!77 fix CVE-2020-35497

From: @addrexist 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

0009-fix-engine-setup-problem.patch

@@ -0,0 +1,228 @@
+From ed6bf930fc3177f920908e2421adf980710ec57f Mon Sep 17 00:00:00 2001
+From: Super User <root@localhost.localdomain>
+Date: Wed, 8 Mar 2023 11:36:07 +0800
+Subject: [PATCH] fix engine-setup problem
+
+---
+ packaging/bin/engine-backup.sh.in                          | 3 ++-
+ packaging/setup/bin/ovirt-engine-upgrade-check.in          | 6 ++----
+ .../setup/ovirt_engine_setup/engine_common/postgres.py     | 6 ++----
+ .../ovirt-engine-common/base/core/offlinepackager.py       | 6 ++----
+ .../ovirt-engine-common/core/offlinepackager.py            | 6 ++----
+ .../ovirt-engine-common/dialog/titles.py                   | 6 ++----
+ .../ovirt-engine-common/distro-rpm/packages.py             | 6 ++----
+ .../ovirt-engine-common/distro-rpm/versionlock_config.py   | 7 ++++---
+ .../plugins/ovirt-engine-setup/ovirt-engine/system/nfs.py  | 6 ++----
+ 9 files changed, 20 insertions(+), 32 deletions(-)
+
+diff --git a/packaging/bin/engine-backup.sh.in b/packaging/bin/engine-backup.sh.in
+index fd3151b..25120e8 100755
+--- a/packaging/bin/engine-backup.sh.in
++++ b/packaging/bin/engine-backup.sh.in
+@@ -994,7 +994,8 @@ dobackup() {
+ }
+ 
+ getOSVersion() {
+-	python@PY_VERSION@ -c 'import platform; d = platform.linux_distribution(full_distribution_name=0); print("%s%s" % (d[0], d[1].split(".")[0]))'
++#	python@PY_VERSION@ -c 'import platform; d = platform.linux_distribution(full_distribution_name=0); print("%s%s" % (d[0], d[1].split(".")[0]))'
++        python@PY_VERSION@ -c 'import distro; print("%s%s" % (distro.id(), distrio.version().split(".")[0]))'
+ }
+ 
+ createtar() {
+diff --git a/packaging/setup/bin/ovirt-engine-upgrade-check.in b/packaging/setup/bin/ovirt-engine-upgrade-check.in
+index f357f01..2bae272 100755
+--- a/packaging/setup/bin/ovirt-engine-upgrade-check.in
++++ b/packaging/setup/bin/ovirt-engine-upgrade-check.in
+@@ -15,7 +15,7 @@ import platform
+ import optparse
+ import gettext
+ import glob
+-
++import distro
+ 
+ from otopi import common
+ from otopi import constants as otopicons
+@@ -118,9 +118,7 @@ def main():
+     setup_packages = get_setup_packages()
+ 
+     try:
+-        if platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0] not in ('redhat', 'fedora', 'centos'):
++        if distro.id() not in ('redhat', 'fedora', 'centos','openeuler'):
+             raise RuntimeError(_('Unsupported distribution'))
+ 
+         exit = 1
+diff --git a/packaging/setup/ovirt_engine_setup/engine_common/postgres.py b/packaging/setup/ovirt_engine_setup/engine_common/postgres.py
+index 51c9c4b..bd8ba4b 100644
+--- a/packaging/setup/ovirt_engine_setup/engine_common/postgres.py
++++ b/packaging/setup/ovirt_engine_setup/engine_common/postgres.py
+@@ -15,7 +15,7 @@ import random
+ import re
+ import shutil
+ import time
+-
++import distro
+ from otopi import base
+ from otopi import constants as otopicons
+ from otopi import filetransaction
+@@ -449,9 +449,7 @@ class Provisioning(base.Base):
+         self.command.detect('psql')
+ 
+     def supported(self):
+-        return platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0] in ('redhat', 'fedora', 'centos')
++        return distro.id() in ('redhat', 'fedora', 'centos','openeuler') 
+ 
+     def validate(self):
+         if not self.services.exists(
+diff --git a/packaging/setup/plugins/ovirt-engine-common/base/core/offlinepackager.py b/packaging/setup/plugins/ovirt-engine-common/base/core/offlinepackager.py
+index 7108668..629930a 100644
+--- a/packaging/setup/plugins/ovirt-engine-common/base/core/offlinepackager.py
++++ b/packaging/setup/plugins/ovirt-engine-common/base/core/offlinepackager.py
+@@ -12,7 +12,7 @@
+ 
+ import gettext
+ import platform
+-
++import distro
+ from otopi import constants as otopicons
+ from otopi import packager
+ from otopi import plugin
+@@ -52,9 +52,7 @@ class Plugin(plugin.PluginBase, packager.PackagerBase):
+ 
+     def __init__(self, context):
+         super(Plugin, self).__init__(context=context)
+-        self._distribution = platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0]
++        self._distribution = distro.id()
+ 
+     @plugin.event(
+         stage=plugin.Stages.STAGE_INIT,
+diff --git a/packaging/setup/plugins/ovirt-engine-provisiondb/ovirt-engine-common/core/offlinepackager.py b/packaging/setup/plugins/ovirt-engine-provisiondb/ovirt-engine-common/core/offlinepackager.py
