From a6e63391b59f9f6557b55d03e94ee827a1ba1714 Mon Sep 17 00:00:00 2001 From: Riken Maharjan <106988478+rikenm1@users.noreply.github.com> Date: Mon, 27 May 2024 10:51:43 -0700 Subject: [PATCH 01/12] update python h5py to fix build break caused by recent to HDF5 update (#9223) --- SPECS/keras/keras.spec | 6 ++++- .../python-h5py/h5py-3.7.0-ppc-float128.patch | 23 ------------------- SPECS/python-h5py/python-h5py.signatures.json | 4 ++-- SPECS/python-h5py/python-h5py.spec | 18 +++++++++------ .../python-tensorflow-estimator.spec | 6 ++++- cgmanifest.json | 4 ++-- 6 files changed, 25 insertions(+), 36 deletions(-) delete mode 100644 SPECS/python-h5py/h5py-3.7.0-ppc-float128.patch diff --git a/SPECS/keras/keras.spec b/SPECS/keras/keras.spec index 328383831f4..7aa2d3603e7 100644 --- a/SPECS/keras/keras.spec +++ b/SPECS/keras/keras.spec @@ -3,7 +3,7 @@ Summary: Keras is a high-level neural networks API. Name: keras Version: 2.11.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -25,6 +25,7 @@ BuildRequires: python3-wheel BuildRequires: tar BuildRequires: which BuildRequires: python3-tf-nightly = 2.11.0 +BuildRequires: python3-h5py ExclusiveArch: x86_64 %description @@ -69,6 +70,9 @@ bazel --batch build --verbose_explanations //keras/tools/pip_package:build_pip_ %changelog +* Fri May 24 2024 Riken Maharjan - 2.11.0-3 +- Explicitly BR python3-h5py. + * Tue Aug 01 2023 Riken Maharjan - 2.11.0-2 - Remove bazel version. diff --git a/SPECS/python-h5py/h5py-3.7.0-ppc-float128.patch b/SPECS/python-h5py/h5py-3.7.0-ppc-float128.patch deleted file mode 100644 index 71dbd80a879..00000000000 --- a/SPECS/python-h5py/h5py-3.7.0-ppc-float128.patch +++ /dev/null 
@@ -1,23 +0,0 @@
-diff -up h5py-3.7.0/h5py/h5t.pyx.orig h5py-3.7.0/h5py/h5t.pyx
---- h5py-3.7.0/h5py/h5t.pyx.orig 2022-06-14 16:31:22.964458579 +0000
-+++ h5py-3.7.0/h5py/h5t.pyx 2022-06-14 16:31:46.404768118 +0000
-@@ -282,18 +282,7 @@ cdef (int, int, int) _correct_float_info
- nmant = finfo.nmant
- maxexp = finfo.maxexp
- minexp = finfo.minexp
-- # workaround for numpy's buggy finfo on float128 on ppc64 archs
-- if ftype_ == np.longdouble and MACHINE == 'ppc64':
-- # values reported by hdf5
-- nmant = 116
-- maxexp = 1024
-- minexp = -1022
-- elif ftype_ == np.longdouble and MACHINE == 'ppc64le':
-- # values reported by hdf5
-- nmant = 52
-- maxexp = 1024
-- minexp = -1022
-- elif nmant == 63 and finfo.nexp == 15:
-+ if nmant == 63 and finfo.nexp == 15:
- # This is an 80-bit float, correct mantissa size
- nmant += 1
-
diff --git a/SPECS/python-h5py/python-h5py.signatures.json b/SPECS/python-h5py/python-h5py.signatures.json
index e1c9f054294..8afeb668e76 100644
--- a/SPECS/python-h5py/python-h5py.signatures.json
+++ b/SPECS/python-h5py/python-h5py.signatures.json
@@ -1,5 +1,5 @@ { "Signatures": {
- "h5py-3.7.0.tar.gz": "3fcf37884383c5da64846ab510190720027dca0768def34dd8dcb659dbe5cbf3"
+ "h5py-3.10.0.tar.gz": "d93adc48ceeb33347eb24a634fb787efc7ae4644e6ea4ba733d099605045c049" }
-}
\ No newline at end of file
+}
diff --git a/SPECS/python-h5py/python-h5py.spec b/SPECS/python-h5py/python-h5py.spec
index 431525402ef..750113365e7 100644
--- a/SPECS/python-h5py/python-h5py.spec
+++ b/SPECS/python-h5py/python-h5py.spec
@@ -12,17 +12,14 @@ data types and data structures and their HDF5 equivalents vastly\ simplifies the process of reading and writing data from Python. Summary: A Python interface to the HDF5 library Name: h5py -Version: 3.7.0 -Release: 5%{?dist} +Version: 3.10.0 +Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner URL: https://www.h5py.org/ Source0: https://files.pythonhosted.org/packages/source/h/h5py/h5py-%{version}.tar.gz -# drop the unnecessary workaround for float128 type after -# https://fedoraproject.org/wiki/Changes/PPC64LE_Float128_Transition -# in F-36 -Patch0: h5py-3.7.0-ppc-float128.patch + BuildRequires: gcc BuildRequires: hdf5-devel >= 1.14.4 BuildRequires: liblzf-devel @@ -50,7 +47,7 @@ Requires: python%{python3_pkgversion}-six %prep %setup -q -c -n %{name}-%{version} -%patch0 + mv %{name}-%{version} serial cd serial %{__python3} api_gen.py @@ -69,7 +66,11 @@ export H5PY_SYSTEM_LZF=1 export CFLAGS="%{optflags} -fopenmp" cd serial %py3_build +cd - +# MPI +export CC=mpicc +export HDF5_MPI="ON" %install # Upstream requires a specific numpy without this @@ -92,6 +93,9 @@ cd - %{python3_sitearch}/%{name}-%{version}-*.egg-info %changelog +* Thu May 23 2024 Riken Maharjan - 3.10.0-1 +- Update to 3.10.0 to match hdf5 1.14.4 + * Mon May 20 2024 George Mileka - 3.7.0-5 - Bumping the release version so that this package is re-built with the newer 1.14.4 hdf5 libraries. This ensures that the matching 1.14.4 .so files Will diff --git a/SPECS/python-tensorflow-estimator/python-tensorflow-estimator.spec b/SPECS/python-tensorflow-estimator/python-tensorflow-estimator.spec index 66b0e2d8e6b..ac1863c68a6 100644 --- a/SPECS/python-tensorflow-estimator/python-tensorflow-estimator.spec +++ b/SPECS/python-tensorflow-estimator/python-tensorflow-estimator.spec 
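Review bot: The `export CC=mpicc` and `export HDF5_MPI="ON"` lines added at the end of %build sit after `%py3_build` and immediately before `%install`, so they affect nothing: rpmbuild runs each section in its own shell, and no build step follows them. They read like a leftover from a parallel (MPI) build variant of this spec; either drop the three lines (`cd -`, `export CC=mpicc`, `export HDF5_MPI="ON"`) or move them ahead of a second `%py3_build` in a separate build tree and add the matching MPI BuildRequires, none of which is visible in the hunk. If an MPI build is not intended, a bare `# MPI` comment left in %build will mislead the next person bumping this package.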
@@ -7,7 +7,7 @@ A high-level TensorFlow API that greatly simplifies machine learning programming Summary: A high-level TensorFlow API that greatly simplifies machine learning programming Name: python-%{pypi_name} Version: 2.11.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -21,6 +21,7 @@ BuildRequires: python3-wheel BuildRequires: python3-six BuildRequires: python3-tf-nightly BuildRequires: python3-keras +BuildRequires: python3-h5py ExclusiveArch: x86_64 @@ -61,6 +62,9 @@ bazel --batch build //tensorflow_estimator/tools/pip_package:build_pip_package %{python3_sitelib}/* %changelog +* Fri May 24 2024 Riken Maharjan - 2.11.0-2 +- Explicitly BR python3-h5py. + * Fri Nov 11 2022 Riken Maharjan - 2.11.0-1 - Original version for CBL-Mariner. License Verified. diff --git a/cgmanifest.json b/cgmanifest.json index 2cd5798a483..307cb87746f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -5130,8 +5130,8 @@ "type": "other", "other": { "name": "h5py", - "version": "3.7.0", - "downloadUrl": "https://files.pythonhosted.org/packages/source/h/h5py/h5py-3.7.0.tar.gz" + "version": "3.10.0", + "downloadUrl": "https://files.pythonhosted.org/packages/source/h/h5py/h5py-3.10.0.tar.gz" } } }, From 61c7a0b9b42e002d99ed223688910ae4c916bb3d Mon Sep 17 00:00:00 2001 From: Bala Date: Tue, 28 May 2024 20:01:00 +0530 Subject: [PATCH 02/12] Fix CVE-2023-48795 in moby-compose by patching vendor packages (#9232) --- SPECS/moby-compose/CVE-2023-48795.patch | 232 ++++++++++++++++++++++++ SPECS/moby-compose/moby-compose.spec | 6 +- 2 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 SPECS/moby-compose/CVE-2023-48795.patch diff --git a/SPECS/moby-compose/CVE-2023-48795.patch b/SPECS/moby-compose/CVE-2023-48795.patch new file mode 100644 index 00000000000..1ed22ef4ae6 --- /dev/null +++ b/SPECS/moby-compose/CVE-2023-48795.patch 
@@ -0,0 +1,232 @@
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 653dc4d..e7d4545 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
++++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -34,6 +34,16 @@ type keyingTransport interface {
+ // direction will be effected if a msgNewKeys message is sent
+ // or received.
+ prepareKeyChange(*algorithms, *kexResult) error
++
++ // setStrictMode sets the strict KEX mode, notably triggering
++ // sequence number resets on sending or receiving msgNewKeys.
++ // If the sequence number is already > 1 when setStrictMode
++ // is called, an error is returned.
++ setStrictMode() error
++
++ // setInitialKEXDone indicates to the transport that the initial key exchange
++ // was completed
++ setInitialKEXDone()
+ }
+
+ // handshakeTransport implements rekeying on top of a keyingTransport
+@@ -94,6 +104,10 @@ type handshakeTransport struct {
+
+ // The session ID or nil if first kex did not complete yet.
+ sessionID []byte
++
++ // strictMode indicates if the other side of the handshake indicated
++ // that we should be following the strict KEX protocol restrictions.
++ strictMode bool
+ }
+
+ type pendingKex struct {
+@@ -201,7 +215,10 @@ func (t *handshakeTransport) readLoop() {
+ close(t.incoming)
+ break
+ }
+- if p[0] == msgIgnore || p[0] == msgDebug {
++ // If this is the first kex, and strict KEX mode is enabled,
++ // we don't ignore any messages, as they may be used to manipulate
++ // the packet sequence numbers.
++ if !(t.sessionID == nil && t.strictMode) && (p[0] == msgIgnore || p[0] == msgDebug) {
+ continue
+ }
+ t.incoming <- p
+@@ -432,6 +449,11 @@ func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
+ return successPacket, nil
+ }
+
++const (
++ kexStrictClient = "kex-strict-c-v00@openssh.com"
++ kexStrictServer = "kex-strict-s-v00@openssh.com"
++)
++
+ // sendKexInit sends a key change message.
+ func (t *handshakeTransport) sendKexInit() error {
+ t.mu.Lock()
+@@ -445,7 +467,6 @@ func (t *handshakeTransport) sendKexInit() error {
+ }
+
+ msg := &kexInitMsg{
+- KexAlgos: t.config.KeyExchanges,
+ CiphersClientServer: t.config.Ciphers,
+ CiphersServerClient: t.config.Ciphers,
+ MACsClientServer: t.config.MACs,
+@@ -455,6 +476,13 @@ func (t *handshakeTransport) sendKexInit() error {
+ }
+ io.ReadFull(rand.Reader, msg.Cookie[:])
+
++ // We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm,
++ // and possibly to add the ext-info extension algorithm. Since the slice may be the
++ // user owned KeyExchanges, we create our own slice in order to avoid using user
++ // owned memory by mistake.
++ msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+2) // room for kex-strict and ext-info
++ msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
++
+ isServer := len(t.hostKeys) > 0
+ if isServer {
+ for _, k := range t.hostKeys {
+@@ -474,17 +502,24 @@ func (t *handshakeTransport) sendKexInit() error {
+ msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat)
+ }
+ }
++
++ if t.sessionID == nil {
++ msg.KexAlgos = append(msg.KexAlgos, kexStrictServer)
++ }
+ } else {
+ msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
+
+ // As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what
+ // algorithms the server supports for public key authentication. See RFC
+ // 8308, Section 2.1.
++ //
++ // We also send the strict KEX mode extension algorithm, in order to opt
++ // into the strict KEX mode.
+ if firstKeyExchange := t.sessionID == nil; firstKeyExchange {
+- msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+1)
+- msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
+ msg.KexAlgos = append(msg.KexAlgos, "ext-info-c")
++ msg.KexAlgos = append(msg.KexAlgos, kexStrictClient)
+ }
++
+ }
+
+ packet := Marshal(msg)
+@@ -581,6 +616,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
+ return err
+ }
+
++ if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
++ t.strictMode = true
++ if err := t.conn.setStrictMode(); err != nil {
++ return err
++ }
++ }
++
+ // We don't send FirstKexFollows, but we handle receiving it.
+ //
+ // RFC 4253 section 7 defines the kex and the agreement method for
+@@ -615,7 +657,8 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
+ return err
+ }
+
+- if t.sessionID == nil {
++ firstKeyExchange := t.sessionID == nil
++ if firstKeyExchange {
+ t.sessionID = result.H
+ }
+ result.SessionID = t.sessionID
+@@ -632,6 +675,12 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
+ return unexpectedMessageError(msgNewKeys, packet[0])
+ }
+
++ if firstKeyExchange {
++ // Indicates to the transport that the first key exchange is completed
++ // after receiving SSH_MSG_NEWKEYS.
++ t.conn.setInitialKEXDone()
++ }
++
+ return nil
+ }
+
+diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
+index acf5a21..4df45fc 100644
+--- a/vendor/golang.org/x/crypto/ssh/transport.go
++++ b/vendor/golang.org/x/crypto/ssh/transport.go
+@@ -48,6 +48,9 @@ type transport struct {
+ rand io.Reader
+ isClient bool
+ io.Closer
++
++ strictMode bool
++ initialKEXDone bool
+ }
+
+ // packetCipher represents a combination of SSH encryption/MAC
+@@ -73,6 +76,18 @@ type connectionState struct {
+ pendingKeyChange chan packetCipher
+ }
+
++func (t *transport) setStrictMode() error {
++ if t.reader.seqNum != 1 {
++ return errors.New("ssh: sequence number != 1 when strict KEX mode requested")
++ }
++ t.strictMode = true
++ return nil
++}
++
++func (t *transport) setInitialKEXDone() {
++ t.initialKEXDone = true
++}
++
+ // prepareKeyChange sets up key material for a keychange. The key changes in
+ // both directions are triggered by reading and writing a msgNewKey packet
+ // respectively.
+@@ -111,11 +126,12 @@ func (t *transport) printPacket(p []byte, write bool) {
+ // Read and decrypt next packet.
+ func (t *transport) readPacket() (p []byte, err error) {
+ for {
+- p, err = t.reader.readPacket(t.bufReader)
++ p, err = t.reader.readPacket(t.bufReader, t.strictMode)
+ if err != nil {
+ break
+ }
+- if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
++ // in strict mode we pass through DEBUG and IGNORE packets only during the initial KEX
++ if len(p) == 0 || (t.strictMode && !t.initialKEXDone) || (p[0] != msgIgnore && p[0] != msgDebug) {
+ break
+ }
+ }
+@@ -126,7 +142,7 @@ func (t *transport) printPacket(p []byte, write bool) {
+ return p, err
+ }
+
+-func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
++func (s *connectionState) readPacket(r *bufio.Reader, strictMode bool) ([]byte, error) {
+ packet, err := s.packetCipher.readCipherPacket(s.seqNum, r)
+ s.seqNum++
+ if err == nil && len(packet) == 0 {
+@@ -139,6 +155,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
+ select {
+ case cipher := <-s.pendingKeyChange:
+ s.packetCipher = cipher
++ if strictMode {
++ s.seqNum = 0
++ }
+ default:
+ return nil, errors.New("ssh: got bogus newkeys message")
+ }
+@@ -169,10 +188,10 @@ func (t *transport) writePacket(packet []byte) error {
+ if debugTransport {
+ t.printPacket(packet, true)
+ }
+- return t.writer.writePacket(t.bufWriter, t.rand, packet)
++ return t.writer.writePacket(t.bufWriter, t.rand, packet, t.strictMode)
+ }
+
+-func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
++func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte, strictMode bool) error {
+ changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
+
+ err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet)
+@@ -187,6 +206,9 @@ func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []
+ select {
+ case cipher := <-s.pendingKeyChange:
+ s.packetCipher = cipher
++ if strictMode {
++ s.seqNum = 0
++ }
+ default:
+ panic("ssh: no key
material for msgNewKeys") + } diff --git a/SPECS/moby-compose/moby-compose.spec b/SPECS/moby-compose/moby-compose.spec index 7e2d4402084..c0fba5cd3ea 100644 --- a/SPECS/moby-compose/moby-compose.spec +++ b/SPECS/moby-compose/moby-compose.spec @@ -1,7 +1,7 @@ Summary: Define and run multi-container applications with Docker Name: moby-compose Version: 2.17.3 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ Patch1: patch-server.go-to-support-single-serverWorkerChannel.patch Patch2: Change-server-stream-context-handling.patch Patch3: prohibit-more-than-MaxConcurrentStreams-handlers.patch Patch4: CVE-2023-45288.patch +Patch5: CVE-2023-48795.patch # Leverage the `generate_source_tarball.sh` to create the vendor sources # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store. @@ -56,6 +57,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl %{_libexecdir}/docker/cli-plugins/docker-compose %changelog +* Tue May 28 2024 Bala - 2.17.3-4 +- Fix for CVE-2023-48795 + * Thu Apr 18 2024 Chris Gunn - 2.17.3-3 - Fix for CVE-2023-45288 From 4b86ac16fd467c163843280014db3aad77d24504 Mon Sep 17 00:00:00 2001 From: Lanze Liu <86434077+liulanze@users.noreply.github.com> Date: Tue, 28 May 2024 09:01:28 -0700 Subject: [PATCH 03/12] cups: patch CVE-2022-26691. (#9168) Co-authored-by: lanzeliu --- SPECS/cups/CVE-2022-26691.patch | 18 ++++++++++++++++++ SPECS/cups/cups.spec | 7 ++++++- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 SPECS/cups/CVE-2022-26691.patch diff --git a/SPECS/cups/CVE-2022-26691.patch b/SPECS/cups/CVE-2022-26691.patch new file mode 100644 index 00000000000..ae4185a55be --- /dev/null +++ b/SPECS/cups/CVE-2022-26691.patch 
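Review bot: The backport edits only `handshake.go` and `transport.go` under `vendor/golang.org/x/crypto/ssh`; as far as the hunk shows, `vendor/modules.txt` and `go.mod`/`go.sum` still record the vulnerable x/crypto version, so govulncheck and SBOM scanners will keep flagging CVE-2023-48795 on the built `docker-compose` even though the strict-KEX logic is present, and that should be stated in the changelog or patch header so the finding can be triaged as fixed rather than re-opened. The patch file also carries no provenance line, unlike the libvirt and werkzeug patches in this series; add a header such as `# Backport of the upstream golang.org/x/crypto strict-KEX fix for CVE-2023-48795 (Terrapin); only the ssh handshake/transport files are patched.` naming the upstream commit it was derived from. The moby-compose.spec hunk adds `Patch5:` but %prep is outside the hunk, so confirm the spec actually applies it (`%autosetup -p1` or an explicit `%patch5 -p1`).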
@@ -0,0 +1,18 @@
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index 258e8fc83..8043625fe 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -434,5 +434,12 @@
+ b ++;
+ }
+
+- return (result);
++ /*
++ * The while loop finishes when *a == '\0' or *b == '\0'
++ * so after the while loop either both *a and *b == '\0',
++ * or one points inside a string, so when we apply logical OR on *a,
++ * *b and result, we get a non-zero return value if the compared strings don't match.
++ */
++
++ return (result | *a | *b);
+ }
diff --git a/SPECS/cups/cups.spec b/SPECS/cups/cups.spec
index eb0d6c5cd9e..3b8ee8fb045 100644
--- a/SPECS/cups/cups.spec
+++ b/SPECS/cups/cups.spec
@@ -12,7 +12,7 @@ Summary: CUPS printing system Name: cups Version: 2.3.3%{OP_VER}
-Release: 7%{?dist}
+Release: 8%{?dist}
License: ASL 2.0 with exceptions Vendor: Microsoft Corporation Distribution: Mariner
@@ -63,6 +63,7 @@ Patch13: cups-dymo-deviceid.patch Patch14: CVE-2023-4504.patch Patch15: CVE-2023-32324.patch Patch16: CVE-2023-34241.patch
+Patch17: CVE-2022-26691.patch
#### UPSTREAM PATCHES (starts with 1000) #### ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal
@@ -264,6 +265,7 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch14 -p1 %patch15 -p1 %patch16 -p1
+%patch17 -p1
# LSPP support. %patch100 -p1 -b .lspp
@@ -655,6 +657,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog
+* Tue May 21 2024 Lanze Liu - 2.3.3op2-8
+- Add patch for CVE-2022-26691.
+
* Fri Apr 12 2024 Amrita Kohli - 2.3.3op2-7 - Add patch for CVE-2023-32324. - Add patch for CVE-2023-34241.
From 14d8692ef97b5d3d195f52ae2a97aae561259347 Mon Sep 17 00:00:00 2001
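Review bot: The nested hunk header `@@ -434,5 +434,12 @@` carries no function context and the enclosing function begins before the hunk, so a reader of this patch file cannot tell which routine's return value is being changed or where the fix came from; add a header above the diff such as `Backport of the upstream CUPS fix for CVE-2022-26691 (scheduler/cert.c, local certificate comparison returning equal on a prefix match).` and name the upstream commit. The new `return (result | *a | *b);` makes a string that is a strict prefix of the other compare unequal, but the loop still stops at the first NUL of the shorter string, so this is not a length-constant-time compare; that matches upstream, and stating it in the header prevents the function being reused as if it were.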
From: J Camposeco <108859819+jcamposeco@users.noreply.github.com> Date: Tue, 28 May 2024 09:08:43 -0700 Subject: [PATCH 04/12] libvirt: Patch for CVE-2024-4418 (#9197) --- SPECS/libvirt/CVE-2024-4418.patch | 98 +++++++++++++++++++++++++++++++ SPECS/libvirt/libvirt.spec | 6 +- 2 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 SPECS/libvirt/CVE-2024-4418.patch diff --git a/SPECS/libvirt/CVE-2024-4418.patch b/SPECS/libvirt/CVE-2024-4418.patch new file mode 100644 index 00000000000..f7dd771ec4a --- /dev/null +++ b/SPECS/libvirt/CVE-2024-4418.patch 
@@ -0,0 +1,98 @@ +From 8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2024 11:51:15 +0100 +Subject: [PATCH] rpc: ensure temporary GSource is removed from client event + loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Users are seeing periodic segfaults from libvirt client apps, +especially thread heavy ones like virt-manager. A typical +stack trace would end up in the virNetClientIOEventFD method, +with illegal access to stale stack data. eg + +==238721==ERROR: AddressSanitizer: stack-use-after-return on address 0x75cd18709788 at pc 0x75cd3111f907 bp 0x75cd181ff550 sp 0x75cd181ff548 +WRITE of size 4 at 0x75cd18709788 thread T11 + #0 0x75cd3111f906 in virNetClientIOEventFD /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1634:15 + #1 0x75cd3210d198 (/usr/lib/libglib-2.0.so.0+0x5a198) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2) + #2 0x75cd3216c3be (/usr/lib/libglib-2.0.so.0+0xb93be) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2) + #3 0x75cd3210ddc6 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x5adc6) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2) + #4 0x75cd3111a47c in virNetClientIOEventLoop /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1722:9 + #5 0x75cd3111a47c in virNetClientIO /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2002:10 + #6 0x75cd3111a47c in virNetClientSendInternal /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2170:11 + #7 0x75cd311198a8 in virNetClientSendWithReply /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2198:11 + #8 0x75cd31111653 in virNetClientProgramCall /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclientprogram.c:318:9 + #9 0x75cd31241c8f in callFull /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6054:10 + #10 0x75cd31241c8f 
in call /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6076:12 + #11 0x75cd31241c8f in remoteNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/src/remote/remote_client_bodies.h:5959:9 + #12 0x75cd31410ff7 in virNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/libvirt-network.c:952:15 + +The root cause is a bad assumption in the virNetClientIOEventLoop +method. This method is run by whichever thread currently owns the +buck, and is responsible for handling I/O. Inside a for(;;) loop, +this method creates a temporary GSource, adds it to the event loop +and runs g_main_loop_run(). When I/O is ready, the GSource callback +(virNetClientIOEventFD) will fire and call g_main_loop_quit(), and +return G_SOURCE_REMOVE which results in the temporary GSource being +destroyed. A g_autoptr() will then remove the last reference. + +What was overlooked, is that a second thread can come along and +while it can't enter virNetClientIOEventLoop, it will register an +idle source that uses virNetClientIOWakeup to interrupt the +original thread's 'g_main_loop_run' call. When this happens the +virNetClientIOEventFD callback never runs, and so the temporary +GSource is not destroyed. The g_autoptr() will remove a reference, +but by virtue of still being attached to the event context, there +is an extra reference held causing GSource to be leaked. The +next time 'g_main_loop_run' is called, the original GSource will +trigger its callback, and access data that was allocated on the +stack by the previous thread, and likely SEGV. + +To solve this, the thread calling 'g_main_loop_run' must call +g_source_destroy, immediately upon return, to guarantee that +the temporary GSource is removed. + +CVE-2024-4418 +Reviewed-by: Ján Tomko +Reported-by: Martin Shirokov +Tested-by: Martin Shirokov +Signed-off-by: Daniel P. 
Berrangé +--- + src/rpc/virnetclient.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c +index 68098b1c8d..147b0d661a 100644 +--- a/src/rpc/virnetclient.c ++++ b/src/rpc/virnetclient.c +@@ -1657,7 +1657,7 @@ static int virNetClientIOEventLoop(virNetClient *client, + #endif /* !WIN32 */ + int timeout = -1; + virNetMessage *msg = NULL; +- g_autoptr(GSource) G_GNUC_UNUSED source = NULL; ++ g_autoptr(GSource) source = NULL; + GIOCondition ev = 0; + struct virNetClientIOEventData data = { + .client = client, +@@ -1721,6 +1721,18 @@ static int virNetClientIOEventLoop(virNetClient *client, + + g_main_loop_run(client->eventLoop); + ++ /* ++ * If virNetClientIOEventFD ran, this GSource will already be ++ * destroyed due to G_SOURCE_REMOVE. It is harmless to re-destroy ++ * it, since we still own a reference. ++ * ++ * If virNetClientIOWakeup ran, it will have interrupted the ++ * g_main_loop_run call, before virNetClientIOEventFD could ++ * run, and thus the GSource is still registered, and we need ++ * to destroy it since it is referencing stack memory for 'data' ++ */ ++ g_source_destroy(source); ++ + #ifndef WIN32 + ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL)); + #endif /* !WIN32 */ +-- +GitLab diff --git a/SPECS/libvirt/libvirt.spec b/SPECS/libvirt/libvirt.spec index 69eeb040570..f793ecf22f6 100644 --- a/SPECS/libvirt/libvirt.spec +++ b/SPECS/libvirt/libvirt.spec @@ -9,7 +9,7 @@ Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc Name: libvirt Version: 7.10.0 -Release: 9%{?dist} +Release: 10%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -21,6 +21,7 @@ Patch1: CVE-2023-2700.patch Patch2: CVE-2024-1441.patch Patch3: CVE-2024-2496.patch Patch4: CVE-2024-2494.patch +Patch5: CVE-2024-4418.patch BuildRequires: audit-libs-devel BuildRequires: augeas 
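Review bot: The hunk offsets (`@@ -1657,7 +1657,7 @@` and `@@ -1721,6 +1721,18 @@`) come from libvirt 10.2.0 while this spec builds 7.10.0, so the patch will apply with an offset and possibly fuzz; confirm in the build log that both hunks land inside `virNetClientIOEventLoop` rather than at some other `g_main_loop_run(client->eventLoop);` site, and consider regenerating the patch against 7.10.0 so the context lines are exact. The fix itself is the correct minimal one: `g_source_destroy(source);` right after `g_main_loop_run` removes the source from the context, which `g_autoptr` alone cannot do when the wakeup path leaves it attached. The libvirt.spec hunk adds `Patch5: CVE-2024-4418.patch` but %prep is outside the hunk, so confirm the patch is actually applied there.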
@@ -1058,6 +1059,9 @@ exit 0 %{_libdir}/libnss_libvirt_guest.so.2 %changelog +* Wed May 22 2024 Juan Camposeco - 7.10.0-10 +- Patch to address CVE-2024-4418 + * Tue Apr 09 2024 Suresh Thelkar - 7.10.0-9 - Patch to address CVE-2024-2494 From 4c410bbcd114c9644268a7a1130a8e3336903548 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 28 May 2024 09:57:50 -0700 Subject: [PATCH 05/12] [AUTO-CHERRYPICK] python-werkzeug: Patch CVE-2024-34069 - branch main (#9118) Co-authored-by: Jonathan Behrens --- SPECS/python-werkzeug/CVE-2024-34069.patch | 203 +++++++++++++++++++++ SPECS/python-werkzeug/python-werkzeug.spec | 6 +- 2 files changed, 208 insertions(+), 1 deletion(-) create mode 100644 SPECS/python-werkzeug/CVE-2024-34069.patch diff --git a/SPECS/python-werkzeug/CVE-2024-34069.patch b/SPECS/python-werkzeug/CVE-2024-34069.patch new file mode 100644 index 00000000000..df95551e46a --- /dev/null +++ b/SPECS/python-werkzeug/CVE-2024-34069.patch 
@@ -0,0 +1,203 @@ +From 404082ffe6f1ef9541d01434aebb789363567df9 Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Thu, 2 May 2024 11:55:52 -0700 +Subject: [PATCH 1/2] restrict debugger trusted hosts + +Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios. + +The debugger UI uses the full `document.location` instead of only `document.location.pathname`. + +Either of these fixes on their own mitigates the reported vulnerability. +--- + src/werkzeug/debug/__init__.py | 10 ++++++++++ + src/werkzeug/debug/shared/debugger.js | 4 ++-- + src/werkzeug/serving.py | 3 +++ + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py +index 3b04b534..c5fffdec 100644 +--- a/src/werkzeug/debug/__init__.py ++++ b/src/werkzeug/debug/__init__.py +@@ -297,6 +297,14 @@ class DebuggedApplication: + else: + self.pin = None + ++ self.trusted_hosts: list[str] = [".localhost", "127.0.0.1"] ++ """List of domains to allow requests to the debugger from. A leading dot ++ allows all subdomains. This only allows ``".localhost"`` domains by ++ default. ++ ++ .. versionadded:: 3.0.3 ++ """ ++ + @property + def pin(self) -> str | None: + if not hasattr(self, "_pin"): +@@ -505,6 +513,8 @@ class DebuggedApplication: + # form data! Otherwise the application won't have access to that data + # any more! 
+ request = Request(environ) ++ request.trusted_hosts = self.trusted_hosts ++ assert request.host # will raise 400 error if not trusted + response = self.debug_application + if request.args.get("__debugger__") == "yes": + cmd = request.args.get("cmd") +diff --git a/src/werkzeug/debug/shared/debugger.js b/src/werkzeug/debug/shared/debugger.js +index f463e9c7..18c65834 100644 +--- a/src/werkzeug/debug/shared/debugger.js ++++ b/src/werkzeug/debug/shared/debugger.js +@@ -48,7 +48,7 @@ function initPinBox() { + btn.disabled = true; + + fetch( +- `${document.location.pathname}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}` ++ `${document.location}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}` + ) + .then((res) => res.json()) + .then(({auth, exhausted}) => { +@@ -79,7 +79,7 @@ function promptForPin() { + if (!EVALEX_TRUSTED) { + const encodedSecret = encodeURIComponent(SECRET); + fetch( +- `${document.location.pathname}?__debugger__=yes&cmd=printpin&s=${encodedSecret}` ++ `${document.location}?__debugger__=yes&cmd=printpin&s=${encodedSecret}` + ); + const pinPrompt = document.getElementsByClassName("pin-prompt")[0]; + fadeIn(pinPrompt); +diff --git a/src/werkzeug/serving.py b/src/werkzeug/serving.py +index c031dc45..f940ca38 100644 +--- a/src/werkzeug/serving.py ++++ b/src/werkzeug/serving.py +@@ -1066,6 +1066,9 @@ def run_simple( + from .debug import DebuggedApplication + + application = DebuggedApplication(application, evalex=use_evalex) ++ # Allow the specified hostname to use the debugger, in addition to ++ # localhost domains. 
++ application.trusted_hosts.append(hostname) + + if not is_running_from_reloader(): + fd = None +-- +2.34.1 + + +From 813580c5d9c7b18d8df5cfe042034eba60f794f4 Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Fri, 3 May 2024 14:49:43 -0700 +Subject: [PATCH 2/2] only require trusted host for evalex + +--- + src/werkzeug/debug/__init__.py | 25 ++++++++++++++++++++----- + src/werkzeug/sansio/utils.py | 2 +- + 2 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py +index c5fffdec..c90d94d7 100644 +--- a/src/werkzeug/debug/__init__.py ++++ b/src/werkzeug/debug/__init__.py +@@ -19,7 +19,9 @@ from zlib import adler32 + + from .._internal import _log + from ..exceptions import NotFound ++from ..exceptions import SecurityError + from ..http import parse_cookie ++from ..sansio.utils import host_is_trusted + from ..security import gen_salt + from ..utils import send_file + from ..wrappers.request import Request +@@ -351,7 +353,7 @@ class DebuggedApplication: + + is_trusted = bool(self.check_pin_trust(environ)) + html = tb.render_debugger_html( +- evalex=self.evalex, ++ evalex=self.evalex and self.check_host_trust(environ), + secret=self.secret, + evalex_trusted=is_trusted, + ) +@@ -379,6 +381,9 @@ class DebuggedApplication: + frame: DebugFrameSummary | _ConsoleFrame, + ) -> Response: + """Execute a command in a console.""" ++ if not self.check_host_trust(request.environ): ++ return SecurityError() # type: ignore[return-value] ++ + contexts = self.frame_contexts.get(id(frame), []) + + with ExitStack() as exit_stack: +@@ -389,6 +394,9 @@ class DebuggedApplication: + + def display_console(self, request: Request) -> Response: + """Display a standalone shell.""" ++ if not self.check_host_trust(request.environ): ++ return SecurityError() # type: ignore[return-value] ++ + if 0 not in self.frames: + if self.console_init_func is None: + ns = {} +@@ -441,12 +449,18 @@ class DebuggedApplication: + return None + 
return (time.time() - PIN_TIME) < ts + ++ def check_host_trust(self, environ: WSGIEnvironment) -> bool: ++ return host_is_trusted(environ.get("HTTP_HOST"), self.trusted_hosts) ++ + def _fail_pin_auth(self) -> None: + time.sleep(5.0 if self._failed_pin_auth > 5 else 0.5) + self._failed_pin_auth += 1 + + def pin_auth(self, request: Request) -> Response: + """Authenticates with the pin.""" ++ if not self.check_host_trust(request.environ): ++ return SecurityError() # type: ignore[return-value] ++ + exhausted = False + auth = False + trust = self.check_pin_trust(request.environ) +@@ -496,8 +510,11 @@ class DebuggedApplication: + rv.delete_cookie(self.pin_cookie_name) + return rv + +- def log_pin_request(self) -> Response: ++ def log_pin_request(self, request: Request) -> Response: + """Log the pin if needed.""" ++ if not self.check_host_trust(request.environ): ++ return SecurityError() # type: ignore[return-value] ++ + if self.pin_logging and self.pin is not None: + _log( + "info", " * To enable the debugger you need to enter the security pin:" +@@ -513,8 +530,6 @@ class DebuggedApplication: + # form data! Otherwise the application won't have access to that data + # any more! 
+ request = Request(environ) +- request.trusted_hosts = self.trusted_hosts +- assert request.host # will raise 400 error if not trusted + response = self.debug_application + if request.args.get("__debugger__") == "yes": + cmd = request.args.get("cmd") +@@ -526,7 +541,7 @@ class DebuggedApplication: + elif cmd == "pinauth" and secret == self.secret: + response = self.pin_auth(request) # type: ignore + elif cmd == "printpin" and secret == self.secret: +- response = self.log_pin_request() # type: ignore ++ response = self.log_pin_request(request) # type: ignore + elif ( + self.evalex + and cmd is not None +diff --git a/src/werkzeug/sansio/utils.py b/src/werkzeug/sansio/utils.py +index 48ec1bfa..14fa0ac8 100644 +--- a/src/werkzeug/sansio/utils.py ++++ b/src/werkzeug/sansio/utils.py +@@ -8,7 +8,7 @@ from ..exceptions import SecurityError + from ..urls import uri_to_iri + + +-def host_is_trusted(hostname: str, trusted_list: t.Iterable[str]) -> bool: ++def host_is_trusted(hostname: str | None, trusted_list: t.Iterable[str]) -> bool: + """Check if a host matches a list of trusted names. + + :param hostname: The name to check. +-- +2.34.1 + diff --git a/SPECS/python-werkzeug/python-werkzeug.spec b/SPECS/python-werkzeug/python-werkzeug.spec index 9ccaab6ccc3..823ac53b461 100644 --- a/SPECS/python-werkzeug/python-werkzeug.spec +++ b/SPECS/python-werkzeug/python-werkzeug.spec @@ -1,7 +1,7 @@ Summary: The Swiss Army knife of Python web development Name: python-werkzeug Version: 2.3.7 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ Patch0: 0001-enable-tests-in-rpm-env.patch # and are excluded. Patch1: 0002-disable-stat-test.patch Patch2: CVE-2023-46136.patch +Patch3: CVE-2024-34069.patch BuildArch: noarch %description 
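Review bot: The docstring added to `trusted_hosts` says `.. versionadded:: 3.0.3`, which is misleading in a package that stays at 2.3.7; change it to something like `.. versionadded:: 2.3.7-2 (distribution backport of the Werkzeug 3.0.3 fix for CVE-2024-34069)` so users of this build do not look for the attribute in the wrong release. The second patch deliberately narrows the host check from the blanket `assert request.host` to `check_host_trust` on `evalex`, `pin_auth`, `display_console` and `log_pin_request`, which means the traceback page is still served to any Host while only console execution and PIN handling are gated; the changelog entry should describe it that way rather than as blocking remote access to the debugger. If upstream added tests for `trusted_hosts` alongside these two commits they are not backported here, and the hunk line numbers are from the 3.0.x tree, so verify the patch applied without fuzz to 2.3.7's `debug/__init__.py`.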
@@ -70,6 +71,9 @@ pip3 install -r requirements/tests.txt %license LICENSE.rst %changelog +* Tue May 14 2024 Jonathan Behrens - 2.3.7-2 +- Patch CVE-2024-34069 + * Mon Nov 06 2023 Nick Samson - 2.3.7-1 - Upgraded to version 2.3.7 - Migrated to pyproject build From a7e75e15aae70579bfba773fe21d84c056aed52f Mon Sep 17 00:00:00 2001 From: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com> Date: Tue, 28 May 2024 11:35:53 -0700 Subject: [PATCH 06/12] add azl-compliance package (#9213) Adds the azl-compliance package to our distro. This will be used to harden images for FIPS and FedRAMP. --- SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md | 2 +- SPECS/LICENSES-AND-NOTICES/data/licenses.json | 1 + .../azl-compliance.signatures.json | 5 ++ SPECS/azl-compliance/azl-compliance.spec | 58 +++++++++++++++++++ cgmanifest.json | 10 ++++ 5 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 SPECS/azl-compliance/azl-compliance.signatures.json create mode 100644 SPECS/azl-compliance/azl-compliance.spec diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index 018bd1237f2..40d7da9f037 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md @@ -9,7 +9,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azl-compliance
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd | | Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan | | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad | | NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | knem
libnvidia-container
mlnx-ofa_kernel
mlnx-tools
mlx-bootctl
nvidia-container-runtime
nvidia-container-toolkit
nvidia-docker2
ofed-scripts
perftest | diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json index eff809859d1..3b89138790c 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json +++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json @@ -2150,6 +2150,7 @@ "application-gateway-kubernetes-ingress", "asc", "azcopy", + "azl-compliance", "azure-iot-sdk-c", "azure-storage-cpp", "azurelinux-sysinfo", diff --git a/SPECS/azl-compliance/azl-compliance.signatures.json b/SPECS/azl-compliance/azl-compliance.signatures.json new file mode 100644 index 00000000000..99d442b4d5d --- /dev/null +++ b/SPECS/azl-compliance/azl-compliance.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "azl-compliance-1.0.1.tar.gz": "1d96b99ec755500383e5ff6bad01f1ac85848f067488f3ce29a99e6eb57a86b7" + } +} diff --git a/SPECS/azl-compliance/azl-compliance.spec b/SPECS/azl-compliance/azl-compliance.spec new file mode 100644 index 00000000000..47502aea8b7 --- /dev/null +++ b/SPECS/azl-compliance/azl-compliance.spec 
@@ -0,0 +1,58 @@
+Summary: Azure Linux compliance package to meet all sorts of compliance rules
+Name: azl-compliance
+Version: 1.0.1
+Release: 1%{?dist}
+License: BSD-3-Clause
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: System Environment/Base
+URL: https://aka.ms/mariner
+Source0: %{_mariner_sources_url}/%{name}-%{version}.tar.gz
+Requires: dnf
+Requires: gnutls
+Requires: grub2
+Requires: grubby
+Requires: rpm
+Requires: rsyslog
+Requires: sudo
+BuildRequires: rust
+
+%description
+Azure Linux compliance package to configure systems to meet FIPS and FedRAMP compliance.
+
+%prep
+%autosetup
+
+%build
+cd azl-compliance
+cargo build --release --offline
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/azl-compliance/
+mkdir -p %{buildroot}%{_bindir}
+install -m 0755 ./azl-compliance/target/release/azl-compliance %{buildroot}%{_bindir}/azl-compliance
+mkdir -p %{buildroot}%{_sysconfdir}/azl-compliance/fips
+mkdir -p %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/remediation_scripts
+install -m 0755 fips/*.sh %{buildroot}%{_sysconfdir}/azl-compliance/fips/
+install -m 0755 fedramp/*.sh %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/
+install -m 0644 fedramp/*.txt %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/
+install -m 0755 fedramp/remediation_scripts/* %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/remediation_scripts/
+install -m 0644 azl-compliance-fips.json %{buildroot}%{_sysconfdir}/azl-compliance/
+install -m 0644 azl-compliance-fedramp.json %{buildroot}%{_sysconfdir}/azl-compliance/
+
+%files
+%license LICENSE
+%{_bindir}/azl-compliance
+%{_sysconfdir}/azl-compliance/fips
+%{_sysconfdir}/azl-compliance/azl-compliance-fips.json
+%{_sysconfdir}/azl-compliance/fedramp
+%{_sysconfdir}/azl-compliance/azl-compliance-fedramp.json
+
+%check
+cd azl-compliance
+cargo test --release --offline
+
+%changelog
+* Tue Mar 19 2024 Tobias Brick 1.0.1-1
+- Original version for CBL-Mariner.
+- License verified
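Review bot: `%files` claims the `fips` and `fedramp` subtrees and the two JSON files but never claims `%{_sysconfdir}/azl-compliance` itself, so the parent directory created by `mkdir -p` in `%install` is unowned and is left behind on uninstall; add `%dir %{_sysconfdir}/azl-compliance`. The JSON and `.txt` files placed under `/etc` look like configuration and should probably be marked `%config(noreplace)` unless the tool intends to overwrite local edits on every update — confirm that intent. Installing executable remediation scripts with `install -m 0755` under `%{_sysconfdir}` is unusual for code; `%{_libexecdir}/azl-compliance` (or `%{_datadir}`) is the conventional location and keeps `/etc` to configuration. The changelog entry `* Tue Mar 19 2024 Tobias Brick 1.0.1-1` also lacks the ` - ` separator before the version-release that the other changelog entries in this series use (`... - 1.0.1-1`), unless the rendering dropped it together with the e-mail address.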
diff --git a/cgmanifest.json b/cgmanifest.json index 307cb87746f..d0d66b19419 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -860,6 +860,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "azl-compliance", + "version": "1.0.1", + "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/azl-compliance-1.0.1.tar.gz" + } + } + }, { "component": { "type": "other", From c5d244ff28582d674d742181cb4b0b28915f3c1c Mon Sep 17 00:00:00 2001 From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Tue, 28 May 2024 12:41:17 -0700 Subject: [PATCH 07/12] [2.0] Upgrade cri-o to v1.22.3 to resolve regressed CVE-2022-0811 (#9191) Co-authored-by: Henry Li --- SPECS/cri-o/CVE-2021-3602.patch | 79 ------------------ SPECS/cri-o/CVE-2021-44716.patch | 18 +--- SPECS/cri-o/CVE-2022-1708.patch | 133 ++++-------------------------- SPECS/cri-o/CVE-2022-27651.patch | 23 ++---- SPECS/cri-o/CVE-2022-29526.patch | 16 +--- SPECS/cri-o/CVE-2023-44487.patch | 94 +++++++++++---------- SPECS/cri-o/CVE-2024-21626.patch | 33 ++------ SPECS/cri-o/CVE-2024-28180.patch | 20 +---- SPECS/cri-o/cri-o.signatures.json | 4 +- SPECS/cri-o/cri-o.spec | 12 ++- cgmanifest.json | 4 +- 11 files changed, 98 insertions(+), 338 deletions(-) diff --git a/SPECS/cri-o/CVE-2021-3602.patch b/SPECS/cri-o/CVE-2021-3602.patch index 5aa911ce0c4..80429765f10 100644 --- a/SPECS/cri-o/CVE-2021-3602.patch +++ b/SPECS/cri-o/CVE-2021-3602.patch 
@@ -1,82 +1,3 @@ -From 8716daa06e9eb421438b338f18b6b650b082b208 Mon Sep 17 00:00:00 2001 -From: Cameron Baird -Date: Tue, 16 Apr 2024 22:33:46 +0000 -Subject: [PATCH 4/4] CVE-2021-3602 - ---- - .../github.com/containers/buildah/chroot/run.go | 15 +++++---------- - .../podman/v3/pkg/specgen/generate/security.go | 7 +++++-- - 2 files changed, 10 insertions(+), 12 deletions(-) - -diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go -index a93f97dcd..643f5c91d 100644 ---- a/vendor/github.com/containers/buildah/chroot/run.go -+++ b/vendor/github.com/containers/buildah/chroot/run.go -@@ -160,7 +160,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade - cmd := unshare.Command(runUsingChrootCommand) - cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr - cmd.Dir = "/" -- cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...) -+ cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())} - - logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd) - confwg.Add(1) -@@ -206,7 +206,7 @@ func runUsingChrootMain() { - os.Exit(1) - } - -- if options.Spec == nil { -+ if options.Spec == nil || options.Spec.Process == nil { - fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n") - os.Exit(1) - } -@@ -572,7 +572,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io - cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...) - cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr - cmd.Dir = "/" -- cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...) -+ cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())} - cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS - requestedUserNS := false - for _, ns := range spec.Linux.Namespaces { -@@ -662,7 +662,7 @@ func runUsingChrootExecMain() { - // Set the hostname. 
We're already in a distinct UTS namespace and are admins in the user - // namespace which created it, so we shouldn't get a permissions error, but seccomp policy - // might deny our attempt to call sethostname() anyway, so log a debug message for that. -- if options.Spec == nil { -+ if options.Spec == nil || options.Spec.Process == nil { - fmt.Fprintf(os.Stderr, "invalid options spec passed in\n") - os.Exit(1) - } -@@ -818,7 +818,6 @@ func runUsingChrootExecMain() { - // Output debug messages when that differs from what we're being asked to do. - func logNamespaceDiagnostics(spec *specs.Spec) { - sawMountNS := false -- sawUserNS := false - sawUTSNS := false - for _, ns := range spec.Linux.Namespaces { - switch ns.Type { -@@ -853,9 +852,8 @@ func logNamespaceDiagnostics(spec *specs.Spec) { - } - case specs.UserNamespace: - if ns.Path != "" { -- logrus.Debugf("unable to join user namespace %q, creating a new one", ns.Path) -+ logrus.Debugf("unable to join user namespace, sorry about that") - } -- sawUserNS = true - case specs.UTSNamespace: - if ns.Path != "" { - logrus.Debugf("unable to join UTS namespace %q, creating a new one", ns.Path) -@@ -866,9 +864,6 @@ func logNamespaceDiagnostics(spec *specs.Spec) { - if !sawMountNS { - logrus.Debugf("mount namespace not requested, but creating a new one anyway") - } -- if !sawUserNS { -- logrus.Debugf("user namespace not requested, but creating a new one anyway") -- } - if !sawUTSNS { - logrus.Debugf("UTS namespace not requested, but creating a new one anyway") - } diff --git a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go b/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go index e0e4a47a4..3cda89a32 100644 --- a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go diff --git a/SPECS/cri-o/CVE-2021-44716.patch b/SPECS/cri-o/CVE-2021-44716.patch index 294d0476e44..053e77b964e 100644 --- a/SPECS/cri-o/CVE-2021-44716.patch +++ b/SPECS/cri-o/CVE-2021-44716.patch 
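Review bot: The rewritten CVE-2021-3602.patch drops the entire `vendor/github.com/containers/buildah/chroot/run.go` section of the backport — the `cmd.Env` change that stops `RunUsingChroot`/`runUsingChroot` from inheriting `os.Environ()`, and the `options.Spec.Process == nil` guards — and keeps only the podman `security.go` section, but neither the patch nor the commit message says why. If the buildah version vendored by cri-o 1.22.3 already carries the upstream fix this is fine; otherwise the host environment is again passed into the chroot and the CVE regresses silently while the patch file keeps its CVE name. Either restore that section or add a rationale line at the top of the patch, e.g. `Modified to apply to cri-o 1.22.3: the chroot/run.go changes are already present in the vendored buildah.` Of the cri-o patches visible in this commit, this one and CVE-2022-1708.patch are the only ones that lose functional hunks rather than just the mailbox header and rebased line numbers.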
@@ -1,17 +1,8 @@ -From deb00def7d110f1b4edbe5d03044a9d9f2516151 Mon Sep 17 00:00:00 2001 -From: Cameron Baird -Date: Wed, 17 Apr 2024 20:57:05 +0000 -Subject: [PATCH 2/2] CVE-2021-44716 - ---- - vendor/golang.org/x/net/http2/server.go | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go -index e125bbd2a..5f417b444 100644 +index 09bc705..23058b6 100644 --- a/vendor/golang.org/x/net/http2/server.go +++ b/vendor/golang.org/x/net/http2/server.go -@@ -720,7 +720,15 @@ func (sc *serverConn) canonicalHeader(v string) string { +@@ -714,7 +714,15 @@ func (sc *serverConn) canonicalHeader(v string) string { sc.canonHeader = make(map[string]string) } cv = http.CanonicalHeaderKey(v) @@ -28,7 +19,7 @@ index e125bbd2a..5f417b444 100644 return cv } -@@ -2530,8 +2538,9 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { +@@ -2524,8 +2532,9 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { // prior to the headers being written. If the set of trailers is fixed // or known before the header is written, the normal Go trailers mechanism // is preferred: @@ -40,6 +31,3 @@ index e125bbd2a..5f417b444 100644 const TrailerPrefix = "Trailer:" // promoteUndeclaredTrailers permits http.Handlers to set trailers --- -2.33.8 - diff --git a/SPECS/cri-o/CVE-2022-1708.patch b/SPECS/cri-o/CVE-2022-1708.patch index 6885a743779..be715b7492e 100644 --- a/SPECS/cri-o/CVE-2022-1708.patch +++ b/SPECS/cri-o/CVE-2022-1708.patch 
@@ -1,30 +1,5 @@ -Modified patch to apply to version 1.21.7. -Modified-by: sumsharma@microsoft.com - -commit f032cf649ecc7e0c46718bd9e7814bfb317cb544 (from afab4b78d1d66fb5144ef003b20eba5e53833336) -Merge: afab4b78d 79e404fa5 -Author: Peter Hunt -Date: Mon Jun 6 13:54:06 2022 -0400 - - Merge pull request from GHSA-fcm2-6c3h-pg6j - - oci: add support for capping memory and disk usage from exec sync output ---- - internal/config/conmonmgr/conmonmgr.go | 32 +++++- - internal/config/conmonmgr/conmonmgr_test.go | 106 +++++++++++++++++- - internal/oci/oci.go | 5 + - internal/oci/runtime_oci.go | 19 +++- - internal/oci/runtime_oci_test.go | 39 +++++++ - internal/oci/runtime_vm.go | 5 +- - pkg/config/config.go | 4 + - test/ctr.bats | 8 ++ - .../pkg/kubelet/util/ioutils/ioutils.go | 70 ++++++++++++ - vendor/modules.txt | 1 + - 10 files changed, 282 insertions(+), 7 deletions(-) - create mode 100644 vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go - diff --git a/internal/config/conmonmgr/conmonmgr.go b/internal/config/conmonmgr/conmonmgr.go -index 9aef7ef..5276039 100644 +index 857437c..e95e274 100644 --- a/internal/config/conmonmgr/conmonmgr.go +++ b/internal/config/conmonmgr/conmonmgr.go @@ -1,6 +1,7 @@ @@ -212,7 +187,7 @@ index a097312..e804c62 100644 + }) }) diff --git a/internal/oci/oci.go b/internal/oci/oci.go -index 478726d..d992e90 100644 +index 6c4efa9..89ecfb2 100644 --- a/internal/oci/oci.go +++ b/internal/oci/oci.go @@ -35,6 +35,11 @@ const ( @@ -228,10 +203,10 @@ index 478726d..d992e90 100644 // Runtime is the generic structure holding both global and specific diff --git a/internal/oci/runtime_oci.go b/internal/oci/runtime_oci.go -index 4bf66ee..37f62c6 100644 +index 6295ff9..1ed9131 100644 --- a/internal/oci/runtime_oci.go 
+++ b/internal/oci/runtime_oci.go -@@ -458,6 +458,9 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman +@@ -461,6 +461,9 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman if r.config.ConmonSupportsSync() { args = append(args, "--sync") } @@ -241,7 +216,7 @@ index 4bf66ee..37f62c6 100644 if c.terminal { args = append(args, "-t") } -@@ -564,7 +567,7 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman +@@ -567,7 +570,7 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman // ExecSyncResponse we have to read the logfile. // XXX: Currently runC dups the same console over both stdout and stderr, // so we can't differentiate between the two. @@ -250,7 +225,7 @@ index 4bf66ee..37f62c6 100644 if err != nil { return nil, &ExecSyncError{ Stdout: stdoutBuf, -@@ -583,6 +586,20 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman +@@ -586,6 +589,20 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman }, nil } @@ -329,10 +304,10 @@ index 3385e30..90901e8 100644 func waitContainerStopAndFailAfterTimeout(ctx context.Context, diff --git a/internal/oci/runtime_vm.go b/internal/oci/runtime_vm.go -index 6f10cfc..be8a0fa 100644 +index 394b750..51465da 100644 --- a/internal/oci/runtime_vm.go +++ b/internal/oci/runtime_vm.go -@@ -33,6 +33,7 @@ import ( +@@ -36,6 +36,7 @@ import ( "golang.org/x/sys/unix" "k8s.io/client-go/tools/remotecommand" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" 
@@ -340,8 +315,8 @@ index 6f10cfc..be8a0fa 100644 utilexec "k8s.io/utils/exec" ) -@@ -309,8 +310,8 @@ func (r *runtimeVM) ExecSyncContainer(ctx context.Context, c *Container, command - defer log.Debugf(ctx, "runtimeVM.ExecSyncContainer() end") +@@ -339,8 +340,8 @@ func (r *runtimeVM) ExecSyncContainer(ctx context.Context, c *Container, command + defer log.Debugf(ctx, "RuntimeVM.ExecSyncContainer() end") var stdoutBuf, stderrBuf bytes.Buffer - stdout := cioutil.NewNopWriteCloser(&stdoutBuf) @@ -352,10 +327,10 @@ index 6f10cfc..be8a0fa 100644 exitCode, err := r.execContainerCommon(ctx, c, command, timeout, nil, stdout, stderr, c.terminal, nil) if err != nil { diff --git a/pkg/config/config.go b/pkg/config/config.go -index 25c51e2..606c7a9 100644 +index 7a75ff8..591623a 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go -@@ -1011,6 +1011,10 @@ func (c *RuntimeConfig) ConmonSupportsSync() bool { +@@ -1065,6 +1065,10 @@ func (c *RuntimeConfig) ConmonSupportsSync() bool { return c.conmonManager.SupportsSync() } @@ -367,7 +342,7 @@ index 25c51e2..606c7a9 100644 var err error c.PinnsPath, err = validateExecutablePath(executable, c.PinnsPath) diff --git a/test/ctr.bats b/test/ctr.bats -index 31cf6c7..a9f9393 100644 +index 3e7577d..ea7b635 100644 --- a/test/ctr.bats +++ b/test/ctr.bats @@ -487,6 +487,14 @@ function check_oci_annotation() { 
@@ -385,87 +360,11 @@ index 31cf6c7..a9f9393 100644 @test "ctr device add" { # In an user namespace we can only bind mount devices from the host, not mknod # https://github.com/opencontainers/runc/blob/master/libcontainer/rootfs_linux.go#L480-L481 -diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go b/vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go -new file mode 100644 -index 0000000..1b2b5a6 ---- /dev/null -+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go -@@ -0,0 +1,70 @@ -+/* -+Copyright 2016 The Kubernetes Authors. -+ -+Licensed under the Apache License, Version 2.0 (the "License"); -+you may not use this file except in compliance with the License. -+You may obtain a copy of the License at -+ -+ http://www.apache.org/licenses/LICENSE-2.0 -+ -+Unless required by applicable law or agreed to in writing, software -+distributed under the License is distributed on an "AS IS" BASIS, -+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+See the License for the specific language governing permissions and -+limitations under the License. -+*/ -+ -+package ioutils -+ -+import "io" -+ -+// writeCloserWrapper represents a WriteCloser whose closer operation is noop. -+type writeCloserWrapper struct { -+ Writer io.Writer -+} -+ -+func (w *writeCloserWrapper) Write(buf []byte) (int, error) { -+ return w.Writer.Write(buf) -+} -+ -+func (w *writeCloserWrapper) Close() error { -+ return nil -+} -+ -+// WriteCloserWrapper returns a writeCloserWrapper. -+func WriteCloserWrapper(w io.Writer) io.WriteCloser { -+ return &writeCloserWrapper{w} -+} -+ -+// LimitWriter is a copy of the standard library ioutils.LimitReader, -+// applied to the writer interface. -+// LimitWriter returns a Writer that writes to w -+// but stops with EOF after n bytes. -+// The underlying implementation is a *LimitedWriter. 
-+func LimitWriter(w io.Writer, n int64) io.Writer { return &LimitedWriter{w, n} } -+ -+// A LimitedWriter writes to W but limits the amount of -+// data returned to just N bytes. Each call to Write -+// updates N to reflect the new amount remaining. -+// Write returns EOF when N <= 0 or when the underlying W returns EOF. -+type LimitedWriter struct { -+ W io.Writer // underlying writer -+ N int64 // max bytes remaining -+} -+ -+func (l *LimitedWriter) Write(p []byte) (n int, err error) { -+ if l.N <= 0 { -+ return 0, io.ErrShortWrite -+ } -+ truncated := false -+ if int64(len(p)) > l.N { -+ p = p[0:l.N] -+ truncated = true -+ } -+ n, err = l.W.Write(p) -+ l.N -= int64(n) -+ if err == nil && truncated { -+ err = io.ErrShortWrite -+ } -+ return -+} diff --git a/vendor/modules.txt b/vendor/modules.txt -index 030e1d1..d911968 100644 +index 6f8a08b..1899c90 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt -@@ -1373,6 +1373,7 @@ k8s.io/kubernetes/pkg/kubelet/cri/streaming +@@ -1517,6 +1517,7 @@ k8s.io/kubernetes/pkg/kubelet/cri/streaming k8s.io/kubernetes/pkg/kubelet/cri/streaming/portforward k8s.io/kubernetes/pkg/kubelet/cri/streaming/remotecommand k8s.io/kubernetes/pkg/kubelet/types @@ -473,5 +372,3 @@ index 030e1d1..d911968 100644 k8s.io/kubernetes/pkg/proxy k8s.io/kubernetes/pkg/proxy/config k8s.io/kubernetes/pkg/proxy/healthcheck --- -2.25.1 diff --git a/SPECS/cri-o/CVE-2022-27651.patch b/SPECS/cri-o/CVE-2022-27651.patch index bdccf8fc9fc..a3bb60f52a3 100644 --- a/SPECS/cri-o/CVE-2022-27651.patch +++ b/SPECS/cri-o/CVE-2022-27651.patch @@ -1,18 +1,8 @@ -From a3b181b667b8bd408c036e94f2b2f61295610ed6 Mon Sep 17 00:00:00 2001 -From: Cameron Baird -Date: Tue, 16 Apr 2024 22:27:00 +0000 -Subject: [PATCH 3/4] CVE-2022-27651 - ---- - vendor/github.com/containers/buildah/chroot/run.go | 2 +- - vendor/github.com/containers/buildah/run_linux.go | 6 ------ - 2 files changed, 1 insertion(+), 7 deletions(-) - 
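Review bot: This hunk removes the new file `vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go` from the CVE-2022-1708 backport while the patch still adds the `k8s.io/kubernetes/pkg/kubelet/util/ioutils` entry to `vendor/modules.txt` (the rebased inner hunk `@@ -1517,6 +1517,7 @@`), and the retained runtime hunks presumably still reference that package. That is consistent only if the cri-o 1.22.3 vendor tree already ships the package without listing it in modules.txt; if modules.txt already lists it the inner hunk duplicates the line or fails to apply, and if the file is absent a `-mod=vendor` build fails. A one-line note at the top of the patch, e.g. `Modified to apply to cri-o 1.22.3; ioutils.go is already vendored upstream`, would record the assumption, and the build log should be checked for a clean apply. The runtime_oci.go/runtime_vm.go hunks this depends on are outside this hunk.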
diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go -index 39ad88b2b..a93f97dcd 100644 +index 5910035..e533e2f 100644 --- a/vendor/github.com/containers/buildah/chroot/run.go +++ b/vendor/github.com/containers/buildah/chroot/run.go -@@ -898,7 +898,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error { +@@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error { capMap := map[capability.CapType][]string{ capability.BOUNDING: spec.Process.Capabilities.Bounding, capability.EFFECTIVE: spec.Process.Capabilities.Effective, @@ -22,10 +12,10 @@ index 39ad88b2b..a93f97dcd 100644 capability.AMBIENT: spec.Process.Capabilities.Ambient, } diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go -index ffbb36b7b..1d0646612 100644 +index 81af8ee..f82c52f 100644 --- a/vendor/github.com/containers/buildah/run_linux.go +++ b/vendor/github.com/containers/buildah/run_linux.go -@@ -1850,9 +1850,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error { +@@ -1898,9 +1898,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error { if err := g.AddProcessCapabilityEffective(cap); err != nil { return errors.Wrapf(err, "error adding %q to the effective capability set", cap) } @@ -35,7 +25,7 @@ index ffbb36b7b..1d0646612 100644 if err := g.AddProcessCapabilityPermitted(cap); err != nil { return errors.Wrapf(err, "error adding %q to the permitted capability set", cap) } -@@ -1871,9 +1868,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error { +@@ -1919,9 +1916,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error { if err := g.DropProcessCapabilityEffective(cap); err != nil { return errors.Wrapf(err, "error removing %q from the effective capability set", cap) } 
@@ -45,6 +35,3 @@ index ffbb36b7b..1d0646612 100644 if err := g.DropProcessCapabilityPermitted(cap); err != nil { return errors.Wrapf(err, "error removing %q from the permitted capability set", cap) } --- -2.33.8 - diff --git a/SPECS/cri-o/CVE-2022-29526.patch b/SPECS/cri-o/CVE-2022-29526.patch index 53c70bdc4f0..296dd7fd26e 100644 --- a/SPECS/cri-o/CVE-2022-29526.patch +++ b/SPECS/cri-o/CVE-2022-29526.patch @@ -1,17 +1,8 @@ -From 3536be6d44bea94361fb9a993d4948cd378672d8 Mon Sep 17 00:00:00 2001 -From: Cameron Baird -Date: Wed, 17 Apr 2024 20:51:35 +0000 -Subject: [PATCH 1/2] CVE-2022-29526 - ---- - vendor/golang.org/x/sys/unix/syscall_linux.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go -index 2dd7c8e34..1a3ee718d 100644 +index 41b91fd..3b1e2f9 100644 --- a/vendor/golang.org/x/sys/unix/syscall_linux.go +++ b/vendor/golang.org/x/sys/unix/syscall_linux.go -@@ -2110,7 +2110,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) { +@@ -2181,7 +2181,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) { gid = Getgid() } @@ -20,6 +11,3 @@ index 2dd7c8e34..1a3ee718d 100644 fmode = (st.Mode >> 3) & 7 } else { fmode = st.Mode & 7 --- -2.33.8 - diff --git a/SPECS/cri-o/CVE-2023-44487.patch b/SPECS/cri-o/CVE-2023-44487.patch index dcd7e7a7997..11cf54133d9 100644 --- a/SPECS/cri-o/CVE-2023-44487.patch +++ b/SPECS/cri-o/CVE-2023-44487.patch 
@@ -1,21 +1,8 @@ -From f2180b4d5403d2210b30b93098eb7da31c05c721 Mon Sep 17 00:00:00 2001 -From: Doug Fawley -Date: Tue, 10 Oct 2023 10:51:45 -0700 -Subject: [PATCH] server: prohibit more than MaxConcurrentStreams handlers from - running at once (#6703) - ---- - internal/transport/http2_server.go | 11 +-- - server.go | 47 +++++++++++++++++++++++-- - server_ext_test.go | 99 +++++++++++++++++++++++++ - 5 files changed, 210 insertions(+), 45 deletions(-) - create mode 100644 server_ext_test.go - -diff --git a/vendor/google.golang.org/grpc/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go -index 57475d27977..6fa1eb41992 100644 +diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go +index e3799d5..586c85f 100644 --- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go +++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go -@@ -171,15 +171,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, +@@ -145,15 +145,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, ID: http2.SettingMaxFrameSize, Val: http2MaxFrameLen, }} @@ -33,7 +20,7 @@ index 57475d27977..6fa1eb41992 100644 }) } dynamicWindow := true -@@ -258,7 +253,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, +@@ -226,7 +221,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, framer: framer, readerDone: make(chan struct{}), writerDone: make(chan struct{}), @@ -43,10 +30,10 @@ index 57475d27977..6fa1eb41992 100644 fc: &trInFlow{limit: uint32(icwz)}, state: reachable, diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go -index 0d75cb109..d795b5f73 100644 +index 0251f48..2277846 100644 --- a/vendor/google.golang.org/grpc/server.go 
+++ b/vendor/google.golang.org/grpc/server.go -@@ -134,6 +134,7 @@ type serverOptions struct { +@@ -168,6 +168,7 @@ type serverOptions struct { } var defaultServerOptions = serverOptions{ @@ -54,7 +41,7 @@ index 0d75cb109..d795b5f73 100644 maxReceiveMessageSize: defaultServerMaxReceiveMessageSize, maxSendMessageSize: defaultServerMaxSendMessageSize, connectionTimeout: 120 * time.Second, -@@ -287,6 +288,9 @@ func MaxSendMsgSize(m int) ServerOption { +@@ -361,6 +362,9 @@ func MaxSendMsgSize(m int) ServerOption { // MaxConcurrentStreams returns a ServerOption that will apply a limit on the number // of concurrent streams to each ServerTransport. func MaxConcurrentStreams(n uint32) ServerOption { 
@@ -64,29 +51,56 @@ index 0d75cb109..d795b5f73 100644 return newFuncServerOption(func(o *serverOptions) { o.maxConcurrentStreams = n }) -@@ -715,12 +719,18 @@ func (s *Server) newHTTP2Transport(c net.Conn, authInfo credentials.AuthInfo) tr +@@ -918,35 +922,29 @@ func (s *Server) newHTTP2Transport(c net.Conn, authInfo credentials.AuthInfo) tr + } + func (s *Server) serveStreams(st transport.ServerTransport) { - defer st.Close() +- defer st.Close() ++ defer st.Close(errors.New("finished serving streams for the server transport")) var wg sync.WaitGroup + +- var roundRobinCounter uint32 + streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams) st.HandleStreams(func(stream *transport.Stream) { wg.Add(1) -- go func() { -+ ++ + streamQuota.acquire() + f := func() { + defer streamQuota.release() - defer wg.Done() -- s.handleStream(st, stream, s.traceInfo(st, stream)) -- }() -+ s.handleStream(st, stream, s.traceInfo(st, stream)) ++ defer wg.Done() ++ s.handleStream(st, stream) + } -+ go f() + - }, func(ctx context.Context, method string) context.Context { - if !EnableTracing { - return ctx -@@ -1546,3 +1556,34 @@ type channelzServer struct { + if s.opts.numServerWorkers > 0 { +- data := &serverWorkerData{st: st, wg: &wg, stream: stream} + select { +- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data: ++ case s.serverWorkerChannel <- f: ++ return + default: + // If all stream workers are busy, fallback to the default code path. 
+- go func() { +- s.handleStream(st, stream, s.traceInfo(st, stream)) +- wg.Done() +- }() + } +- } else { +- go func() { +- defer wg.Done() +- s.handleStream(st, stream, s.traceInfo(st, stream)) +- }() +- } +- }, func(ctx context.Context, method string) context.Context { +- if !EnableTracing { +- return ctx + } +- tr := trace.New("grpc.Recv."+methodFamily(method), method) +- return trace.NewContext(ctx, tr) ++ go f() + }) + wg.Wait() + } +@@ -1875,3 +1873,34 @@ type channelzServer struct { func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric { return c.s.channelzMetric() } @@ -121,9 +135,9 @@ index 0d75cb109..d795b5f73 100644 + a.n.Store(int64(n)) + return a +} -diff --git a/vendor/google.golang.org/grpc/vendor/google.golang.org/grpc/server_ext_test.go b/vendor/google.golang.org/grpc/server_ext_test.go +diff --git a/vendor/google.golang.org/grpc/server_ext_test.go b/vendor/google.golang.org/grpc/server_ext_test.go new file mode 100644 -index 00000000000..df79755f325 +index 0000000..df79755 --- /dev/null +++ b/vendor/google.golang.org/grpc/server_ext_test.go @@ -0,0 +1,99 @@ @@ -226,16 +240,8 @@ index 00000000000..df79755f325 + t.Fatal("Received unexpected RPC error:", err) + } +} -From 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb Mon Sep 17 00:00:00 2001 -From: Monis Khan -Date: Sat, 7 Oct 2023 21:50:37 -0400 -Subject: [PATCH] Prevent rapid reset http2 DOS on API server - ---- - .../apimachinery/pkg/util/runtime/runtime.go | 15 +- - diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -index 035c52811..c3241ea0d 100644 +index 035c528..c3241ea 100644 --- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go +++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go @@ -125,14 +125,17 @@ type rudimentaryErrorBackoff struct { diff --git a/SPECS/cri-o/CVE-2024-21626.patch b/SPECS/cri-o/CVE-2024-21626.patch index 668c894e775..00b5e8fa3df 100644 
--- a/SPECS/cri-o/CVE-2024-21626.patch +++ b/SPECS/cri-o/CVE-2024-21626.patch @@ -36,34 +36,13 @@ Adapted for Azure Linux .../runc/libcontainer/utils/utils_unix.go | 74 ++++++++++++++++--- 2 files changed, 72 insertions(+), 15 deletions(-) -diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go -index 49af83b3c..a178b349a 100644 ---- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go -+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go -@@ -19,7 +19,7 @@ var ( - // TestMode is set to true by unit tests that need "fake" cgroupfs. - TestMode bool - -- cgroupFd int = -1 -+ cgroupRootHandle *os.File - prepOnce sync.Once - prepErr error - resolveFlags uint64 -@@ -28,7 +28,7 @@ var ( - func prepareOpenat2() error { - prepOnce.Do(func() { - fd, err := unix.Openat2(-1, cgroupfsDir, &unix.OpenHow{ -- Flags: unix.O_DIRECTORY | unix.O_PATH}) -+ Flags: unix.O_DIRECTORY | unix.O_PATH | unix.O_CLOEXEC}) - if err != nil { - prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err} - if err != unix.ENOSYS { -@@ -38,15 +38,16 @@ func prepareOpenat2() error { - } +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go +index 5f6ab9f..53f5f2d 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go +@@ -89,14 +89,13 @@ func prepareOpenat2() error { return } -+ file := os.NewFile(uintptr(fd), cgroupfsDir) -+ var st unix.Statfs_t - if err = unix.Fstatfs(fd, &st); err != nil { + if err := unix.Fstatfs(int(file.Fd()), &st); err != nil { 
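Review bot: The rewritten hunk now carries only the `unix.Fstatfs(int(file.Fd()), &st)` change for cgroups/file.go, whereas the previous version also added `unix.O_CLOEXEC` to the `Openat2` flags and replaced `cgroupFd int` with `cgroupRootHandle *os.File`, i.e. the part of the fix that keeps the cgroup directory fd from surviving exec. Presumably the runc vendored in cri-o 1.22.3 already contains those lines, but that is not visible here and should be confirmed against the vendored file before this is called a complete fix. The diffstat kept as context above (ending in `2 files changed, 72 insertions(+), 15 deletions(-)`) still describes the old open.go-based patch and is now stale; regenerate it or drop it, since `patch`/`git apply` ignore it anyway.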
@@ -78,7 +57,7 @@ index 49af83b3c..a178b349a 100644 resolveFlags = unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS if st.Type == unix.CGROUP2_SUPER_MAGIC { // cgroupv2 has a single mountpoint and no "cpu,cpuacct" symlinks -@@ -79,7 +80,7 @@ func OpenFile(dir, file string, flags int) (*os.File, error) { +@@ -125,7 +124,7 @@ func openFile(dir, file string, flags int) (*os.File, error) { } relname := reldir + "/" + file diff --git a/SPECS/cri-o/CVE-2024-28180.patch b/SPECS/cri-o/CVE-2024-28180.patch index c623c6a27d4..740072c364c 100644 --- a/SPECS/cri-o/CVE-2024-28180.patch +++ b/SPECS/cri-o/CVE-2024-28180.patch @@ -1,20 +1,8 @@ -From 95facc981124058b1e460216e84c678472223f4c Mon Sep 17 00:00:00 2001 -From: Jacob Hoffman-Andrews -Date: Thu, 7 Mar 2024 13:35:47 -0800 -Subject: [PATCH] v2: backport decompression limit fix - -Backport from #107. ---- - crypter.go | 6 ++++ - encoding.go | 21 +++++++++--- - 4 files changed, 141 insertions(+), 4 deletions(-) - - diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go -index 73aab0f..0ae2e5e 100644 +index d24cabf..a628386 100644 --- a/vendor/gopkg.in/square/go-jose.v2/crypter.go +++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go -@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { +@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { // Decrypt and validate the object and return the plaintext. Note that this // function does not support multi-recipient, if you desire multi-recipient // decryption use DecryptMulti instead. 
@@ -24,7 +12,7 @@ index 73aab0f..0ae2e5e 100644 func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { headers := obj.mergedHeaders(nil) -@@ -470,6 +473,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) +@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) // with support for multiple recipients. It returns the index of the recipient // for which the decryption was successful, the merged headers for that recipient, // and the plaintext. @@ -35,7 +23,7 @@ index 73aab0f..0ae2e5e 100644 globalHeaders := obj.mergedHeaders(nil) diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go -index 40b688b..636f6c8 100644 +index 70f7385..ab9e086 100644 --- a/vendor/gopkg.in/square/go-jose.v2/encoding.go +++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go @@ -21,6 +21,7 @@ import ( diff --git a/SPECS/cri-o/cri-o.signatures.json b/SPECS/cri-o/cri-o.signatures.json index 57ef05b8252..9da127adb29 100644 --- a/SPECS/cri-o/cri-o.signatures.json +++ b/SPECS/cri-o/cri-o.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "cri-o-1.21.7-vendor.tar.gz": "64edd6277f2e4d0540151e38d8e637904130726ef68cf82826e2624686e758b4", - "cri-o-1.21.7.tar.gz": "171342a882cfb8d8600f0c5e928924aa86cf2ae124277aa1b18ff1cf3da76cfa", + "cri-o-1.22.3-vendor.tar.gz": "2a5500d54ee9a3c28637aba887fd5e6462973c7746649dbff45c3c821a8863d0", + "cri-o-1.22.3.tar.gz": "52836549cfa27a688659576be9266f4837357a6fa162b1d0a05fa8da62c724b3", "cri-o-rpmlintrc": "851a8f7e0b91e011d19a123c2ec703590f3261bfc3fedc41f058dc7556de86cc", "crio.conf": "0b4d11a34542656ad1077fefefdbd0782c15ea521da914bfed0fc7bf84215f0e", "crio.service": "aa19713bbb91d0871de67a4a36a75e9558a31b5b4952b8cf81a667c41f0a7c0c", diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec index 6adadb52c24..2d8784c9fa6 100644 --- a/SPECS/cri-o/cri-o.spec +++ b/SPECS/cri-o/cri-o.spec 
@@ -25,8 +25,8 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interface # Define macros for further referenced sources Name: cri-o -Version: 1.21.7 -Release: 3%{?dist} +Version: 1.22.3 +Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -110,8 +110,8 @@ This package provides the CRI-O container runtime configuration for kubeadm %prep %setup -q -tar -xf %{SOURCE1} --no-same-owner %autopatch -p1 +tar -xf %{SOURCE1} --no-same-owner %build @@ -215,6 +215,12 @@ mkdir -p /opt/cni/bin %{_fillupdir}/sysconfig.kubelet %changelog +* Thu May 21 2024 Henry Li - 1.22.3-1 +- Upgrade to 1.22.3 to resolve regressed CVE-2022-0811 +- Updated vendor source tar +- Update patches for CVE-2022-1708, CVE-2021-3602, CVE-2021-44716, + CVE-2022-27651, CVE-2022-29526, CVE-2023-44487, CVE-2024-21626 and CVE-2024-28180 + * Fri Apr 26 2024 Dallas Delaney - 1.21.7-3 - Apply patch to fix CVE-2024-21626 and update patch for CVE-2023-44487 diff --git a/cgmanifest.json b/cgmanifest.json index d0d66b19419..a4c6131c960 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2257,8 +2257,8 @@ "type": "other", "other": { "name": "cri-o", - "version": "1.21.7", - "downloadUrl": "https://github.com/cri-o/cri-o/archive/refs/tags/v1.21.7.tar.gz" + "version": "1.22.3", + "downloadUrl": "https://github.com/cri-o/cri-o/archive/refs/tags/v1.22.3.tar.gz" } } }, From dc5da04c2b9a15202c84a77ba5ed38e5ccbfe067 Mon Sep 17 00:00:00 2001 From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Tue, 28 May 2024 12:41:26 -0700 Subject: [PATCH 08/12] [2.0] Resolve telegraf CVE-2024-27289 (#9235) Co-authored-by: Henry Li --- SPECS/telegraf/CVE-2024-27289.patch | 15 +++++++++++++++ SPECS/telegraf/telegraf.spec | 6 +++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 SPECS/telegraf/CVE-2024-27289.patch 
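Review bot: Moving `tar -xf %{SOURCE1} --no-same-owner` after `%autopatch -p1` in %prep changes what the CVE patches are applied against: every patch this commit touches edits files under vendor/ (CVE-2022-27651, CVE-2022-29526, CVE-2023-44487, CVE-2024-21626, CVE-2024-28180). If the vendor tree is provided by %{SOURCE1}, the patches now run before it exists and %autopatch fails; if the upstream tarball already ships vendor/ and %{SOURCE1} unpacks over it, the extraction silently overwrites the just-patched files and the build ships unfixed code. Please confirm which holds for 1.22.3 and, if extracting after patching is intended, add a comment on the `tar -xf` line stating what the tarball contains and that it must not overlap the patched vendor/ paths.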
diff --git a/SPECS/telegraf/CVE-2024-27289.patch b/SPECS/telegraf/CVE-2024-27289.patch new file mode 100644 index 00000000000..8ef3e58b2fb --- /dev/null +++ b/SPECS/telegraf/CVE-2024-27289.patch @@ -0,0 +1,15 @@ +diff --git a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go +index 5eef456..4c345d5 100644 +--- a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go ++++ b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go +@@ -58,6 +58,10 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) { + return "", fmt.Errorf("invalid arg type: %T", arg) + } + argUse[argIdx] = true ++ ++ // Prevent SQL injection via Line Comment Creation ++ // https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p ++ str = "(" + str + ")" + default: + return "", fmt.Errorf("invalid Part type: %T", part) + } diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index 4dc15c30b37..a9cdd96af68 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.29.4 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -12,6 +12,7 @@ Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2023-45288.patch Patch1: CVE-2024-28110.patch +Patch2: CVE-2024-27289.patch BuildRequires: golang BuildRequires: iana-etc BuildRequires: systemd-devel @@ -82,6 +83,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Fri May 24 2024 Henry Li - 1.29.4-4 +- Add patch to resolve CVE-2024-27289 + * Mon May 06 2024 Henry Li - 1.29.4-3 - Re-add patch for CVE-2024-28110 From f3440240659523ab7fb37d96de7df207a4d1a77a Mon Sep 17 00:00:00 2001 
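Review bot: `Patch2: CVE-2024-27289.patch` is declared in telegraf.spec, but %prep is outside this diff, so it is not visible whether the spec applies patches via `%autosetup`/`%autopatch` or via explicit `%patchN` lines; with explicit lines a new PatchN declaration is silently ignored and the package would be rebuilt unfixed. Please confirm Patch2 is actually applied (the `str = "(" + str + ")"` line in sanitize.go is easy to check in the built sources). The new patch file also has no header naming its origin beyond the GHSA link inside the hunk; a one-line note such as `Backport of the upstream pgx fix for GHSA-m7wr-2xf7-cm9p into the vendored copy` above the `diff --git` line would give the next rebase something to check against.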
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 28 May 2024 15:00:50 -0700 Subject: [PATCH 09/12] [AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade fluent-bit to 2.2.3 to fix CVE-2024-4323 - branch main (#9237) --- SPECS/fluent-bit/fluent-bit.signatures.json | 2 +- SPECS/fluent-bit/fluent-bit.spec | 5 ++++- cgmanifest.json | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/SPECS/fluent-bit/fluent-bit.signatures.json b/SPECS/fluent-bit/fluent-bit.signatures.json index 7b9bc7b5a62..bf91d54c81c 100644 --- a/SPECS/fluent-bit/fluent-bit.signatures.json +++ b/SPECS/fluent-bit/fluent-bit.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "fluent-bit-2.2.2.tar.gz": "8e7e951b2907e9d29508699c71c8949a4a22d750d54ffa5ee5b96537e59371dd" + "fluent-bit-2.2.3.tar.gz": "006ed94d34e4036fb7fb5a02016ccf3a55d7f5ccdefd5df756d1ba2206cfc55d" } } diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index a475a47f4de..df3c7a6defb 100644 --- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -1,6 +1,6 @@ Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX Name: fluent-bit -Version: 2.2.2 +Version: 2.2.3 Release: 1%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation @@ -80,6 +80,9 @@ Development files for %{name} %{_libdir}/fluent-bit/*.so %changelog +* Tue May 28 2024 CBL-Mariner Servicing Account - 2.2.3-1 +- Auto-upgrade to 2.2.3 - CVE-2024-4323 + * Wed Apr 03 2024 CBL-Mariner Servicing Account - 2.2.2-1 - Auto-upgrade to 2.2.2 - CVE-2024-23722 diff --git a/cgmanifest.json b/cgmanifest.json index a4c6131c960..e46f6833cdc 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -3698,8 +3698,8 @@ "type": "other", "other": { "name": "fluent-bit", - "version": "2.2.2", - "downloadUrl": "https://github.com/fluent/fluent-bit/archive/refs/tags/v2.2.2.tar.gz" + "version": "2.2.3", + "downloadUrl": "https://github.com/fluent/fluent-bit/archive/refs/tags/v2.2.3.tar.gz" } } }, From e86c9c1d13190bc3790baafb5d2c5db2ffcf00f3 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 28 May 2024 15:01:09 -0700 Subject: [PATCH 10/12] [AUTO-CHERRYPICK] pytorch: Add patch for CVE-2024-27318 - branch main (#9130) Co-authored-by: Sumynwa --- SPECS/pytorch/CVE-2024-27318.patch | 377 +++++++++++++++++++++++++++++ SPECS/pytorch/pytorch.spec | 6 +- 2 files changed, 382 insertions(+), 1 deletion(-) create mode 100644 SPECS/pytorch/CVE-2024-27318.patch diff --git a/SPECS/pytorch/CVE-2024-27318.patch b/SPECS/pytorch/CVE-2024-27318.patch new file mode 100644 index 00000000000..d3008ce10c9 --- /dev/null +++ b/SPECS/pytorch/CVE-2024-27318.patch 
@@ -0,0 +1,377 @@ +Modified patch to apply to vendored onnx sources +Modified by: sumsharma@microsoft.com + +From 66b7fb630903fdcf3e83b6b6d56d82e904264a20 Mon Sep 17 00:00:00 2001 +From: liqun Fu +Date: Mon, 19 Feb 2024 11:12:40 -0800 +Subject: [PATCH] Fix path sanitization bypass leading to arbitrary read + (#5917) + +Signed-off-by: liqunfu +Signed-off-by: liqun Fu +Co-authored-by: Justin Chu +--- + third_party/onnx/onnx/checker.cc | 163 ++++++++++-------- + third_party/onnx/onnx/checker.h | 5 +- + third_party/onnx/onnx/common/path.h | 17 +- + third_party/onnx/onnx/cpp2py_export.cc | 2 + + third_party/onnx/onnx/external_data_helper.py | 17 +- + .../onnx/onnx/test/test_external_data.py | 47 +++++ + 6 files changed, 160 insertions(+), 91 deletions(-) + +diff --git a/third_party/onnx/onnx/checker.cc b/third_party/onnx/onnx/checker.cc +index 0c81c87e..38a068dd 100644 +--- a/third_party/onnx/onnx/checker.cc ++++ b/third_party/onnx/onnx/checker.cc +@@ -4,7 +4,6 @@ + + #include "onnx/checker.h" + #include "onnx/common/file_utils.h" +-#include "onnx/common/path.h" + #include "onnx/defs/schema.h" + #include "onnx/defs/tensor_proto_util.h" + #include "onnx/proto_utils.h" +@@ -129,80 +128,7 @@ void check_tensor(const TensorProto& tensor, const CheckerContext& ctx) { + for (const StringStringEntryProto& entry : tensor.external_data()) { + if (entry.has_key() && entry.has_value() && entry.key() == "location") { + has_location = true; +-#ifdef _WIN32 +- auto file_path = std::filesystem::path(utf8str_to_wstring(entry.value())); +- if (file_path.is_absolute()) { +- fail_check( +- "Location of external TensorProto ( tensor name: ", +- tensor.name(), +- ") should be a relative path, but it is an absolute path: ", +- entry.value()); +- } +- auto relative_path = file_path.lexically_normal().make_preferred().wstring(); +- // Check that normalized relative path contains ".." on Windows. 
+- if (relative_path.find(L"..", 0) != std::string::npos) { +- fail_check( +- "Data of TensorProto ( tensor name: ", +- tensor.name(), +- ") should be file inside the ", +- ctx.get_model_dir(), +- ", but the '", +- entry.value(), +- "' points outside the directory"); +- } +- std::wstring data_path = path_join(utf8str_to_wstring(ctx.get_model_dir()), relative_path); +- struct _stat buff; +- if (_wstat(data_path.c_str(), &buff) != 0) { +- fail_check( +- "Data of TensorProto ( tensor name: ", +- tensor.name(), +- ") should be stored in ", +- entry.value(), +- ", but it doesn't exist or is not accessible."); +- } +-#else // POSIX +- if (entry.value().empty()) { +- fail_check("Location of external TensorProto ( tensor name: ", tensor.name(), ") should not be empty."); +- } else if (entry.value()[0] == '/') { +- fail_check( +- "Location of external TensorProto ( tensor name: ", +- tensor.name(), +- ") should be a relative path, but it is an absolute path: ", +- entry.value()); +- } +- std::string relative_path = clean_relative_path(entry.value()); +- // Check that normalized relative path contains ".." on POSIX +- if (relative_path.find("..", 0) != std::string::npos) { +- fail_check( +- "Data of TensorProto ( tensor name: ", +- tensor.name(), +- ") should be file inside the ", +- ctx.get_model_dir(), +- ", but the '", +- entry.value(), +- "' points outside the directory"); +- } +- std::string data_path = path_join(ctx.get_model_dir(), relative_path); +- // use stat to check whether the file exists +- struct stat buffer; +- if (stat((data_path).c_str(), &buffer) != 0) { +- fail_check( +- "Data of TensorProto ( tensor name: ", +- tensor.name(), +- ") should be stored in ", +- data_path, +- ", but it doesn't exist or is not accessible."); +- } +- // Do not allow symlinks or directories. 
+- if (!S_ISREG(buffer.st_mode)) { +- fail_check( +- "Data of TensorProto ( tensor name: ", +- tensor.name(), +- ") should be stored in ", +- data_path, +- ", but it is not regular file."); +- } +-#endif ++ resolve_external_data_location(ctx.get_model_dir(), entry.value(), tensor.name()); + } + } + if (!has_location) { +@@ -1028,6 +954,93 @@ void check_model(const ModelProto& model, bool full_check) { + } + } + ++std::string resolve_external_data_location( ++ const std::string& base_dir, ++ const std::string& location, ++ const std::string& tensor_name) { ++#ifdef _WIN32 ++ auto file_path = std::filesystem::path(utf8str_to_wstring(location)); ++ if (file_path.is_absolute()) { ++ fail_check( ++ "Location of external TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be a relative path, but it is an absolute path: ", ++ location); ++ } ++ auto relative_path = file_path.lexically_normal().make_preferred().wstring(); ++ // Check that normalized relative path contains ".." on Windows. 
++ if (relative_path.find(L"..", 0) != std::string::npos) { ++ fail_check( ++ "Data of TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be file inside the ", ++ base_dir, ++ ", but the '", ++ location, ++ "' points outside the directory"); ++ } ++ std::wstring data_path = path_join(utf8str_to_wstring(base_dir), relative_path); ++ struct _stat64 buff; ++ if (data_path.empty() || (data_path[0] != '#' && _wstat64(data_path.c_str(), &buff) != 0)) { ++ fail_check( ++ "Data of TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be stored in ", ++ location, ++ ", but it doesn't exist or is not accessible."); ++ } ++ return wstring_to_utf8str(data_path); ++#else // POSIX ++ if (location.empty()) { ++ fail_check("Location of external TensorProto ( tensor name: ", tensor_name, ") should not be empty."); ++ } else if (location[0] == '/') { ++ fail_check( ++ "Location of external TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be a relative path, but it is an absolute path: ", ++ location); ++ } ++ std::string relative_path = clean_relative_path(location); ++ // Check that normalized relative path contains ".." 
on POSIX ++ if (relative_path.find("..", 0) != std::string::npos) { ++ fail_check( ++ "Data of TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be file inside the ", ++ base_dir, ++ ", but the '", ++ location, ++ "' points outside the directory"); ++ } ++ std::string data_path = path_join(base_dir, relative_path); ++ // use stat64 to check whether the file exists ++#if defined(__APPLE__) || defined(__wasm__) || !defined(__GLIBC__) ++ struct stat buffer; // APPLE, wasm and non-glic stdlibs do not have stat64 ++ if (data_path.empty() || (data_path[0] != '#' && stat((data_path).c_str(), &buffer) != 0)) { ++#else ++ struct stat64 buffer; // All POSIX under glibc except APPLE and wasm have stat64 ++ if (data_path.empty() || (data_path[0] != '#' && stat64((data_path).c_str(), &buffer) != 0)) { ++#endif ++ fail_check( ++ "Data of TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be stored in ", ++ data_path, ++ ", but it doesn't exist or is not accessible."); ++ } ++ // Do not allow symlinks or directories. 
++ if (data_path.empty() || (data_path[0] != '#' && !S_ISREG(buffer.st_mode))) { ++ fail_check( ++ "Data of TensorProto ( tensor name: ", ++ tensor_name, ++ ") should be stored in ", ++ data_path, ++ ", but it is not regular file."); ++ } ++ return data_path; ++#endif ++} ++ + std::set experimental_ops = { + "ATen", + "Affine", +diff --git a/third_party/onnx/onnx/checker.h b/third_party/onnx/onnx/checker.h +index 05eeaad0..50381aae 100644 +--- a/third_party/onnx/onnx/checker.h ++++ b/third_party/onnx/onnx/checker.h +@@ -148,7 +148,10 @@ void check_model_local_functions( + + void check_model(const ModelProto& model, bool full_check = false); + void check_model(const std::string& model_path, bool full_check = false); +- ++std::string resolve_external_data_location( ++ const std::string& base_dir, ++ const std::string& location, ++ const std::string& tensor_name); + bool check_is_experimental_op(const NodeProto& node); + + } // namespace checker +diff --git a/third_party/onnx/onnx/common/path.h b/third_party/onnx/onnx/common/path.h +index f71b5b12..3d69e448 100644 +--- a/third_party/onnx/onnx/common/path.h ++++ b/third_party/onnx/onnx/common/path.h +@@ -30,12 +30,23 @@ inline std::wstring utf8str_to_wstring(const std::string& utf8str) { + if (utf8str.size() > INT_MAX) { + fail_check("utf8str_to_wstring: string is too long for converting to wstring."); + } +- int size_required = MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), (int)utf8str.size(), NULL, 0); ++ int size_required = MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), static_cast(utf8str.size()), NULL, 0); + std::wstring ws_str(size_required, 0); +- MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), (int)utf8str.size(), &ws_str[0], size_required); ++ MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), static_cast(utf8str.size()), &ws_str[0], size_required); + return ws_str; + } +- ++inline std::string wstring_to_utf8str(const std::wstring& ws_str) { ++ if (ws_str.size() > INT_MAX) { ++ 
fail_check("wstring_to_utf8str: string is too long for converting to UTF-8."); ++ } ++ int size_required = ++ WideCharToMultiByte(CP_UTF8, 0, ws_str.c_str(), static_cast(ws_str.size()), NULL, 0, NULL, NULL); ++ std::string utf8str(size_required, 0); ++ WideCharToMultiByte( ++ CP_UTF8, 0, ws_str.c_str(), static_cast(ws_str.size()), &utf8str[0], size_required, NULL, NULL); ++ return utf8str; ++} ++ + #else + std::string path_join(const std::string& origin, const std::string& append); + // TODO: also use std::filesystem::path for clean_relative_path after ONNX has supported C++17 for POSIX +diff --git a/third_party/onnx/onnx/cpp2py_export.cc b/third_party/onnx/onnx/cpp2py_export.cc +index f6e1738e..02aabcab 100644 +--- a/third_party/onnx/onnx/cpp2py_export.cc ++++ b/third_party/onnx/onnx/cpp2py_export.cc +@@ -395,6 +395,8 @@ PYBIND11_MODULE(onnx_cpp2py_export, onnx_cpp2py_export) { + "path"_a, + "full_check"_a = false); + ++ checker.def("_resolve_external_data_location", &checker::resolve_external_data_location); ++ + // Submodule `version_converter` + auto version_converter = onnx_cpp2py_export.def_submodule("version_converter"); + version_converter.doc() = "VersionConverter submodule"; +diff --git a/third_party/onnx/onnx/external_data_helper.py b/third_party/onnx/onnx/external_data_helper.py +index 54c0f403..6763b11d 100644 +--- a/third_party/onnx/onnx/external_data_helper.py ++++ b/third_party/onnx/onnx/external_data_helper.py +@@ -5,7 +5,8 @@ import sys + import uuid + from itertools import chain + from typing import Callable, Iterable, Optional +- ++ ++import onnx.onnx_cpp2py_export.checker as c_checker + from .onnx_pb import AttributeProto, GraphProto, ModelProto, TensorProto + + +@@ -37,9 +38,9 @@ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None: + base_dir: directory that contains the external data. 
+ """ + info = ExternalDataInfo(tensor) +- file_location = _sanitize_path(info.location) +- external_data_file_path = os.path.join(base_dir, file_location) +- ++ external_data_file_path = c_checker._resolve_external_data_location( # type: ignore[attr-defined] ++ base_dir, info.location, tensor.name ++ ) + with open(external_data_file_path, "rb") as data_file: + if info.offset: + data_file.seek(info.offset) +@@ -251,14 +252,6 @@ def _get_attribute_tensors(onnx_model_proto: ModelProto) -> Iterable[TensorProto + yield from _get_attribute_tensors_from_graph(onnx_model_proto.graph) + + +-def _sanitize_path(path: str) -> str: +- """Remove path components which would allow traversing up a directory tree from a base path. +- +- Note: This method is currently very basic and should be expanded. +- """ +- return path.lstrip("/.") +- +- + def _is_valid_filename(filename: str) -> bool: + """Utility to check whether the provided filename is valid.""" + exp = re.compile('^[^<>:;,?"*|/]+$') +diff --git a/third_party/onnx/onnx/test/test_external_data.py b/third_party/onnx/onnx/test/test_external_data.py +index 5ba6b9cf..6e06312b 100644 +--- a/third_party/onnx/onnx/test/test_external_data.py ++++ b/third_party/onnx/onnx/test/test_external_data.py +@@ -1,4 +1,5 @@ + # SPDX-License-Identifier: Apache-2.0 ++import itertools + import os + import os.path as Path + import shutil +@@ -186,6 +187,52 @@ class TestLoadExternalDataSingleFile(TestLoadExternalDataBase): + attribute_tensor = new_model.graph.node[0].attribute[0].t + self.assertTrue(np.allclose(to_array(attribute_tensor), self.attribute_value)) + ++ @parameterized.parameterized.expand(itertools.product((True, False), (True, False))) ++ def test_save_external_invalid_single_file_data_and_check( ++ self, use_absolute_path: bool, use_model_path: bool ++ ) -> None: ++ model = onnx.load_model(self.model_filename, self.serialization_format) ++ ++ model_dir = os.path.join(self.temp_dir, "save_copy") ++ os.mkdir(model_dir) ++ ++ 
traversal_external_data_dir = os.path.join( ++ self.temp_dir, "invlid_external_data" ++ ) ++ os.mkdir(traversal_external_data_dir) ++ ++ if use_absolute_path: ++ traversal_external_data_location = os.path.join( ++ traversal_external_data_dir, "tensors.bin" ++ ) ++ else: ++ traversal_external_data_location = "../invlid_external_data/tensors.bin" ++ ++ external_data_dir = os.path.join(self.temp_dir, "external_data") ++ os.mkdir(external_data_dir) ++ new_model_filepath = os.path.join(model_dir, "model.onnx") ++ ++ def convert_model_to_external_data_no_check(model: ModelProto, location: str): ++ for tensor in model.graph.initializer: ++ if tensor.HasField("raw_data"): ++ set_external_data(tensor, location) ++ ++ convert_model_to_external_data_no_check( ++ model, ++ location=traversal_external_data_location, ++ ) ++ ++ onnx.save_model(model, new_model_filepath, self.serialization_format) ++ if use_model_path: ++ with self.assertRaises(onnx.checker.ValidationError): ++ _ = onnx.load_model(new_model_filepath, self.serialization_format) ++ else: ++ onnx_model = onnx.load_model( ++ new_model_filepath, self.serialization_format, load_external_data=False ++ ) ++ with self.assertRaises(onnx.checker.ValidationError): ++ load_external_data_for_model(onnx_model, external_data_dir) ++ + + class TestSaveAllTensorsAsExternalData(TestLoadExternalDataBase): + def setUp(self) -> None: +-- +2.25.1 + diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec index ddbac5bdb27..45caf0a87f4 100644 --- a/SPECS/pytorch/pytorch.spec +++ b/SPECS/pytorch/pytorch.spec @@ -2,7 +2,7 @@ Summary: Tensors and Dynamic neural networks in Python with strong GPU acceleration. Name: pytorch Version: 2.0.0 -Release: 5%{?dist} +Release: 6%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation Distribution: Mariner 
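Review bot: In the POSIX branch of `resolve_external_data_location` the comment `// Do not allow symlinks or directories.` promises more than the check delivers: `stat64()` follows symlinks, so `S_ISREG(buffer.st_mode)` reports the type of the link target and a symbolic link to a regular file outside `base_dir` passes, and the Windows branch has no file-type check at all. For the comment to hold the existence check would need `lstat64()` with `S_ISLNK` rejected (the `__APPLE__`/`__wasm__` branch likewise with `lstat()`). Separately, the `'#'` sentinel is tested on `data_path[0]`, which after `path_join(base_dir, relative_path)` is presumably the first character of `base_dir` whenever that is non-empty rather than of `location`; if the intent is to skip the existence check for in-memory `#` locations, `location[0]` is the value to test (path_join is not shown, so confirm). Both issues are inherited from the upstream commit as backported, and the Python caller `load_external_data_for_tensor` opens whatever path this function returns, so they are worth recording in the patch header even if left for upstream.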
@@ -15,6 +15,7 @@ Patch0: CVE-2024-31580.patch
 Patch1: CVE-2024-31583.patch
 Patch2: CVE-2024-27319.patch
 Patch3: CVE-2024-31584.patch
+Patch4: CVE-2024-27318.patch
 BuildRequires: cmake
 BuildRequires: gcc
@@ -87,6 +88,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 %changelog
+* Wed May 15 2024 Sumedh Sharma - 2.0.0-6
+- patch CVE-2024-27318
+
 * Tue Apr 30 2024 Sindhu Karri - 2.0.0-5
 - patch CVE-2024-31584
From ac45317296f266bc499e29b9e7a181cefad53cae Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Tue, 28 May 2024 15:01:40 -0700
Subject: [PATCH 11/12] [AUTO-CHERRYPICK] graphviz: address CVE-2023-46045 & CVE-2020-18032 - branch main (#9129)
Co-authored-by: Muhammad Falak R Wani
---
 SPECS/graphviz/CVE-2023-46045.patch | 34 ++++++++++++++++++++++++++
 SPECS/graphviz/graphviz.spec | 11 ++++++---
 SPECS/python-sphinx/python-sphinx.spec | 24 ++++++++++++++++--
 3 files changed, 63 insertions(+), 6 deletions(-)
 create mode 100644 SPECS/graphviz/CVE-2023-46045.patch
diff --git a/SPECS/graphviz/CVE-2023-46045.patch b/SPECS/graphviz/CVE-2023-46045.patch
new file mode 100644
index 00000000000..ba6f2240afa
--- /dev/null
+++ b/SPECS/graphviz/CVE-2023-46045.patch
@@ -0,0 +1,34 @@
+From 197f3149a5753d6bc994a21b98a70c7f76f548b5 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani
+Date: Tue, 14 May 2024 10:47:34 +0530
+Subject: [PATCH] gvc: detect plugin installation failure and display an error
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+Backported to v2.42.4 by @mfrw
+
+Signed-off-by: Matthew Fernandez
+Signed-off-by: Muhammad Falak R Wani
+---
+ lib/gvc/gvconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 59c4614..35c1b60 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -186,6 +186,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ do {
+ api = token(&nest, &s);
+ gv_api = gvplugin_api(api);
++ if (gv_api == (api_t)-1) {
++ agerr(AGERR, "config error: %s %s not found\n", path, api);
++ return 0;
++ }
+ do {
+ if (nest == 2) {
+ type = token(&nest, &s);
+--
+2.40.1
+
diff --git a/SPECS/graphviz/graphviz.spec b/SPECS/graphviz/graphviz.spec
index 838bd583b79..a2794835741 100644
--- a/SPECS/graphviz/graphviz.spec
+++ b/SPECS/graphviz/graphviz.spec
@@ -45,7 +45,7 @@
 Summary: Graph Visualization Tools
 Name: graphviz
 Version: 2.42.4
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: EPL-1.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -55,6 +55,7 @@ Source0: https://gitlab.com/%{name}/%{name}/-/archive/%{version}/%{name}-
 Patch0: graphviz-2.42.2-dotty-menu-fix.patch
 Patch1: graphviz-2.42.2-coverity-scan-fixes.patch
 Patch2: CVE-2020-18032.patch
+Patch3: CVE-2023-46045.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
@@ -250,9 +251,7 @@ Requires: tcl >= 8.3
 Various tcl packages (extensions) for the graphviz tools.
 %prep
-%setup -q
-%patch0 -p1 -b .dotty-menu-fix
-%patch1 -p1 -b .coverity-scan-fixes
+%autosetup -p1
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
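Review bot: Replacing the explicit `%patch0`/`%patch1` lines with `%autosetup -p1` in %prep is what makes Patch2 (CVE-2020-18032.patch) and the new Patch3 take effect: the old %prep applied only two of the three declared patches, so CVE-2020-18032 was listed in the spec but never applied, which the changelog's "actually address" wording confirms. That deserves a why-comment so a later edit does not reintroduce a hand-maintained patch list, e.g. `# %autosetup applies every PatchN declared above; an explicit %patch list previously left CVE-2020-18032.patch unapplied.` A single `-p1` now governs all four patches; Patch3 is -p1 strippable (its paths are `a/lib/gvc/gvconfig.c`), and Patch0/Patch1 were already applied with -p1, but Patch2's strip level cannot be checked from this hunk and should be confirmed by a build.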
@@ -518,6 +517,10 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*
 %changelog
+* Tue May 14 2024 Muhammad Falak - 2.42.4-10
+- Switch to autosetup to actually address CVE-2020-18032
+- Address CVE-2023-46045
+
 * Wed Sep 20 2023 Jon Slobodzian - 2.42.4-9
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
diff --git a/SPECS/python-sphinx/python-sphinx.spec b/SPECS/python-sphinx/python-sphinx.spec
index bad6eef0967..ecbb12de494 100644
--- a/SPECS/python-sphinx/python-sphinx.spec
+++ b/SPECS/python-sphinx/python-sphinx.spec
@@ -11,7 +11,7 @@
 Summary: Python documentation generator
 Name: python-sphinx
 Version: 4.4.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Unless otherwise noted, the license for code is BSD
 # sphinx/util/inspect.py has bits licensed with PSF license v2 (Python)
 # sphinx/themes/haiku/static/haiku.css_t has bits licensed with MIT
@@ -37,10 +37,27 @@ BuildRequires: gettext
 BuildRequires: graphviz
 BuildRequires: python3-atomicwrites
 BuildRequires: python3-attrs
+BuildRequires: python3-babel
 BuildRequires: python3-docutils
+BuildRequires: python3-html5lib
+BuildRequires: python3-imagesize
+BuildRequires: python3-importlib-metadata
+BuildRequires: python3-jinja2
+BuildRequires: python3-more-itertools
+BuildRequires: python3-packaging
 BuildRequires: python3-pluggy
+BuildRequires: python3-pygments
 BuildRequires: python3-pytest
+BuildRequires: python3-requests
 BuildRequires: python3-six
+BuildRequires: python3-snowballstemmer
+BuildRequires: python3-sphinx-theme-alabaster
+BuildRequires: python3-sphinxcontrib-applehelp
+BuildRequires: python3-sphinxcontrib-devhelp
+BuildRequires: python3-sphinxcontrib-htmlhelp
+BuildRequires: python3-sphinxcontrib-jsmath
+BuildRequires: python3-sphinxcontrib-qthelp
+BuildRequires: python3-sphinxcontrib-serializinghtml
 BuildRequires: python3-test
 BuildRequires: texinfo
@@ -237,7 +254,7 @@ mkdir %{buildroot}%{python3_sitelib}/sphinxcontrib
 >> sphinx.lang
 %check
-pip3 install more-itertools
+pip3 install webencodings
 %pytest
 %files -n python%{python3_pkgversion}-sphinx -f sphinx.lang
@@ -252,6 +269,9 @@ pip3 install more-itertools
 %dir %{_datadir}/sphinx/locale/*
 %changelog
+* Tue May 14 2024 Pawel Winogrodzki - 4.4.0-3
+- Added test-time dependencies to unblock tests.
+
 * Fri Mar 25 2022 Pawel Winogrodzki - 4.4.0-2
 - Initial CBL-Mariner import from Fedora 36 (license: MIT).
 - Removing epoch.
From fea7c96a84bc0fb6507078488c7ce3ea5e4c0358 Mon Sep 17 00:00:00 2001
From: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com>
Date: Tue, 28 May 2024 17:05:34 -0700
Subject: [PATCH 12/12] moby-compose: Fix CVE-2024-24786, CVE-2024-23650, CVE-2023-2253 (#9239)
---
 SPECS/moby-compose/CVE-2023-2253.patch | 98 +++++++++++++++++++++++++
 SPECS/moby-compose/CVE-2024-23650.patch | 82 +++++++++++++++++++++
 SPECS/moby-compose/CVE-2024-24786.patch | 83 +++++++++++++++++++++
 SPECS/moby-compose/moby-compose.spec | 22 +++++-
 4 files changed, 283 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/moby-compose/CVE-2023-2253.patch
 create mode 100644 SPECS/moby-compose/CVE-2024-23650.patch
 create mode 100644 SPECS/moby-compose/CVE-2024-24786.patch
diff --git a/SPECS/moby-compose/CVE-2023-2253.patch b/SPECS/moby-compose/CVE-2023-2253.patch
new file mode 100644
index 00000000000..ce4b49765ae
--- /dev/null
+++ b/SPECS/moby-compose/CVE-2023-2253.patch
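Review bot: `pip3 install webencodings` in %check still fetches an unpinned, unverified package from PyPI at build time, so the test stage depends on network access and is not reproducible offline — the same problem the replaced `pip3 install more-itertools` line had, and the one the rest of this commit fixes by turning test dependencies into BuildRequires. webencodings is a runtime dependency of the newly added python3-html5lib, so a `python3-webencodings` package may already exist in the distro; if it does, `BuildRequires: python3-webencodings` belongs in the hunk above and the pip line should be dropped. If no such package exists, a comment above the pip line stating why the package is pulled at build time, with a pinned version, would at least make the exception visible to the next reader.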
@@ -0,0 +1,98 @@ +Backported from distribution/distribution upstream: +https://github.com/distribution/distribution/commit/521ea3d973cb0c7089ebbcdd4ccadc34be941f54 + +Modified to apply to vendored code by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> + - Adjusted paths + - Removed references to files which are not present in the vendored code + + +From 521ea3d973cb0c7089ebbcdd4ccadc34be941f54 Mon Sep 17 00:00:00 2001 +From: "Jose D. Gomez R" +Date: Mon, 24 Apr 2023 18:52:27 +0200 +Subject: [PATCH] Fix runaway allocation on /v2/_catalog +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Introduced a Catalog entry in the configuration struct. With it, +it's possible to control the maximum amount of entries returned +by /v2/catalog (`GetCatalog` in registry/handlers/catalog.go). + +It's set to a default value of 1000. + +`GetCatalog` returns 100 entries by default if no `n` is +provided. When provided it will be validated to be between `0` +and `MaxEntries` defined in Configuration. When `n` is outside +the aforementioned boundary, ErrorCodePaginationNumberInvalid is +returned. + +`GetCatalog` now handles `n=0` gracefully with an empty response +as well. + +Signed-off-by: José D. Gómez R. 
<1josegomezr@gmail.com> +Co-authored-by: Cory Snider +--- + vendor/github.com/docker/distribution/registry/api/v2/descriptors.go | 17 ++ + vendor/github.com/docker/distribution/registry/api/v2/errors.go | 9 + + 2 files changed, 26 insertions(+) + +diff --git a/vendor/github.com/docker/distribution/registry/api/v2/descriptors.go b/vendor/github.com/docker/distribution/registry/api/v2/descriptors.go +index a9616c58ad..c3bf90f71d 100644 +--- a/vendor/github.com/docker/distribution/registry/api/v2/descriptors.go ++++ b/vendor/github.com/docker/distribution/registry/api/v2/descriptors.go +@@ -134,6 +134,19 @@ var ( + }, + } + ++ invalidPaginationResponseDescriptor = ResponseDescriptor{ ++ Name: "Invalid pagination number", ++ Description: "The received parameter n was invalid in some way, as described by the error code. The client should resolve the issue and retry the request.", ++ StatusCode: http.StatusBadRequest, ++ Body: BodyDescriptor{ ++ ContentType: "application/json", ++ Format: errorsBody, ++ }, ++ ErrorCodes: []errcode.ErrorCode{ ++ ErrorCodePaginationNumberInvalid, ++ }, ++ } ++ + repositoryNotFoundResponseDescriptor = ResponseDescriptor{ + Name: "No Such Repository Error", + StatusCode: http.StatusNotFound, +@@ -490,6 +503,7 @@ var routeDescriptors = []RouteDescriptor{ + }, + }, + Failures: []ResponseDescriptor{ ++ invalidPaginationResponseDescriptor, + unauthorizedResponseDescriptor, + repositoryNotFoundResponseDescriptor, + deniedResponseDescriptor, +@@ -1578,6 +1592,9 @@ var routeDescriptors = []RouteDescriptor{ + }, + }, + }, ++ Failures: []ResponseDescriptor{ ++ invalidPaginationResponseDescriptor, ++ }, + }, + }, + }, +diff --git a/vendor/github.com/docker/distribution/registry/api/v2/errors.go b/vendor/github.com/docker/distribution/registry/api/v2/errors.go +index 97d6923aa0..87e9f3c14b 100644 +--- a/vendor/github.com/docker/distribution/registry/api/v2/errors.go ++++ b/vendor/github.com/docker/distribution/registry/api/v2/errors.go +@@ -133,4 
+133,13 @@ var ( + longer proceed.`, + HTTPStatusCode: http.StatusNotFound, + }) ++ ++ ErrorCodePaginationNumberInvalid = errcode.Register(errGroup, errcode.ErrorDescriptor{ ++ Value: "PAGINATION_NUMBER_INVALID", ++ Message: "invalid number of results requested", ++ Description: `Returned when the "n" parameter (number of results ++ to return) is not an integer, "n" is negative or "n" is bigger than ++ the maximum allowed.`, ++ HTTPStatusCode: http.StatusBadRequest, ++ }) + ) diff --git a/SPECS/moby-compose/CVE-2024-23650.patch b/SPECS/moby-compose/CVE-2024-23650.patch new file mode 100644 index 00000000000..77ac7ff30f1 --- /dev/null +++ b/SPECS/moby-compose/CVE-2024-23650.patch 
@@ -0,0 +1,82 @@ +Backported from moby buildkit upstream: +https://github.com/moby/buildkit/commit/1981eb123dc979fc71d097adeb5bbb84110aa9f4 + +Modified to apply to vendored code by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> + - Adjusted paths + - Removed reference to files not present in the vendored version + +From 8dfaf014d7f9721b501f99ab0aeb9f0ed957948d Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 20:43:57 -0800 +Subject: [PATCH 3/5] exporter: add validation for platforms key value + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 432ece72ae124ce8a29ced6854a08206f09f3a73) +--- +vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go | 14 +++ + 1 files changed, 14 insertions(+) + +diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go +index 293a24ed0772..e8d9b7f0cb73 100644 +--- a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go ++++ b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go +@@ -17,6 +17,18 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) { + return Platforms{}, errors.Wrapf(err, "failed to parse platforms passed to provenance processor") + } + } ++ if len(ps.Platforms) == 0 { ++ return Platforms{}, errors.Errorf("invalid empty platforms index for exporter") ++ } ++ for i, p := range ps.Platforms { ++ if p.ID == "" { ++ return Platforms{}, errors.Errorf("invalid empty platform key for exporter") ++ } ++ if p.Platform.OS == "" || p.Platform.Architecture == "" { ++ return Platforms{}, errors.Errorf("invalid platform value %v for exporter", p.Platform) ++ } ++ ps.Platforms[i].Platform = platforms.Normalize(p.Platform) ++ } + return ps, nil + } + +@@ -36,6 +48,8 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) { + OSFeatures: img.OSFeatures, + Variant: img.Variant, + } ++ } else if img.OS != 
"" || img.Architecture != "" { ++ return Platforms{}, errors.Errorf("invalid image config: os and architecture must be specified together") + } + } + p = platforms.Normalize(p) + +From 5d7d85f5a0388bb0faa0d9250f96b35814cff1f9 Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 23:39:51 -0800 +Subject: [PATCH 5/5] pb: add extra validation to protobuf types + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 838635998dcae34bbde59e3eab129ab85bd37bef) +--- +vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go | 6 ++++++ + + 1 files changed, 6 insertions(+) + +diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go +index 5ffe67233c50..c5112db9db64 100644 +--- a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go ++++ b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go +@@ -30,8 +30,14 @@ func AttestationToPB[T any](a *result.Attestation[T]) (*pb.Attestation, error) { + } + + func AttestationFromPB[T any](a *pb.Attestation) (*result.Attestation[T], error) { ++ if a == nil { ++ return nil, errors.Errorf("invalid nil attestation") ++ } + subjects := make([]result.InTotoSubject, len(a.InTotoSubjects)) + for i, subject := range a.InTotoSubjects { ++ if subject == nil { ++ return nil, errors.Errorf("invalid nil attestation subject") ++ } + subjects[i] = result.InTotoSubject{ + Kind: subject.Kind, + Name: subject.Name, diff --git a/SPECS/moby-compose/CVE-2024-24786.patch b/SPECS/moby-compose/CVE-2024-24786.patch new file mode 100644 index 00000000000..84553a16b65 --- /dev/null +++ b/SPECS/moby-compose/CVE-2024-24786.patch 
@@ -0,0 +1,83 @@ +Backported from protobuf upstream: +https://go-review.googlesource.com/c/protobuf/+/569356 + +Modified to apply to vendored code by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> + - Adjusted paths + - Removed references to protobuf/encoding/protojson/decode_test.go and + protobuf/internal/encoding/json/decode_test.go which are not present in the vendored code + - Modified json.EOF check to apply to our older version of skipJSONValue + + +From f01a588e5810b90996452eec4a28f22a0afae023 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 05 Mar 2024 08:54:24 -0800 +Subject: [PATCH] encoding/protojson, internal/encoding/json: handle missing object values + +In internal/encoding/json, report an error when encountering a } +when we are expecting an object field value. For example, the input +`{"":}` now correctly results in an error at the closing } token. + +In encoding/protojson, check for an unexpected EOF token in +skipJSONValue. This is redundant with the check in internal/encoding/json, +but adds a bit more defense against any other similar bugs that +might exist. + +Fixes CVE-2024-24786 + +Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d +Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356 +TryBot-Bypass: Damien Neil +Reviewed-by: Roland Shoemaker +Commit-Queue: Damien Neil +--- + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 25329b7..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error { + if err := d.skipJSONValue(); err != nil { + return err + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. 
++ return errors.New("unexpected EOF")
+ }
+ }
+
+@@ -341,6 +345,10 @@ func (d decoder) skipJSONValue() error {
+ case json.ArrayClose:
+ d.Read()
+ return nil
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+ default:
+ // Skip array item.
+ if err := d.skipJSONValue(); err != nil {
+@@ -348,6 +356,10 @@ func (d decoder) skipJSONValue() error {
+ }
+ }
+ }
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+ }
+ return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index d043a6e..d2b3ac0 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@
+
+ case ObjectClose:
+ if len(d.openStack) == 0 ||
+- d.lastToken.kind == comma ||
++ d.lastToken.kind&(Name|comma) != 0 ||
+ d.openStack[len(d.openStack)-1] != ObjectOpen {
+ return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ }
diff --git a/SPECS/moby-compose/moby-compose.spec b/SPECS/moby-compose/moby-compose.spec
index c0fba5cd3ea..d0007aabc42 100644
--- a/SPECS/moby-compose/moby-compose.spec
+++ b/SPECS/moby-compose/moby-compose.spec
@@ -1,7 +1,7 @@
 Summary: Define and run multi-container applications with Docker
 Name: moby-compose
 Version: 2.17.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -19,6 +19,22 @@ Patch2: Change-server-stream-context-handling.patch
 Patch3: prohibit-more-than-MaxConcurrentStreams-handlers.patch
 Patch4: CVE-2023-45288.patch
 Patch5: CVE-2023-48795.patch
+Patch6: CVE-2024-24786.patch
+# Patch for CVE-2024-23650 (buildkit) must be redone if the package is updated and
+# the vendored code begins including any of the following modules:
+# github.com/moby/buildkit/control (for control.go)
+# github.com/moby/buildkit/exporter/containerimage (for writer.go)
+# github.com/moby/buildkit/frontend/gateway (for gateway.go)
+# github.com/moby/buildkit/solver/llbsolver (for bridge.go and solver.go)
+# github.com/moby/buildkit/sourcepolicy (for matcher.go)
+# github.com/moby/buildkit/util/tracing/transform (for attribute.go and span.go)
+Patch7: CVE-2024-23650.patch
+# Patch for CVE-2023-2253 (distribution/distribution) must be redone if the package is updated and
+# the vendored code begins including any of the following modules:
+# github.com/docker/distribution/configuration (for configuration.go)
+# github.com/docker/distribution/catalog (for catalog.go)
+Patch8: CVE-2023-2253.patch
+
 # Leverage the `generate_source_tarball.sh` to create the vendor sources
 # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store.
@@ -27,7 +43,6 @@ Source1: %{name}-%{version}-govendor-v1.tar.gz
 BuildRequires: golang
 Requires: moby-cli
-
 %description
 Compose is a tool for defining and running multi-container Docker applications.
 With Compose, you use a YAML file to configure your application’s services.
@@ -57,6 +72,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl
 %{_libexecdir}/docker/cli-plugins/docker-compose
 %changelog
+* Tue May 28 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 2.17.3-5
+- Fix for CVE-2024-24786, CVE-2024-23650, CVE-2023-2253
+
 * Tue May 28 2024 Bala - 2.17.3-4
 - Fix for CVE-2023-48795
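Review bot: The %prep section that applies Patch6–Patch8 lies outside this hunk; if it still lists patches with explicit `%patchN` lines rather than `%autosetup`, the three new declarations need matching entries, otherwise they are declared but never applied — exactly the defect the graphviz change earlier in this series (PATCH 11/12) corrects. The comment blocks above Patch7 and Patch8 are a good pattern for recording why a backport is partial; Patch6 lacks one even though its patch header says the upstream decode_test.go changes were dropped, so a matching `# Patch for CVE-2024-24786 omits the upstream protojson/json decode tests, which are not present in the vendored code.` keeps the three consistent. For Patch8, the CVE-2023-2253 backport touches only descriptors.go and errors.go, so it adds the error descriptor and code but not the catalog handler bound that is the actual mitigation upstream; the comment above it should say so explicitly rather than only listing the modules to watch for.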