Merge branch 'main' into 2.0

jslobodzian 2024-08-23 21:44:58 -04:00
commit 9ce332f22c
152 changed files with 10574 additions and 197 deletions


@ -12,7 +12,7 @@ on:
permissions: read-all
env:
EXPECTED_GO_VERSION: "1.20"
EXPECTED_GO_VERSION: "1.21"
jobs:
build:


@ -22,6 +22,10 @@ parameters:
maxCPUs: "$(($(nproc) / 3))"
rawToolchainCacheURL: "$(rawToolchainCacheURL_ARM64)"
rawToolchainExpectedHash: "65de43b3bdcfdaac71df1f11fd1f830a8109b1eb9d7cb6cbc2e2d0e929d0ef76"
- name: debug
type: boolean
default: false
displayName: "Run in debug mode"
resources:
repositories:
@ -37,7 +41,7 @@ variables:
- name: toolchainArtifactNameBase
value: Toolchain
- name: system.debug
value: 'true'
value: '${{ parameters.debug }}'
extends:
template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
@ -103,6 +107,7 @@ extends:
steps:
- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
isCheckBuild: true
isQuickRebuildPackages: true
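Review bot: `value: '${{ parameters.debug }}'` feeds a boolean parameter into the string-typed `system.debug` variable, so the agent receives whatever text the template engine emits for a boolean (in Azure Pipelines that is commonly `True`/`False` rather than `true`/`false`); confirm that spelling is accepted, or normalize it with `value: '${{ lower(parameters.debug) }}'`. The new `checkBuildRetries: "1"` is added to this one PackageBuild invocation only; if other invocations of the template in this pipeline are expected to retry as well, they presumably need the same line. A comment above `- name: debug`, such as `# Controls system.debug (verbose agent logging); off by default so routine runs stay readable`, would record why the previous always-on `'true'` was replaced.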


@ -6,6 +6,10 @@ parameters:
type: string
default: "$(Build.SourcesDirectory)"
- name: checkBuildRetries
type: string
default: ""
- name: concurrentPackageBuilds
type: number
default: 12
@ -22,10 +26,6 @@ parameters:
type: string
default: ""
- name: testRerunList
type: string
default: ""
- name: failOnTestFailures
type: boolean
default: true
@ -125,6 +125,10 @@ parameters:
type: string
default: ""
- name: testRerunList
type: string
default: ""
- name: testSuiteName
type: string
default: "Package test"
@ -176,6 +180,10 @@ steps:
displayName: "Populate cache RPMs"
- script: |
if [[ -n "${{ parameters.checkBuildRetries }}" ]]; then
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
fi
if [[ ${{ parameters.isDeltaBuild }} == "true" ]]; then
delta_fetch_arg="DELTA_FETCH=y"
elif [[ ${{ parameters.isDeltaBuild }} == "false" ]]; then
@ -217,6 +225,7 @@ steps:
SPECS_DIR="${{ parameters.buildRepoRoot }}/${{ parameters.specsFolderPath }}" \
SRPM_PACK_LIST="${{ parameters.srpmPackList }}" \
TEST_RERUN_LIST="${{ parameters.testRerunList }}" \
$check_build_retries_arg \
$delta_fetch_arg \
$max_cascading_rebuilds_arg \
$quick_rebuild_packages_arg \
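Review bot: The new `checkBuildRetries` parameter is declared as an unvalidated string whose value is spliced into the shell script and then expanded unquoted as `$check_build_retries_arg`, so a value containing whitespace would be word-split into extra make arguments; the unquoted expansion is clearly intentional for the empty case (it mirrors `$delta_fetch_arg`), but the contract should be written down. Suggest a comment on the parameter, `# Number of times the check build is retried; empty means the build system's own default`, and, if the consumer expects an integer, a `values:` list or a numeric test next to the `-n` check. The `- script: |` block that sets `check_build_retries_arg` continues past the first hunk, and the make invocation that consumes it at the last hunk starts and ends outside the shown lines.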


@ -0,0 +1,27 @@
From 638d1c5d1c33b4383a4e307f5bcb8b366dd36071 Mon Sep 17 00:00:00 2001
From: Amrita Kohli <amritakohli@microsoft.com>
Date: Fri, 9 Aug 2024 16:19:34 +0000
Subject: [PATCH] Modified upstream patch from PR https://github.com/jonschlinkert/kind-of/pull/31 with commit id
975c13a7cfaf25d811475823824af3a9c04b0ba8 for CVE-2019-20149. Modified by:
Amrita Kohli <amritakohli@microsoft.com>
---
node_modules/kind-of/index.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/node_modules/kind-of/index.js b/node_modules/kind-of/index.js
index dfa799b7..bdcfdc85 100644
--- a/node_modules/kind-of/index.js
+++ b/node_modules/kind-of/index.js
@@ -66,7 +66,7 @@ module.exports = function kindOf(val) {
};
function ctorName(val) {
- return typeof val.constructor === 'function' ? val.constructor.name : null;
+ return val.constructor && typeof val.constructor === 'function' ? val.constructor.name : null;
}
function isArray(val) {
--
2.34.1
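Review bot: The added `val.constructor &&` guard is redundant: `typeof val.constructor === 'function'` is already false when `val.constructor` is `undefined` or `null`, so the `+` line behaves exactly like the `-` line and the patch changes nothing at runtime. The `typeof` check on the removed line appears to be the upstream kind-of fix from PR #31 itself, which would mean the bundled copy in the node_modules tarball already carries the fix; this should be confirmed against the vendored kind-of version before the spec changelog records CVE-2019-20149 as newly patched. If the bundled copy turns out to still be the pre-fix `val.constructor ? val.constructor.name : null` form, the patch needs to target that line instead.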


@ -2,7 +2,7 @@ Vendor: Microsoft Corporation
Distribution: Mariner
Name: js-jquery
Version: 3.5.0
Release: 3%{?dist}
Release: 4%{?dist}
Summary: JavaScript DOM manipulation, event handling, and AJAX library
BuildArch: noarch
@ -18,6 +18,8 @@ Source1: jquery_%{version}_node_modules.tar.gz
# disable gzip-js during build
Patch1: %{name}-disable-gzip-js.patch
# Patch for CVE-2019-20149 in kind-of package https://github.com/jonschlinkert/kind-of/pull/31
Patch2: CVE-2019-20149.patch
BuildRequires: web-assets-devel
@ -45,14 +47,15 @@ browsers. With a combination of versatility and extensibility, jQuery has
changed the way that millions of people write JavaScript.
%prep
%autosetup -n jquery-%{version} -v -p1
%setup -n jquery-%{version}
%patch1 -p1
#remove precompiled stuff
rm -rf dist/*
# Install the cached node modules
tar xf %{SOURCE1}
%patch2 -p1
%build
./node_modules/grunt-cli/bin/grunt -v 'build:*:*' uglify
@ -83,6 +86,10 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
%changelog
* Fri Aug 9 2024 Amrita Kohli <amritakohli@microsoft.com> - 3.5.0-4
- Patch CVE-2019-20149 in kind-of package.
- License verified
* Mon Jun 14 2021 Thomas Crain <thcrain@microsoft.com> - 3.5.0-3
- Initial CBL-Mariner import from Fedora 32 (license: MIT).
- Add explicit build-time dependency on nodejs-devel
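Review bot: The `%prep` hunk replaces `%autosetup -p1` with a manual `%setup`, `%patch1 -p1`, `tar xf %{SOURCE1}`, `%patch2 -p1` sequence, but nothing says why, and a later maintainer is likely to fold it back into `%autosetup` and break Patch2. Suggest a comment above `%setup -n jquery-%{version}`: `# Patches are applied by hand: Patch2 targets node_modules, which only exists after Source1 is unpacked`. It would also help to note next to `Patch2:` which kind-of version the tarball bundles, since any refresh of `jquery_%{version}_node_modules.tar.gz` silently changes what the patch applies to.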


@ -0,0 +1,5 @@
{
"Signatures": {
"mosh-1.4.0.tar.gz": "872e4b134e5df29c8933dff12350785054d2fd2839b5ae6b5587b14db1465ddd"
}
}


@ -0,0 +1,226 @@
Name: mosh
Version: 1.4.0
Release: 6%{?dist}
Summary: Mobile shell that supports roaming and intelligent local echo
Vendor: Microsoft Corporation
Distribution: Mariner
License: GPLv3+
URL: https://mosh.mit.edu/
Source0: https://github.com/mobile-shell/mosh/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
BuildRequires: libutempter-devel
BuildRequires: ncurses-devel
BuildRequires: openssl-devel
BuildRequires: perl-diagnostics
BuildRequires: perl-generators
BuildRequires: protobuf-compiler
BuildRequires: protobuf-devel
BuildRequires: zlib-devel
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: make
Requires: openssh-clients
Requires: openssl
Requires: perl-IO-Socket-IP
%description
Mosh is a remote terminal application that supports:
- intermittent network connectivity,
- roaming to different IP address without dropping the connection, and
- intelligent local echo and line editing to reduce the effects
of "network lag" on high-latency connections.
%prep
%setup -q
%build
%configure --disable-silent-rules CC=gcc CXX=g++
%make_build
%install
%make_install
%files
%doc README.md ChangeLog
%license COPYING
%{_bindir}/mosh
%{_bindir}/mosh-client
%{_bindir}/mosh-server
%{_mandir}/man1/mosh.1.gz
%{_mandir}/man1/mosh-client.1.gz
%{_mandir}/man1/mosh-server.1.gz
%changelog
* Sun Aug 11 2024 Chris Co <chrco@microsoft.com> - 1.4.0-6
- Initial CBL-Mariner import from Fedora 40 (license: MIT)
- License verified
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Oct 26 2022 Alex Chernyakhovsky <achernya@mit.edu> - 1.4.0-1
- Update to mosh 1.4.0
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Apr 05 2022 Michal Josef Špaček <mspacek@redhat.com> - 1.3.2-14
- Remove dependency to obsolete IO::Socket::INET6
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-12
- Rebuilt for protobuf 3.19.0
* Tue Oct 26 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-11
- Rebuilt for protobuf 3.18.1
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.3.2-10
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Jan 14 08:32:44 CET 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-7
- Rebuilt for protobuf 3.14
* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 1.3.2-6
- Rebuilt for protobuf 3.13
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 1.3.2-4
- Rebuilt for protobuf 3.12
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 1.3.2-2
- Rebuild for protobuf 3.11
* Sun Sep 22 2019 Alex Chernyakhovsky <achernya@mit.edu> - 1.3.2-1
- Update to mosh 1.3.2
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-9
- Rebuild for protobuf 3.6
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Nov 29 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.3.0-6
- Rebuild for protobuf 3.5
* Mon Nov 13 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-5
- Rebuild for protobuf 3.4
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 1.3.0-2
- Rebuild for protobuf 3.3.1
* Sun Mar 26 2017 Alex Chernyakhovsky <achernya@mit.edu> - 1.3.0-1
- Update to mosh 1.3.0
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 26 2017 Orion Poplawski <orion@cora.nwra.com> - 1.2.6-3
- Rebuild for protobuf 3.2.0
* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 1.2.6-2
- Rebuild for protobuf 3.1.0
* Wed Aug 10 2016 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.6-1
- Update to mosh 1.2.6
* Mon Feb 08 2016 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.2.5-3
- Let package honor RPM_OPT_FLAGS (Fix F24FTBFS).
- Add %%license.
- Make building verbose.
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Aug 6 2015 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.5-1
- Update to mosh 1.2.5
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sun Apr 26 2015 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.4-6
- Rebuild for protobuf version bump.
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1.2.4-2
- Perl 5.18 rebuild
* Wed Mar 27 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.4-1
- Update to mosh 1.2.4
* Sun Mar 10 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.3-3
- Rebuilt for Protobuf API change from 2.4.1 to 2.5.0
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Oct 19 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.3-1
- Update to mosh 1.2.3
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jun 13 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.2-1
- Update to mosh 1.2.2
* Sat Apr 28 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2-2
- Add -g and -O2 CFLAGS
* Fri Apr 27 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2-1
- Update to mosh 1.2.
* Mon Mar 26 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.1.1-1
- Update to mosh 1.1.1.
* Wed Mar 21 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.1-1
- Initial packaging for mosh.
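Review bot: The new changelog entry `- Initial CBL-Mariner import from Fedora 40 (license: MIT)` contradicts the spec's own `License: GPLv3+` tag a few lines above, and the import line is what reviewers use to confirm the license audit; it should read `- Initial CBL-Mariner import from Fedora 40 (license: GPLv3+)`. Since the entry also says `License verified`, the tag and the changelog need to agree on which license was verified.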


@ -9,7 +9,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for Azure
Name: kernel-azure-signed-%{buildarch}
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2


@ -4,7 +4,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for HCI
Name: kernel-hci-signed-%{buildarch}
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2


@ -4,7 +4,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for MOS systems
Name: kernel-mos-signed-%{buildarch}
Version: 5.15.161.1
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Mon Aug 12 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.164.1-1
- Update to 5.15.164.1
* Wed Jul 24 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.15.161.1-1
- Update to 5.15.161.1


@ -9,7 +9,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for %{buildarch} systems
Name: kernel-signed-%{buildarch}
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2



@ -909,6 +909,7 @@
"mod_wsgi",
"mokutil",
"moreutils",
"mosh",
"mpage",
"mrtg",
"mstflint",


@ -1,7 +1,7 @@
Summary: The Windows Azure Linux Agent
Name: WALinuxAgent
Version: 2.3.1.1
Release: 3%{?dist}
Release: 4%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -11,6 +11,7 @@ Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{versi
Source1: ephemeral-disk-warning.service
Source2: ephemeral-disk-warning.conf
Source3: ephemeral-disk-warning
Patch0: add_firewall_rules.patch
BuildRequires: python3-distro
BuildRequires: python3-setuptools
BuildRequires: python3-xml
@ -38,7 +39,7 @@ VMs in the Windows Azure cloud. This package should be installed on Linux disk
images that are built to run in the Windows Azure environment.
%prep
%setup -q -n %{name}-%{version}
%autosetup -n %{name}-%{version} -p1
%pre -p /bin/sh
@ -90,6 +91,9 @@ python3 setup.py check && python3 setup.py test
%{python3_sitelib}/*
%changelog
* Tue Jan 30 2024 Nan Liu <liunan@microsoft.com> - 2.3.1.1-4
- Patch waagent.conf to add firewall rules to protect access to Azure host node
* Tue Nov 10 2022 Nan Liu <liunan@microsoft.com> - 2.3.1.1-3
- Add ephemeral-disk-warning.service


@ -0,0 +1,24 @@
From 9ac40d805925f130283ed54f3cbb424afad41461 Mon Sep 17 00:00:00 2001
From: Nan Liu <liunan@microsoft.com>
Date: Tue, 30 Jan 2024 17:58:36 +0000
Subject: [PATCH] Add firewall rules to protect access to Azure host node
services
---
config/mariner/waagent.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/mariner/waagent.conf b/config/mariner/waagent.conf
index 65da131..cda61de 100644
--- a/config/mariner/waagent.conf
+++ b/config/mariner/waagent.conf
@@ -78,3 +78,6 @@ AutoUpdate.GAFamily=Prod
# handling until inVMArtifactsProfile.OnHold is false.
# Default is disabled
# EnableOverProvisioning=n
+
+# Add firewall rules to protect access to Azure host node services
+OS.EnableFirewall=y
--
2.25.1


@ -1,6 +1,6 @@
{
"Signatures": {
"azure-storage-azcopy-10.24.0-vendor.tar.gz": "b0b0436e8e8aa280007d2daf5cb1ea06346d54e070062042c792a9fbd110e690",
"azure-storage-azcopy-10.24.0.tar.gz": "bbb09bee00207eb6e6e80a3ecf58ac39beb956c94f500b62888ed3404580430d"
"azure-storage-azcopy-10.25.1-vendor.tar.gz": "2e51019e29834b9b4ea2480fa80eaa95d2ce09601eb1be2edcf5febd927e5a4e",
"azure-storage-azcopy-10.25.1.tar.gz": "d62f0a88e8899a611d9ef627252e4379bee8530177caca081f155e28917e70d3"
}
}


@ -1,7 +1,7 @@
Summary: The new Azure Storage data transfer utility - AzCopy v10
Name: azcopy
Version: 10.24.0
Release: 3%{?dist}
Version: 10.25.1
Release: 1%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -63,6 +63,9 @@ go test -mod=vendor
%{_bindir}/azcopy
%changelog
* Thu Aug 01 2024 Archana Choudhary <archana1@microsoft.com> - 10.25.1-1
- Bump version to 10.25.1 to fix CVE-2024-35255
* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 10.24.0-3
- Drop requirement on a specific version of golang


@ -0,0 +1,521 @@
From 835ce6a069a1741b5df6977a10ef824598b5c027 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 1 Mar 2024 08:26:07 +0100
Subject: [PATCH 1/6] Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.
The fix for end-of-life branches make the limit compile-time only for
simplicity and the limit can be changed at the compile time by adding
following define to CFLAGS:
-DDNS_RDATASET_MAX_RECORDS=<limit>
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
configure | 2 +-
configure.ac | 2 +-
lib/dns/rdataslab.c | 12 ++++++++++++
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index 1b436d6..30e65f1 100755
--- a/configure
+++ b/configure
@@ -12341,7 +12341,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/configure.ac b/configure.ac
index fb6f172..ffe087e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer],
XTARGETS=
AS_IF([test "$enable_developer" = "yes"],
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 14c4381..d74e84c 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -112,6 +112,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
}
#endif /* if DNS_RDATASET_FIXED */
+#ifndef DNS_RDATASET_MAX_RECORDS
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen) {
@@ -156,6 +160,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
if (nitems > 0xffff) {
return (ISC_R_NOSPACE);
}
@@ -524,6 +532,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif /* if DNS_RDATASET_FIXED */
INSIST(ocount > 0 && ncount > 0);
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
#if DNS_RDATASET_FIXED
oncount = ncount;
#endif /* if DNS_RDATASET_FIXED */
--
2.40.1
From c2309258b876feb7d818da89312e5af385790eaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 29 May 2024 08:43:39 +0200
Subject: [PATCH 2/6] Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k). As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).
Add a hard-coded limit (100) to cap the number of the RR types for a single
owner. The limit can be changed at the compile time by adding following
define to CFLAGS:
-DDNS_RBTDB_MAX_RTYPES=<limit>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
configure | 2 +-
configure.ac | 2 +-
lib/dns/rbtdb.c | 17 +++++++++++++++++
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index 30e65f1..835cd94 100755
--- a/configure
+++ b/configure
@@ -12341,7 +12341,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/configure.ac b/configure.ac
index ffe087e..6db4250 100644
--- a/configure.ac
+++ b/configure.ac
@@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer],
XTARGETS=
AS_IF([test "$enable_developer" = "yes"],
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 3f06545..b35e101 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6240,6 +6240,10 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
+#ifndef DNS_RBTDB_MAX_RTYPES
+#define DNS_RBTDB_MAX_RTYPES 100
+#endif /* DNS_RBTDB_MAX_RTYPES */
+
/*
* write lock on rbtnode must be held.
*/
@@ -6261,6 +6265,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
+ uint32_t ntypes;
/*
* Add an rdatasetheader_t to a node.
@@ -6325,6 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
set_ttl(rbtdb, topheader, 0);
mark_header_ancient(rbtdb, topheader);
}
+ ntypes = 0;
goto find_header;
}
/*
@@ -6348,9 +6354,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
* check for an extant non-ancient NODATA ncache
* entry which covers the same type as the RRSIG.
*/
+ ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next)
{
+ ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6395,9 +6403,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
}
}
+ ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next)
{
+ ntypes++;
if (prio_type(topheader->type)) {
prioheader = topheader;
}
@@ -6755,6 +6765,13 @@ find_header:
/*
* No rdatasets of the given type exist at the node.
*/
+
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ return (ISC_R_QUOTA);
+ }
+
newheader->down = NULL;
if (prio_type(newheader->type)) {
--
2.40.1
From 23797a4f5db6698baf98bdeaeb1e6095e67772a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= <nicki@isc.org>
Date: Thu, 6 Jun 2024 15:29:14 +0200
Subject: [PATCH 3/6] Revert "Build gcc:oraclelinux9:amd64 CI jobs with
--disable-developer"
This reverts commit 6a7ec0c01cf9df31cc29b81883be3304c07ffafd.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
.gitlab-ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 06b17c3..9e10eca 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -733,7 +733,7 @@ gcc:oraclelinux9:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "--with-libidn2 --disable-developer"
+ EXTRA_CONFIGURE: "--with-libidn2"
<<: *oraclelinux_9_amd64_image
<<: *build_job
--
2.40.1
From 03b3c1c24cb2758814b61ce65d6cd300d161ab6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: [PATCH 4/6] Expand the list of the priority types
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
lib/dns/rbtdb.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index b35e101..0932453 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -990,6 +990,8 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
case dns_rdatatype_a:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_mx:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
case dns_rdatatype_aaaa:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
case dns_rdatatype_nsec:
@@ -1002,6 +1004,22 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
case dns_rdatatype_cname:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ case dns_rdatatype_dname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
+ case dns_rdatatype_svcb:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_svcb):
+ case dns_rdatatype_https:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_https):
+ case dns_rdatatype_dnskey:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
+ case dns_rdatatype_srv:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
+ case dns_rdatatype_txt:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
+ case dns_rdatatype_ptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
+ case dns_rdatatype_naptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
return (true);
}
return (false);
--
2.40.1
From 3798953881077eae1cc6992d0bce27e2637b942e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 17:54:09 +0200
Subject: [PATCH 5/6] Make the resolver qtype ANY test order agnostic
Instead of relying on a specific order of the RR types in the databases
pick the first RR type as returned from the cache.
(cherry picked from commit 58f660cf2b800963fa649bc9823a626009db3a7e)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
bin/tests/system/resolver/tests.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index fc05635..2e089fa 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -596,18 +596,18 @@ n=$((n + 1))
echo_i "check prefetch qtype * (${n})"
ret=0
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.1.${n} || ret=1
-ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n})
+ttl1=$(awk '/^fetchall.tld/ { print $2 - 3; exit }' dig.out.1.${n})
# sleep so we are in prefetch range
sleep "${ttl1:-0}"
# trigger prefetch
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.2.${n} || ret=1
-ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+ttl2=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.2.${n})
sleep 1
# check that prefetch occurred;
-# note that only one record is prefetched, which is the AAAA record in this case,
+# note that only the first record is prefetched,
# because of the order of the records in the cache
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1
-ttl3=$(awk '/::1/ { print $2 }' dig.out.3.${n})
+ttl3=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.3.${n})
test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
--
2.40.1
From 84ce66c3491df6f31225b50d27e9a9e5fa93eaed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: [PATCH 6/6] Be smarter about refusing to add many RR types to the
database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:
1. If the new header type is in our priority list, we always add either
positive or negative entry at the beginning of the list.
2. If the new header type is negative entry, and we are over the limit,
we mark it as ancient immediately, so it gets evicted from the cache
as soon as possible.
3. Otherwise add the new header after the priority headers (or at the
head of the list).
4. If we are over the limit, evict the last entry on the normal header
list.
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
lib/dns/rbtdb.c | 68 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 57 insertions(+), 11 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 0932453..9670671 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6262,6 +6262,26 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
#define DNS_RBTDB_MAX_RTYPES 100
#endif /* DNS_RBTDB_MAX_RTYPES */
+static bool
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ UNUSED(rbtdb);
+
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
+ return (false);
+ }
+
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+}
+
+static bool
+prio_header(rdatasetheader_t *header) {
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
+ return (true);
+ }
+
+ return (prio_type(header->type));
+}
+
/*
* write lock on rbtnode must be held.
*/
@@ -6273,7 +6293,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
rdatasetheader_t *header = NULL, *sigheader = NULL;
- rdatasetheader_t *prioheader = NULL;
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
unsigned char *merged = NULL;
isc_result_t result;
bool header_nx;
@@ -6283,7 +6303,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
- uint32_t ntypes;
+ uint32_t ntypes = 0;
/*
* Add an rdatasetheader_t to a node.
@@ -6348,7 +6368,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
set_ttl(rbtdb, topheader, 0);
mark_header_ancient(rbtdb, topheader);
}
- ntypes = 0;
goto find_header;
}
/*
@@ -6360,6 +6379,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
{
if (topheader->type == sigtype) {
sigheader = topheader;
+ break;
}
}
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
@@ -6372,11 +6392,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
* check for an extant non-ancient NODATA ncache
* entry which covers the same type as the RRSIG.
*/
- ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next)
{
- ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6421,12 +6439,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
}
}
- ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next)
{
- ntypes++;
- if (prio_type(topheader->type)) {
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
+ ++ntypes;
+ expireheader = topheader;
+ } else if (!IS_CACHE(rbtdb)) {
+ ++ntypes;
+ }
+ if (prio_header(topheader)) {
prioheader = topheader;
}
if (topheader->type == newheader->type ||
@@ -6783,8 +6805,7 @@ find_header:
/*
* No rdatasets of the given type exist at the node.
*/
-
- if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
return (ISC_R_QUOTA);
@@ -6792,7 +6813,7 @@ find_header:
newheader->down = NULL;
- if (prio_type(newheader->type)) {
+ if (prio_header(newheader)) {
/* This is a priority type, prepend it */
newheader->next = rbtnode->data;
rbtnode->data = newheader;
@@ -6805,6 +6826,31 @@ find_header:
newheader->next = rbtnode->data;
rbtnode->data = newheader;
}
+
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ if (expireheader == NULL) {
+ expireheader = newheader;
+ }
+ if (NEGATIVE(newheader) &&
+ !prio_header(newheader))
+ {
+ /*
+ * Add the new non-priority negative
+ * header to the database only
+ * temporarily.
+ */
+ expireheader = newheader;
+ }
+
+ set_ttl(rbtdb, expireheader, 0);
+ mark_header_ancient(rbtdb, expireheader);
+ /*
+ * FIXME: In theory, we should mark the RRSIG
+ * and the header at the same time, but there is
+ * no direct link between those two header, so
+ * we would have to check the whole list again.
+ */
+ }
}
}
--
2.40.1


@ -0,0 +1,432 @@
From 6a4565566db942eb660e421786f73bc5baffc7b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 16 May 2024 12:10:41 +0200
Subject: [PATCH 1/5] Remove support for SIG(0) message verification
(cherry picked from commit 857fd5c346e3309ee8e280c29174b46579af5a13)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
lib/dns/message.c | 99 +++--------------------------------------------
lib/ns/client.c | 7 ++++
2 files changed, 13 insertions(+), 93 deletions(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 22aa552..12331ab 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3301,111 +3301,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
- isc_buffer_t b, msgb;
+ isc_buffer_t msgb;
REQUIRE(DNS_MESSAGE_VALID(msg));
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
return (ISC_R_SUCCESS);
}
INSIST(msg->saved.base != NULL);
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
isc_buffer_add(&msgb, msg->saved.length);
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
#ifdef SKAN_MSG_DEBUG
- dns_message_dumpsig(msg, "dns_message_checksig#1");
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
#endif /* ifdef SKAN_MSG_DEBUG */
- if (view != NULL) {
- return (dns_view_checksig(view, &msgb, msg));
- } else {
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
- }
+ if (view != NULL) {
+ return (dns_view_checksig(view, &msgb, msg));
} else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- dns_rdataset_t keyset;
- isc_result_t result;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- /*
- * This can occur when the message is a dynamic update, since
- * the rdata length checking is relaxed. This should not
- * happen in a well-formed message, since the SIG(0) is only
- * looked for in the additional section, and the dynamic update
- * meta-records are in the prerequisite and update sections.
- */
- if (rdata.length == 0) {
- return (ISC_R_UNEXPECTEDEND);
- }
-
- result = dns_rdata_tostruct(&rdata, &sig, NULL);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-
- dns_rdataset_init(&keyset);
- if (view == NULL) {
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_view_simplefind(view, &sig.signer,
- dns_rdatatype_key /* SIG(0) */, 0,
- 0, false, &keyset, NULL);
-
- if (result != ISC_R_SUCCESS) {
- /* XXXBEW Should possibly create a fetch here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- } else if (keyset.trust < dns_trust_secure) {
- /* XXXBEW Should call a validator here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_rdataset_first(&keyset);
- INSIST(result == ISC_R_SUCCESS);
- for (; result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset))
- {
- dst_key_t *key = NULL;
-
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&keyset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
-
- result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
- view->mctx, &key);
- if (result != ISC_R_SUCCESS) {
- continue;
- }
- if (dst_key_alg(key) != sig.algorithm ||
- dst_key_id(key) != sig.keyid ||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
- {
- dst_key_free(&key);
- continue;
- }
- result = dns_dnssec_verifymessage(&msgb, msg, key);
- dst_key_free(&key);
- if (result == ISC_R_SUCCESS) {
- break;
- }
- }
- if (result == ISC_R_NOMORE) {
- result = DNS_R_KEYUNAUTHORIZED;
- }
-
- freesig:
- if (dns_rdataset_isassociated(&keyset)) {
- dns_rdataset_disassociate(&keyset);
- }
- dns_rdata_freestruct(&sig);
- return (result);
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
}
}
diff --git a/lib/ns/client.c b/lib/ns/client.c
index d4ce000..2679a5e 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2041,6 +2041,13 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is signed by a nonauthoritative key");
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
+ client->message->sig0 != NULL)
+ {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request has a SIG(0) signature but its support "
+ "was removed (CVE-2024-1975)");
} else {
char tsigrcode[64];
isc_buffer_t b;
--
2.40.1
From afd9c8976d78a5145a92ff0cccc2954083042555 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 16 May 2024 12:15:23 +0200
Subject: [PATCH 2/5] Document SIG(0) verification removal
(cherry picked from commit 654ba34d80b8b6ed805461d7ada2466f8c19a6f1)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
doc/arm/advanced.rst | 18 +++---------------
doc/arm/general.rst | 6 ++----
doc/arm/reference.rst | 4 ++--
doc/arm/security.rst | 4 ++--
4 files changed, 9 insertions(+), 23 deletions(-)
diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
index 4405b5c..f3325d9 100644
--- a/doc/arm/advanced.rst
+++ b/doc/arm/advanced.rst
@@ -537,7 +537,7 @@ zone).
The TKEY process is initiated by a client or server by sending a query
of type TKEY to a TKEY-aware server. The query must include an
appropriate KEY record in the additional section, and must be signed
-using either TSIG or SIG(0) with a previously established key. The
+using either TSIG with a previously established key. The
server's response, if successful, contains a TKEY record in its
answer section. After this transaction, both participants have
enough information to calculate a shared secret using Diffie-Hellman key
@@ -555,20 +555,8 @@ deletion" mode.
SIG(0)
------
-BIND partially supports DNSSEC SIG(0) transaction signatures as
-specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
-authenticate messages. Access control is performed in the same manner as with
-TSIG keys; privileges can be granted or denied in ACL directives based
-on the key name.
-
-When a SIG(0) signed message is received, it is only verified if
-the key is known and trusted by the server. The server does not attempt
-to recursively fetch or validate the key.
-
-SIG(0) signing of multiple-message TCP streams is not supported.
-
-The only tool shipped with BIND 9 that generates SIG(0) signed messages
-is ``nsupdate``.
+Support for DNSSEC SIG(0) transaction signatures was removed.
+This is a countermeasure for CVE-2024-1975.
.. include:: managed-keys.rst
.. include:: pkcs11.rst
diff --git a/doc/arm/general.rst b/doc/arm/general.rst
index d7b7c20..136e806 100644
--- a/doc/arm/general.rst
+++ b/doc/arm/general.rst
@@ -367,10 +367,8 @@ Notes
.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
feature.
-.. [#rfc2931] When receiving a query signed with a SIG(0), the server is
- only able to verify the signature if it has the key in its local
- authoritative data; it cannot do recursion or validation to
- retrieve unknown keys.
+.. [#rfc2931] Support for SIG(0) message verification was removed
+ as a countermeasure for CVE-2024-1975.
.. [#rfc2874] Compliance is with loading and serving of A6 records only.
A6 records were moved to the experimental category by :rfc:`3363`.
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index ecc84d4..f982e0a 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -5900,7 +5900,7 @@ The ``update-policy`` clause allows more fine-grained control over which
updates are allowed. It specifies a set of rules, in which each rule
either grants or denies permission for one or more names in the zone to
be updated by one or more identities. Identity is determined by the key
-that signed the update request, using either TSIG or SIG(0). In most
+that signed the update request, using either TSIG. In most
cases, ``update-policy`` rules only apply to key-based identities. There
is no way to specify update permissions based on the client source address.
@@ -5957,7 +5957,7 @@ field), and the type of the record to be updated matches the ``types``
field. Details for each rule type are described below.
The ``identity`` field must be set to a fully qualified domain name. In
-most cases, this represents the name of the TSIG or SIG(0) key that
+most cases, this represents the name of the TSIG key that
must be used to sign the update request. If the specified name is a
wildcard, it is subject to DNS wildcard expansion, and the rule may
apply to multiple identities. When a TKEY exchange has been used to
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
index 817ebd0..92b1668 100644
--- a/doc/arm/security.rst
+++ b/doc/arm/security.rst
@@ -83,7 +83,7 @@ Limiting access to the server by outside parties can help prevent
spoofing and denial of service (DoS) attacks against the server.
ACLs match clients on the basis of up to three characteristics: 1) The
-client's IP address; 2) the TSIG or SIG(0) key that was used to sign the
+client's IP address; 2) the TSIG key that was used to sign the
request, if any; and 3) an address prefix encoded in an EDNS
Client-Subnet option, if any.
@@ -124,7 +124,7 @@ and no queries at all from the networks specified in ``bogusnets``.
In addition to network addresses and prefixes, which are matched against
the source address of the DNS request, ACLs may include ``key``
-elements, which specify the name of a TSIG or SIG(0) key.
+elements, which specify the name of a TSIG key.
When BIND 9 is built with GeoIP support, ACLs can also be used for
geographic access restrictions. This is done by specifying an ACL
--
2.40.1
From d58461e425e61c1740ff4e914c7d41513c972850 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 21 May 2024 08:45:48 +0000
Subject: [PATCH 3/5] Enable stdout autoflush in authsock.pl
With enabled buffering the output gets lost when the process
receives a TERM signal. Disable the buffering.
(cherry picked from commit a0311dfb6e2a51f89dfa8b200b96a0f4675fb654)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
bin/tests/system/tsiggss/authsock.pl | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
index d629c65..d181b1a 100644
--- a/bin/tests/system/tsiggss/authsock.pl
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -33,6 +33,10 @@ if (!defined($path)) {
exit(1);
}
+# Enable output autoflush so that it's not lost when the parent sends TERM.
+select STDOUT;
+$| = 1;
+
unlink($path);
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
die "unable to create socket $path";
--
2.40.1
From d8431d0c68df185077cf656edf46a985f3291a30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Fri, 17 May 2024 12:23:05 +0200
Subject: [PATCH 4/5] Adapt the tsiggss test to the SIG(0) removal
Test that SIG(0) signer is NOT sent to the external socket for
authorization. It MUST NOT be considered a valid signature by
any chance.
Also check that the signer's name does not appear in authsock.pl
output.
(cherry picked from commit cf8838085905171fbc00747eb210e8b8284ca0e1)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
bin/tests/system/tsiggss/authsock.pl | 1 +
bin/tests/system/tsiggss/clean.sh | 2 +-
bin/tests/system/tsiggss/tests.sh | 12 +++++++-----
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
index d181b1a..b3888fb 100644
--- a/bin/tests/system/tsiggss/authsock.pl
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -59,6 +59,7 @@ if ($timeout != 0) {
}
while (my $client = $server->accept()) {
+ printf("accept()\n");
$client->recv(my $buf, 8, 0);
my ($version, $req_len) = unpack('N N', $buf);
diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh
index 0ace209..ce885d5 100644
--- a/bin/tests/system/tsiggss/clean.sh
+++ b/bin/tests/system/tsiggss/clean.sh
@@ -21,7 +21,7 @@ rm -f ns1/_default.tsigkeys
rm -f */named.memstats
rm -f */named.conf
rm -f */named.run
-rm -f authsock.pid
+rm -f authsock.log authsock.pid
rm -f ns1/core
rm -f nsupdate.out*
rm -f ns*/named.lock
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
index a665703..34b8c89 100644
--- a/bin/tests/system/tsiggss/tests.sh
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -116,7 +116,7 @@ status=$((status + ret))
echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 &
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
sleep 1
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n + 1))
@@ -130,17 +130,19 @@ n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-echo_i "testing external policy with SIG(0) key ($n)"
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
ret=0
-$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END >/dev/null 2>&1 || ret=1
+$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
+debug
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
output=$($DIG $DIGOPTS +short cname fred.example.nil.)
-[ -n "$output" ] || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
+# update must have failed - SIG(0) signer is not supported
+[ -n "$output" ] && ret=1
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
--
2.40.1
From db69c8bb093a19eafb016b14aff45b69803f0065 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 21 May 2024 09:29:35 +0000
Subject: [PATCH 5/5] Adapt the upforwd test to the SIG(0) removal
Change the check so that update with SIG(0) is expected to fail.
(cherry picked from commit 5f7558f6dbb0527c08caf281299245ab8de268cd)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
bin/tests/system/upforwd/tests.sh | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 9165ba9..89e2241 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -262,10 +262,12 @@ if $FEATURETEST --enable-dnstap; then
fi
if test -f keyname; then
- echo_i "checking update forwarding to with sig0 ($n)"
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
ret=0
keyname=$(cat keyname)
- $NSUPDATE -k $keyname.private -- - <<EOF
+ # SIG(0) is removed, update is expected to fail.
+ {
+ $NSUPDATE -k $keyname.private -- - <<EOF
local 10.53.0.1
server 10.53.0.3 ${PORT}
zone example2
@@ -273,8 +275,9 @@ if test -f keyname; then
update add unsigned.example2. 600 TXT Foo
send
EOF
+ } >nsupdate.out.$n 2>&1 && ret=1
$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 >dig.out.ns1.test$n || ret=1
- grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
+ grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$(expr $status + $ret)
n=$(expr $n + 1)
--
2.40.1


@ -0,0 +1,31 @@
From 63fac0c45a583983847b17d1220dccf13d1cac7e Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 16 Jan 2024 14:25:27 +1100
Subject: [PATCH] Clear qctx->zversion
Clear qctx->zversion when clearing qctx->zrdataset et al in
lib/ns/query.c:qctx_freedata. The uncleared pointer could lead to
an assertion failure if zone data needed to be re-saved which could
happen with stale data support enabled.
(cherry picked from commit 179fb3532ab8d4898ab070b2db54c0ce872ef709)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
lib/ns/query.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 1290c30..ec9bf5b 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5260,6 +5260,7 @@ qctx_freedata(query_ctx_t *qctx) {
ns_client_releasename(qctx->client, &qctx->zfname);
dns_db_detachnode(qctx->zdb, &qctx->znode);
dns_db_detach(&qctx->zdb);
+ qctx->zversion = NULL;
}
if (qctx->event != NULL && !qctx->client->nodetach) {
--
2.40.1


@ -1,19 +1,19 @@
{
"Signatures": {
"generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
"named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
"named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a",
"named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1",
"named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8",
"named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61",
"named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9",
"named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a",
"named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c",
"named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383",
"named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735",
"named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816",
"setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a",
"setup-named-softhsm.sh": "3b243d9e48577acb95a08ae5dd7288c5eec4830bc02bd29b1f1724c497d12864",
"bind-9.16.48.tar.xz": "8d3814582348f90dead1ad410b1019094cd399d3d83930abebb2b3b1eb0b2bbb"
}
"Signatures": {
"bind-9.16.50.tar.xz": "816dbaa3c115019f30fcebd9e8ef8f7637f4adde91c79daa099b035255a15795",
"generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
"named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
"named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a",
"named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1",
"named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8",
"named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61",
"named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9",
"named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a",
"named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c",
"named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383",
"named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735",
"named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816",
"setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a",
"setup-named-softhsm.sh": "3b243d9e48577acb95a08ae5dd7288c5eec4830bc02bd29b1f1724c497d12864"
}
}


@ -9,7 +9,7 @@
Summary: Domain Name System software
Name: bind
Version: 9.16.48
Version: 9.16.50
Release: 1%{?dist}
License: ISC
Vendor: Microsoft Corporation
@ -33,6 +33,9 @@ Source14: setup-named-softhsm.sh
Source15: named-chroot.files
Patch9: bind-9.14-config-pkcs11.patch
Patch10: bind-9.10-dist-native-pkcs11.patch
Patch11: CVE-2024-1737.patch
Patch12: CVE-2024-1975.patch
Patch13: CVE-2024-4076.patch
BuildRequires: gcc
BuildRequires: json-c-devel
@ -234,6 +237,9 @@ cp -r bin/dnssec{,-pkcs11}
cp -r lib/dns{,-pkcs11}
cp -r lib/ns{,-pkcs11}
%patch10 -p1 -b .dist_pkcs11
%patch11 -p1
%patch12 -p1
%patch13 -p1
libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
@ -613,6 +619,10 @@ fi;
%{_mandir}/man8/named-nzd2nzf.8*
%changelog
* Tue Aug 06 2024 Muhammad Falak <mwani@microsoft.com> - 9.16.50-1
- Bump version to 9.16.50
- Introduce patch to address CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076
* Wed Feb 28 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 9.16.48-1
- Auto-upgrade to 9.16.48 - Fix CVE-2023-50387
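Review bot: The changelog entry at the end of the hunk only says the new patches address CVE-2024-1737, CVE-2024-1975 and CVE-2024-4076, but Patch12 (CVE-2024-1975.patch) removes SIG(0) message verification altogether, so SIG(0)-signed dynamic updates that `update-policy` rules and ACL `key` entries previously authenticated are now rejected — the patch's own tests.sh hunks are rewritten to expect the update to fail. That is a user-visible compatibility change rather than a transparent fix and deserves its own changelog line, e.g. `- CVE-2024-1975 fix removes SIG(0) signature verification; SIG(0)-signed requests are no longer authenticated`. The DEBUG(3)-level log message the patch adds in lib/ns/client.c is the only runtime hint of this, so operators will not see it at default log levels.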


@ -0,0 +1,83 @@
From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Fri, 26 May 2023 19:36:58 +0200
Subject: [PATCH 01/19] awk: fix use-after-realloc (CVE-2021-42380), closes
15601
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
editors/awk.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 728ee8685..2af823808 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -555,7 +555,7 @@ struct globals {
const char *g_progname;
int g_lineno;
int nfields;
- int maxfields; /* used in fsrealloc() only */
+ unsigned maxfields;
var *Fields;
char *g_pos;
char g_saved_ch;
@@ -1931,9 +1931,9 @@ static void fsrealloc(int size)
{
int i, newsize;
- if (size >= maxfields) {
- /* Sanity cap, easier than catering for overflows */
- if (size > 0xffffff)
+ if ((unsigned)size >= maxfields) {
+ /* Sanity cap, easier than catering for over/underflows */
+ if ((unsigned)size > 0xffffff)
bb_die_memory_exhausted();
i = maxfields;
@@ -2891,6 +2891,7 @@ static var *evaluate(node *op, var *res)
uint32_t opinfo;
int opn;
node *op1;
+ var *old_Fields_ptr;
opinfo = op->info;
opn = (opinfo & OPNMASK);
@@ -2899,10 +2900,16 @@ static var *evaluate(node *op, var *res)
debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
/* execute inevitable things */
+ old_Fields_ptr = NULL;
if (opinfo & OF_RES1) {
if ((opinfo & OF_REQUIRED) && !op1)
syntax_error(EMSG_TOO_FEW_ARGS);
L.v = evaluate(op1, TMPVAR0);
+ /* Does L.v point to $n variable? */
+ if ((size_t)(L.v - Fields) < maxfields) {
+ /* yes, remember where Fields[] is */
+ old_Fields_ptr = Fields;
+ }
if (opinfo & OF_STR1) {
L.s = getvar_s(L.v);
debug_printf_eval("L.s:'%s'\n", L.s);
@@ -2921,8 +2928,15 @@ static var *evaluate(node *op, var *res)
*/
if (opinfo & OF_RES2) {
R.v = evaluate(op->r.n, TMPVAR1);
- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
- //L.v = NULL;
+ /* Seen in $5=$$5=$0:
+ * Evaluation of R.v ($$5=$0 expression)
+ * made L.v ($5) invalid. It's detected here.
+ */
+ if (old_Fields_ptr) {
+ //if (old_Fields_ptr != Fields)
+ // debug_printf_eval("L.v moved\n");
+ L.v += Fields - old_Fields_ptr;
+ }
if (opinfo & OF_STR2) {
R.s = getvar_s(R.v);
debug_printf_eval("R.s:'%s'\n", R.s);
--
2.46.0


@ -0,0 +1,63 @@
From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Mon, 20 May 2024 17:55:28 +0200
Subject: [PATCH 19/19] awk: fix use after free (CVE-2023-42363)
function old new delta
evaluate 3377 3385 +8
Fixes https://bugs.busybox.net/show_bug.cgi?id=15865
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
editors/awk.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 0981c6735..ff6d6350b 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2981,19 +2981,14 @@ static var *evaluate(node *op, var *res)
/* yes, remember where Fields[] is */
old_Fields_ptr = Fields;
}
- if (opinfo & OF_STR1) {
- L.s = getvar_s(L.v);
- debug_printf_eval("L.s:'%s'\n", L.s);
- }
if (opinfo & OF_NUM1) {
L_d = getvar_i(L.v);
debug_printf_eval("L_d:%f\n", L_d);
}
}
- /* NB: Must get string/numeric values of L (done above)
- * _before_ evaluate()'ing R.v: if both L and R are $NNNs,
- * and right one is large, then L.v points to Fields[NNN1],
- * second evaluate() reallocates and moves (!) Fields[],
+ /* NB: if both L and R are $NNNs, and right one is large,
+ * then at this pint L.v points to Fields[NNN1], second
+ * evaluate() below reallocates and moves (!) Fields[],
* R.v points to Fields[NNN2] but L.v now points to freed mem!
* (Seen trying to evaluate "$444 $44444")
*/
@@ -3013,6 +3008,16 @@ static var *evaluate(node *op, var *res)
debug_printf_eval("R.s:'%s'\n", R.s);
}
}
+ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v
+ * so we must get the string after "old_Fields_ptr" correction
+ * above. Testcase: x = (v = "abc", gsub("b", "X", v));
+ */
+ if (opinfo & OF_RES1) {
+ if (opinfo & OF_STR1) {
+ L.s = getvar_s(L.v);
+ debug_printf_eval("L.s:'%s'\n", L.s);
+ }
+ }
debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
switch (XC(opinfo & OPCLSMASK)) {
--
2.46.0
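Review bot: This is 19/19 of an upstream series applied directly on top of 01/19 (CVE-2021-42380.patch) with 02–18 skipped, so its index line (0981c6735..ff6d6350b) and hunk line numbers (@@ -2981 / @@ -3013) describe a later awk.c than busybox 1.35.0 plus patch 01, and the hunks can only apply by context matching at an offset. The visible context (the `old_Fields_ptr = Fields;` block and the `R.s` debug print) does match what 01/19 produces, and the moved `L.s = getvar_s(L.v)` depends on the `L.v += Fields - old_Fields_ptr;` correction from that patch, so the ordering Patch8 before Patch9 is required; it is worth confirming from the build log that the patch applied without fuzz, e.g. with `%patch9 -p1 -F0`, since a fuzzed apply inside evaluate() would not be caught by the compiler. The enclosing function `evaluate()` starts and ends outside both hunks.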



@ -1,7 +1,7 @@
Summary: Statically linked binary providing simplified versions of system commands
Name: busybox
Version: 1.35.0
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -17,6 +17,10 @@ Patch4: ash-fix-use-after-free-in-pattern-substituon-code.patch
Patch5: ash-fix-use-after-free-in-bash-pattern-substitution.patch
Patch6: selinux-copy-file.patch
Patch7: selinux-cp-a.patch
Patch8: CVE-2021-42380.patch
# Also Fixes CVE-2023-42364
Patch9: CVE-2023-42363.patch
Patch10: CVE-2023-42365.patch
BuildRequires: gcc
BuildRequires: glibc-static >= 2.35-7%{?dist}
BuildRequires: libselinux-devel >= 1.27.7-2
@ -96,6 +100,9 @@ install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.pet
%{_mandir}/man1/busybox.petitboot.1.gz
%changelog
* Tue Aug 13 2024 Suresh Thelkar <sthelkar@microsoft.com> - 1.35.0-11
- Address CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365
* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.35.0-10
- Bump release to rebuild against glibc 2.35-7
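Review bot: The hunk declares Patch8–Patch10 but no corresponding `%patch8`/`%patch9`/`%patch10` lines are visible in this chunk; if the spec's %prep uses `%autosetup -p1` nothing further is needed, otherwise the three patches are declared but never applied and the build would silently produce an unpatched awk while the changelog claims the CVEs are addressed. Please confirm which form %prep uses, and consider placing the `# Also Fixes CVE-2023-42364` comment on the same line as Patch9 so it cannot drift away from the entry it annotates. The CVE-2023-42365.patch diff was suppressed on this page as too large, so its contents could not be reviewed here.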


@ -11,7 +11,7 @@
"README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
"bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
"certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
"certdata.microsoft.txt": "89655788a99b61c94aa18ad060b7e032d3e63b9db1417b1496e767662126c75a",
"certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
"certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
"pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
"trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",


@ -45,7 +45,7 @@ Name: ca-certificates
# When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
Epoch: 1
Version: 2.0.0
Release: 17%{?dist}
Release: 18%{?dist}
License: MPLv2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -324,6 +324,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%{_bindir}/bundle2pem.sh
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.0.0-18
- Updating Microsoft trusted root CAs.
* Mon Apr 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.0.0-17
- Updating Microsoft trusted root CAs.



@ -0,0 +1,110 @@
From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
From: Bhagyashri Pathak <bhapathak@microsoft.com>
Date: Thu, 8 Aug 2024 10:27:21 +0530
Subject: [PATCH] CVE-2024-25620 patch
---
vendor/helm.sh/helm/v3/pkg/chart/metadata.go | 4 ++++
.../helm.sh/helm/v3/pkg/chartutil/errors.go | 8 ++++++++
vendor/helm.sh/helm/v3/pkg/chartutil/save.go | 20 +++++++++++++++++++
.../helm/v3/pkg/lint/rules/chartfile.go | 4 ++++
4 files changed, 36 insertions(+)
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
index ae572ab..3834b4c 100644
--- a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
@@ -16,6 +16,7 @@ limitations under the License.
package chart
import (
+ "path/filepath"
"strings"
"unicode"
@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
if md.Name == "" {
return ValidationError("chart.metadata.name is required")
}
+ if md.Name != filepath.Base(md.Name) {
+ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
+ }
if md.Version == "" {
return ValidationError("chart.metadata.version is required")
}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
index fcdcc27..0a4046d 100644
--- a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
@@ -33,3 +33,11 @@ type ErrNoValue struct {
}
func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
+
+type ErrInvalidChartName struct {
+ Name string
+}
+
+func (e ErrInvalidChartName) Error() string {
+ return fmt.Sprintf("%q is not a valid chart name", e.Name)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
index 2ce4edd..4ee9070 100644
--- a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
// directory, writing the chart's contents to that subdirectory.
func SaveDir(c *chart.Chart, dest string) error {
// Create the chart directory
+ err := validateName(c.Name())
+ if err != nil {
+ return err
+ }
outdir := filepath.Join(dest, c.Name())
if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
return errors.Errorf("file %s already exists and is not a directory", outdir)
@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
}
func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
+ err := validateName(c.Name())
+ if err != nil {
+ return err
+ }
base := filepath.Join(prefix, c.Name())
// Pull out the dependencies of a v1 Chart, since there's no way
@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
_, err := out.Write(body)
return err
}
+
+// If the name has directory name has characters which would change the location
+// they need to be removed.
+func validateName(name string) error {
+ nname := filepath.Base(name)
+
+ if nname != name {
+ return ErrInvalidChartName{name}
+ }
+
+ return nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
index b49f2ce..f8f033c 100644
--- a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
if cf.Name == "" {
return errors.New("name is required")
}
+ name := filepath.Base(cf.Name)
+ if name != cf.Name {
+ return fmt.Errorf("chart name %q is invalid", cf.Name)
+ }
return nil
}
--
2.34.1
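Review bot: `validateName` in the save.go hunk accepts the names `.` and `..` unchanged, because `filepath.Base` returns those strings as-is, so a chart named `..` satisfies `nname != name` and the following `filepath.Join(dest, c.Name())` in `SaveDir` resolves to the parent of `dest`; the `md.Name != filepath.Base(md.Name)` check in the metadata.go hunk has the same gap. Whether a chart with such a name can reach these functions depends on callers outside the hunk, but an explicit rejection is cheap: `if nname != name || name == "." || name == ".." { return ErrInvalidChartName{name} }`. The header comment `If the name has directory name has characters which would change the location` reads as a typo; suggest `Reject a name whose base name differs from the name itself, since separators or path components would change where the chart is written.` If this is a verbatim backport, the hardening and wording are better raised upstream and referenced here rather than diverging locally.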


@ -0,0 +1,81 @@
From 3b68627a36a0682f92acb7fc592dee346b18a22c Mon Sep 17 00:00:00 2001
From: Balakumaran Kannan <kumaran.4353@gmail.com>
Date: Tue, 30 Jul 2024 12:13:03 +0000
Subject: [PATCH] Patch CVE-2024-6104
---
.../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index 57116e9..10a5f70 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -577,9 +577,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil {
switch v := logger.(type) {
case LeveledLogger:
- v.Debug("performing request", "method", req.Method, "url", req.URL)
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
case Logger:
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
}
}
@@ -634,9 +634,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil {
switch v := logger.(type) {
case LeveledLogger:
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
case Logger:
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
}
} else {
// Call this here to maintain the behavior of logging all requests,
@@ -672,7 +672,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
if logger != nil {
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
if resp != nil {
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
}
@@ -728,11 +728,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
// communicate why
if err == nil {
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
- req.Method, req.URL, attempt)
+ req.Method, redactURL(req.URL), attempt)
}
return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
- req.Method, req.URL, attempt, err)
+ req.Method, redactURL(req.URL), attempt, err)
}
// Try to read the response body so we can reuse this connection.
@@ -813,3 +813,17 @@ func (c *Client) StandardClient() *http.Client {
Transport: &RoundTripper{Client: c},
}
}
+
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+func redactURL(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+
+ ru := *u
+ if _, has := ru.User.Password(); has {
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ }
+ return ru.String()
+}
--
2.33.8
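Review bot: `redactURL` masks only the password component of the userinfo, so credentials carried in query parameters or the path are still written to the debug and error logs verbatim; that appears to be the intended scope, but it should be stated on the function so callers do not assume the logged URL is secret-free. A comment such as `// Only the userinfo password is masked; query string and path are logged as-is.` above `func redactURL` would make the scope explicit. The two consecutive blank `+` lines before the function's comment are a style nit. The same points apply to the second CVE-2024-6104.patch (the cri-o copy) later in this commit.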


@ -1,7 +1,7 @@
Summary: Automatically provision and manage TLS certificates in Kubernetes
Name: cert-manager
Version: 1.11.2
Release: 11%{?dist}
Release: 13%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -22,6 +22,8 @@ Source1: %{name}-%{version}-govendor.tar.gz
Patch0: CVE-2023-48795.patch
Patch1: CVE-2023-45288.patch
Patch2: CVE-2024-26147.patch
Patch3: CVE-2024-25620.patch
Patch4: CVE-2024-6104.patch
BuildRequires: golang
Requires: %{name}-acmesolver
Requires: %{name}-cainjector
@ -114,6 +116,12 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
%{_bindir}/webhook
%changelog
* Mon Aug 19 2023 Bala <balakumaran.kannan@microsoft.com> - 1.11.2-13
- Patch for CVE-2024-6104
* Wed Aug 07 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.11.2-12
- Patch for CVE-2024-25620
* Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.11.2-11
- Bump release to rebuild with go 1.21.11
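Review bot: The new changelog entry for 1.11.2-13 is dated `Mon Aug 19 2023`, which is a year earlier than the 1.11.2-12 entry below it and is not a Monday, whereas Aug 19 2024 is, so the year looks like a typo. rpmbuild warns when changelog dates are not in descending order, and the spec checks in this repository may reject it; change the line to `* Mon Aug 19 2024 Bala <balakumaran.kannan@microsoft.com> - 1.11.2-13`.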


@ -0,0 +1,114 @@
From 402e9331a72d543e779898667488a51ad3e3ec13 Mon Sep 17 00:00:00 2001
From: Ksenija Stanojevic <KsenijaS@users.noreply.github.com>
Date: Fri, 9 Feb 2024 13:32:19 -0800
Subject: [PATCH 1/3] feat(azure): Add ProvisionGuestProxyAgent OVF setting
(#4860)
Add ProvisionGuestProxyAgent Boolean configuration setting into the OvfEnv class.
This PR is only logging the value of ProvisionGuestProxyAgent.
---
cloudinit/sources/DataSourceAzure.py | 6 ++++++
cloudinit/sources/helpers/azure.py | 8 ++++++++
tests/unittests/sources/test_azure.py | 15 +++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
index 5a82aa34e..dc2b79a3a 100644
--- a/cloudinit/sources/DataSourceAzure.py
+++ b/cloudinit/sources/DataSourceAzure.py
@@ -1784,6 +1784,12 @@ def read_azure_ovf(contents):
"PreprovisionedVMType: %s" % ovf_env.preprovisioned_vm_type,
logger_func=LOG.info,
)
+
+ cfg["ProvisionGuestProxyAgent"] = ovf_env.provision_guest_proxy_agent
+ report_diagnostic_event(
+ "ProvisionGuestProxyAgent: %s" % ovf_env.provision_guest_proxy_agent,
+ logger_func=LOG.info,
+ )
return (md, ud, cfg)
diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py
index 6e5c1f433..2847a9e53 100644
--- a/cloudinit/sources/helpers/azure.py
+++ b/cloudinit/sources/helpers/azure.py
@@ -1064,6 +1064,7 @@ class OvfEnvXml:
public_keys: Optional[List[dict]] = None,
preprovisioned_vm: bool = False,
preprovisioned_vm_type: Optional[str] = None,
+ provision_guest_proxy_agent: bool = False,
) -> None:
self.username = username
self.password = password
@@ -1073,6 +1074,7 @@ class OvfEnvXml:
self.public_keys: List[dict] = public_keys or []
self.preprovisioned_vm = preprovisioned_vm
self.preprovisioned_vm_type = preprovisioned_vm_type
+ self.provision_guest_proxy_agent = provision_guest_proxy_agent
def __eq__(self, other) -> bool:
return self.__dict__ == other.__dict__
@@ -1216,6 +1218,12 @@ class OvfEnvXml:
"PreprovisionedVMType",
required=False,
)
+ self.provision_guest_proxy_agent = self._parse_property(
+ platform_settings,
+ "ProvisionGuestProxyAgent",
+ default=False,
+ required=False,
+ )
def _parse_ssh_section(self, config_set):
self.public_keys = []
diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py
index 1ddbd3f39..6afde95fd 100644
--- a/tests/unittests/sources/test_azure.py
+++ b/tests/unittests/sources/test_azure.py
@@ -356,6 +356,7 @@ def construct_ovf_env(
disable_ssh_password_auth=None,
preprovisioned_vm=None,
preprovisioned_vm_type=None,
+ provision_guest_proxy_agent=None,
):
content = [
'<?xml version="1.0" encoding="utf-8"?>',
@@ -426,6 +427,11 @@ def construct_ovf_env(
"<ns1:PreprovisionedVMType>%s</ns1:PreprovisionedVMType>"
% preprovisioned_vm_type
)
+ if provision_guest_proxy_agent is not None:
+ content.append(
+ "<ns1:ProvisionGuestProxyAgent>%s</ns1:ProvisionGuestProxyAgent>"
+ % provision_guest_proxy_agent
+ )
content += [
"</ns1:PlatformSettings>",
"</ns1:PlatformSettingsSection>",
@@ -1316,6 +1322,7 @@ scbus-1 on xpt0 bus 0
expected_cfg = {
"PreprovisionedVMType": None,
"PreprovisionedVm": False,
+ "ProvisionGuestProxyAgent": False,
"system_info": {"default_user": {"name": "myuser"}},
}
expected_metadata = {
@@ -2668,6 +2675,14 @@ class TestPreprovisioningReadAzureOvfFlag(CiTestCase):
self.assertTrue(cfg["PreprovisionedVm"])
self.assertEqual("Savable", cfg["PreprovisionedVMType"])
+ def test_read_azure_ovf_with_proxy_guest_agent(self):
+ """The read_azure_ovf method should set ProvisionGuestProxyAgent
+ cfg flag to True."""
+ content = construct_ovf_env(provision_guest_proxy_agent=True)
+ ret = dsaz.read_azure_ovf(content)
+ cfg = ret[2]
+ self.assertTrue(cfg["ProvisionGuestProxyAgent"])
+
@pytest.mark.parametrize(
"ovf_cfg,imds_md,pps_type",
--
2.34.1


@ -0,0 +1,54 @@
From e3ba5800d26065df9ce03ee2ac58ec6f08506423 Mon Sep 17 00:00:00 2001
From: Ksenija Stanojevic <KsenijaS@users.noreply.github.com>
Date: Fri, 5 Apr 2024 16:52:26 -0700
Subject: [PATCH 2/3] feat(azure): parse ProvisionGuestProxyAgent as bool
(#5126)
---
cloudinit/sources/helpers/azure.py | 1 +
tests/unittests/sources/test_azure.py | 12 ++++++++++--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py
index 2847a9e53..165f47429 100644
--- a/cloudinit/sources/helpers/azure.py
+++ b/cloudinit/sources/helpers/azure.py
@@ -1221,6 +1221,7 @@ class OvfEnvXml:
self.provision_guest_proxy_agent = self._parse_property(
platform_settings,
"ProvisionGuestProxyAgent",
+ parse_bool=True,
default=False,
required=False,
)
diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py
index 6afde95fd..255991ec3 100644
--- a/tests/unittests/sources/test_azure.py
+++ b/tests/unittests/sources/test_azure.py
@@ -2675,13 +2675,21 @@ class TestPreprovisioningReadAzureOvfFlag(CiTestCase):
self.assertTrue(cfg["PreprovisionedVm"])
self.assertEqual("Savable", cfg["PreprovisionedVMType"])
- def test_read_azure_ovf_with_proxy_guest_agent(self):
+ def test_read_azure_ovf_with_proxy_guest_agent_true(self):
"""The read_azure_ovf method should set ProvisionGuestProxyAgent
cfg flag to True."""
content = construct_ovf_env(provision_guest_proxy_agent=True)
ret = dsaz.read_azure_ovf(content)
cfg = ret[2]
- self.assertTrue(cfg["ProvisionGuestProxyAgent"])
+ assert cfg["ProvisionGuestProxyAgent"] is True
+
+ def test_read_azure_ovf_with_proxy_guest_agent_false(self):
+ """The read_azure_ovf method should set ProvisionGuestProxyAgent
+ cfg flag to False."""
+ content = construct_ovf_env(provision_guest_proxy_agent=False)
+ ret = dsaz.read_azure_ovf(content)
+ cfg = ret[2]
+ assert cfg["ProvisionGuestProxyAgent"] is False
@pytest.mark.parametrize(
--
2.34.1


@ -0,0 +1,413 @@
From 8932242a65bae5504ba45134091767f215a441fa Mon Sep 17 00:00:00 2001
From: Ksenija Stanojevic <ksenija.stanojevic@gmail.com>
Date: Mon, 15 Jul 2024 18:48:19 -0700
Subject: [PATCH 3/3] feat(azure): add support for azure-proxy-agent
---
cloudinit/sources/DataSourceAzure.py | 40 ++++
cloudinit/sources/azure/errors.py | 19 +-
tests/unittests/sources/test_azure.py | 254 ++++++++++++++++++++++++++
3 files changed, 312 insertions(+), 1 deletion(-)
diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
index dc2b79a3a..c2f74e173 100644
--- a/cloudinit/sources/DataSourceAzure.py
+++ b/cloudinit/sources/DataSourceAzure.py
@@ -483,6 +483,41 @@ class DataSourceAzure(sources.DataSource):
or self._ephemeral_dhcp_ctx.lease is None
)
+ def _check_azure_proxy_agent_status(self) -> None:
+ """Check if azure-proxy-agent is ready for communication with WS/IMDS.
+ If ProvisionGuestProxyAgent is true, query azure-proxy-agent status,
+ waiting up to 120 seconds for the proxy to negotiate with Wireserver
+ and configure an eBPF proxy. Once azure-proxy-agent is ready,
+ it will exit with code 0 and cloud-init can then expect to be able to
+ communicate with these services.
+ Fail deployment if azure-proxy-agent is not found or otherwise returns
+ an error.
+ For more information, check out:
+ https://github.com/azure/guestproxyagent
+ """
+ try:
+ cmd = [
+ "azure-proxy-agent",
+ "--status",
+ "--wait",
+ "120",
+ ]
+ out, err = subp.subp(cmd)
+ report_diagnostic_event(
+ "Running azure-proxy-agent %s resulted"
+ "in stderr output: %s with stdout: %s" % (cmd, err, out),
+ logger_func=LOG.debug,
+ )
+ except subp.ProcessExecutionError as error:
+ if isinstance(error.reason, FileNotFoundError):
+ report_error = errors.ReportableErrorProxyAgentNotFound()
+ self._report_failure(report_error)
+ else:
+ reportable_error = (
+ errors.ReportableErrorProxyAgentStatusFailure(error)
+ )
+ self._report_failure(reportable_error)
+
@azure_ds_telemetry_reporter
def crawl_metadata(self):
"""Walk all instance metadata sources returning a dict on success.
@@ -566,6 +601,11 @@ class DataSourceAzure(sources.DataSource):
imds_md = {}
if self._is_ephemeral_networking_up():
+ # check if azure-proxy-agent is enabled in the ovf-env.xml file.
+ # azure-proxy-agent feature is opt-in and disabled by default.
+ if cfg.get("ProvisionGuestProxyAgent"):
+ self._check_azure_proxy_agent_status()
+
imds_md = self.get_metadata_from_imds(report_failure=True)
if not imds_md and ovf_source is None:
diff --git a/cloudinit/sources/azure/errors.py b/cloudinit/sources/azure/errors.py
index 966725b00..b331cd686 100644
--- a/cloudinit/sources/azure/errors.py
+++ b/cloudinit/sources/azure/errors.py
@@ -12,7 +12,7 @@ from typing import Any, Dict, List, Optional
import requests
-from cloudinit import version
+from cloudinit import subp, version
from cloudinit.sources.azure import identity
from cloudinit.url_helper import UrlError
@@ -151,3 +151,20 @@ class ReportableErrorUnhandledException(ReportableError):
self.supporting_data["exception"] = repr(exception)
self.supporting_data["traceback_base64"] = trace_base64
+
+
+class ReportableErrorProxyAgentNotFound(ReportableError):
+ def __init__(self) -> None:
+ super().__init__(
+ "Unable to activate Azure Guest Proxy Agent."
+ "azure-proxy-agent not found"
+ )
+
+
+class ReportableErrorProxyAgentStatusFailure(ReportableError):
+ def __init__(self, exception: subp.ProcessExecutionError) -> None:
+ super().__init__("azure-proxy-agent status failure")
+
+ self.supporting_data["exit_code"] = exception.exit_code
+ self.supporting_data["stdout"] = exception.stdout
+ self.supporting_data["stderr"] = exception.stderr
diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py
index 255991ec3..9b6672e1e 100644
--- a/tests/unittests/sources/test_azure.py
+++ b/tests/unittests/sources/test_azure.py
@@ -1,6 +1,7 @@
# This file is part of cloud-init. See LICENSE file for license information.
import copy
+import datetime
import json
import os
import stat
@@ -48,6 +49,16 @@ def mock_wrapping_setup_ephemeral_networking(azure_ds):
yield m
+@pytest.fixture
+def mock_wrapping_report_failure(azure_ds):
+ with mock.patch.object(
+ azure_ds,
+ "_report_failure",
+ wraps=azure_ds._report_failure,
+ ) as m:
+ yield m
+
+
@pytest.fixture
def mock_azure_helper_readurl():
with mock.patch(
@@ -253,6 +264,14 @@ def mock_subp_subp():
yield m
+@pytest.fixture
+def mock_timestamp():
+ timestamp = datetime.datetime.utcnow()
+ with mock.patch.object(errors, "datetime", autospec=True) as m:
+ m.utcnow.return_value = timestamp
+ yield timestamp
+
+
@pytest.fixture
def mock_util_ensure_dir():
with mock.patch(
@@ -3672,6 +3691,91 @@ class TestProvisioning:
}
def test_no_pps(self):
+ ovf = construct_ovf_env(provision_guest_proxy_agent=False)
+ md, ud, cfg = dsaz.read_azure_ovf(ovf)
+ self.mock_util_mount_cb.return_value = (md, ud, cfg, {})
+ self.mock_readurl.side_effect = [
+ mock.MagicMock(contents=json.dumps(self.imds_md).encode()),
+ ]
+ self.mock_azure_get_metadata_from_fabric.return_value = []
+
+ self.azure_ds._check_and_get_data()
+
+ assert self.mock_subp_subp.mock_calls == []
+
+ assert self.mock_readurl.mock_calls == [
+ mock.call(
+ "http://169.254.169.254/metadata/instance?"
+ "api-version=2021-08-01&extended=true",
+ timeout=30,
+ headers_cb=imds.headers_cb,
+ exception_cb=mock.ANY,
+ infinite=True,
+ log_req_resp=True,
+ ),
+ ]
+
+ # Verify DHCP is setup once.
+ assert self.mock_wrapping_setup_ephemeral_networking.mock_calls == [
+ mock.call(timeout_minutes=20)
+ ]
+ assert self.mock_net_dhcp_maybe_perform_dhcp_discovery.mock_calls == [
+ mock.call(
+ self.azure_ds.distro,
+ None,
+ dsaz.dhcp_log_cb,
+ )
+ ]
+ assert self.azure_ds._wireserver_endpoint == "10.11.12.13"
+ assert self.azure_ds._is_ephemeral_networking_up() is False
+
+ # Verify DMI usage.
+ assert self.mock_dmi_read_dmi_data.mock_calls == [
+ mock.call("chassis-asset-tag"),
+ mock.call("system-uuid"),
+ ]
+ assert (
+ self.azure_ds.metadata["instance-id"]
+ == "50109936-ef07-47fe-ac82-890c853f60d5"
+ )
+
+ # Verify IMDS metadata.
+ assert self.azure_ds.metadata["imds"] == self.imds_md
+
+ # Verify reporting ready once.
+ assert self.mock_azure_get_metadata_from_fabric.mock_calls == [
+ mock.call(
+ endpoint="10.11.12.13",
+ distro=self.azure_ds.distro,
+ iso_dev="/dev/sr0",
+ pubkey_info=None,
+ )
+ ]
+
+ # Verify netlink.
+ assert self.mock_netlink.mock_calls == []
+
+ # Verify no reported_ready marker written.
+ assert self.wrapped_util_write_file.mock_calls == []
+ assert self.patched_reported_ready_marker_path.exists() is False
+
+ # Verify reports via KVP.
+ assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 0
+ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 0
+ assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
+
+ # Verify dmesg reported via KVP.
+ assert len(self.mock_report_dmesg_to_kvp.mock_calls) == 1
+
+ def test_no_pps_gpa(self):
+ """test full provisioning scope when azure-proxy-agent
+ is enabled and running."""
+ self.mock_subp_subp.side_effect = [
+ subp.SubpResult("Guest Proxy Agent running", ""),
+ ]
+ ovf = construct_ovf_env(provision_guest_proxy_agent=True)
+ md, ud, cfg = dsaz.read_azure_ovf(ovf)
+ self.mock_util_mount_cb.return_value = (md, ud, cfg, {})
self.mock_readurl.side_effect = [
mock.MagicMock(contents=json.dumps(self.imds_md).encode()),
]
@@ -3679,6 +3783,11 @@ class TestProvisioning:
self.azure_ds._check_and_get_data()
+ assert self.mock_subp_subp.mock_calls == [
+ mock.call(
+ ["azure-proxy-agent", "--status", "--wait", "120"],
+ ),
+ ]
assert self.mock_readurl.mock_calls == [
mock.call(
"http://169.254.169.254/metadata/instance?"
@@ -3736,6 +3845,93 @@ class TestProvisioning:
# Verify reports via KVP.
assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 0
+ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 0
+ assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
+
+ def test_no_pps_gpa_fail(self):
+ """test full provisioning scope when azure-proxy-agent is enabled and
+ throwing an exception during provisioning."""
+ self.mock_subp_subp.side_effect = [
+ subp.ProcessExecutionError(
+ cmd=["failed", "azure-proxy-agent"],
+ stdout="test_stdout",
+ stderr="test_stderr",
+ exit_code=4,
+ ),
+ ]
+ ovf = construct_ovf_env(provision_guest_proxy_agent=True)
+ md, ud, cfg = dsaz.read_azure_ovf(ovf)
+ self.mock_util_mount_cb.return_value = (md, ud, cfg, {})
+ self.mock_readurl.side_effect = [
+ mock.MagicMock(contents=json.dumps(self.imds_md).encode()),
+ ]
+ self.mock_azure_get_metadata_from_fabric.return_value = []
+
+ self.azure_ds._check_and_get_data()
+
+ assert self.mock_subp_subp.mock_calls == [
+ mock.call(
+ ["azure-proxy-agent", "--status", "--wait", "120"],
+ ),
+ ]
+ assert self.mock_readurl.mock_calls == [
+ mock.call(
+ "http://169.254.169.254/metadata/instance?"
+ "api-version=2021-08-01&extended=true",
+ timeout=30,
+ headers={"Metadata": "true"},
+ exception_cb=mock.ANY,
+ infinite=True,
+ log_req_resp=True,
+ ),
+ ]
+
+ # Verify DHCP is setup once.
+ assert self.mock_wrapping_setup_ephemeral_networking.mock_calls == [
+ mock.call(timeout_minutes=20)
+ ]
+ assert self.mock_net_dhcp_maybe_perform_dhcp_discovery.mock_calls == [
+ mock.call(
+ self.azure_ds.distro,
+ None,
+ dsaz.dhcp_log_cb,
+ )
+ ]
+ assert self.azure_ds._wireserver_endpoint == "10.11.12.13"
+ assert self.azure_ds._is_ephemeral_networking_up() is False
+
+ # Verify DMI usage.
+ assert self.mock_dmi_read_dmi_data.mock_calls == [
+ mock.call("chassis-asset-tag"),
+ mock.call("system-uuid"),
+ mock.call("system-uuid"),
+ ]
+ assert (
+ self.azure_ds.metadata["instance-id"]
+ == "50109936-ef07-47fe-ac82-890c853f60d5"
+ )
+
+ # Verify IMDS metadata.
+ assert self.azure_ds.metadata["imds"] == self.imds_md
+
+ ### BACKPORT NOTE: 23.3 _will_ report ready later after failure.
+ ### In newer versions there will be no call to report ready after failure.
+ assert self.mock_azure_get_metadata_from_fabric.mock_calls == [
+ mock.call(
+ endpoint="10.11.12.13", iso_dev="/dev/sr0", pubkey_info=None
+ )
+ ]
+
+ # Verify netlink.
+ assert self.mock_netlink.mock_calls == []
+
+ # Verify no reported_ready marker written.
+ assert self.wrapped_util_write_file.mock_calls == []
+ assert self.patched_reported_ready_marker_path.exists() is False
+
+ # Verify reports via KVP.
+ assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 1
+ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 1
assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
def test_running_pps(self):
@@ -4315,6 +4511,64 @@ class TestProvisioning:
assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
+class TestCheckAzureProxyAgent:
+ @pytest.fixture(autouse=True)
+ def proxy_setup(
+ self,
+ azure_ds,
+ mock_subp_subp,
+ caplog,
+ mock_wrapping_report_failure,
+ mock_timestamp,
+ ):
+ self.azure_ds = azure_ds
+ self.mock_subp_subp = mock_subp_subp
+ self.caplog = caplog
+ self.mock_wrapping_report_failure = mock_wrapping_report_failure
+ self.mock_timestamp = mock_timestamp
+
+ def test_check_azure_proxy_agent_status(self):
+ self.mock_subp_subp.side_effect = [
+ subp.SubpResult("Guest Proxy Agent running", ""),
+ ]
+ self.azure_ds._check_azure_proxy_agent_status()
+ assert "Running azure-proxy-agent" in self.caplog.text
+ assert self.mock_wrapping_report_failure.mock_calls == []
+
+ def test_check_azure_proxy_agent_status_notfound(self):
+ exception = subp.ProcessExecutionError(reason=FileNotFoundError())
+ self.mock_subp_subp.side_effect = [
+ exception,
+ ]
+ self.azure_ds._check_azure_proxy_agent_status()
+ assert "azure-proxy-agent not found" in self.caplog.text
+ assert self.mock_wrapping_report_failure.mock_calls == [
+ mock.call(
+ errors.ReportableErrorProxyAgentNotFound(),
+ ),
+ ]
+
+ def test_check_azure_proxy_agent_status_failure(self):
+ exception = subp.ProcessExecutionError(
+ cmd=["failed", "azure-proxy-agent"],
+ stdout="test_stdout",
+ stderr="test_stderr",
+ exit_code=4,
+ )
+ self.mock_subp_subp.side_effect = [
+ exception,
+ ]
+ self.azure_ds._check_azure_proxy_agent_status()
+ assert "azure-proxy-agent status failure" in self.caplog.text
+ assert self.mock_wrapping_report_failure.mock_calls == [
+ mock.call(
+ errors.ReportableErrorProxyAgentStatusFailure(
+ exception=exception
+ ),
+ ),
+ ]
+
+
class TestGetMetadataFromImds:
@pytest.mark.parametrize("report_failure", [False, True])
@pytest.mark.parametrize(
--
2.34.1
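Review bot: Two implicitly concatenated string literals in this patch drop the space between fragments, so the messages read `...resultedin stderr output...` (the `report_diagnostic_event` call in `_check_azure_proxy_agent_status`) and `...Guest Proxy Agent.azure-proxy-agent not found` (`ReportableErrorProxyAgentNotFound.__init__`). Change them to `"Running azure-proxy-agent %s resulted "` and `"Unable to activate Azure Guest Proxy Agent. "` respectively; the tests assert only on substrings, so they would not catch this. Separately, after `self._report_failure(...)` the method falls through and `crawl_metadata` continues to `get_metadata_from_imds`, unless `_report_failure` raises, which is outside this patch; the docstring's `Fail deployment` wording does not make that obvious, and the BACKPORT NOTE in the test suggests it is intentional for 23.3, so a sentence in the docstring saying the failure is reported but metadata crawling proceeds would help the next maintainer.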


@ -5,7 +5,7 @@ Summary: Cloud instance init scripts
Name: cloud-init
Epoch: 1
Version: %{package_version}
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv3
Vendor: Microsoft Corporation
Distribution: Mariner
@ -16,6 +16,9 @@ Source1: 10-azure-kvp.cfg
Patch0: overrideDatasourceDetection.patch
Patch1: exec_cmd_error_handling.patch
Patch2: Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
Patch3: 0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch
Patch4: 0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch
Patch5: 0003-feat-azure-add-support-for-azure-proxy-agent.patch
%define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service
BuildRequires: automake
BuildRequires: dbus
@ -151,6 +154,9 @@ make check %{?_smp_mflags}
%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
%changelog
* Mon July 15 2024 Ksenija Stanojevic <ksstanoj@microsoft.com> - 23.3.3-4
- Add patches to support azure-proxy-agent.
* Wed May 8 2024 Sharath Srikanth Chellappa <sharathsr@microsoft.com> - 1:23.3-3
- Add patch to add network interface renaming support for CAPM3 Met.
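Review bot: The new changelog line `* Mon July 15 2024 Ksenija Stanojevic <ksstanoj@microsoft.com> - 23.3.3-4` spells the month as `July`; as far as I recall rpmbuild's changelog parser matches only the three-letter abbreviations, so this may be reported as a bad date. The previous entry uses `1:23.3-3` while this one uses `23.3.3-4` without the epoch, which also looks inconsistent with `Epoch: 1` and `Version: %{package_version}`; the actual value of `package_version` is not visible here. Suggest `* Mon Jul 15 2024 Ksenija Stanojevic <ksstanoj@microsoft.com> - 1:23.3-4` if the package version is still 23.3, otherwise the real epoch:version-release.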


@ -0,0 +1,78 @@
From def1a172f3a5ac13c3cd5687d2a352262b02e358 Mon Sep 17 00:00:00 2001
From: Zhichun Wan <zhichunwan@microsoft.com>
Date: Fri, 26 Jul 2024 22:30:10 +0000
Subject: [PATCH] patches
---
Utilities/cmcurl/lib/hostip.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/Utilities/cmcurl/lib/hostip.c b/Utilities/cmcurl/lib/hostip.c
index e0e3cfc2..a763ad84 100644
--- a/Utilities/cmcurl/lib/hostip.c
+++ b/Utilities/cmcurl/lib/hostip.c
@@ -72,12 +72,19 @@
#include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
#endif
-#if defined(CURLRES_SYNCH) && \
- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
+#if defined(CURLRES_SYNCH) && \
+ defined(HAVE_ALARM) && \
+ defined(SIGALRM) && \
+ defined(HAVE_SIGSETJMP) && \
+ defined(GLOBAL_INIT_IS_THREADSAFE)
/* alarm-based timeouts can only be used with all the dependencies satisfied */
#define USE_ALARM_TIMEOUT
#endif
+#ifdef USE_ALARM_TIMEOUT
+#include "easy_lock.h"
+#endif
+
#define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
/*
@@ -249,11 +256,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
}
-#ifdef HAVE_SIGSETJMP
+#ifdef USE_ALARM_TIMEOUT
/* Beware this is a global and unique instance. This is used to store the
return address that we can jump back to from inside a signal handler. This
is not thread-safe stuff. */
sigjmp_buf curl_jmpenv;
+curl_simple_lock curl_jmpenv_lock;
#endif
/* lookup address, returns entry if found and not stale */
@@ -640,7 +648,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
static
void alarmfunc(int sig)
{
- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
(void)sig;
siglongjmp(curl_jmpenv, 1);
}
@@ -720,6 +727,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
This should be the last thing we do before calling Curl_resolv(),
as otherwise we'd have to worry about variables that get modified
before we invoke Curl_resolv() (and thus use "volatile"). */
+ curl_simple_lock_lock(&curl_jmpenv_lock);
+
if(sigsetjmp(curl_jmpenv, 1)) {
/* this is coming from a siglongjmp() after an alarm signal */
failf(data, "name lookup timed out");
@@ -788,6 +797,8 @@ clean_up:
#endif
#endif /* HAVE_SIGACTION */
+ curl_simple_lock_unlock(&curl_jmpenv_lock);
+
/* switch back the alarm() to either zero or to what it was before minus
the time we spent until now! */
if(prev_alarm) {
--
2.39.4
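Review bot: The added `defined(GLOBAL_INIT_IS_THREADSAFE)` term in the `USE_ALARM_TIMEOUT` guard means that on a build where the vendored cmcurl does not define that macro, alarm-based resolver timeouts are disabled entirely rather than serialized by the new lock; whether CMake's cmcurl configuration defines it is not visible in this patch, so the commit message (currently just `patches`) should say which case applies and name the upstream curl change this backports. `curl_simple_lock_lock(&curl_jmpenv_lock)` is taken before `sigsetjmp` and released only after the `clean_up` label, so any `return` between those points in `Curl_resolv_timeout`, whose body lies outside the hunk, would leave the lock held; worth confirming against the full function. The guard around `curl_jmpenv` changes from `HAVE_SIGSETJMP` to `USE_ALARM_TIMEOUT`, so `alarmfunc` and any other user of that variable must sit under the same guard, which the hunk does not show.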


@ -2,7 +2,7 @@
Summary: Cmake
Name: cmake
Version: 3.21.4
Release: 10%{?dist}
Release: 11%{?dist}
License: BSD AND LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@ -20,6 +20,7 @@ Patch5: CVE-2023-35945.patch
Patch6: CVE-2023-38545.patch
Patch7: CVE-2023-38546.patch
Patch8: cve-2023-44487.patch
Patch9: CVE-2023-28320.patch
BuildRequires: bzip2
BuildRequires: bzip2-devel
BuildRequires: curl
@ -85,6 +86,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
%{_prefix}/doc/%{name}-*/*
%changelog
* Fri Jul 26 2024 Zhichun Wan <zhichunwan@microsoft.com> - 3.21.4-11
- Patch CVE-2023-28320.patch
* Thu Oct 19 2023 Dan Streetman <ddstreet@ieee.org> - 3.21.4-10
- Patch vendored nghttp2 for CVE-2023-44487


@ -0,0 +1,76 @@
From ab64e79170aea240fa050a929b52607d72c62c9e Mon Sep 17 00:00:00 2001
From: Balakumaran Kannan <kumaran.4353@gmail.com>
Date: Thu, 1 Aug 2024 07:01:21 +0000
Subject: [PATCH] Patch CVE-2024-6104
---
.../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++-----
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index 7bfa759..aead5e1 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil {
switch v := logger.(type) {
case Logger:
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
case LeveledLogger:
- v.Debug("performing request", "method", req.Method, "url", req.URL)
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
}
}
@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil {
switch v := logger.(type) {
case Logger:
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
case LeveledLogger:
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
}
} else {
// Call this here to maintain the behavior of logging all requests,
@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
}
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
if code > 0 {
desc = fmt.Sprintf("%s (status: %d)", desc, code)
}
@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
}
c.HTTPClient.CloseIdleConnections()
return nil, fmt.Errorf("%s %s giving up after %d attempts",
- req.Method, req.URL, c.RetryMax+1)
+ req.Method, redactURL(req.URL), c.RetryMax+1)
}
// Try to read the response body so we can reuse this connection.
@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) {
func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) {
return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
}
+
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+func redactURL(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+
+ ru := *u
+ if _, has := ru.User.Password(); has {
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ }
+ return ru.String()
+}
--
2.33.8


@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
# Define macros for further referenced sources
Name: cri-o
Version: 1.22.3
Release: 5%{?dist}
Release: 6%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -66,6 +66,7 @@ Patch10: CVE-2024-21626.patch
Patch11: CVE-2024-3154.patch
Patch12: CVE-2024-3727.patch
Patch13: CVE-2021-43565.patch
Patch14: CVE-2024-6104.patch
BuildRequires: btrfs-progs-devel
BuildRequires: device-mapper-devel
BuildRequires: fdupes
@ -218,6 +219,9 @@ mkdir -p /opt/cni/bin
%{_fillupdir}/sysconfig.kubelet
%changelog
* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 1.22.3-6
- Patch CVE-2024-6104
* Mon Jul 22 2024 Archana Choudhary <archana1@microsoft.com> - 1.22.3-5
- Patch CVE-2021-43565
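Review bot: Adding `Patch14: CVE-2024-6104.patch` only takes effect if the `%prep` section, which is outside this hunk, applies numbered patches (`%autosetup -p1` or `%autopatch -p1`); the influxdb spec in this same commit had to switch from `%autosetup -a 1` to `%autosetup -p1 -a 1` for the identical patch, so it is worth confirming from the build log that cri-o's `%prep` already does so. The patch itself targets `vendor/github.com/hashicorp/go-retryablehttp/client.go`, so it is also worth confirming that cri-o 1.22.3 vendors that module at a revision where the hunks apply without fuzz, since a rejected hunk would leave the release bump claiming a fix it does not contain.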


@ -0,0 +1,431 @@
From 23a4652346fb2877d6246b1eebaa967969dbde16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 29 Jan 2024 16:36:30 +0100
Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
Mark the infrastructure RRTypes as "priority" types and place them at
the beginning of the rdataslab header data graph. The non-priority
types either go right after the priority types (if any).
(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
---
bind/bind-9.11.36/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++--
1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 3ee1876..3d76ca1 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -1164,6 +1164,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
isc_heap_decreased(heap, header->heap_index);
}
+static bool
+prio_type(rbtdb_rdatatype_t type) {
+ switch (type) {
+ case dns_rdatatype_soa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ case dns_rdatatype_a:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_aaaa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ case dns_rdatatype_nsec:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
+ case dns_rdatatype_nsec3:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
+ case dns_rdatatype_ns:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
+ case dns_rdatatype_ds:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ case dns_rdatatype_cname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ return (true);
+ }
+ return (false);
+}
+
/*%
* These functions allow the heap code to rank the priority of each
* element. It returns true if v1 happens "sooner" than v2.
@@ -6176,6 +6200,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
{
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+ rdatasetheader_t *prioheader = NULL;
unsigned char *merged;
isc_result_t result;
bool header_nx;
@@ -6317,6 +6342,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
+ if (prio_type(topheader->type)) {
+ prioheader = topheader;
+ }
if (topheader->type == newheader->type ||
topheader->type == negtype)
break;
@@ -6672,9 +6700,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
/*
* No rdatasets of the given type exist at the node.
*/
- newheader->next = rbtnode->data;
newheader->down = NULL;
- rbtnode->data = newheader;
+
+ if (prio_type(newheader->type)) {
+ /* This is a priority type, prepend it */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ } else if (prioheader != NULL) {
+ /* Append after the priority headers */
+ newheader->next = prioheader->next;
+ prioheader->next = newheader;
+ } else {
+ /* There were no priority headers */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ }
}
}
---
From b9b5485b22c364fb88c27aa04bad4c8f616da3fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 1 Mar 2024 08:26:07 +0100
Subject: [PATCH 1/2] Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.
The fix for end-of-life branches make the limit compile-time only for
simplicity and the limit can be changed at the compile time by adding
following define to CFLAGS:
-DDNS_RDATASET_MAX_RECORDS=<limit>
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
(cherry picked from commit 7f705778af729ada7fec36ac4b456c73329bd996)
---
bind/bind-9.11.36/configure | 2 +-
bind/bind-9.11.36/configure.ac | 2 +-
bind/bind-9.11.36/lib/dns/rbtdb.c | 17 +++++++++++++++++
bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++
4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
index 368112f..8e881e3 100755
--- a/bind/bind-9.11.36/configure
+++ b/bind/bind-9.11.36/configure
@@ -12185,7 +12185,7 @@ fi
XTARGETS=
case "$enable_developer" in
yes)
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
index 030c4d7..0eab441 100644
--- a/bind/bind-9.11.36/configure.ac
+++ b/bind/bind-9.11.36/configure.ac
@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
XTARGETS=
case "$enable_developer" in
yes)
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 3d76ca1..0cfef36 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -6190,6 +6190,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
+#ifndef DNS_RBTDB_MAX_RTYPES
+#define DNS_RBTDB_MAX_RTYPES 100
+#endif /* DNS_RBTDB_MAX_RTYPES */
+
/*
* write lock on rbtnode must be held.
*/
@@ -6210,6 +6214,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
+ uint32_t ntypes;
/*
* Add an rdatasetheader_t to a node.
@@ -6272,6 +6277,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
set_ttl(rbtdb, topheader, 0);
mark_stale_header(rbtdb, topheader);
}
+ ntypes = 0;
goto find_header;
}
/*
@@ -6293,9 +6299,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* check for an extant non-stale NODATA ncache
* entry which covers the same type as the RRSIG.
*/
+ ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
+ ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6339,9 +6347,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
}
+ ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
+ ntypes++;
if (prio_type(topheader->type)) {
prioheader = topheader;
}
@@ -6700,6 +6710,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
/*
* No rdatasets of the given type exist at the node.
*/
+
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ return (ISC_R_QUOTA);
+ }
+
newheader->down = NULL;
if (prio_type(newheader->type)) {
diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c
index b0f77b1..347b7d2 100644
--- a/bind/bind-9.11.36/lib/dns/rdataslab.c
+++ b/bind/bind-9.11.36/lib/dns/rdataslab.c
@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
}
#endif
+#ifndef DNS_RDATASET_MAX_RECORDS
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen)
@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
if (nitems > 0xffff)
return (ISC_R_NOSPACE);
@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif
INSIST(ocount > 0 && ncount > 0);
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
#if DNS_RDATASET_FIXED
oncount = ncount;
#endif
--
From 3e0a67e4bdb253dae3a03a45c1aa117239a3313d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: [PATCH 1/2] Expand the list of the priority types
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
---
bind/bind-9.11.36/lib/dns/rbtdb.c | 75 ++++++++++++++++++++++++++-----
1 file changed, 64 insertions(+), 11 deletions(-)
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 0cfef36..7ab4869 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -1171,6 +1171,8 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
case dns_rdatatype_a:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_mx:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
case dns_rdatatype_aaaa:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
case dns_rdatatype_nsec:
@@ -1183,6 +1185,18 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
case dns_rdatatype_cname:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ case dns_rdatatype_dname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
+ case dns_rdatatype_dnskey:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
+ case dns_rdatatype_srv:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
+ case dns_rdatatype_txt:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
+ case dns_rdatatype_ptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
+ case dns_rdatatype_naptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
return (true);
}
return (false);
@@ -6194,6 +6208,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
#define DNS_RBTDB_MAX_RTYPES 100
#endif /* DNS_RBTDB_MAX_RTYPES */
+static bool
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ UNUSED(rbtdb);
+
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
+ return (false);
+ }
+
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+}
+
+static bool
+prio_header(rdatasetheader_t *header) {
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
+ return (true);
+ }
+
+ return (prio_type(header->type));
+}
+
/*
* write lock on rbtnode must be held.
*/
@@ -6204,7 +6238,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
{
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
- rdatasetheader_t *prioheader = NULL;
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
unsigned char *merged;
isc_result_t result;
bool header_nx;
@@ -6214,7 +6248,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
- uint32_t ntypes;
+ uint32_t ntypes = 0;
/*
* Add an rdatasetheader_t to a node.
@@ -6277,7 +6311,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
set_ttl(rbtdb, topheader, 0);
mark_stale_header(rbtdb, topheader);
}
- ntypes = 0;
goto find_header;
}
/*
@@ -6299,11 +6332,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* check for an extant non-stale NODATA ncache
* entry which covers the same type as the RRSIG.
*/
- ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
- ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6347,12 +6378,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
}
- ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
- ntypes++;
- if (prio_type(topheader->type)) {
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
+ ++ntypes;
+ expireheader = topheader;
+ } else if (!IS_CACHE(rbtdb)) {
+ ++ntypes;
+ }
+ if (prio_header(topheader)) {
prioheader = topheader;
}
if (topheader->type == newheader->type ||
@@ -6710,8 +6745,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
/*
* No rdatasets of the given type exist at the node.
*/
-
- if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
return (ISC_R_QUOTA);
@@ -6719,7 +6753,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader->down = NULL;
- if (prio_type(newheader->type)) {
+ if (prio_header(newheader)) {
/* This is a priority type, prepend it */
newheader->next = rbtnode->data;
rbtnode->data = newheader;
@@ -6732,6 +6766,25 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader->next = rbtnode->data;
rbtnode->data = newheader;
}
+
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ if (expireheader == NULL) {
+ expireheader = newheader;
+ }
+ if (NEGATIVE(newheader) &&
+ !prio_header(newheader))
+ {
+ /*
+ * Add the new non-priority negative
+ * header to the database only
+ * temporarily.
+ */
+ expireheader = newheader;
+ }
+
+ set_ttl(rbtdb, expireheader, 0);
+ mark_stale_header(rbtdb, expireheader);
+ }
}
}
--
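Review bot: The second patch in this file returns `DNS_R_TOOMANYRECORDS` from `dns_rdataslab_fromrdataset` and `dns_rdataslab_merge`, but its diffstat lists only `configure`, `configure.ac`, `rbtdb.c` and `rdataslab.c`, so unless that result code is already declared in the bundled bind 9.11.36 (`lib/dns/include/dns/result.h` and the matching text table in `result.c`) the library will not compile; this deserves a check against the dhcp build log rather than an assumption. Both the second and third patches are labelled `[PATCH 1/2]` with no `2/2` present in the file; if the second halves were intentionally dropped for this backport, a one-line comment near the top of the file saying so (and why) would save the next person rebasing it from hunting for them. Note that the `DNS_RDATASET_MAX_RECORDS` and `DNS_RBTDB_MAX_RTYPES` defaults of 100 are compile-time only per the patch description, so an operator who hits `ISC_R_QUOTA` or `DNS_R_TOOMANYRECORDS` on a legitimately large RRset has no runtime knob; documenting the chosen limits in the dhcp spec changelog would make that trade-off visible.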


@ -0,0 +1,251 @@
From 9dc5c3709ffcfa3b9c8ba81fd28baebafe097f44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 16 May 2024 12:10:41 +0200
Subject: Remove support for SIG(0) message verification
(cherry picked from commit 857fd5c346e3309ee8e280c29174b46579af5a13)
---
bind/bind-9.11.36/bin/named/client.c | 6 ++
.../bin/tests/system/tsiggss/authsock.pl | 5 +
.../bin/tests/system/tsiggss/clean.sh | 2 +-
.../bin/tests/system/tsiggss/tests.sh | 12 ++-
.../bin/tests/system/upforwd/tests.sh | 8 +-
bind/bind-9.11.36/lib/dns/message.c | 94 ++-----------------
6 files changed, 32 insertions(+), 95 deletions(-)
diff --git a/bind/bind-9.11.36/bin/named/client.c b/bind/bind-9.11.36/bin/named/client.c
index 15fcfcd..761d72a 100644
--- a/bind/bind-9.11.36/bin/named/client.c
+++ b/bind/bind-9.11.36/bin/named/client.c
@@ -3012,6 +3012,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is signed by a nonauthoritative key");
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
+ client->message->sig0 != NULL) {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request has a SIG(0) signature but its support "
+ "was removed (CVE-2024-1975)");
} else {
char tsigrcode[64];
isc_buffer_t b;
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
index ab3833d..0b231ee 100644
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
@@ -31,6 +31,10 @@ if (!defined($path)) {
exit(1);
}
+# Enable output autoflush so that it's not lost when the parent sends TERM.
+select STDOUT;
+$| = 1;
+
unlink($path);
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
die "unable to create socket $path";
@@ -53,6 +57,7 @@ if ($timeout != 0) {
}
while (my $client = $server->accept()) {
+ printf("accept()\n");
$client->recv(my $buf, 8, 0);
my ($version, $req_len) = unpack('N N', $buf);
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh
index d9fae68..67b8c3e 100644
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh
@@ -19,7 +19,7 @@ rm -f ns1/_default.tsigkeys
rm -f */named.memstats
rm -f */named.conf
rm -f */named.run
-rm -f authsock.pid
+rm -f authsock.log authsock.pid
rm -f ns1/core
rm -f nsupdate.out*
rm -f ns*/named.lock
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
index 456ce61..9b55e82 100644
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
@@ -116,7 +116,7 @@ status=$((status+ret))
echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
sleep 1
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n+1))
@@ -130,17 +130,19 @@ n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
-echo_i "testing external policy with SIG(0) key ($n)"
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
ret=0
-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
+debug
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
output=`$DIG $DIGOPTS +short cname fred.example.nil.`
-[ -n "$output" ] || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
+# update must have failed - SIG(0) signer is not supported
+[ -n "$output" ] && ret=1
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
diff --git a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
index 1cf8d3b..7110ea5 100644
--- a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
@@ -177,9 +177,10 @@ n=`expr $n + 1`
if test -f keyname
then
- echo_i "checking update forwarding to with sig0 ($n)"
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
ret=0
keyname=`cat keyname`
+ # SIG(0) is removed, update is expected to fail.
$NSUPDATE -k $keyname.private -- - <<EOF
server 10.53.0.3 ${PORT}
zone example2
@@ -187,8 +188,9 @@ then
update add unsigned.example2. 600 TXT Foo
send
EOF
- $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+ >nsupdate.out.$n 2>&1 && ret=1
+ $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n || ret=1
+ grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
diff --git a/bind/bind-9.11.36/lib/dns/message.c b/bind/bind-9.11.36/lib/dns/message.c
index 2812ab5..48814ce 100644
--- a/bind/bind-9.11.36/lib/dns/message.c
+++ b/bind/bind-9.11.36/lib/dns/message.c
@@ -3214,102 +3214,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
- isc_buffer_t b, msgb;
+ isc_buffer_t msgb;
REQUIRE(DNS_MESSAGE_VALID(msg));
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
return (ISC_R_SUCCESS);
+ }
INSIST(msg->saved.base != NULL);
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
isc_buffer_add(&msgb, msg->saved.length);
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
#ifdef SKAN_MSG_DEBUG
- dns_message_dumpsig(msg, "dns_message_checksig#1");
-#endif
- if (view != NULL)
- return (dns_view_checksig(view, &msgb, msg));
- else
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
+#endif /* ifdef SKAN_MSG_DEBUG */
+ if (view != NULL) {
+ return (dns_view_checksig(view, &msgb, msg));
} else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- dns_rdataset_t keyset;
- isc_result_t result;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- /*
- * This can occur when the message is a dynamic update, since
- * the rdata length checking is relaxed. This should not
- * happen in a well-formed message, since the SIG(0) is only
- * looked for in the additional section, and the dynamic update
- * meta-records are in the prerequisite and update sections.
- */
- if (rdata.length == 0)
- return (ISC_R_UNEXPECTEDEND);
-
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_rdataset_init(&keyset);
- if (view == NULL)
- return (DNS_R_KEYUNAUTHORIZED);
- result = dns_view_simplefind(view, &sig.signer,
- dns_rdatatype_key /* SIG(0) */,
- 0, 0, false, &keyset, NULL);
-
- if (result != ISC_R_SUCCESS) {
- /* XXXBEW Should possibly create a fetch here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- } else if (keyset.trust < dns_trust_secure) {
- /* XXXBEW Should call a validator here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_rdataset_first(&keyset);
- INSIST(result == ISC_R_SUCCESS);
- for (;
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset))
- {
- dst_key_t *key = NULL;
-
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&keyset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
-
- result = dst_key_fromdns(&sig.signer, rdata.rdclass,
- &b, view->mctx, &key);
- if (result != ISC_R_SUCCESS)
- continue;
- if (dst_key_alg(key) != sig.algorithm ||
- dst_key_id(key) != sig.keyid ||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
- {
- dst_key_free(&key);
- continue;
- }
- result = dns_dnssec_verifymessage(&msgb, msg, key);
- dst_key_free(&key);
- if (result == ISC_R_SUCCESS)
- break;
- }
- if (result == ISC_R_NOMORE)
- result = DNS_R_KEYUNAUTHORIZED;
-
- freesig:
- if (dns_rdataset_isassociated(&keyset))
- dns_rdataset_disassociate(&keyset);
- dns_rdata_freestruct(&sig);
- return (result);
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
}
}
--
2.25.1
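Review bot: With the rewritten early return in `dns_message_checksig` — `if (msg->tsigkey == NULL && msg->tsig == NULL) { return (ISC_R_SUCCESS); }` — a message carrying only a SIG(0) and no TSIG now reports success without any verification and is processed as unsigned, so the new `result == DNS_R_NOTVERIFIEDYET && client->message->sig0 != NULL` branch added in `client_request` appears unreachable through this function unless some other 9.11 path returns that code. That is fail-safe for update authorization (the tests here expect the update to be refused and the signer never to reach the auth socket), but the debug log announcing the removed feature will likely never fire, so operators may not notice clients still sending SIG(0)-signed updates. If surfacing that is the intent, returning `DNS_R_NOTVERIFIEDYET` from the early block when `msg->sig0 != NULL` would make the client.c branch live; otherwise the branch could be dropped as dead code. The enclosing `dns_message_checksig` is shown in full, but `client_request` extends outside the hunk.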


@ -1,7 +1,7 @@
Summary: Dynamic host configuration protocol
Name: dhcp
Version: 4.4.3.P1
Release: 1%{?dist}
Release: 2%{?dist}
License: MPLv2.0
Url: https://www.isc.org/dhcp/
Source0: https://downloads.isc.org/isc/dhcp/4.4.3-P1/dhcp-4.4.3-P1.tar.gz
@ -9,6 +9,13 @@ Group: System Environment/Base
Vendor: Microsoft Corporation
Distribution: Azure Linux
BuildRequires: systemd
Patch0: CVE-2022-38177.patch
Patch1: CVE-2022-38178.patch
Patch2: CVE-2022-2795.patch
Patch3: CVE-2023-2828.patch
Patch4: CVE-2024-1737.patch
Patch5: CVE-2024-1975.patch
%description
The ISC DHCP package contains both the client and server programs for DHCP. dhclient (the client) is used for connecting to a network which uses DHCP to assign network addresses. dhcpd (the server) is used for assigning network addresses on private networks
@ -38,7 +45,13 @@ The ISC DHCP Client, dhclient, provides a means for configuring one or more netw
%prep
%autosetup -p1 -n dhcp-4.4.3-P1
%setup -q -n dhcp-4.4.3-P1
# Extracting bundled 'bind' to allow some of the patches to modify it.
tar -C bind -xf bind/bind.tar.gz
ln -s bind/bind-9* bind_ln
%autopatch -p1
%build -n dhcp-4.4.3-P1
CFLAGS="$CFLAGS \
@ -169,6 +182,10 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/
%{_mandir}/man8/dhclient.8.gz
%changelog
* Mon Jul 29 2024 Sumedh Sharma <sumsharma@microsoft.com> - 4.4.3-P1-2
- Add patch for CVE-2024-1737 & CVE-2024-1975 in bundled bind-9
- Apply old patches meant for bundled bind-9
* Wed Jun 19 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 4.4.3-P1-1
- Auto-upgrade to 4.4.3-P1 - CVE-2022-2928, CVE-2022-2929
- Updating spec to match 3.0
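Review bot: The rewritten `%prep` extracts `bind/bind.tar.gz` and patches the resulting `bind/bind-9*` tree, but it is not visible here whether dhcp's bundled-bind Makefile builds that directory as-is or re-extracts `bind/bind.tar.gz` at build time; if it re-extracts, the CVE-2024-1737 and CVE-2024-1975 patches are silently discarded and the release claims fixes it does not ship, so the build log should be checked for a second extraction. `ln -s bind/bind-9* bind_ln` depends on the glob matching exactly one directory and on something in the build consuming `bind_ln`; none of the patches listed in this hunk reference it (they patch `bind/bind-9.11.36/...` directly), so a comment such as `# bind_ln is consumed by <consumer>` or removal of the link would clarify intent. `%setup -q -n dhcp-4.4.3-P1` followed by `%autopatch -p1` is fine, but since `%setup` without `-p1` no longer applies patches, the changelog line "Apply old patches meant for bundled bind-9" is the only indication that Patch0–Patch3 were previously unapplied; a `# Patches are applied by %autopatch after bind is unpacked` comment above `%autopatch` would make that explicit.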


@ -0,0 +1,48 @@
From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 31 Jul 2024 08:35:14 +0300
Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
TLV value
```
0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
6 0xe0d12c83712c in abort stdlib/abort.c:79:7
7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 2ed49935e52b..ac5d08b6fe6e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
args->total);
}
+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
+ }
+
/* alloc and copy sub-tlv */
/* TBD make sure these are freed when attributes are released */
tlv = XCALLOC(MTYPE_ENCAP_TLV,


@ -1,6 +1,6 @@
{
"Signatures": {
"frr-8.5.3.tar.gz": "5f0d9e47e2621ad01307764df8a228ed0a4ae18f58e8912d638cb8db2c072d78",
"frr-8.5.5.tar.gz": "efa3a834c4fae6de9144a20d16f3ef5f0aa66f5b171f168413eec725ce269d5f",
"frr-sysusers.conf": "c6f5a54402aa5f11e21dac3bd0e6cdeadfbf7937e9b34775b5fd368a9ca96fa4",
"frr-tmpfiles.conf": "edd7b01b11f2be66bb6b4531496d1eaf6536add9f4b549c659b27f5a32cdc512"
}


@ -2,8 +2,8 @@
Summary: Routing daemon
Name: frr
Version: 8.5.3
Release: 6%{?dist}
Version: 8.5.5
Release: 2%{?dist}
License: GPL-2.0-or-later
Vendor: Microsoft Corporation
Distribution: Mariner
@ -16,11 +16,7 @@ Patch1: 0001-enable-openssl.patch
Patch2: 0002-disable-eigrp-crypto.patch
Patch3: 0003-fips-mode.patch
Patch4: 0004-remove-grpc-test.patch
Patch5: CVE-2023-46752.patch
Patch6: CVE-2023-46753.patch
Patch7: CVE-2023-47235.patch
Patch8: CVE-2023-47234.patch
Patch9: CVE-2024-34088.patch
Patch5: CVE-2024-44070.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
@ -202,6 +198,13 @@ rm tests/lib/*grpc*
%{_sysusersdir}/%{name}.conf
%changelog
* Wed Aug 21 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 8.5.5-2
- Patch CVE-2024-44070
* Tue Aug 06 2024 Sumedh Sharma <sumsharma@microsoft.com> - 8.5.5-1
- Bump version to fix CVE-2024-31950 & CVE-2024-31951
- Remove patches present in sources
* Fri May 03 2024 Henry Beberman <henry.beberman@microsoft.com> - 8.5.3-6
- Patch CVE-2024-34088
- Remove CVE-2024-27913 patch since it's replaced by the CVE-2024-34088 patch
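Review bot: Five CVE patches (CVE-2023-46752, CVE-2023-46753, CVE-2023-47234, CVE-2023-47235, CVE-2024-34088) are dropped on the strength of the changelog line "Remove patches present in sources"; the hunk gives no evidence for that, so it is worth recording in the 8.5.5-1 changelog entry which upstream release notes or commits were checked, especially for CVE-2024-34088, which this package only patched locally in May 2024 and which may post-date the 8.5.5 tarball. Reusing the `Patch5` slot for `CVE-2024-44070.patch` is fine functionally, but keeping the number monotonic (e.g. `Patch10`) would make the history of applied patches easier to follow in diffs. The new patch references `bgpd/bgp_attr.c` directly rather than a vendored path, so `%autosetup -p1` (outside this hunk) should apply it without fuzz.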


@ -7,6 +7,6 @@
"hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
"hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
"hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
}
}


@ -8,7 +8,7 @@
%global udev_prefix 70
Summary: Hyper-V daemons suite
Name: hyperv-daemons
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
@ -219,6 +219,9 @@ fi
%{_sbindir}/lsvmbus
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2


@ -0,0 +1,76 @@
From 11d1dffc2525be8ec078bfb0af61e02c0abfda0f Mon Sep 17 00:00:00 2001
From: Balakumaran Kannan <kumaran.4353@gmail.com>
Date: Thu, 1 Aug 2024 08:17:06 +0000
Subject: [PATCH] Patch CVE-2024-6104
---
.../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++-----
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index 7bfa759..aead5e1 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil {
switch v := logger.(type) {
case Logger:
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
case LeveledLogger:
- v.Debug("performing request", "method", req.Method, "url", req.URL)
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
}
}
@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil {
switch v := logger.(type) {
case Logger:
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
case LeveledLogger:
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
}
} else {
// Call this here to maintain the behavior of logging all requests,
@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
}
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
if code > 0 {
desc = fmt.Sprintf("%s (status: %d)", desc, code)
}
@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
}
c.HTTPClient.CloseIdleConnections()
return nil, fmt.Errorf("%s %s giving up after %d attempts",
- req.Method, req.URL, c.RetryMax+1)
+ req.Method, redactURL(req.URL), c.RetryMax+1)
}
// Try to read the response body so we can reuse this connection.
@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) {
func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) {
return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
}
+
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+func redactURL(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+
+ ru := *u
+ if _, has := ru.User.Password(); has {
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ }
+ return ru.String()
+}
--
2.33.8
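Review bot: The patch carries no provenance beyond the one-line `Subject: [PATCH] Patch CVE-2024-6104`; since this is a hand-applied backport of the upstream go-retryablehttp fix into a vendored copy, the patch body should name the upstream commit or release it was taken from so the next rebase can verify it (the same applies to the identical patch added for keda further down). `redactURL` masks only the userinfo password, as upstream does; a secret carried in the query string or path still reaches the log at the `[DEBUG]` and `[ERR]` lines, which deserves a sentence in the patch description so nobody reads this as full URL sanitisation. The nil-`User` case is safe because net/url's `Userinfo` methods accept a nil receiver, so no extra guard is needed. The two consecutive blank lines before the `// Taken from url.URL#Redacted()` comment would be collapsed by gofmt; one is enough.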


@ -18,7 +18,7 @@
Summary: Scalable datastore for metrics, events, and real-time analytics
Name: influxdb
Version: 2.6.1
Release: 14%{?dist}
Release: 15%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -55,6 +55,7 @@ Source3: influxdb.service
Source4: influxdb.tmpfiles
Source5: config.yaml
Source6: influxdb-user.conf
Patch0: CVE-2024-6104.patch
BuildRequires: clang
BuildRequires: golang <= 1.18.8
BuildRequires: kernel-headers
@ -84,7 +85,7 @@ Conflicts: influxdb
Go sources and other development files for InfluxDB
%prep
%autosetup -a 1
%autosetup -p1 -a 1
mkdir -pv static
tar -xf %{SOURCE2} -C static/ --no-same-owner
@ -144,6 +145,9 @@ go test ./...
%{_tmpfilesdir}/influxdb.conf
%changelog
* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.6.1.15
- Fix CVE 2024-6104 by patching vendor packages
* Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.6.1-14
- Bump release to rebuild with go 1.21.11
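Review bot: The new changelog header `* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.6.1.15` uses a dotted version-release; it should read `- 2.6.1-15` to match `Release: 15%{?dist}` and the `2.6.1-14` entry below it, otherwise changelog-versus-release consistency checks flag the spec. The `%autosetup -p1 -a 1` change is consistent with the patch targeting `vendor/...` paths, which exist only after Source1 is unpacked; `-a` extracts after the cd and before patches are applied, so the order holds. Consider naming the upstream go-retryablehttp fix in the changelog line as well, so the CVE linkage is traceable without opening the patch.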


@ -0,0 +1,83 @@
From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 10 Jan 2024 13:41:39 -0800
Subject: [PATCH] http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process
all HEADERS and CONTINUATION frames on a connection.
When a request's headers exceed MaxHeaderBytes, we don't
allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of data, all associated
with a request which is going to be rejected.
Set a limit on the amount of excess header frames we
will process before closing a connection.
Thanks to Bartek Nowotarski for reporting this issue.
Fixes CVE-2023-45288
Fixes golang/go#65051
Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index c1f6b90..175c154 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
if size > remainSize {
hdec.SetEmitEnabled(false)
mh.Truncated = true
+ remainSize = 0
return
}
remainSize -= size
@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
var hc headersOrContinuation = hf
for {
frag := hc.HeaderBlockFragment()
+
+ // Avoid parsing large amounts of headers that we will then discard.
+ // If the sender exceeds the max header list size by too much,
+ // skip parsing the fragment and close the connection.
+ //
+ // "Too much" is either any CONTINUATION frame after we've already
+ // exceeded the max header list size (in which case remainSize is 0),
+ // or a frame whose encoded size is more than twice the remaining
+ // header list bytes we're willing to accept.
+ if int64(len(frag)) > int64(2*remainSize) {
+ if VerboseLogs {
+ log.Printf("http2: header list too large")
+ }
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
+ // but the struture of the server's frame writer makes this difficult.
+ return nil, ConnectionError(ErrCodeProtocol)
+ }
+
+ // Also close the connection after any CONTINUATION frame following an
+ // invalid header, since we stop tracking the size of the headers after
+ // an invalid one.
+ if invalid != nil {
+ if VerboseLogs {
+ log.Printf("http2: invalid header: %v", invalid)
+ }
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
+ // but the struture of the server's frame writer makes this difficult.
+ return nil, ConnectionError(ErrCodeProtocol)
+ }
+
if _, err := hdec.Write(frag); err != nil {
return nil, ConnectionError(ErrCodeCompression)
}
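Review bot: The added block at `if invalid != nil {` references a variable whose declaration is outside this hunk; upstream `readMetaFrame` declares `invalid` earlier in the function, but the vendored frame.go at index c1f6b90 predates the upstream commit, so confirm it already tracks `invalid` (and imports `log` for the `VerboseLogs` branches) or the patched build will not compile. Keeping the upstream Change-Id and Reviewed-on trailers is good provenance and makes this easy to re-verify; the `struture` typo in the comments is upstream's and should be left as-is to keep the patch applying cleanly. `readMetaFrame` begins and ends outside the hunk.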


@ -1,7 +1,7 @@
Summary: Command line tool for working with Jenkins X.
Name: jx
Version: 3.2.236
Release: 18%{?dist}
Release: 19%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -29,6 +29,7 @@ Source0: https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2023-44487.patch
Patch1: CVE-2021-44716.patch
Patch2: CVE-2023-45288.patch
BuildRequires: golang
%global debug_package %{nil}
@ -71,6 +72,9 @@ make test && \
%{_bindir}/jx
%changelog
* Thu Aug 22 2024 Sumedh Sharma <sumsharma@microsoft.com> - 3.2.236-19
- Add patch to resolve CVE-2023-45288
* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 3.2.236-18
- Drop requirement on a specific version of golang


@ -0,0 +1,76 @@
From 7314ebdc4e965359fba5cf19fbffb6af5e712d0e Mon Sep 17 00:00:00 2001
From: Balakumaran Kannan <kumaran.4353@gmail.com>
Date: Thu, 1 Aug 2024 12:21:11 +0000
Subject: [PATCH] Patch CVE-2024-6104
---
.../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++-----
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index f1ccd3d..25d7ef5 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -499,9 +499,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil {
switch v := logger.(type) {
case Logger:
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
case LeveledLogger:
- v.Debug("performing request", "method", req.Method, "url", req.URL)
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
}
}
@@ -548,9 +548,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil {
switch v := logger.(type) {
case Logger:
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
case LeveledLogger:
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
}
} else {
// Call this here to maintain the behavior of logging all requests,
@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
}
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
if code > 0 {
desc = fmt.Sprintf("%s (status: %d)", desc, code)
}
@@ -622,7 +622,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
}
c.HTTPClient.CloseIdleConnections()
return nil, fmt.Errorf("%s %s giving up after %d attempts",
- req.Method, req.URL, c.RetryMax+1)
+ req.Method, redactURL(req.URL), c.RetryMax+1)
}
// Try to read the response body so we can reuse this connection.
@@ -703,3 +703,17 @@ func (c *Client) StandardClient() *http.Client {
Transport: &RoundTripper{Client: c},
}
}
+
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+func redactURL(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+
+ ru := *u
+ if _, has := ru.User.Password(); has {
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ }
+ return ru.String()
+}
--
2.33.8


@ -1,7 +1,7 @@
Summary: Kubernetes-based Event Driven Autoscaling
Name: keda
Version: 2.4.0
Release: 21%{?dist}
Release: 22%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -31,6 +31,7 @@ Source1: %{name}-%{version}-vendor-v2.tar.gz
Patch0: CVE-2022-21698.patch
Patch1: CVE-2023-44487.patch
Patch2: CVE-2021-44716.patch
Patch3: CVE-2024-6104.patch
BuildRequires: golang
@ -66,6 +67,9 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
%{_bindir}/%{name}-adapter
%changelog
* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.4.0-22
- Patch CVE-2024-6104
* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 2.4.0-21
- Drop requirement on a specific version of golang


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.162.2 Kernel Configuration
# Linux/x86_64 5.15.164.1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 5.15.162.2 Kernel Configuration
# Linux/arm64 5.15.164.1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,9 +1,9 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "0033f60dcfa13616a26c58a7fddc486a31e0f5be80b9290b4f911f678aff9796",
"config_aarch64": "bfda2d51bf24db34edabfeb9bb6d20dc777c6c991b861a39961fde3999f2bfdc",
"config": "a84f20c07e5f2a8a76db3a5bc7c7da29cb8b5bccb457a75ac52cfef847b7e743",
"config_aarch64": "2e737ff36bf79ea1cebaffc145e6e24c6a292992cb3191a4a5bf7e7b51aafb6b",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
}
}


@ -27,7 +27,7 @@
Summary: Linux Kernel
Name: kernel-azure
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.162.2 Kernel Configuration
# Linux/x86_64 5.15.164.1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,7 +1,7 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "ad11508bb6ca2133c14bfa56a05883f2feb85d27986f0fc4541666a21f4bbb72",
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
"config": "a2580de76388be81d6c393c90b1d0e01befa4cc1b668e3f68d4f2e7337a473ea",
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
}
}


@ -17,7 +17,7 @@
%define config_source %{SOURCE1}
Summary: Linux Kernel for HCI
Name: kernel-hci
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -547,6 +547,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2


@ -1,5 +1,5 @@
{
"Signatures": {
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
}
}


@ -11,7 +11,7 @@
Summary: Linux API header files
Name: kernel-headers
Version: 5.15.162.2
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -73,6 +73,9 @@ done
%endif
%changelog
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
- Auto-upgrade to 5.15.164.1
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
- Auto-upgrade to 5.15.162.2


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.161.1 Kernel Configuration
# Linux/x86_64 5.15.164.1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,8 +1,8 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "170e9e5b27619d595f627af620da52facf9ad7ca7b717ecd097841766e36cda3",
"config": "bb8f743baac9e1ae181e6de5ad3ea4a085023f7037abbf6ed518ecb6afcf72e3",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
"kernel-mos-5.15.161.1.tar.gz": "b48578cb4ef0361974c1156fff4041234cf00f9b66876b5c5dca2e536a78220d"
"kernel-mos-5.15.164.1.tar.gz": "cc83103f8d935d59d68b7f6e3d81d078e384b7e7e6cb590ff0146b7f01ef1e6e"
}
}


@ -18,7 +18,7 @@
%define config_source %{SOURCE1}
Summary: Linux Kernel for MOS
Name: kernel-mos
Version: 5.15.161.1
Version: 5.15.164.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -377,6 +377,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Mon Aug 12 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.164.1-1
- Update to 5.15.164.1
* Wed Jul 24 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.15.161.1-1
- Update to 5.15.161.1


@ -0,0 +1,3 @@
CVE-2022-48788 - patched in 5.15.25.1 - (generated by autopatch tool)
upstream b6bb1722f34bbdbabed27acdceaf585d300c5fd2 - stable 646952b2210f19e584d2bf9eb5d092abdca2fcc1


@ -0,0 +1,4 @@
CVE-2022-48841 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: f153546913bada41a811722f2c6d17c3243a0333
upstream introducing commit: e72bba21355dbb67512a0d666fec9f4b56dbfc2f


@ -0,0 +1,3 @@
CVE-2023-52340 - patched in 5.15.147.1 - (generated by autopatch tool)
upstream af6d10345ca76670c1b7c37799f0d5576ccef277 - stable b8a5308feedda10d4875a912e2e1f6be215a4ead


@ -0,0 +1,3 @@
CVE-2024-26900 - patched in 5.15.159.1 - (generated by autopatch tool)
upstream 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 - stable f3a1787dc48213f6caea5ba7d47e0222e7fa34a9


@ -0,0 +1,3 @@
CVE-2024-36901 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 4db783d68b9b39a411a96096c10828ff5dfada7a - stable 2272e2db38f2e85929278146d7c770f22f528579


@ -0,0 +1,4 @@
CVE-2024-39473 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: ffa077b2f6ad124ec3d23fbddc5e4b0ff2647af8
upstream introducing commit: 648fea12847695d60ddeebea86597114885ee76e


@ -0,0 +1,4 @@
CVE-2024-39474 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: 8e0545c83d672750632f46e3f9ad95c48c91a0fc
upstream introducing commit: 9376130c390a76fac2788a5d6e1a149017b4ab50


@ -0,0 +1,4 @@
CVE-2024-39483 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: b4bd556467477420ee3a91fbcba73c579669edc6
upstream introducing commit: fa4c027a7956f5e07697bfcb580d25eeb8471257


@ -0,0 +1,4 @@
CVE-2024-39485 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: 9537a8425a7a0222999d5839a0b394b1e8834b4a
upstream introducing commit: b8ec754ae4c563f6aab8c0cb47aeb2eae67f1da3


@ -0,0 +1,3 @@
CVE-2024-41007 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 97a9063518f198ec0adb2ecb89789de342bb8283 - stable 04317a2471c2f637b4c49cbd0e9c0d04a519f570


@ -0,0 +1,3 @@
CVE-2024-41009 - patched in 5.15.164.1 - (generated by autopatch tool)
upstream cfa1a2329a691ffd991fcf7248a57d752e712881 - stable 0f98f40eb1ed52af8b81f61901b6c0289ff59de4


@ -0,0 +1,4 @@
CVE-2024-42071 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: 84b767f9e34fdb143c09e66a2a20722fc2921821
upstream introducing commit: 386e69865311044b576ff536c99c6ee9cc98a228


@ -0,0 +1,4 @@
CVE-2024-42072 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: 2b2efe1937ca9f8815884bd4dcd5b32733025103
upstream introducing commit: 011832b97b311bb9e3c27945bc0d1089a14209c9


@ -0,0 +1,4 @@
CVE-2024-42073 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: c28947de2bed40217cf256c5d0d16880054fcf13
upstream introducing commit: f8538aec88b46642553a9ba9efa0952f5958dbed


@ -0,0 +1,4 @@
CVE-2024-42074 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: 98d919dfee1cc402ca29d45da642852d7c9a2301
upstream introducing commit: 088a40980efbc2c449b72f0f2c7ebd82f71d08e2


@ -0,0 +1,4 @@
CVE-2024-42075 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: b90d77e5fd784ada62ddd714d15ee2400c28e1cf
upstream introducing commit: 317460317a02a1af512697e6e964298dedd8a163


@ -0,0 +1,4 @@
CVE-2024-42078 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: e0011bca603c101f2a3c007bdb77f7006fa78fb1
upstream introducing commit: 7b207ccd983350a5dedd132b57c666186dd02a7c


@ -0,0 +1,4 @@
CVE-2024-42083 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: e3f02f32a05009a688a87f5799e049ed6b55bab5
upstream introducing commit: 5377805dc1c02ad3721a9256f0eef9b4813952e7


@ -0,0 +1,3 @@
CVE-2024-42152 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4 - stable b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5


@ -0,0 +1,3 @@
CVE-2024-42153 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream f63b94be6942ba82c55343e196bd09b53227618e - stable 3503372d0bf7b324ec0bd6b90606703991426176


@ -0,0 +1,3 @@
CVE-2024-42154 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 66be40e622e177316ae81717aa30057ba9e61dff - stable ef7c428b425beeb52b894e16f1c4b629d6cebfb6


@ -0,0 +1,3 @@
CVE-2024-42157 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 1d8c270de5eb74245d72325d285894a577a945d9 - stable 4889f117755b2f18c23045a0f57977f3ec130581


@ -0,0 +1,3 @@
CVE-2024-42161 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 009367099eb61a4fc2af44d4eb06b6b4de7de6db - stable 3364c2ed1c241989847f19cf83e3db903ce689e3


@ -0,0 +1,3 @@
CVE-2024-42223 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 1aa1329a67cc214c3b7bd2a14d1301a795760b07 - stable bd5620439959a7e02012588c724c6ff5143b80af


@ -0,0 +1,3 @@
CVE-2024-42224 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b - stable 8c2c3cca816d074c75a2801d1ca0dea7b0148114


@ -0,0 +1,3 @@
CVE-2024-42225 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 7f819a2f4fbc510e088b49c79addcf1734503578 - stable dc7f14d00d0c4c21898f3504607f4a31079065a2


@ -0,0 +1,3 @@
CVE-2024-42229 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 23e4099bdc3c8381992f9eb975c79196d6755210 - stable 71dd428615375e36523f4d4f7685ddd54113646d


@ -0,0 +1,3 @@
CVE-2024-42232 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 - stable 20cf67dcb7db842f941eff1af6ee5e9dc41796d7


@ -0,0 +1,3 @@
CVE-2024-42236 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 6d3c721e686ea6c59e18289b400cc95c76e927e0 - stable 72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce


@ -0,0 +1,4 @@
CVE-2024-42237 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
upstream fix commit: 6598afa9320b6ab13041616950ca5f8f938c0cf1
upstream introducing commit: f6bc909e7673c30abcbdb329e7d0aa2e83c103d7


@ -0,0 +1,3 @@
CVE-2024-42244 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream c15a688e49987385baa8804bf65d570e362f8576 - stable b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4


@ -0,0 +1,3 @@
CVE-2024-42247 - patched in 5.15.163.1 - (generated by autopatch tool)
upstream 948f991c62a4018fb81d85804eeab3029c6209f8 - stable b4764f0ad3d68de8a0b847c05f427afb86dd54e6


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.162.2 Kernel Configuration
# Linux/x86_64 5.15.164.1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 5.15.162.2 Kernel Configuration
# Linux/arm64 5.15.164.1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y