+index 911357c..fbdfc98 100644
+--- a/packaging/setup/plugins/ovirt-engine-provisiondb/ovirt-engine-common/core/offlinepackager.py
++++ b/packaging/setup/plugins/ovirt-engine-provisiondb/ovirt-engine-common/core/offlinepackager.py
+@@ -14,7 +14,7 @@
+ 
+ import gettext
+ import platform
+-
++import distro
+ from otopi import constants as otopicons
+ from otopi import packager
+ from otopi import plugin
+@@ -54,9 +54,7 @@ class Plugin(plugin.PluginBase, packager.PackagerBase):
+ 
+     def __init__(self, context):
+         super(Plugin, self).__init__(context=context)
+-        self._distribution = platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0]
++        self._distribution = distro.id()
+ 
+     @plugin.event(
+         stage=plugin.Stages.STAGE_INIT,
+diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/dialog/titles.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/dialog/titles.py
+index 5f8d02f..9cc2958 100644
+--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/dialog/titles.py
++++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/dialog/titles.py
+@@ -12,7 +12,7 @@
+ 
+ import gettext
+ import platform
+-
++import distro
+ from otopi import plugin
+ from otopi import util
+ 
+@@ -35,9 +35,7 @@ class Plugin(plugin.PluginBase):
+ 
+     def __init__(self, context):
+         super(Plugin, self).__init__(context=context)
+-        self._distribution = platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0]
++        self._distribution = distro.id()
+ 
+     @plugin.event(
+         stage=plugin.Stages.STAGE_CUSTOMIZATION,
+diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/packages.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/packages.py
+index 2987052..e7a29ef 100644
+--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/packages.py
++++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/packages.py
+@@ -15,7 +15,7 @@ import datetime
+ import gettext
+ import os
+ import platform
+-
++import distro
+ from otopi import constants as otopicons
+ from otopi import plugin
+ from otopi import transaction
+@@ -266,9 +266,7 @@ class Plugin(plugin.PluginBase):
+         super(Plugin, self).__init__(context=context)
+         self._shouldResultVersionLock = False
+         self._enabled = False
+-        self._distribution = platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0]
++        self._distribution = distro.id()
+ 
+     @plugin.event(
+         stage=plugin.Stages.STAGE_INIT,
+diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/versionlock_config.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/versionlock_config.py
+index 7e9fd9b..47b1f09 100644
+--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/versionlock_config.py
++++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/distro-rpm/versionlock_config.py
+@@ -12,7 +12,7 @@
+ 
+ import os
+ import platform
+-
++import distro
+ from otopi import constants as otopicons
+ from otopi import filetransaction
+ from otopi import plugin
+@@ -40,9 +40,10 @@ class Plugin(plugin.PluginBase):
+             os.path.exists(YUM_VERSIONLOCK_CONF) and
+             not self.environment[osetupcons.CoreEnv.DEVELOPER_MODE] and
+             not self.environment[osetupcons.CoreEnv.OFFLINE_PACKAGER] and
+-            platform.linux_distribution(full_distribution_name=0)[0] in (
++            distro.id() in (
+                 'redhat',
+-                'centos'
++                'centos',
++                'openeuler'
+             )
+         )
+     )
+diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/nfs.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/nfs.py
+index a09934d..e43a771 100644
+--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/nfs.py
++++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/nfs.py
+@@ -15,7 +15,7 @@ NFS and RPCbind services configuration plugin.
+ import gettext
+ import os
+ import platform
+-
++import distro
+ from otopi import constants as otopicons
+ from otopi import filetransaction
+ from otopi import plugin
+@@ -47,9 +47,7 @@ class Plugin(plugin.PluginBase):
+ 
+     def __init__(self, context):
+         super(Plugin, self).__init__(context=context)
+-        self._distribution = platform.linux_distribution(
+-            full_distribution_name=0
+-        )[0]
++        self._distribution = distro.id()
+ 
+     @plugin.event(
+         stage=plugin.Stages.STAGE_INIT,
+-- 
+2.39.1
+

