.2-rc2</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.e79M7U/_old 2026-05-13 17:19:10.074876578 +0200 +++ /var/tmp/diff_new_pack.e79M7U/_new 2026-05-13 17:19:10.078876744 +0200 @@ -5,6 +5,6 @@ </service> <service name="tar_scm"> <param name="url">https://github.com/ClusterLabs/pacemaker.git</param> - <param name="changesrevision">40d19b75f1c040bbe01891dd6fc24d45d58bb153</param></service></servicedata> + <param name="changesrevision">6629f2e0e672280ca765324858f245fdcd85f22d</param></service></servicedata> (No newline at EOF) ++++++ pacemaker-3.0.2+20260429.40d19b75.tar.xz -> pacemaker-3.0.2+20260511.6629f2e0.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/ChangeLog.md new/pacemaker-3.0.2+20260511.6629f2e0/ChangeLog.md --- old/pacemaker-3.0.2+20260429.40d19b75/ChangeLog.md 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/ChangeLog.md 2026-05-11 23:20:47.000000000 +0200 
@@ -1,3 +1,21 @@ +# Pacemaker-3.0.2 (11 May 2026) +* 45 commits with 49 files changed, 949 insertions(+), 867 deletions(-) + +## Fixes since Pacemaker-3.0.2-rc1 + +* **libcib:** Full-CIB replace op no longer segfaults with `cib_xpath` +* **libcib:** Handle `cib_xpath_address` for an XPath query for an attribute +* **libcib:** Prevent crashing when handling an XPath query for an attribute + *(regression introduced in 3.0.1)* +* **libcrmcommon:** Avoid leak in `pcmk__xe_dereference_children()` test +* **libpe_status:** Avoid leaking a `pcmk_resource_t's` xml/orig_xml + +## Public API changes since Pacemaker-3.0.2-rc1 + +* **libcrmcommon:** Deprecate `PCMK_dh_max_bits.` +* **libcrmcommon:** Deprecate `pcmk_unpack_nvpair_blocks()` +* **libpe_status:** `get_meta_attributes()` rsc argument is now const + # Pacemaker-3.0.2 (23 Apr 2026) * 1806 commits with 607 files changed, 38242 insertions(+), 30786 deletions(-) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/doc/sphinx/Pacemaker_Explained/local-options.rst new/pacemaker-3.0.2+20260511.6629f2e0/doc/sphinx/Pacemaker_Explained/local-options.rst --- old/pacemaker-3.0.2+20260429.40d19b75/doc/sphinx/Pacemaker_Explained/local-options.rst 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/doc/sphinx/Pacemaker_Explained/local-options.rst 2026-05-11 23:20:47.000000000 +0200 @@ -663,6 +663,8 @@ Clients do not use ``PCMK_dh_max_bits``. + *(Deprecated since 3.0.2)* + * - .. _pcmk_ipc_type: .. index:: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/etc/sysconfig/pacemaker.in new/pacemaker-3.0.2+20260511.6629f2e0/etc/sysconfig/pacemaker.in --- old/pacemaker-3.0.2+20260429.40d19b75/etc/sysconfig/pacemaker.in 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/etc/sysconfig/pacemaker.in 2026-05-11 23:20:47.000000000 +0200 
@@ -317,7 +317,7 @@ # Default: PCMK_tls_priorities="@PCMK__GNUTLS_PRIORITIES@" # Example: PCMK_tls_priorities="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2" -# PCMK_dh_max_bits (Advanced Use Only) +# PCMK_dh_max_bits (DEPRECATED; Advanced Use Only) # # Set an upper bound on the bit length of the prime number generated for # Diffie-Hellman parameters needed by TLS connections. The default is no @@ -332,6 +332,8 @@ # # Clients do not use PCMK_dh_max_bits. # +# This variable is deprecated as of Pacemaker 3.0.2. +# # Default: PCMK_dh_max_bits="0" (no maximum) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/include/crm/common/options_internal.h new/pacemaker-3.0.2+20260511.6629f2e0/include/crm/common/options_internal.h --- old/pacemaker-3.0.2+20260429.40d19b75/include/crm/common/options_internal.h 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/include/crm/common/options_internal.h 2026-05-11 23:20:47.000000000 +0200 @@ -151,7 +151,6 @@ #define PCMK__ENV_CLUSTER_TYPE "cluster_type" #define PCMK__ENV_CRL_FILE "crl_file" #define PCMK__ENV_DEBUG "debug" -#define PCMK__ENV_DH_MAX_BITS "dh_max_bits" #define PCMK__ENV_FAIL_FAST "fail_fast" #define PCMK__ENV_IPC_TYPE "ipc_type" #define PCMK__ENV_KEY_FILE "key_file" 
@@ -178,6 +177,9 @@ #define PCMK__ENV_TRACE_TAGS "trace_tags" #define PCMK__ENV_VALGRIND_ENABLED "valgrind_enabled" +// @COMPAT Deprecated since 3.0.2 +#define PCMK__ENV_DH_MAX_BITS "dh_max_bits" + // Constants for meta-attribute names #define PCMK__META_CLONE "clone" #define PCMK__META_CONTAINER "container" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/include/crm/common/tls_internal.h new/pacemaker-3.0.2+20260511.6629f2e0/include/crm/common/tls_internal.h --- old/pacemaker-3.0.2+20260429.40d19b75/include/crm/common/tls_internal.h 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/include/crm/common/tls_internal.h 2026-05-11 23:20:47.000000000 +0200 
@@ -83,23 +83,6 @@ /*! * \internal - * \brief Initialize Diffie-Hellman parameters for a TLS server - * - * \param[out] dh_params Parameter object to initialize - * - * \return Standard Pacemaker return code - * \todo The current best practice is to allow the client and server to - * negotiate the Diffie-Hellman parameters via a TLS extension (RFC 7919). - * However, we have to support both older versions of GnuTLS (<3.6) that - * don't support the extension on our side, and older Pacemaker versions - * that don't support the extension on the other side. The next best - * practice would be to use a known good prime (see RFC 5114 section 2.2), - * possibly stored in a file distributed with Pacemaker. - */ -int pcmk__init_tls_dh(gnutls_dh_params_t *dh_params); - -/*! - * \internal * \brief Initialize a new TLS session * * \param[in] tls TLS environment object diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/lib/cib/cib_ops.c new/pacemaker-3.0.2+20260511.6629f2e0/lib/cib/cib_ops.c --- old/pacemaker-3.0.2+20260429.40d19b75/lib/cib/cib_ops.c 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/lib/cib/cib_ops.c 2026-05-11 23:20:47.000000000 +0200 
@@ -636,6 +636,27 @@ pcmk__debug("Processing %s op for %s with %s", op, xpath, path); free(path); + if (match->type != XML_ELEMENT_NODE + && pcmk__is_set(options, cib_xpath_address)) { + /* @COMPAT cib_xpath_address is deprecated since 3.0.2 + * For a non-element, handle cib_xpath_address with its + * corresponding element. + */ + match = pcmk__xpath_match_element(match); + if (match == NULL) { + continue; + } + + } else if (match->type != XML_ELEMENT_NODE) { + // Create an element for a single match of a non-element + if (*answer == NULL) { + *answer = pcmk__xe_create(NULL, PCMK__XE_XPATH_QUERY); + } + + pcmk__xml_copy(*answer, match); + continue; + } + if (pcmk__is_set(options, cib_no_children)) { xmlNode *shallow = pcmk__xe_create(*answer, (const char *) match->name); @@ -738,50 +759,6 @@ return process_query_section(options, section, *cib, answer); } -static int -process_replace_xpath(const char *op, int options, const char *xpath, - xmlNode *input, xmlNode *cib) -{ - int num_results = 0; - int rc = pcmk_rc_ok; - xmlXPathObject *xpath_obj = pcmk__xpath_search(cib->doc, xpath); - - num_results = pcmk__xpath_num_results(xpath_obj); - if (num_results == 0) { - pcmk__debug("%s: %s does not exist", op, xpath); - rc = ENXIO; - goto done; - } - - for (int i = 0; i < num_results; i++) { - xmlNode *match = NULL; - xmlNode *parent = NULL; - xmlChar *path = NULL; - - match = pcmk__xpath_result(xpath_obj, i); - if (match == NULL) { - continue; - } - - path = xmlGetNodePath(match); - pcmk__debug("Processing %s op for %s with %s", op, xpath, path); - free(path); - - parent = match->parent; - - pcmk__xml_free(match); - pcmk__xml_copy(parent, input); - - if (!pcmk__is_set(options, cib_multiple)) { - break; - } - } - -done: - xmlXPathFreeObject(xpath_obj); - return rc; -} - static bool replace_cib_digest_matches(xmlNode *request, xmlNode *input) { 
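Review bot: In the first cib_ops.c hunk, the new `else if (match->type != XML_ELEMENT_NODE)` branch copies every non-element match into the same `*answer` wrapper, while its comment describes only the single-match case. If pcmk__xml_copy() attaches the copy through libxml2's xmlAddChild() (not visible here), an attribute node becomes a property of the wrapper, and a later match with the same attribute name would replace the earlier one. A query that matches the same attribute on several elements could then return only the last value. A regression test with multiple attribute matches would settle this; if the behaviour is accepted, document it with a comment such as `// Non-element matches are copied into the PCMK__XE_XPATH_QUERY wrapper; equal-named attributes overwrite each other`. The enclosing loop and function start and end outside the hunk.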
@@ -868,6 +845,55 @@ } static int +process_replace_xpath(const char *op, int options, const char *xpath, + xmlNode *request, xmlNode *input, xmlNode **cib) +{ + int num_results = 0; + int rc = pcmk_rc_ok; + xmlXPathObject *xpath_obj = pcmk__xpath_search((*cib)->doc, xpath); + + num_results = pcmk__xpath_num_results(xpath_obj); + if (num_results == 0) { + pcmk__debug("%s: %s does not exist", op, xpath); + rc = ENXIO; + goto done; + } + + for (int i = 0; i < num_results; i++) { + xmlNode *match = NULL; + xmlNode *parent = NULL; + xmlChar *path = NULL; + + match = pcmk__xpath_result(xpath_obj, i); + if (match == NULL) { + continue; + } + + path = xmlGetNodePath(match); + pcmk__debug("Processing %s op for %s with %s", op, xpath, path); + free(path); + + if (match == *cib) { + rc = replace_cib(request, input, cib); + break; + } + + parent = match->parent; + + pcmk__xml_free(match); + pcmk__xml_copy(parent, input); + + if (!pcmk__is_set(options, cib_multiple)) { + break; + } + } + +done: + xmlXPathFreeObject(xpath_obj); + return rc; +} + +static int process_replace_section(const char *section, xmlNode *request, xmlNode *input, xmlNode **cib) { @@ -905,7 +931,7 @@ xmlNode **answer) { if (pcmk__is_set(options, cib_xpath)) { - return process_replace_xpath(op, options, section, input, *cib); + return process_replace_xpath(op, options, section, req, input, cib); } return process_replace_section(section, req, input, cib); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pacemaker-3.0.2+20260429.40d19b75/lib/common/tls.c new/pacemaker-3.0.2+20260511.6629f2e0/lib/common/tls.c --- old/pacemaker-3.0.2+20260429.40d19b75/lib/common/tls.c 2026-04-29 22:42:12.000000000 +0200 +++ new/pacemaker-3.0.2+20260511.6629f2e0/lib/common/tls.c 2026-05-11 23:20:47.000000000 +0200 
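Review bot: The re-added process_replace_xpath() still runs `parent = match->parent; pcmk__xml_free(match); pcmk__xml_copy(parent, input);` without checking the node type of the match, although the query path in this same commit gained a `match->type != XML_ELEMENT_NODE` guard because XPath results can be attributes or other non-elements. For a replace request whose XPath selects an attribute, this frees the attribute node and attaches a copy of `input` to its owning element, which is unlikely to be what the caller meant and may hit the same class of crash the query fix addresses. A guard before `parent = match->parent;`, for example `if (match->type != XML_ELEMENT_NODE) { continue; }` (or an explicit error return if silently skipping is not wanted), would make the two paths consistent. Separately, `path` from xmlGetNodePath() can be NULL when passed to the `%s` in pcmk__debug(), and it is released with `free()` rather than `xmlFree()`; that only matters if custom libxml2 allocators are installed.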
@@ -31,6 +31,64 @@ #include <crm/common/logging.h> // CRM_CHECK #include <crm/common/results.h> // pcmk_rc_* +/*! + * \internal + * \brief Initialize Diffie-Hellman parameters for a TLS server + * + * \param[out] dh_params Parameter object to initialize + * + * \return Standard Pacemaker return code + * \todo The current best practice is to allow the client and server to + * negotiate the Diffie-Hellman parameters via a TLS extension (RFC 7919). + * However, we have to support both older versions of GnuTLS (<3.6) that + * don't support the extension on our side, and older Pacemaker versions + * that don't support the extension on the other side. The next best + * practice would be to use a known good prime (see RFC 5114 section 2.2), + * possibly stored in a file distributed with Pacemaker. + */ +static int +init_tls_dh(gnutls_dh_params_t *dh_params) +{ + int rc = GNUTLS_E_SUCCESS; + unsigned int dh_bits = 0; + int dh_max_bits = 0; + + rc = gnutls_dh_params_init(dh_params); + if (rc != GNUTLS_E_SUCCESS) { + goto error; + } + + dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, + GNUTLS_SEC_PARAM_NORMAL); + if (dh_bits == 0) { + rc = GNUTLS_E_DH_PRIME_UNACCEPTABLE; + goto error; + } + + pcmk__scan_min_int(pcmk__env_option(PCMK__ENV_DH_MAX_BITS), &dh_max_bits, 0); + if ((dh_max_bits > 0) && (dh_bits > dh_max_bits)) { + pcmk__warn("Support for the " PCMK__ENV_DH_MAX_BITS " " + "environment variable is deprecated and will be removed " + "in a future release"); + dh_bits = dh_max_bits; + } + + pcmk__info("Generating Diffie-Hellman parameters with %u-bit prime for TLS", + dh_bits); + rc = gnutls_dh_params_generate2(*dh_params, dh_bits); + if (rc != GNUTLS_E_SUCCESS) { + goto error; + } + + return pcmk_rc_ok; + +error: + pcmk__err("Could not initialize Diffie-Hellman parameters for TLS: %s " + QB_XS " rc=%d", + gnutls_strerror(rc), rc); + return EPROTO; +} + static char * get_gnutls_priorities(gnutls_credentials_type_t cred_type) { 
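Review bot: The clamp in init_tls_dh() has no lower bound: any positive PCMK_dh_max_bits below the GnuTLS-recommended size becomes the prime length passed to gnutls_dh_params_generate2(). A stale or mistaken setting can therefore leave the TLS server with Diffie-Hellman parameters far weaker than GNUTLS_SEC_PARAM_NORMAL. Since the variable is now deprecated, consider a floor such as `if (dh_max_bits < MIN_DH_BITS) { dh_max_bits = MIN_DH_BITS; }` (MIN_DH_BITS is a placeholder, not an existing constant), and name both sizes in the warning so the downgrade shows in the logs. The deprecation warning also sits inside the `dh_bits > dh_max_bits` branch, so a configuration that sets the variable at or above the default never sees it; testing `dh_max_bits > 0` alone for the warning would cover that case. The return value of pcmk__scan_min_int() is ignored, so an unparsable value cannot be told apart from an unset one.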
@@ -166,7 +224,7 @@ gnutls_global_set_log_function(_gnutls_log_func); if (server) { - rc = pcmk__init_tls_dh(&(*tls)->dh_params); + rc = init_tls_dh(&(*tls)->dh_params); if (rc != pcmk_rc_ok) { g_clear_pointer(tls, pcmk__free_tls); return rc; @@ -248,46 +306,6 @@ return rc; } -int -pcmk__init_tls_dh(gnutls_dh_params_t *dh_params) -{ - int rc = GNUTLS_E_SUCCESS; - unsigned int dh_bits = 0; - int dh_max_bits = 0; - - rc = gnutls_dh_params_init(dh_params); - if (rc != GNUTLS_E_SUCCESS) { - goto error; - } - - dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, - GNUTLS_SEC_PARAM_NORMAL); - if (dh_bits == 0) { - rc = GNUTLS_E_DH_PRIME_UNACCEPTABLE; - goto error; - } - - pcmk__scan_min_int(pcmk__env_option(PCMK__ENV_DH_MAX_BITS), &dh_max_bits, 0); - if ((dh_max_bits > 0) && (dh_bits > dh_max_bits)) { - dh_bits = dh_max_bits; - } - - pcmk__info("Generating Diffie-Hellman parameters with %u-bit prime for TLS", - dh_bits); - rc = gnutls_dh_params_generate2(*dh_params, dh_bits); - if (rc != GNUTLS_E_SUCCESS) { - goto error; - } - - return pcmk_rc_ok; - -error: - pcmk__err("Could not initialize Diffie-Hellman parameters for TLS: %s " - QB_XS " rc=%d", - gnutls_strerror(rc), rc); - return EPROTO; -} - gnutls_session_t pcmk__new_tls_session(pcmk__tls_t *tls, int csock) {