0010-fix-host-installation-failure.patch

@@ -0,0 +1,43 @@
+From 388c9a082697d1c736ad74d983671a85699c133d Mon Sep 17 00:00:00 2001
+From: wangdi <wangdi@kylinos.cn>
+Date: Tue, 14 Mar 2023 10:12:57 +0800
+Subject: [PATCH] fix host installation failure
+
+---
+ .../project/roles/ovirt-host-deploy-facts/tasks/host-os.yml    | 2 +-
+ .../plugins/ovirt-engine-setup/ovirt-engine/apache/runner.py   | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-facts/tasks/host-os.yml b/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-facts/tasks/host-os.yml
+index ef92743..f45415a 100644
+--- a/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-facts/tasks/host-os.yml
++++ b/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-facts/tasks/host-os.yml
+@@ -10,7 +10,7 @@
+ 
+ - name: Check if system is OpenEuler
+   set_fact:
+-    ansible_python_interpreter: "{{ 'usr/bin/python3' }}"
++    ansible_python_interpreter: "{{ '/usr/bin/python3' }}"
+   when:
+     ansible_distribution == 'openEuler'
+ 
+diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/apache/runner.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/apache/runner.py
+index 8a8be55..2b3c3a1 100644
+--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/apache/runner.py
++++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/apache/runner.py
+@@ -82,10 +82,11 @@ class Plugin(plugin.PluginBase):
+                 ),
+                 content=textwrap.dedent('''
+                 Listen {port}
++                WSGIRestrictEmbedded On
+                 <VirtualHost _default_:{port}>
+                   WSGIDaemonProcess runner user={user} group={group} threads=4
+                   WSGIProcessGroup runner
+-                  WSGIScriptAlias / {runner_wsgi_file}
++                  WSGIScriptAlias / {runner_wsgi_file} process-group=runner application-group=%{{GLOBAL}}
+                 </VirtualHost>
+                 ''').format(
+                     runner_wsgi_file=runner_wsgi_file,
+-- 
+2.39.1
+

0011-get-vdsm-id-from-dmidecode-system-uuid-on-aarch64.patch

@@ -0,0 +1,41 @@
+From a8dd9ed10a3f272c4ba8c5f619c66eaf243e7112 Mon Sep 17 00:00:00 2001
+From: wangdi <wangdi@kylinos.cn>
+Date: Tue, 14 Mar 2023 17:11:34 +0800
+Subject: [PATCH] get vdsm id from dmidecode system-uuid on aarch64
+
+---
+ .../project/roles/ovirt-host-deploy-vdsm/tasks/vdsmid.yml   | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-vdsm/tasks/vdsmid.yml b/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-vdsm/tasks/vdsmid.yml
+index 87c7d87..c3612b9 100644
+--- a/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-vdsm/tasks/vdsmid.yml
++++ b/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-vdsm/tasks/vdsmid.yml
+@@ -23,13 +23,13 @@
+       name: dmidecode
+       state: present
+ 
+-  - name: Detect vdsm id for x86_64 or i686
++  - name: Detect vdsm id for x86_64 or i686 or aarch64
+     shell: dmidecode -s system-uuid
+     register: vdsm_id_res
+     tags:
+       - skip_ansible_lint # E305
+ 
+-  - name: Set vdsm id for x86_64 or i686
++  - name: Set vdsm id for x86_64 or i686 or aarch64
+     set_fact:
+       vdsm_id: "{{ vdsm_id_res.stdout }}"
+     when:
+@@ -39,7 +39,7 @@
+   when:
+     - not vdsm_id_stat.stat.exists
+     - not vdsm_id
+-    - (ansible_facts.architecture == 'x86_64' or ansible_facts.architecture == 'i686')
++    - (ansible_facts.architecture == 'x86_64' or ansible_facts.architecture == 'i686' or ansible_facts.architecture == 'aarch64')
+ 
+ - block:
+   - name: Verify ppc system id path exists
+-- 
+2.39.1
+

CVE-2020-35497.patch

@@ -0,0 +1,98 @@
+From d663972f8a144b283591e46693f0aa27a9f2e859 Mon Sep 17 00:00:00 2001
+From: Eli Mesika <emesika@redhat.com>
+Date: Wed, 23 Dec 2020 13:15:39 +0200
+Subject: [PATCH] core: prevent non-admin users see other users data
+
+This patch fixes a security hole that enables regular users to access
+other user data including administrators.
+The problem was in the DAO that accesses the users data according to the
+user permission, the wrong logic was to get all the user data if any
+permission is found for the given user.
+
+This patch modifies the relevant queries in the BLL level to return only
+the information that the user allowed to see
+
+CVE-2020-35497
+
+Change-Id: I5130799027ab79f03b4e25c5f2f2ca4150887719
+Bug-Id: https://bugzilla.redhat.com/show_bug.cgi?id=1899938
+Signed-off-by: Eli Mesika <emesika@redhat.com>
+(cherry picked from commit 40160e6f678d632937a22a8e23370086024f9994)
+---
+ .../engine/core/bll/aaa/GetAllDbUsersQuery.java | 17 +++++++++++++++--
+ .../core/bll/aaa/GetDbUserByUserIdQuery.java    | 14 +++++++++++++-
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
+index e799dbd8f76..4d964b110a9 100644
+--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
++++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
+@@ -1,12 +1,17 @@
+ package org.ovirt.engine.core.bll.aaa;
+ 
+-import javax.inject.Inject;
++import java.util.ArrayList;
++
++import  javax.inject.Inject;
+ 
+ import org.ovirt.engine.core.bll.QueriesCommandBase;
+ import org.ovirt.engine.core.bll.context.EngineContext;
++import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
+ import org.ovirt.engine.core.common.queries.QueryParametersBase;
+ import org.ovirt.engine.core.dao.DbUserDao;
+ 
++
++
+ public class GetAllDbUsersQuery<P extends QueryParametersBase>
+         extends QueriesCommandBase<P> {
+     @Inject
+@@ -18,6 +23,14 @@ public class GetAllDbUsersQuery<P extends QueryParametersBase>
+ 
+     @Override
+     protected void executeQueryCommand() {
+-        getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered()));
++        DbUser currentUser = getUser();
++        // A non-admin trying to get other user data will get its own data
++        if (!currentUser.isAdmin()) {
++            ArrayList<DbUser> users = new ArrayList<>();
++            users.add(currentUser);
++            getQueryReturnValue().setReturnValue(users);
++        } else {
++            getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered()));
++        }
+     }
+ }
+diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
+index 52f88740da6..df491489a80 100644
+--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
++++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
+@@ -4,6 +4,7 @@ import javax.inject.Inject;
+ 
+ import org.ovirt.engine.core.bll.QueriesCommandBase;
+ import org.ovirt.engine.core.bll.context.EngineContext;
++import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
+ import org.ovirt.engine.core.common.queries.IdQueryParameters;
+ import org.ovirt.engine.core.dao.DbUserDao;
+ 
+@@ -19,6 +20,17 @@ public class GetDbUserByUserIdQuery<P extends IdQueryParameters>
+ 
+     @Override
+     protected void executeQueryCommand() {
+-        getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered()));
++        DbUser currentUser = getUser();
++        if (!currentUser.isAdmin()) {
++            // unauthorized access
++            if (!currentUser.getId().equals(getParameters().getId())) {
++                getQueryReturnValue().setReturnValue(null);
++            } else {
++                // A non-admin user can get only its own data
++                getQueryReturnValue().setReturnValue(dbUserDao.get(currentUser.getId(), false));
++            }
++        } else {
++            getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered()));
++        }
+     }
+ }
+-- 
+2.27.0
+

CVE-2024-0822.patch

@@ -0,0 +1,71 @@
+From 7c60429f6c7a7c132725a789c8901aa5f29cad46 Mon Sep 17 00:00:00 2001
+From: Martin Perina <mperina@redhat.com>
+Date: Tue, 5 Mar 2024 10:10:37 +0800
+Subject: [PATCH] CVE-2024-0822
+
+commit 08daf9d2f17024d603a241cca85d00adf153a2f2 upstream
+
+Disable execution of CreateUserSession from GWT code
+
+CreateUserSesssion should be executed only as a part of login flow, so
+explicitly disable execution from GWT code.
+
+Signed-off-by: Martin Perina <mperina@redhat.com>
+---
+ .../server/gwt/GenericApiGWTServiceImpl.java  | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
+index 476a018..00a886d 100644
+--- a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
++++ b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
+@@ -2,6 +2,7 @@ package org.ovirt.engine.ui.frontend.server.gwt;
+ 
+ import java.io.IOException;
+ import java.util.ArrayList;
++import java.util.Arrays;
+ import java.util.List;
+ import java.util.UUID;
+ import java.util.regex.Pattern;
+@@ -17,6 +18,7 @@ import org.ovirt.engine.core.common.action.ActionParametersBase;
+ import org.ovirt.engine.core.common.action.ActionReturnValue;
+ import org.ovirt.engine.core.common.action.ActionType;
+ import org.ovirt.engine.core.common.constants.SessionConstants;
++import org.ovirt.engine.core.common.errors.EngineFault;
+ import org.ovirt.engine.core.common.interfaces.BackendLocal;
+ import org.ovirt.engine.core.common.queries.QueryParametersBase;
+ import org.ovirt.engine.core.common.queries.QueryReturnValue;
+@@ -149,6 +151,14 @@ public class GenericApiGWTServiceImpl extends OvirtXsrfProtectedServiceServlet i
+             ArrayList<ActionParametersBase> multipleParams, boolean isRunOnlyIfAllValidationPass, boolean isWaitForResult) {
+         log.debug("Server: RunMultipleAction invoked! [amount of actions: {}]", multipleParams.size()); //$NON-NLS-1$
+ 
++        // CreateUserSession should never be invoked from GWT code
++        if (actionType == ActionType.CreateUserSession) {
++            ActionReturnValue error = new ActionReturnValue();
++            error.setSucceeded(false);
++            error.setFault(new EngineFault(new RuntimeException("Command cannot be executed from client"))); //$NON-NLS-1$
++            return Arrays.asList(error);
++        }
++
+         String correlationId = CorrelationIdTracker.getCorrelationId();
+         for (ActionParametersBase params : multipleParams) {
+             params.setSessionId(getEngineSessionId());
+@@ -168,6 +178,15 @@ public class GenericApiGWTServiceImpl extends OvirtXsrfProtectedServiceServlet i
+             ActionParametersBase params) {
+         log.debug("Server: RunAction invoked!"); //$NON-NLS-1$
+         debugAction(actionType, params);
++
++        // CreateUserSession should never be invoked from GWT code
++        if (actionType == ActionType.CreateUserSession) {
++            ActionReturnValue error = new ActionReturnValue();
++            error.setSucceeded(false);
++            error.setFault(new EngineFault(new RuntimeException("Command cannot be executed from client"))); //$NON-NLS-1$
++            return error;
++        }
++
+         params.setSessionId(getEngineSessionId());
+         if (params.getCorrelationId() == null) {
+             params.setCorrelationId(CorrelationIdTracker.getCorrelationId());
+-- 
+2.27.0
+

ovirt-engine.spec

@@ -176,7 +176,7 @@ getent passwd %1 >/dev/null || useradd -r -u %2 -g %3 -c %5 -s /sbin/nologin -d
 
 Name:		ovirt-engine
 Version:	4.4.4.1
-Release:	6
+Release:	11
 Summary:	Management server for Open Virtualization
 Group:		%{ovirt_product_group}
 License:	Apache 2.0
@@ -198,6 +198,11 @@ Patch5:         0005-fix-interface-report-an-error-when-emulatedMachine-is-null.
 Patch6:         0007-add-config-item-for-openeuler.patch
 Patch7:         CVE-2020-10775.patch
 Patch8:         0008-modify-sshd-core-version.patch
+Patch9:         0009-fix-engine-setup-problem.patch  
+Patch10:        0010-fix-host-installation-failure.patch
+Patch11:        0011-get-vdsm-id-from-dmidecode-system-uuid-on-aarch64.patch
+Patch12:        CVE-2024-0822.patch
+Patch13:        CVE-2020-35497.patch
 BuildArch:	noarch
 
 BuildRequires:	assertj-core >= 2.2.0
@@ -647,6 +652,11 @@ Setup imageio service.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 sed -i '87s/@Test/\/\/@Test/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
 sed -i '88s/@MockedConfig/\/\/@MockedConfig/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
 sed -i '121s/@Test/\/\/@Test/g' backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AddClusterCommandTest.java
@@ -1295,6 +1305,21 @@ fi
 %{engine_data}/setup/bin/ovirt-engine-health
 
 %changelog
+* Fri Jun 07 2024 wangziliang <wangziliang@kylinos.cn> - 4.4.4.1-11
+- Fix CVE-2020-35497
+
+* Tue Mar 05 2024 yanjianqing <yanjianqing@kylinos.cn> - 4.4.4.1-10
+- Fix CVE-2024-0822
+
+* Tue Mar 14 2023 wangdi <wangdi@kylinos.cn> - 4.4.4.1-9
+- Set vdsm id as system uuid from dmidecode on aarch64
+
+* Tue Mar 14 2023 wangdi <wangdi@kylinos.cn> - 4.4.4.1-8
+- Fix host installation failure
+
+* Wed Mar 08 2023 yanjianqing <yanjianqing@kylinos.cn> - 4.4.4.1-7
+- Fix engine-setup problem
+
 * Fri Mar 03 2023 jiangxinyu <jiangxinyu@kylinos.cn> - 4.4.4.1-6
 - Remove OVN/OVS support