Merge branch 'main' into 2.0
commit
9ce332f22c
|
@ -12,7 +12,7 @@ on:
|
|||
permissions: read-all
|
||||
|
||||
env:
|
||||
EXPECTED_GO_VERSION: "1.20"
|
||||
EXPECTED_GO_VERSION: "1.21"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
|
|
@ -22,6 +22,10 @@ parameters:
|
|||
maxCPUs: "$(($(nproc) / 3))"
|
||||
rawToolchainCacheURL: "$(rawToolchainCacheURL_ARM64)"
|
||||
rawToolchainExpectedHash: "65de43b3bdcfdaac71df1f11fd1f830a8109b1eb9d7cb6cbc2e2d0e929d0ef76"
|
||||
- name: debug
|
||||
type: boolean
|
||||
default: false
|
||||
displayName: "Run in debug mode"
|
||||
|
||||
resources:
|
||||
repositories:
|
||||
|
@ -37,7 +41,7 @@ variables:
|
|||
- name: toolchainArtifactNameBase
|
||||
value: Toolchain
|
||||
- name: system.debug
|
||||
value: 'true'
|
||||
value: '${{ parameters.debug }}'
|
||||
|
||||
extends:
|
||||
template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
|
||||
|
@ -103,6 +107,7 @@ extends:
|
|||
steps:
|
||||
- template: .pipelines/templates/PackageBuild.yml@self
|
||||
parameters:
|
||||
checkBuildRetries: "1"
|
||||
customToolchainArtifactName: $(toolchainArtifactName)
|
||||
isCheckBuild: true
|
||||
isQuickRebuildPackages: true
|
||||
|
|
|
@ -6,6 +6,10 @@ parameters:
|
|||
type: string
|
||||
default: "$(Build.SourcesDirectory)"
|
||||
|
||||
- name: checkBuildRetries
|
||||
type: string
|
||||
default: ""
|
||||
|
||||
- name: concurrentPackageBuilds
|
||||
type: number
|
||||
default: 12
|
||||
|
@ -22,10 +26,6 @@ parameters:
|
|||
type: string
|
||||
default: ""
|
||||
|
||||
- name: testRerunList
|
||||
type: string
|
||||
default: ""
|
||||
|
||||
- name: failOnTestFailures
|
||||
type: boolean
|
||||
default: true
|
||||
|
@ -125,6 +125,10 @@ parameters:
|
|||
type: string
|
||||
default: ""
|
||||
|
||||
- name: testRerunList
|
||||
type: string
|
||||
default: ""
|
||||
|
||||
- name: testSuiteName
|
||||
type: string
|
||||
default: "Package test"
|
||||
|
@ -176,6 +180,10 @@ steps:
|
|||
displayName: "Populate cache RPMs"
|
||||
|
||||
- script: |
|
||||
if [[ -n "${{ parameters.checkBuildRetries }}" ]]; then
|
||||
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
|
||||
fi
|
||||
|
||||
if [[ ${{ parameters.isDeltaBuild }} == "true" ]]; then
|
||||
delta_fetch_arg="DELTA_FETCH=y"
|
||||
elif [[ ${{ parameters.isDeltaBuild }} == "false" ]]; then
|
||||
|
@ -217,6 +225,7 @@ steps:
|
|||
SPECS_DIR="${{ parameters.buildRepoRoot }}/${{ parameters.specsFolderPath }}" \
|
||||
SRPM_PACK_LIST="${{ parameters.srpmPackList }}" \
|
||||
TEST_RERUN_LIST="${{ parameters.testRerunList }}" \
|
||||
$check_build_retries_arg \
|
||||
$delta_fetch_arg \
|
||||
$max_cascading_rebuilds_arg \
|
||||
$quick_rebuild_packages_arg \
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
From 638d1c5d1c33b4383a4e307f5bcb8b366dd36071 Mon Sep 17 00:00:00 2001
|
||||
From: Amrita Kohli <amritakohli@microsoft.com>
|
||||
Date: Fri, 9 Aug 2024 16:19:34 +0000
|
||||
Subject: [PATCH] Modified upstream patch from PR https://github.com/jonschlinkert/kind-of/pull/31 with commit id
|
||||
975c13a7cfaf25d811475823824af3a9c04b0ba8 for CVE-2019-20149. Modified by:
|
||||
Amrita Kohli <amritakohli@microsoft.com>
|
||||
|
||||
---
|
||||
node_modules/kind-of/index.js | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/node_modules/kind-of/index.js b/node_modules/kind-of/index.js
|
||||
index dfa799b7..bdcfdc85 100644
|
||||
--- a/node_modules/kind-of/index.js
|
||||
+++ b/node_modules/kind-of/index.js
|
||||
@@ -66,7 +66,7 @@ module.exports = function kindOf(val) {
|
||||
};
|
||||
|
||||
function ctorName(val) {
|
||||
- return typeof val.constructor === 'function' ? val.constructor.name : null;
|
||||
+ return val.constructor && typeof val.constructor === 'function' ? val.constructor.name : null;
|
||||
}
|
||||
|
||||
function isArray(val) {
|
||||
--
|
||||
2.34.1
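Review bot: The line this patch replaces in `ctorName` already tests `typeof val.constructor === 'function'`, and any value that passes that test is truthy, so the added `val.constructor &&` guard cannot change the result for any input. As written the patch looks like a no-op against this copy of kind-of, which suggests the bundled `node_modules/kind-of/index.js` may already carry the upstream check. It is worth confirming which kind-of version or versions the node_modules tarball contains. If the goal is to clear CVE-2019-20149, also check for nested copies under other packages' own `node_modules/` directories, since only this one path is patched. A line in the patch header naming the bundled kind-of version would make the result auditable.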
|
||||
|
|
@ -2,7 +2,7 @@ Vendor: Microsoft Corporation
|
|||
Distribution: Mariner
|
||||
Name: js-jquery
|
||||
Version: 3.5.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: JavaScript DOM manipulation, event handling, and AJAX library
|
||||
BuildArch: noarch
|
||||
|
||||
|
@ -18,6 +18,8 @@ Source1: jquery_%{version}_node_modules.tar.gz
|
|||
|
||||
# disable gzip-js during build
|
||||
Patch1: %{name}-disable-gzip-js.patch
|
||||
# Patch for CVE-2019-20149 in kind-of package https://github.com/jonschlinkert/kind-of/pull/31
|
||||
Patch2: CVE-2019-20149.patch
|
||||
|
||||
|
||||
BuildRequires: web-assets-devel
|
||||
|
@ -45,14 +47,15 @@ browsers. With a combination of versatility and extensibility, jQuery has
|
|||
changed the way that millions of people write JavaScript.
|
||||
|
||||
%prep
|
||||
%autosetup -n jquery-%{version} -v -p1
|
||||
%setup -n jquery-%{version}
|
||||
%patch1 -p1
|
||||
|
||||
#remove precompiled stuff
|
||||
rm -rf dist/*
|
||||
|
||||
# Install the cached node modules
|
||||
tar xf %{SOURCE1}
|
||||
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
./node_modules/grunt-cli/bin/grunt -v 'build:*:*' uglify
|
||||
|
@ -83,6 +86,10 @@ ln -s %{version} %{installdir}/%{ver_x}.%{ver_y}
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Aug 9 2024 Amrita Kohli <amritakohli@microsoft.com> - 3.5.0-4
|
||||
- Patch CVE-2019-20149 in kind-of package.
|
||||
- License verified
|
||||
|
||||
* Mon Jun 14 2021 Thomas Crain <thcrain@microsoft.com> - 3.5.0-3
|
||||
- Initial CBL-Mariner import from Fedora 32 (license: MIT).
|
||||
- Add explicit build-time dependency on nodejs-devel
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"mosh-1.4.0.tar.gz": "872e4b134e5df29c8933dff12350785054d2fd2839b5ae6b5587b14db1465ddd"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,226 @@
|
|||
Name: mosh
|
||||
Version: 1.4.0
|
||||
Release: 6%{?dist}
|
||||
Summary: Mobile shell that supports roaming and intelligent local echo
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
||||
License: GPLv3+
|
||||
URL: https://mosh.mit.edu/
|
||||
Source0: https://github.com/mobile-shell/mosh/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
BuildRequires: libutempter-devel
|
||||
BuildRequires: ncurses-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: perl-diagnostics
|
||||
BuildRequires: perl-generators
|
||||
BuildRequires: protobuf-compiler
|
||||
BuildRequires: protobuf-devel
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: make
|
||||
Requires: openssh-clients
|
||||
Requires: openssl
|
||||
Requires: perl-IO-Socket-IP
|
||||
|
||||
%description
|
||||
Mosh is a remote terminal application that supports:
|
||||
- intermittent network connectivity,
|
||||
- roaming to different IP address without dropping the connection, and
|
||||
- intelligent local echo and line editing to reduce the effects
|
||||
of "network lag" on high-latency connections.
|
||||
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
|
||||
%build
|
||||
%configure --disable-silent-rules CC=gcc CXX=g++
|
||||
%make_build
|
||||
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
||||
|
||||
%files
|
||||
%doc README.md ChangeLog
|
||||
%license COPYING
|
||||
%{_bindir}/mosh
|
||||
%{_bindir}/mosh-client
|
||||
%{_bindir}/mosh-server
|
||||
%{_mandir}/man1/mosh.1.gz
|
||||
%{_mandir}/man1/mosh-client.1.gz
|
||||
%{_mandir}/man1/mosh-server.1.gz
|
||||
|
||||
|
||||
%changelog
|
||||
* Sun Aug 11 2024 Chris Co <chrco@microsoft.com> - 1.4.0-6
|
||||
- Initial CBL-Mariner import from Fedora 40 (license: MIT)
|
||||
- License verified
|
||||
|
||||
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Wed Oct 26 2022 Alex Chernyakhovsky <achernya@mit.edu> - 1.4.0-1
|
||||
- Update to mosh 1.4.0
|
||||
|
||||
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-15
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Tue Apr 05 2022 Michal Josef Špaček <mspacek@redhat.com> - 1.3.2-14
|
||||
- Remove dependency to obsolete IO::Socket::INET6
|
||||
|
||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-13
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-12
|
||||
- Rebuilt for protobuf 3.19.0
|
||||
|
||||
* Tue Oct 26 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-11
|
||||
- Rebuilt for protobuf 3.18.1
|
||||
|
||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.3.2-10
|
||||
- Rebuilt with OpenSSL 3.0.0
|
||||
|
||||
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Thu Jan 14 08:32:44 CET 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-7
|
||||
- Rebuilt for protobuf 3.14
|
||||
|
||||
* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 1.3.2-6
|
||||
- Rebuilt for protobuf 3.13
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 1.3.2-4
|
||||
- Rebuilt for protobuf 3.12
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 1.3.2-2
|
||||
- Rebuild for protobuf 3.11
|
||||
|
||||
* Sun Sep 22 2019 Alex Chernyakhovsky <achernya@mit.edu> - 1.3.2-1
|
||||
- Update to mosh 1.3.2
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-11
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-9
|
||||
- Rebuild for protobuf 3.6
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Wed Nov 29 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.3.0-6
|
||||
- Rebuild for protobuf 3.5
|
||||
|
||||
* Mon Nov 13 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-5
|
||||
- Rebuild for protobuf 3.4
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 1.3.0-2
|
||||
- Rebuild for protobuf 3.3.1
|
||||
|
||||
* Sun Mar 26 2017 Alex Chernyakhovsky <achernya@mit.edu> - 1.3.0-1
|
||||
- Update to mosh 1.3.0
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.6-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Thu Jan 26 2017 Orion Poplawski <orion@cora.nwra.com> - 1.2.6-3
|
||||
- Rebuild for protobuf 3.2.0
|
||||
|
||||
* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 1.2.6-2
|
||||
- Rebuild for protobuf 3.1.0
|
||||
|
||||
* Wed Aug 10 2016 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.6-1
|
||||
- Update to mosh 1.2.6
|
||||
|
||||
* Mon Feb 08 2016 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.2.5-3
|
||||
- Let package honor RPM_OPT_FLAGS (Fix F24FTBFS).
|
||||
- Add %%license.
|
||||
- Make building verbose.
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Thu Aug 6 2015 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.5-1
|
||||
- Update to mosh 1.2.5
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Sun Apr 26 2015 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.4-6
|
||||
- Rebuild for protobuf version bump.
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1.2.4-2
|
||||
- Perl 5.18 rebuild
|
||||
|
||||
* Wed Mar 27 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.4-1
|
||||
- Update to mosh 1.2.4
|
||||
|
||||
* Sun Mar 10 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.3-3
|
||||
- Rebuilt for Protobuf API change from 2.4.1 to 2.5.0
|
||||
|
||||
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.3-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||
|
||||
* Fri Oct 19 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.3-1
|
||||
- Update to mosh 1.2.3
|
||||
|
||||
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
* Wed Jun 13 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.2-1
|
||||
- Update to mosh 1.2.2
|
||||
|
||||
* Sat Apr 28 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2-2
|
||||
- Add -g and -O2 CFLAGS
|
||||
|
||||
* Fri Apr 27 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2-1
|
||||
- Update to mosh 1.2.
|
||||
|
||||
* Mon Mar 26 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.1.1-1
|
||||
- Update to mosh 1.1.1.
|
||||
|
||||
* Wed Mar 21 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.1-1
|
||||
- Initial packaging for mosh.
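Review bot: The spec has no `%check` section, so the package is built and shipped without running any upstream tests, even though `mosh-server` is a network-facing server. If the tarball's test suite can run in the build root, add `%check` with `%make_build check`; it may need extra BuildRequires that are not listed here. Separately, the new changelog entry says `(license: MIT)` while the `License:` tag is `GPLv3+`. If MIT refers to the imported Fedora spec file rather than to mosh itself, saying so in the entry would avoid confusion during license audits.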
|
|
@ -9,7 +9,7 @@
|
|||
%define uname_r %{version}-%{release}
|
||||
Summary: Signed Linux Kernel for Azure
|
||||
Name: kernel-azure-signed-%{buildarch}
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%exclude /module_info.ld
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
%define uname_r %{version}-%{release}
|
||||
Summary: Signed Linux Kernel for HCI
|
||||
Name: kernel-hci-signed-%{buildarch}
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%exclude /module_info.ld
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
%define uname_r %{version}-%{release}
|
||||
Summary: Signed Linux Kernel for MOS systems
|
||||
Name: kernel-mos-signed-%{buildarch}
|
||||
Version: 5.15.161.1
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%exclude /module_info.ld
|
||||
|
||||
%changelog
|
||||
* Mon Aug 12 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.164.1-1
|
||||
- Update to 5.15.164.1
|
||||
|
||||
* Wed Jul 24 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.15.161.1-1
|
||||
- Update to 5.15.161.1
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
%define uname_r %{version}-%{release}
|
||||
Summary: Signed Linux Kernel for %{buildarch} systems
|
||||
Name: kernel-signed-%{buildarch}
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%exclude /module_info.ld
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -909,6 +909,7 @@
|
|||
"mod_wsgi",
|
||||
"mokutil",
|
||||
"moreutils",
|
||||
"mosh",
|
||||
"mpage",
|
||||
"mrtg",
|
||||
"mstflint",
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
Summary: The Windows Azure Linux Agent
|
||||
Name: WALinuxAgent
|
||||
Version: 2.3.1.1
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: ASL 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -11,6 +11,7 @@ Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{versi
|
|||
Source1: ephemeral-disk-warning.service
|
||||
Source2: ephemeral-disk-warning.conf
|
||||
Source3: ephemeral-disk-warning
|
||||
Patch0: add_firewall_rules.patch
|
||||
BuildRequires: python3-distro
|
||||
BuildRequires: python3-setuptools
|
||||
BuildRequires: python3-xml
|
||||
|
@ -38,7 +39,7 @@ VMs in the Windows Azure cloud. This package should be installed on Linux disk
|
|||
images that are built to run in the Windows Azure environment.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%autosetup -n %{name}-%{version} -p1
|
||||
|
||||
%pre -p /bin/sh
|
||||
|
||||
|
@ -90,6 +91,9 @@ python3 setup.py check && python3 setup.py test
|
|||
%{python3_sitelib}/*
|
||||
|
||||
%changelog
|
||||
* Tue Jan 30 2024 Nan Liu <liunan@microsoft.com> - 2.3.1.1-4
|
||||
- Patch waagent.conf to add firewall rules to protect access to Azure host node
|
||||
|
||||
* Tue Nov 10 2022 Nan Liu <liunan@microsoft.com> - 2.3.1.1-3
|
||||
- Add ephemeral-disk-warning.service
|
||||
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
From 9ac40d805925f130283ed54f3cbb424afad41461 Mon Sep 17 00:00:00 2001
|
||||
From: Nan Liu <liunan@microsoft.com>
|
||||
Date: Tue, 30 Jan 2024 17:58:36 +0000
|
||||
Subject: [PATCH] Add firewall rules to protect access to Azure host node
|
||||
services
|
||||
|
||||
---
|
||||
config/mariner/waagent.conf | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/config/mariner/waagent.conf b/config/mariner/waagent.conf
|
||||
index 65da131..cda61de 100644
|
||||
--- a/config/mariner/waagent.conf
|
||||
+++ b/config/mariner/waagent.conf
|
||||
@@ -78,3 +78,6 @@ AutoUpdate.GAFamily=Prod
|
||||
# handling until inVMArtifactsProfile.OnHold is false.
|
||||
# Default is disabled
|
||||
# EnableOverProvisioning=n
|
||||
+
|
||||
+# Add firewall rules to protect access to Azure host node services
|
||||
+OS.EnableFirewall=y
|
||||
--
|
||||
2.25.1
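Review bot: The patch turns on `OS.EnableFirewall=y` only in the packaged `config/mariner/waagent.conf`, so it takes effect only where that file is freshly installed or replaced. If the spec ships the file as `%config(noreplace)` (the `%files` list is not shown on this page), systems with a locally modified waagent.conf would keep their old content on upgrade and stay without the firewall rules. It is worth stating this in the changelog or release notes, or handling it in a scriptlet, so operators know to verify `OS.EnableFirewall` after updating.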
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"azure-storage-azcopy-10.24.0-vendor.tar.gz": "b0b0436e8e8aa280007d2daf5cb1ea06346d54e070062042c792a9fbd110e690",
|
||||
"azure-storage-azcopy-10.24.0.tar.gz": "bbb09bee00207eb6e6e80a3ecf58ac39beb956c94f500b62888ed3404580430d"
|
||||
"azure-storage-azcopy-10.25.1-vendor.tar.gz": "2e51019e29834b9b4ea2480fa80eaa95d2ce09601eb1be2edcf5febd927e5a4e",
|
||||
"azure-storage-azcopy-10.25.1.tar.gz": "d62f0a88e8899a611d9ef627252e4379bee8530177caca081f155e28917e70d3"
|
||||
}
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
Summary: The new Azure Storage data transfer utility - AzCopy v10
|
||||
Name: azcopy
|
||||
Version: 10.24.0
|
||||
Release: 3%{?dist}
|
||||
Version: 10.25.1
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -63,6 +63,9 @@ go test -mod=vendor
|
|||
%{_bindir}/azcopy
|
||||
|
||||
%changelog
|
||||
* Thu Aug 01 2024 Archana Choudhary <archana1@microsoft.com> - 10.25.1-1
|
||||
- Bump version to 10.25.1 to fix CVE-2024-35255
|
||||
|
||||
* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 10.24.0-3
|
||||
- Drop requirement on a specific version of golang
|
||||
|
||||
|
|
|
@ -0,0 +1,521 @@
|
|||
From 835ce6a069a1741b5df6977a10ef824598b5c027 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Fri, 1 Mar 2024 08:26:07 +0100
|
||||
Subject: [PATCH 1/6] Add a limit to the number of RRs in RRSets
|
||||
|
||||
Previously, the number of RRs in the RRSets were internally unlimited.
|
||||
As the data structure that holds the RRs is just a linked list, and
|
||||
there are places where we just walk through all of the RRs, adding an
|
||||
RRSet with huge number of RRs inside would slow down processing of said
|
||||
RRSets.
|
||||
|
||||
The fix for end-of-life branches make the limit compile-time only for
|
||||
simplicity and the limit can be changed at the compile time by adding
|
||||
following define to CFLAGS:
|
||||
|
||||
-DDNS_RDATASET_MAX_RECORDS=<limit>
|
||||
|
||||
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
configure | 2 +-
|
||||
configure.ac | 2 +-
|
||||
lib/dns/rdataslab.c | 12 ++++++++++++
|
||||
3 files changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index 1b436d6..30e65f1 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -12341,7 +12341,7 @@ fi
|
||||
|
||||
XTARGETS=
|
||||
if test "$enable_developer" = "yes"; then :
|
||||
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
|
||||
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
|
||||
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
|
||||
test "${enable_querytrace+set}" = set || enable_querytrace=yes
|
||||
test "${with_cmocka+set}" = set || with_cmocka=yes
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index fb6f172..ffe087e 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer],
|
||||
|
||||
XTARGETS=
|
||||
AS_IF([test "$enable_developer" = "yes"],
|
||||
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
|
||||
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
|
||||
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
|
||||
test "${enable_querytrace+set}" = set || enable_querytrace=yes
|
||||
test "${with_cmocka+set}" = set || with_cmocka=yes
|
||||
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
|
||||
index 14c4381..d74e84c 100644
|
||||
--- a/lib/dns/rdataslab.c
|
||||
+++ b/lib/dns/rdataslab.c
|
||||
@@ -112,6 +112,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
|
||||
}
|
||||
#endif /* if DNS_RDATASET_FIXED */
|
||||
|
||||
+#ifndef DNS_RDATASET_MAX_RECORDS
|
||||
+#define DNS_RDATASET_MAX_RECORDS 100
|
||||
+#endif /* DNS_RDATASET_MAX_RECORDS */
|
||||
+
|
||||
isc_result_t
|
||||
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||
isc_region_t *region, unsigned int reservelen) {
|
||||
@@ -156,6 +160,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
|
||||
+ return (DNS_R_TOOMANYRECORDS);
|
||||
+ }
|
||||
+
|
||||
if (nitems > 0xffff) {
|
||||
return (ISC_R_NOSPACE);
|
||||
}
|
||||
@@ -524,6 +532,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
|
||||
#endif /* if DNS_RDATASET_FIXED */
|
||||
INSIST(ocount > 0 && ncount > 0);
|
||||
|
||||
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
|
||||
+ return (DNS_R_TOOMANYRECORDS);
|
||||
+ }
|
||||
+
|
||||
#if DNS_RDATASET_FIXED
|
||||
oncount = ncount;
|
||||
#endif /* if DNS_RDATASET_FIXED */
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From c2309258b876feb7d818da89312e5af385790eaf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Wed, 29 May 2024 08:43:39 +0200
|
||||
Subject: [PATCH 2/6] Add a limit to the number of RR types for single name
|
||||
|
||||
Previously, the number of RR types for a single owner name was limited
|
||||
only by the maximum number of the types (64k). As the data structure
|
||||
that holds the RR types for the database node is just a linked list, and
|
||||
there are places where we just walk through the whole list (again and
|
||||
again), adding a large number of RR types for a single owner named with
|
||||
would slow down processing of such name (database node).
|
||||
|
||||
Add a hard-coded limit (100) to cap the number of the RR types for a single
|
||||
owner. The limit can be changed at the compile time by adding following
|
||||
define to CFLAGS:
|
||||
|
||||
-DDNS_RBTDB_MAX_RTYPES=<limit>
|
||||
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
configure | 2 +-
|
||||
configure.ac | 2 +-
|
||||
lib/dns/rbtdb.c | 17 +++++++++++++++++
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index 30e65f1..835cd94 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -12341,7 +12341,7 @@ fi
|
||||
|
||||
XTARGETS=
|
||||
if test "$enable_developer" = "yes"; then :
|
||||
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
|
||||
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
|
||||
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
|
||||
test "${enable_querytrace+set}" = set || enable_querytrace=yes
|
||||
test "${with_cmocka+set}" = set || with_cmocka=yes
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index ffe087e..6db4250 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer],
|
||||
|
||||
XTARGETS=
|
||||
AS_IF([test "$enable_developer" = "yes"],
|
||||
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
|
||||
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
|
||||
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
|
||||
test "${enable_querytrace+set}" = set || enable_querytrace=yes
|
||||
test "${with_cmocka+set}" = set || with_cmocka=yes
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index 3f06545..b35e101 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -6240,6 +6240,10 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
|
||||
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
|
||||
}
|
||||
|
||||
+#ifndef DNS_RBTDB_MAX_RTYPES
|
||||
+#define DNS_RBTDB_MAX_RTYPES 100
|
||||
+#endif /* DNS_RBTDB_MAX_RTYPES */
|
||||
+
|
||||
/*
|
||||
* write lock on rbtnode must be held.
|
||||
*/
|
||||
@@ -6261,6 +6265,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
rbtdb_rdatatype_t negtype, sigtype;
|
||||
dns_trust_t trust;
|
||||
int idx;
|
||||
+ uint32_t ntypes;
|
||||
|
||||
/*
|
||||
* Add an rdatasetheader_t to a node.
|
||||
@@ -6325,6 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
set_ttl(rbtdb, topheader, 0);
|
||||
mark_header_ancient(rbtdb, topheader);
|
||||
}
|
||||
+ ntypes = 0;
|
||||
goto find_header;
|
||||
}
|
||||
/*
|
||||
@@ -6348,9 +6354,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
* check for an extant non-ancient NODATA ncache
|
||||
* entry which covers the same type as the RRSIG.
|
||||
*/
|
||||
+ ntypes = 0;
|
||||
for (topheader = rbtnode->data; topheader != NULL;
|
||||
topheader = topheader->next)
|
||||
{
|
||||
+ ntypes++;
|
||||
if ((topheader->type ==
|
||||
RBTDB_RDATATYPE_NCACHEANY) ||
|
||||
(newheader->type == sigtype &&
|
||||
@@ -6395,9 +6403,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
}
|
||||
}
|
||||
|
||||
+ ntypes = 0;
|
||||
for (topheader = rbtnode->data; topheader != NULL;
|
||||
topheader = topheader->next)
|
||||
{
|
||||
+ ntypes++;
|
||||
if (prio_type(topheader->type)) {
|
||||
prioheader = topheader;
|
||||
}
|
||||
@@ -6755,6 +6765,13 @@ find_header:
|
||||
/*
|
||||
* No rdatasets of the given type exist at the node.
|
||||
*/
|
||||
+
|
||||
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
|
||||
+ free_rdataset(rbtdb, rbtdb->common.mctx,
|
||||
+ newheader);
|
||||
+ return (ISC_R_QUOTA);
|
||||
+ }
|
||||
+
|
||||
newheader->down = NULL;
|
||||
|
||||
if (prio_type(newheader->type)) {
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From 23797a4f5db6698baf98bdeaeb1e6095e67772a6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= <nicki@isc.org>
|
||||
Date: Thu, 6 Jun 2024 15:29:14 +0200
|
||||
Subject: [PATCH 3/6] Revert "Build gcc:oraclelinux9:amd64 CI jobs with
|
||||
--disable-developer"
|
||||
|
||||
This reverts commit 6a7ec0c01cf9df31cc29b81883be3304c07ffafd.
|
||||
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
.gitlab-ci.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
|
||||
index 06b17c3..9e10eca 100644
|
||||
--- a/.gitlab-ci.yml
|
||||
+++ b/.gitlab-ci.yml
|
||||
@@ -733,7 +733,7 @@ gcc:oraclelinux9:amd64:
|
||||
variables:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
- EXTRA_CONFIGURE: "--with-libidn2 --disable-developer"
|
||||
+ EXTRA_CONFIGURE: "--with-libidn2"
|
||||
<<: *oraclelinux_9_amd64_image
|
||||
<<: *build_job
|
||||
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From 03b3c1c24cb2758814b61ce65d6cd300d161ab6a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Mon, 17 Jun 2024 11:40:40 +0200
|
||||
Subject: [PATCH 4/6] Expand the list of the priority types
|
||||
|
||||
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
|
||||
the priority types that are put at the beginning of the slabheader list
|
||||
for faster access and to avoid eviction when there are more types than
|
||||
the max-types-per-name limit.
|
||||
|
||||
(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
lib/dns/rbtdb.c | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index b35e101..0932453 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -990,6 +990,8 @@ prio_type(rbtdb_rdatatype_t type) {
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
|
||||
case dns_rdatatype_a:
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
|
||||
+ case dns_rdatatype_mx:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
|
||||
case dns_rdatatype_aaaa:
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
|
||||
case dns_rdatatype_nsec:
|
||||
@@ -1002,6 +1004,22 @@ prio_type(rbtdb_rdatatype_t type) {
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
|
||||
case dns_rdatatype_cname:
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
|
||||
+ case dns_rdatatype_dname:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
|
||||
+ case dns_rdatatype_svcb:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_svcb):
|
||||
+ case dns_rdatatype_https:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_https):
|
||||
+ case dns_rdatatype_dnskey:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
|
||||
+ case dns_rdatatype_srv:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
|
||||
+ case dns_rdatatype_txt:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
|
||||
+ case dns_rdatatype_ptr:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
|
||||
+ case dns_rdatatype_naptr:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
|
||||
return (true);
|
||||
}
|
||||
return (false);
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From 3798953881077eae1cc6992d0bce27e2637b942e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Mon, 17 Jun 2024 17:54:09 +0200
|
||||
Subject: [PATCH 5/6] Make the resolver qtype ANY test order agnostic
|
||||
|
||||
Instead of relying on a specific order of the RR types in the databases
|
||||
pick the first RR type as returned from the cache.
|
||||
|
||||
(cherry picked from commit 58f660cf2b800963fa649bc9823a626009db3a7e)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
bin/tests/system/resolver/tests.sh | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
|
||||
index fc05635..2e089fa 100755
|
||||
--- a/bin/tests/system/resolver/tests.sh
|
||||
+++ b/bin/tests/system/resolver/tests.sh
|
||||
@@ -596,18 +596,18 @@ n=$((n + 1))
|
||||
echo_i "check prefetch qtype * (${n})"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.1.${n} || ret=1
|
||||
-ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n})
|
||||
+ttl1=$(awk '/^fetchall.tld/ { print $2 - 3; exit }' dig.out.1.${n})
|
||||
# sleep so we are in prefetch range
|
||||
sleep "${ttl1:-0}"
|
||||
# trigger prefetch
|
||||
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.2.${n} || ret=1
|
||||
-ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
|
||||
+ttl2=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.2.${n})
|
||||
sleep 1
|
||||
# check that prefetch occurred;
|
||||
-# note that only one record is prefetched, which is the AAAA record in this case,
|
||||
+# note that only the first record is prefetched,
|
||||
# because of the order of the records in the cache
|
||||
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1
|
||||
-ttl3=$(awk '/::1/ { print $2 }' dig.out.3.${n})
|
||||
+ttl3=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.3.${n})
|
||||
test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From 84ce66c3491df6f31225b50d27e9a9e5fa93eaed Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Mon, 17 Jun 2024 11:40:40 +0200
|
||||
Subject: [PATCH 6/6] Be smarter about refusing to add many RR types to the
|
||||
database
|
||||
|
||||
Instead of outright refusing to add new RR types to the cache, be a bit
|
||||
smarter:
|
||||
|
||||
1. If the new header type is in our priority list, we always add either
|
||||
positive or negative entry at the beginning of the list.
|
||||
|
||||
2. If the new header type is negative entry, and we are over the limit,
|
||||
we mark it as ancient immediately, so it gets evicted from the cache
|
||||
as soon as possible.
|
||||
|
||||
3. Otherwise add the new header after the priority headers (or at the
|
||||
head of the list).
|
||||
|
||||
4. If we are over the limit, evict the last entry on the normal header
|
||||
list.
|
||||
|
||||
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
lib/dns/rbtdb.c | 68 +++++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 57 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index 0932453..9670671 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -6262,6 +6262,26 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
|
||||
#define DNS_RBTDB_MAX_RTYPES 100
|
||||
#endif /* DNS_RBTDB_MAX_RTYPES */
|
||||
|
||||
+static bool
|
||||
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
|
||||
+ UNUSED(rbtdb);
|
||||
+
|
||||
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
|
||||
+ return (false);
|
||||
+ }
|
||||
+
|
||||
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
|
||||
+}
|
||||
+
|
||||
+static bool
|
||||
+prio_header(rdatasetheader_t *header) {
|
||||
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ return (prio_type(header->type));
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* write lock on rbtnode must be held.
|
||||
*/
|
||||
@@ -6273,7 +6293,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
rbtdb_changed_t *changed = NULL;
|
||||
rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
|
||||
rdatasetheader_t *header = NULL, *sigheader = NULL;
|
||||
- rdatasetheader_t *prioheader = NULL;
|
||||
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
|
||||
unsigned char *merged = NULL;
|
||||
isc_result_t result;
|
||||
bool header_nx;
|
||||
@@ -6283,7 +6303,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
rbtdb_rdatatype_t negtype, sigtype;
|
||||
dns_trust_t trust;
|
||||
int idx;
|
||||
- uint32_t ntypes;
|
||||
+ uint32_t ntypes = 0;
|
||||
|
||||
/*
|
||||
* Add an rdatasetheader_t to a node.
|
||||
@@ -6348,7 +6368,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
set_ttl(rbtdb, topheader, 0);
|
||||
mark_header_ancient(rbtdb, topheader);
|
||||
}
|
||||
- ntypes = 0;
|
||||
goto find_header;
|
||||
}
|
||||
/*
|
||||
@@ -6360,6 +6379,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
{
|
||||
if (topheader->type == sigtype) {
|
||||
sigheader = topheader;
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
|
||||
@@ -6372,11 +6392,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
* check for an extant non-ancient NODATA ncache
|
||||
* entry which covers the same type as the RRSIG.
|
||||
*/
|
||||
- ntypes = 0;
|
||||
for (topheader = rbtnode->data; topheader != NULL;
|
||||
topheader = topheader->next)
|
||||
{
|
||||
- ntypes++;
|
||||
if ((topheader->type ==
|
||||
RBTDB_RDATATYPE_NCACHEANY) ||
|
||||
(newheader->type == sigtype &&
|
||||
@@ -6421,12 +6439,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
|
||||
}
|
||||
}
|
||||
|
||||
- ntypes = 0;
|
||||
for (topheader = rbtnode->data; topheader != NULL;
|
||||
topheader = topheader->next)
|
||||
{
|
||||
- ntypes++;
|
||||
- if (prio_type(topheader->type)) {
|
||||
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
|
||||
+ ++ntypes;
|
||||
+ expireheader = topheader;
|
||||
+ } else if (!IS_CACHE(rbtdb)) {
|
||||
+ ++ntypes;
|
||||
+ }
|
||||
+ if (prio_header(topheader)) {
|
||||
prioheader = topheader;
|
||||
}
|
||||
if (topheader->type == newheader->type ||
|
||||
@@ -6783,8 +6805,7 @@ find_header:
|
||||
/*
|
||||
* No rdatasets of the given type exist at the node.
|
||||
*/
|
||||
-
|
||||
- if (ntypes > DNS_RBTDB_MAX_RTYPES) {
|
||||
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
|
||||
free_rdataset(rbtdb, rbtdb->common.mctx,
|
||||
newheader);
|
||||
return (ISC_R_QUOTA);
|
||||
@@ -6792,7 +6813,7 @@ find_header:
|
||||
|
||||
newheader->down = NULL;
|
||||
|
||||
- if (prio_type(newheader->type)) {
|
||||
+ if (prio_header(newheader)) {
|
||||
/* This is a priority type, prepend it */
|
||||
newheader->next = rbtnode->data;
|
||||
rbtnode->data = newheader;
|
||||
@@ -6805,6 +6826,31 @@ find_header:
|
||||
newheader->next = rbtnode->data;
|
||||
rbtnode->data = newheader;
|
||||
}
|
||||
+
|
||||
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
|
||||
+ if (expireheader == NULL) {
|
||||
+ expireheader = newheader;
|
||||
+ }
|
||||
+ if (NEGATIVE(newheader) &&
|
||||
+ !prio_header(newheader))
|
||||
+ {
|
||||
+ /*
|
||||
+ * Add the new non-priority negative
|
||||
+ * header to the database only
|
||||
+ * temporarily.
|
||||
+ */
|
||||
+ expireheader = newheader;
|
||||
+ }
|
||||
+
|
||||
+ set_ttl(rbtdb, expireheader, 0);
|
||||
+ mark_header_ancient(rbtdb, expireheader);
|
||||
+ /*
|
||||
+ * FIXME: In theory, we should mark the RRSIG
|
||||
+ * and the header at the same time, but there is
|
||||
+ * no direct link between those two header, so
|
||||
+ * we would have to check the whole list again.
|
||||
+ */
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.40.1
|
||||
|
|
@ -0,0 +1,432 @@
|
|||
From 6a4565566db942eb660e421786f73bc5baffc7b8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
|
||||
Date: Thu, 16 May 2024 12:10:41 +0200
|
||||
Subject: [PATCH 1/5] Remove support for SIG(0) message verification
|
||||
|
||||
(cherry picked from commit 857fd5c346e3309ee8e280c29174b46579af5a13)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
lib/dns/message.c | 99 +++--------------------------------------------
|
||||
lib/ns/client.c | 7 ++++
|
||||
2 files changed, 13 insertions(+), 93 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
||||
index 22aa552..12331ab 100644
|
||||
--- a/lib/dns/message.c
|
||||
+++ b/lib/dns/message.c
|
||||
@@ -3301,111 +3301,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
|
||||
|
||||
isc_result_t
|
||||
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
|
||||
- isc_buffer_t b, msgb;
|
||||
+ isc_buffer_t msgb;
|
||||
|
||||
REQUIRE(DNS_MESSAGE_VALID(msg));
|
||||
|
||||
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
|
||||
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
INSIST(msg->saved.base != NULL);
|
||||
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
|
||||
isc_buffer_add(&msgb, msg->saved.length);
|
||||
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
|
||||
#ifdef SKAN_MSG_DEBUG
|
||||
- dns_message_dumpsig(msg, "dns_message_checksig#1");
|
||||
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
|
||||
#endif /* ifdef SKAN_MSG_DEBUG */
|
||||
- if (view != NULL) {
|
||||
- return (dns_view_checksig(view, &msgb, msg));
|
||||
- } else {
|
||||
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
|
||||
- }
|
||||
+ if (view != NULL) {
|
||||
+ return (dns_view_checksig(view, &msgb, msg));
|
||||
} else {
|
||||
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
- dns_rdata_sig_t sig;
|
||||
- dns_rdataset_t keyset;
|
||||
- isc_result_t result;
|
||||
-
|
||||
- result = dns_rdataset_first(msg->sig0);
|
||||
- INSIST(result == ISC_R_SUCCESS);
|
||||
- dns_rdataset_current(msg->sig0, &rdata);
|
||||
-
|
||||
- /*
|
||||
- * This can occur when the message is a dynamic update, since
|
||||
- * the rdata length checking is relaxed. This should not
|
||||
- * happen in a well-formed message, since the SIG(0) is only
|
||||
- * looked for in the additional section, and the dynamic update
|
||||
- * meta-records are in the prerequisite and update sections.
|
||||
- */
|
||||
- if (rdata.length == 0) {
|
||||
- return (ISC_R_UNEXPECTEDEND);
|
||||
- }
|
||||
-
|
||||
- result = dns_rdata_tostruct(&rdata, &sig, NULL);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- return (result);
|
||||
- }
|
||||
-
|
||||
- dns_rdataset_init(&keyset);
|
||||
- if (view == NULL) {
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
- goto freesig;
|
||||
- }
|
||||
- result = dns_view_simplefind(view, &sig.signer,
|
||||
- dns_rdatatype_key /* SIG(0) */, 0,
|
||||
- 0, false, &keyset, NULL);
|
||||
-
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- /* XXXBEW Should possibly create a fetch here */
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
- goto freesig;
|
||||
- } else if (keyset.trust < dns_trust_secure) {
|
||||
- /* XXXBEW Should call a validator here */
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
- goto freesig;
|
||||
- }
|
||||
- result = dns_rdataset_first(&keyset);
|
||||
- INSIST(result == ISC_R_SUCCESS);
|
||||
- for (; result == ISC_R_SUCCESS;
|
||||
- result = dns_rdataset_next(&keyset))
|
||||
- {
|
||||
- dst_key_t *key = NULL;
|
||||
-
|
||||
- dns_rdata_reset(&rdata);
|
||||
- dns_rdataset_current(&keyset, &rdata);
|
||||
- isc_buffer_init(&b, rdata.data, rdata.length);
|
||||
- isc_buffer_add(&b, rdata.length);
|
||||
-
|
||||
- result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
|
||||
- view->mctx, &key);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- continue;
|
||||
- }
|
||||
- if (dst_key_alg(key) != sig.algorithm ||
|
||||
- dst_key_id(key) != sig.keyid ||
|
||||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
|
||||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
|
||||
- {
|
||||
- dst_key_free(&key);
|
||||
- continue;
|
||||
- }
|
||||
- result = dns_dnssec_verifymessage(&msgb, msg, key);
|
||||
- dst_key_free(&key);
|
||||
- if (result == ISC_R_SUCCESS) {
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- if (result == ISC_R_NOMORE) {
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
- }
|
||||
-
|
||||
- freesig:
|
||||
- if (dns_rdataset_isassociated(&keyset)) {
|
||||
- dns_rdataset_disassociate(&keyset);
|
||||
- }
|
||||
- dns_rdata_freestruct(&sig);
|
||||
- return (result);
|
||||
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/lib/ns/client.c b/lib/ns/client.c
|
||||
index d4ce000..2679a5e 100644
|
||||
--- a/lib/ns/client.c
|
||||
+++ b/lib/ns/client.c
|
||||
@@ -2041,6 +2041,13 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
|
||||
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
|
||||
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||
"request is signed by a nonauthoritative key");
|
||||
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
|
||||
+ client->message->sig0 != NULL)
|
||||
+ {
|
||||
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
|
||||
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||
+ "request has a SIG(0) signature but its support "
|
||||
+ "was removed (CVE-2024-1975)");
|
||||
} else {
|
||||
char tsigrcode[64];
|
||||
isc_buffer_t b;
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From afd9c8976d78a5145a92ff0cccc2954083042555 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
|
||||
Date: Thu, 16 May 2024 12:15:23 +0200
|
||||
Subject: [PATCH 2/5] Document SIG(0) verification removal
|
||||
|
||||
(cherry picked from commit 654ba34d80b8b6ed805461d7ada2466f8c19a6f1)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
doc/arm/advanced.rst | 18 +++---------------
|
||||
doc/arm/general.rst | 6 ++----
|
||||
doc/arm/reference.rst | 4 ++--
|
||||
doc/arm/security.rst | 4 ++--
|
||||
4 files changed, 9 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
|
||||
index 4405b5c..f3325d9 100644
|
||||
--- a/doc/arm/advanced.rst
|
||||
+++ b/doc/arm/advanced.rst
|
||||
@@ -537,7 +537,7 @@ zone).
|
||||
The TKEY process is initiated by a client or server by sending a query
|
||||
of type TKEY to a TKEY-aware server. The query must include an
|
||||
appropriate KEY record in the additional section, and must be signed
|
||||
-using either TSIG or SIG(0) with a previously established key. The
|
||||
+using either TSIG with a previously established key. The
|
||||
server's response, if successful, contains a TKEY record in its
|
||||
answer section. After this transaction, both participants have
|
||||
enough information to calculate a shared secret using Diffie-Hellman key
|
||||
@@ -555,20 +555,8 @@ deletion" mode.
|
||||
SIG(0)
|
||||
------
|
||||
|
||||
-BIND partially supports DNSSEC SIG(0) transaction signatures as
|
||||
-specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
|
||||
-authenticate messages. Access control is performed in the same manner as with
|
||||
-TSIG keys; privileges can be granted or denied in ACL directives based
|
||||
-on the key name.
|
||||
-
|
||||
-When a SIG(0) signed message is received, it is only verified if
|
||||
-the key is known and trusted by the server. The server does not attempt
|
||||
-to recursively fetch or validate the key.
|
||||
-
|
||||
-SIG(0) signing of multiple-message TCP streams is not supported.
|
||||
-
|
||||
-The only tool shipped with BIND 9 that generates SIG(0) signed messages
|
||||
-is ``nsupdate``.
|
||||
+Support for DNSSEC SIG(0) transaction signatures was removed.
|
||||
+This is a countermeasure for CVE-2024-1975.
|
||||
|
||||
.. include:: managed-keys.rst
|
||||
.. include:: pkcs11.rst
|
||||
diff --git a/doc/arm/general.rst b/doc/arm/general.rst
|
||||
index d7b7c20..136e806 100644
|
||||
--- a/doc/arm/general.rst
|
||||
+++ b/doc/arm/general.rst
|
||||
@@ -367,10 +367,8 @@ Notes
|
||||
.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
|
||||
feature.
|
||||
|
||||
-.. [#rfc2931] When receiving a query signed with a SIG(0), the server is
|
||||
- only able to verify the signature if it has the key in its local
|
||||
- authoritative data; it cannot do recursion or validation to
|
||||
- retrieve unknown keys.
|
||||
+.. [#rfc2931] Support for SIG(0) message verification was removed
|
||||
+ as a countermeasure for CVE-2024-1975.
|
||||
|
||||
.. [#rfc2874] Compliance is with loading and serving of A6 records only.
|
||||
A6 records were moved to the experimental category by :rfc:`3363`.
|
||||
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
|
||||
index ecc84d4..f982e0a 100644
|
||||
--- a/doc/arm/reference.rst
|
||||
+++ b/doc/arm/reference.rst
|
||||
@@ -5900,7 +5900,7 @@ The ``update-policy`` clause allows more fine-grained control over which
|
||||
updates are allowed. It specifies a set of rules, in which each rule
|
||||
either grants or denies permission for one or more names in the zone to
|
||||
be updated by one or more identities. Identity is determined by the key
|
||||
-that signed the update request, using either TSIG or SIG(0). In most
|
||||
+that signed the update request, using either TSIG. In most
|
||||
cases, ``update-policy`` rules only apply to key-based identities. There
|
||||
is no way to specify update permissions based on the client source address.
|
||||
|
||||
@@ -5957,7 +5957,7 @@ field), and the type of the record to be updated matches the ``types``
|
||||
field. Details for each rule type are described below.
|
||||
|
||||
The ``identity`` field must be set to a fully qualified domain name. In
|
||||
-most cases, this represents the name of the TSIG or SIG(0) key that
|
||||
+most cases, this represents the name of the TSIG key that
|
||||
must be used to sign the update request. If the specified name is a
|
||||
wildcard, it is subject to DNS wildcard expansion, and the rule may
|
||||
apply to multiple identities. When a TKEY exchange has been used to
|
||||
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
|
||||
index 817ebd0..92b1668 100644
|
||||
--- a/doc/arm/security.rst
|
||||
+++ b/doc/arm/security.rst
|
||||
@@ -83,7 +83,7 @@ Limiting access to the server by outside parties can help prevent
|
||||
spoofing and denial of service (DoS) attacks against the server.
|
||||
|
||||
ACLs match clients on the basis of up to three characteristics: 1) The
|
||||
-client's IP address; 2) the TSIG or SIG(0) key that was used to sign the
|
||||
+client's IP address; 2) the TSIG key that was used to sign the
|
||||
request, if any; and 3) an address prefix encoded in an EDNS
|
||||
Client-Subnet option, if any.
|
||||
|
||||
@@ -124,7 +124,7 @@ and no queries at all from the networks specified in ``bogusnets``.
|
||||
|
||||
In addition to network addresses and prefixes, which are matched against
|
||||
the source address of the DNS request, ACLs may include ``key``
|
||||
-elements, which specify the name of a TSIG or SIG(0) key.
|
||||
+elements, which specify the name of a TSIG key.
|
||||
|
||||
When BIND 9 is built with GeoIP support, ACLs can also be used for
|
||||
geographic access restrictions. This is done by specifying an ACL
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From d58461e425e61c1740ff4e914c7d41513c972850 Mon Sep 17 00:00:00 2001
|
||||
From: Aram Sargsyan <aram@isc.org>
|
||||
Date: Tue, 21 May 2024 08:45:48 +0000
|
||||
Subject: [PATCH 3/5] Enable stdout autoflush in authsock.pl
|
||||
|
||||
With enabled buffering the output gets lost when the process
|
||||
receives a TERM signal. Disable the buffering.
|
||||
|
||||
(cherry picked from commit a0311dfb6e2a51f89dfa8b200b96a0f4675fb654)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
bin/tests/system/tsiggss/authsock.pl | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
|
||||
index d629c65..d181b1a 100644
|
||||
--- a/bin/tests/system/tsiggss/authsock.pl
|
||||
+++ b/bin/tests/system/tsiggss/authsock.pl
|
||||
@@ -33,6 +33,10 @@ if (!defined($path)) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+# Enable output autoflush so that it's not lost when the parent sends TERM.
|
||||
+select STDOUT;
|
||||
+$| = 1;
|
||||
+
|
||||
unlink($path);
|
||||
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
|
||||
die "unable to create socket $path";
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From d8431d0c68df185077cf656edf46a985f3291a30 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
|
||||
Date: Fri, 17 May 2024 12:23:05 +0200
|
||||
Subject: [PATCH 4/5] Adapt the tsiggss test to the SIG(0) removal
|
||||
|
||||
Test that SIG(0) signer is NOT sent to the external socket for
|
||||
authorization. It MUST NOT be considered a valid signature by
|
||||
any chance.
|
||||
|
||||
Also check that the signer's name does not appear in authsock.pl
|
||||
output.
|
||||
|
||||
(cherry picked from commit cf8838085905171fbc00747eb210e8b8284ca0e1)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
bin/tests/system/tsiggss/authsock.pl | 1 +
|
||||
bin/tests/system/tsiggss/clean.sh | 2 +-
|
||||
bin/tests/system/tsiggss/tests.sh | 12 +++++++-----
|
||||
3 files changed, 9 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
|
||||
index d181b1a..b3888fb 100644
|
||||
--- a/bin/tests/system/tsiggss/authsock.pl
|
||||
+++ b/bin/tests/system/tsiggss/authsock.pl
|
||||
@@ -59,6 +59,7 @@ if ($timeout != 0) {
|
||||
}
|
||||
|
||||
while (my $client = $server->accept()) {
|
||||
+ printf("accept()\n");
|
||||
$client->recv(my $buf, 8, 0);
|
||||
my ($version, $req_len) = unpack('N N', $buf);
|
||||
|
||||
diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh
|
||||
index 0ace209..ce885d5 100644
|
||||
--- a/bin/tests/system/tsiggss/clean.sh
|
||||
+++ b/bin/tests/system/tsiggss/clean.sh
|
||||
@@ -21,7 +21,7 @@ rm -f ns1/_default.tsigkeys
|
||||
rm -f */named.memstats
|
||||
rm -f */named.conf
|
||||
rm -f */named.run
|
||||
-rm -f authsock.pid
|
||||
+rm -f authsock.log authsock.pid
|
||||
rm -f ns1/core
|
||||
rm -f nsupdate.out*
|
||||
rm -f ns*/named.lock
|
||||
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
|
||||
index a665703..34b8c89 100644
|
||||
--- a/bin/tests/system/tsiggss/tests.sh
|
||||
+++ b/bin/tests/system/tsiggss/tests.sh
|
||||
@@ -116,7 +116,7 @@ status=$((status + ret))
|
||||
|
||||
echo_i "testing external update policy (CNAME) with auth sock ($n)"
|
||||
ret=0
|
||||
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 &
|
||||
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
|
||||
sleep 1
|
||||
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
|
||||
n=$((n + 1))
|
||||
@@ -130,17 +130,19 @@ n=$((n + 1))
|
||||
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
-echo_i "testing external policy with SIG(0) key ($n)"
|
||||
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
|
||||
ret=0
|
||||
-$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END >/dev/null 2>&1 || ret=1
|
||||
+$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
|
||||
+debug
|
||||
server 10.53.0.1 ${PORT}
|
||||
zone example.nil
|
||||
update add fred.example.nil 120 cname foo.bar.
|
||||
send
|
||||
END
|
||||
output=$($DIG $DIGOPTS +short cname fred.example.nil.)
|
||||
-[ -n "$output" ] || ret=1
|
||||
-[ $ret -eq 0 ] || echo_i "failed"
|
||||
+# update must have failed - SIG(0) signer is not supported
|
||||
+[ -n "$output" ] && ret=1
|
||||
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
|
||||
n=$((n + 1))
|
||||
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
--
|
||||
2.40.1
|
||||
|
||||
From db69c8bb093a19eafb016b14aff45b69803f0065 Mon Sep 17 00:00:00 2001
|
||||
From: Aram Sargsyan <aram@isc.org>
|
||||
Date: Tue, 21 May 2024 09:29:35 +0000
|
||||
Subject: [PATCH 5/5] Adapt the upforwd test to the SIG(0) removal
|
||||
|
||||
Change the check so that update with SIG(0) is expected to fail.
|
||||
|
||||
(cherry picked from commit 5f7558f6dbb0527c08caf281299245ab8de268cd)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
bin/tests/system/upforwd/tests.sh | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index 9165ba9..89e2241 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -262,10 +262,12 @@ if $FEATURETEST --enable-dnstap; then
|
||||
fi
|
||||
|
||||
if test -f keyname; then
|
||||
- echo_i "checking update forwarding to with sig0 ($n)"
|
||||
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
|
||||
ret=0
|
||||
keyname=$(cat keyname)
|
||||
- $NSUPDATE -k $keyname.private -- - <<EOF
|
||||
+ # SIG(0) is removed, update is expected to fail.
|
||||
+ {
|
||||
+ $NSUPDATE -k $keyname.private -- - <<EOF
|
||||
local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone example2
|
||||
@@ -273,8 +275,9 @@ if test -f keyname; then
|
||||
update add unsigned.example2. 600 TXT Foo
|
||||
send
|
||||
EOF
|
||||
+ } >nsupdate.out.$n 2>&1 && ret=1
|
||||
$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 >dig.out.ns1.test$n || ret=1
|
||||
- grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
|
||||
+ grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$(expr $status + $ret)
|
||||
n=$(expr $n + 1)
|
||||
--
|
||||
2.40.1
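Review bot: In the `dns_message_checksig` hunk for `lib/dns/message.c`, the early return now fires on `msg->tsigkey == NULL && msg->tsig == NULL` even when `msg->sig0` is set, so a message carrying only a SIG(0) record gets `ISC_R_SUCCESS` without any verification. That is safe only if every caller reads success as "nothing failed" rather than "signature verified". The `lib/ns/client.c` hunk does test `client->message->sig0 != NULL` separately, but the other callers are not visible in this patch. I would add a comment above that return, `/* SIG(0) is no longer verified: a message with only SIG(0) returns success and must be handled as unsigned by the caller. */`, and check the remaining callers of `dns_message_checksig` against that contract.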
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 63fac0c45a583983847b17d1220dccf13d1cac7e Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Tue, 16 Jan 2024 14:25:27 +1100
|
||||
Subject: [PATCH] Clear qctx->zversion
|
||||
|
||||
Clear qctx->zversion when clearing qctx->zrdataset et al in
|
||||
lib/ns/query.c:qctx_freedata. The uncleared pointer could lead to
|
||||
an assertion failure if zone data needed to be re-saved which could
|
||||
happen with stale data support enabled.
|
||||
|
||||
(cherry picked from commit 179fb3532ab8d4898ab070b2db54c0ce872ef709)
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
lib/ns/query.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index 1290c30..ec9bf5b 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -5260,6 +5260,7 @@ qctx_freedata(query_ctx_t *qctx) {
|
||||
ns_client_releasename(qctx->client, &qctx->zfname);
|
||||
dns_db_detachnode(qctx->zdb, &qctx->znode);
|
||||
dns_db_detach(&qctx->zdb);
|
||||
+ qctx->zversion = NULL;
|
||||
}
|
||||
|
||||
if (qctx->event != NULL && !qctx->client->nodetach) {
|
||||
--
|
||||
2.40.1
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"bind-9.16.50.tar.xz": "816dbaa3c115019f30fcebd9e8ef8f7637f4adde91c79daa099b035255a15795",
|
||||
"generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
|
||||
"named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
|
||||
"named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a",
|
||||
|
@ -13,7 +14,6 @@
|
|||
"named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735",
|
||||
"named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816",
|
||||
"setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a",
|
||||
"setup-named-softhsm.sh": "3b243d9e48577acb95a08ae5dd7288c5eec4830bc02bd29b1f1724c497d12864",
|
||||
"bind-9.16.48.tar.xz": "8d3814582348f90dead1ad410b1019094cd399d3d83930abebb2b3b1eb0b2bbb"
|
||||
"setup-named-softhsm.sh": "3b243d9e48577acb95a08ae5dd7288c5eec4830bc02bd29b1f1724c497d12864"
|
||||
}
|
||||
}
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
Summary: Domain Name System software
|
||||
Name: bind
|
||||
Version: 9.16.48
|
||||
Version: 9.16.50
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -33,6 +33,9 @@ Source14: setup-named-softhsm.sh
|
|||
Source15: named-chroot.files
|
||||
Patch9: bind-9.14-config-pkcs11.patch
|
||||
Patch10: bind-9.10-dist-native-pkcs11.patch
|
||||
Patch11: CVE-2024-1737.patch
|
||||
Patch12: CVE-2024-1975.patch
|
||||
Patch13: CVE-2024-4076.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: json-c-devel
|
||||
|
@ -234,6 +237,9 @@ cp -r bin/dnssec{,-pkcs11}
|
|||
cp -r lib/dns{,-pkcs11}
|
||||
cp -r lib/ns{,-pkcs11}
|
||||
%patch10 -p1 -b .dist_pkcs11
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
|
||||
libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
|
||||
|
||||
|
@ -613,6 +619,10 @@ fi;
|
|||
%{_mandir}/man8/named-nzd2nzf.8*
|
||||
|
||||
%changelog
|
||||
* Tue Aug 06 2024 Muhammad Falak <mwani@microsoft.com> - 9.16.50-1
|
||||
- Bump version to 9.16.50
|
||||
- Introduce patch to address CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076
|
||||
|
||||
* Wed Feb 28 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 9.16.48-1
|
||||
- Auto-upgrade to 9.16.48 - Fix CVE-2023-50387
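Review bot: `%patch11 -p1`, `%patch12 -p1` and `%patch13 -p1` run after `cp -r lib/dns{,-pkcs11}` and `cp -r lib/ns{,-pkcs11}`, so the copied `-pkcs11` trees do not receive the changes these patches make to `lib/dns/rbtdb.c`, `lib/dns/message.c`, `lib/ns/client.c` and `lib/ns/query.c`. If the spec still builds a PKCS#11 variant from those copies, that variant would ship without the fixes for CVE-2024-1737, CVE-2024-1975 and CVE-2024-4076, even though the changelog says they are addressed. Moving the three `%patch` lines above the `cp -r` lines would patch both trees, provided `%patch10` still applies cleanly afterwards. The rest of `%prep` lies outside this hunk, so whether the copies are conditional cannot be seen from here.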
|
||||
|
||||
|
|
|
@ -0,0 +1,83 @@
|
|||
From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001
|
||||
From: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Date: Fri, 26 May 2023 19:36:58 +0200
|
||||
Subject: [PATCH 01/19] awk: fix use-after-realloc (CVE-2021-42380), closes
|
||||
15601
|
||||
|
||||
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
editors/awk.c | 26 ++++++++++++++++++++------
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/editors/awk.c b/editors/awk.c
|
||||
index 728ee8685..2af823808 100644
|
||||
--- a/editors/awk.c
|
||||
+++ b/editors/awk.c
|
||||
@@ -555,7 +555,7 @@ struct globals {
|
||||
const char *g_progname;
|
||||
int g_lineno;
|
||||
int nfields;
|
||||
- int maxfields; /* used in fsrealloc() only */
|
||||
+ unsigned maxfields;
|
||||
var *Fields;
|
||||
char *g_pos;
|
||||
char g_saved_ch;
|
||||
@@ -1931,9 +1931,9 @@ static void fsrealloc(int size)
|
||||
{
|
||||
int i, newsize;
|
||||
|
||||
- if (size >= maxfields) {
|
||||
- /* Sanity cap, easier than catering for overflows */
|
||||
- if (size > 0xffffff)
|
||||
+ if ((unsigned)size >= maxfields) {
|
||||
+ /* Sanity cap, easier than catering for over/underflows */
|
||||
+ if ((unsigned)size > 0xffffff)
|
||||
bb_die_memory_exhausted();
|
||||
|
||||
i = maxfields;
|
||||
@@ -2891,6 +2891,7 @@ static var *evaluate(node *op, var *res)
|
||||
uint32_t opinfo;
|
||||
int opn;
|
||||
node *op1;
|
||||
+ var *old_Fields_ptr;
|
||||
|
||||
opinfo = op->info;
|
||||
opn = (opinfo & OPNMASK);
|
||||
@@ -2899,10 +2900,16 @@ static var *evaluate(node *op, var *res)
|
||||
debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
|
||||
|
||||
/* execute inevitable things */
|
||||
+ old_Fields_ptr = NULL;
|
||||
if (opinfo & OF_RES1) {
|
||||
if ((opinfo & OF_REQUIRED) && !op1)
|
||||
syntax_error(EMSG_TOO_FEW_ARGS);
|
||||
L.v = evaluate(op1, TMPVAR0);
|
||||
+ /* Does L.v point to $n variable? */
|
||||
+ if ((size_t)(L.v - Fields) < maxfields) {
|
||||
+ /* yes, remember where Fields[] is */
|
||||
+ old_Fields_ptr = Fields;
|
||||
+ }
|
||||
if (opinfo & OF_STR1) {
|
||||
L.s = getvar_s(L.v);
|
||||
debug_printf_eval("L.s:'%s'\n", L.s);
|
||||
@@ -2921,8 +2928,15 @@ static var *evaluate(node *op, var *res)
|
||||
*/
|
||||
if (opinfo & OF_RES2) {
|
||||
R.v = evaluate(op->r.n, TMPVAR1);
|
||||
- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
|
||||
- //L.v = NULL;
|
||||
+ /* Seen in $5=$$5=$0:
|
||||
+ * Evaluation of R.v ($$5=$0 expression)
|
||||
+ * made L.v ($5) invalid. It's detected here.
|
||||
+ */
|
||||
+ if (old_Fields_ptr) {
|
||||
+ //if (old_Fields_ptr != Fields)
|
||||
+ // debug_printf_eval("L.v moved\n");
|
||||
+ L.v += Fields - old_Fields_ptr;
|
||||
+ }
|
||||
if (opinfo & OF_STR2) {
|
||||
R.s = getvar_s(R.v);
|
||||
debug_printf_eval("R.s:'%s'\n", R.s);
|
||||
--
|
||||
2.46.0
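Review bot: In the `evaluate()` hunk, `L.v += Fields - old_Fields_ptr;` subtracts a pointer into the old `Fields[]` block after the second `evaluate()` may have reallocated it. That is pointer arithmetic across two allocations, which ISO C leaves undefined even though it works on flat-memory targets. Saving the element index avoids it: `fields_idx = L.v - Fields;` where `old_Fields_ptr` is recorded, then `L.v = Fields + fields_idx;` after `R.v = evaluate(op->r.n, TMPVAR1);`. The code is carried verbatim from upstream, so if the backport must stay byte-identical, a short comment noting the assumption would be enough. `evaluate()` starts and ends outside these hunks.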
|
|
@ -0,0 +1,63 @@
|
|||
From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001
|
||||
From: Natanael Copa <ncopa@alpinelinux.org>
|
||||
Date: Mon, 20 May 2024 17:55:28 +0200
|
||||
Subject: [PATCH 19/19] awk: fix use after free (CVE-2023-42363)
|
||||
|
||||
function old new delta
|
||||
evaluate 3377 3385 +8
|
||||
|
||||
Fixes https://bugs.busybox.net/show_bug.cgi?id=15865
|
||||
|
||||
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
|
||||
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
||||
---
|
||||
editors/awk.c | 21 +++++++++++++--------
|
||||
1 file changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/editors/awk.c b/editors/awk.c
|
||||
index 0981c6735..ff6d6350b 100644
|
||||
--- a/editors/awk.c
|
||||
+++ b/editors/awk.c
|
||||
@@ -2981,19 +2981,14 @@ static var *evaluate(node *op, var *res)
|
||||
/* yes, remember where Fields[] is */
|
||||
old_Fields_ptr = Fields;
|
||||
}
|
||||
- if (opinfo & OF_STR1) {
|
||||
- L.s = getvar_s(L.v);
|
||||
- debug_printf_eval("L.s:'%s'\n", L.s);
|
||||
- }
|
||||
if (opinfo & OF_NUM1) {
|
||||
L_d = getvar_i(L.v);
|
||||
debug_printf_eval("L_d:%f\n", L_d);
|
||||
}
|
||||
}
|
||||
- /* NB: Must get string/numeric values of L (done above)
|
||||
- * _before_ evaluate()'ing R.v: if both L and R are $NNNs,
|
||||
- * and right one is large, then L.v points to Fields[NNN1],
|
||||
- * second evaluate() reallocates and moves (!) Fields[],
|
||||
+ /* NB: if both L and R are $NNNs, and right one is large,
|
||||
+ * then at this pint L.v points to Fields[NNN1], second
|
||||
+ * evaluate() below reallocates and moves (!) Fields[],
|
||||
* R.v points to Fields[NNN2] but L.v now points to freed mem!
|
||||
* (Seen trying to evaluate "$444 $44444")
|
||||
*/
|
||||
@@ -3013,6 +3008,16 @@ static var *evaluate(node *op, var *res)
|
||||
debug_printf_eval("R.s:'%s'\n", R.s);
|
||||
}
|
||||
}
|
||||
+ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v
|
||||
+ * so we must get the string after "old_Fields_ptr" correction
|
||||
+ * above. Testcase: x = (v = "abc", gsub("b", "X", v));
|
||||
+ */
|
||||
+ if (opinfo & OF_RES1) {
|
||||
+ if (opinfo & OF_STR1) {
|
||||
+ L.s = getvar_s(L.v);
|
||||
+ debug_printf_eval("L.s:'%s'\n", L.s);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
|
||||
switch (XC(opinfo & OPCLSMASK)) {
|
||||
--
|
||||
2.46.0
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Statically linked binary providing simplified versions of system commands
|
||||
Name: busybox
|
||||
Version: 1.35.0
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -17,6 +17,10 @@ Patch4: ash-fix-use-after-free-in-pattern-substituon-code.patch
|
|||
Patch5: ash-fix-use-after-free-in-bash-pattern-substitution.patch
|
||||
Patch6: selinux-copy-file.patch
|
||||
Patch7: selinux-cp-a.patch
|
||||
Patch8: CVE-2021-42380.patch
|
||||
# Also Fixes CVE-2023-42364
|
||||
Patch9: CVE-2023-42363.patch
|
||||
Patch10: CVE-2023-42365.patch
|
||||
BuildRequires: gcc
|
||||
BuildRequires: glibc-static >= 2.35-7%{?dist}
|
||||
BuildRequires: libselinux-devel >= 1.27.7-2
|
||||
|
@ -96,6 +100,9 @@ install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.pet
|
|||
%{_mandir}/man1/busybox.petitboot.1.gz
|
||||
|
||||
%changelog
|
||||
* Tue Aug 13 2024 Suresh Thelkar <sthelkar@microsoft.com> - 1.35.0-11
|
||||
- Address CVE-2021-42380, CVE-2023-42363, CVE-2023-42364 & CVE-2023-42365
|
||||
|
||||
* Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.35.0-10
|
||||
- Bump release to rebuild against glibc 2.35-7
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
"README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
|
||||
"bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
|
||||
"certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
|
||||
"certdata.microsoft.txt": "89655788a99b61c94aa18ad060b7e032d3e63b9db1417b1496e767662126c75a",
|
||||
"certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
|
||||
"certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
|
||||
"pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
|
||||
"trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
|
||||
|
|
|
@ -45,7 +45,7 @@ Name: ca-certificates
|
|||
# When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
|
||||
Epoch: 1
|
||||
Version: 2.0.0
|
||||
Release: 17%{?dist}
|
||||
Release: 18%{?dist}
|
||||
License: MPLv2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -324,6 +324,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
|
|||
%{_bindir}/bundle2pem.sh
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.0.0-18
|
||||
- Updating Microsoft trusted root CAs.
|
||||
|
||||
* Mon Apr 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.0.0-17
|
||||
- Updating Microsoft trusted root CAs.
|
||||
|
||||
|
|
|
@ -0,0 +1,110 @@
|
|||
From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
|
||||
From: Bhagyashri Pathak <bhapathak@microsoft.com>
|
||||
Date: Thu, 8 Aug 2024 10:27:21 +0530
|
||||
Subject: [PATCH] CVE-2024-25620 patch
|
||||
|
||||
---
|
||||
vendor/helm.sh/helm/v3/pkg/chart/metadata.go | 4 ++++
|
||||
.../helm.sh/helm/v3/pkg/chartutil/errors.go | 8 ++++++++
|
||||
vendor/helm.sh/helm/v3/pkg/chartutil/save.go | 20 +++++++++++++++++++
|
||||
.../helm/v3/pkg/lint/rules/chartfile.go | 4 ++++
|
||||
4 files changed, 36 insertions(+)
|
||||
|
||||
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
|
||||
index ae572ab..3834b4c 100644
|
||||
--- a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
|
||||
+++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
|
||||
@@ -16,6 +16,7 @@ limitations under the License.
|
||||
package chart
|
||||
|
||||
import (
|
||||
+ "path/filepath"
|
||||
"strings"
|
||||
"unicode"
|
||||
|
||||
@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
|
||||
if md.Name == "" {
|
||||
return ValidationError("chart.metadata.name is required")
|
||||
}
|
||||
+ if md.Name != filepath.Base(md.Name) {
|
||||
+ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
|
||||
+ }
|
||||
if md.Version == "" {
|
||||
return ValidationError("chart.metadata.version is required")
|
||||
}
|
||||
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
|
||||
index fcdcc27..0a4046d 100644
|
||||
--- a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
|
||||
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
|
||||
@@ -33,3 +33,11 @@ type ErrNoValue struct {
|
||||
}
|
||||
|
||||
func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
|
||||
+
|
||||
+type ErrInvalidChartName struct {
|
||||
+ Name string
|
||||
+}
|
||||
+
|
||||
+func (e ErrInvalidChartName) Error() string {
|
||||
+ return fmt.Sprintf("%q is not a valid chart name", e.Name)
|
||||
+}
|
||||
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
|
||||
index 2ce4edd..4ee9070 100644
|
||||
--- a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
|
||||
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
|
||||
@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
|
||||
// directory, writing the chart's contents to that subdirectory.
|
||||
func SaveDir(c *chart.Chart, dest string) error {
|
||||
// Create the chart directory
|
||||
+ err := validateName(c.Name())
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
outdir := filepath.Join(dest, c.Name())
|
||||
if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
|
||||
return errors.Errorf("file %s already exists and is not a directory", outdir)
|
||||
@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
|
||||
}
|
||||
|
||||
func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
|
||||
+ err := validateName(c.Name())
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
base := filepath.Join(prefix, c.Name())
|
||||
|
||||
// Pull out the dependencies of a v1 Chart, since there's no way
|
||||
@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
|
||||
_, err := out.Write(body)
|
||||
return err
|
||||
}
|
||||
+
|
||||
+// If the name has directory name has characters which would change the location
|
||||
+// they need to be removed.
|
||||
+func validateName(name string) error {
|
||||
+ nname := filepath.Base(name)
|
||||
+
|
||||
+ if nname != name {
|
||||
+ return ErrInvalidChartName{name}
|
||||
+ }
|
||||
+
|
||||
+ return nil
|
||||
+}
|
||||
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
|
||||
index b49f2ce..f8f033c 100644
|
||||
--- a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
|
||||
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
|
||||
@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
|
||||
if cf.Name == "" {
|
||||
return errors.New("name is required")
|
||||
}
|
||||
+ name := filepath.Base(cf.Name)
|
||||
+ if name != cf.Name {
|
||||
+ return fmt.Errorf("chart name %q is invalid", cf.Name)
|
||||
+ }
|
||||
return nil
|
||||
}
|
||||
|
||||
--
|
||||
2.34.1
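Review bot: `validateName` in save.go accepts the names `.` and `..`, because `filepath.Base` returns them unchanged, so `filepath.Join(dest, c.Name())` in `SaveDir` can still resolve to `dest` itself or its parent. The same `filepath.Base` comparison in `Metadata.Validate` and `validateChartName` has the same gap. An explicit guard closes it: `if name == "." || name == ".." || nname != name { return ErrInvalidChartName{name} }`. The doc comment on `validateName` says the offending characters "need to be removed", although the function rejects the name; `// validateName returns ErrInvalidChartName if name is not a single path element.` would match the behaviour.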
|
||||
|
|
@ -0,0 +1,81 @@
|
|||
From 3b68627a36a0682f92acb7fc592dee346b18a22c Mon Sep 17 00:00:00 2001
|
||||
From: Balakumaran Kannan <kumaran.4353@gmail.com>
|
||||
Date: Tue, 30 Jul 2024 12:13:03 +0000
|
||||
Subject: [PATCH] Patch CVE-2024-6104
|
||||
|
||||
---
|
||||
.../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
|
||||
1 file changed, 21 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
index 57116e9..10a5f70 100644
|
||||
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
@@ -577,9 +577,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if logger != nil {
|
||||
switch v := logger.(type) {
|
||||
case LeveledLogger:
|
||||
- v.Debug("performing request", "method", req.Method, "url", req.URL)
|
||||
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
|
||||
case Logger:
|
||||
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
|
||||
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -634,9 +634,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if err != nil {
|
||||
switch v := logger.(type) {
|
||||
case LeveledLogger:
|
||||
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
|
||||
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
|
||||
case Logger:
|
||||
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
|
||||
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
|
||||
}
|
||||
} else {
|
||||
// Call this here to maintain the behavior of logging all requests,
|
||||
@@ -672,7 +672,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
|
||||
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
|
||||
if logger != nil {
|
||||
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
|
||||
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
|
||||
if resp != nil {
|
||||
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
|
||||
}
|
||||
@@ -728,11 +728,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
// communicate why
|
||||
if err == nil {
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
|
||||
- req.Method, req.URL, attempt)
|
||||
+ req.Method, redactURL(req.URL), attempt)
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
|
||||
- req.Method, req.URL, attempt, err)
|
||||
+ req.Method, redactURL(req.URL), attempt, err)
|
||||
}
|
||||
|
||||
// Try to read the response body so we can reuse this connection.
|
||||
@@ -813,3 +813,17 @@ func (c *Client) StandardClient() *http.Client {
|
||||
Transport: &RoundTripper{Client: c},
|
||||
}
|
||||
}
|
||||
+
|
||||
+
|
||||
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
|
||||
+func redactURL(u *url.URL) string {
|
||||
+ if u == nil {
|
||||
+ return ""
|
||||
+ }
|
||||
+
|
||||
+ ru := *u
|
||||
+ if _, has := ru.User.Password(); has {
|
||||
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
|
||||
+ }
|
||||
+ return ru.String()
|
||||
+}
|
||||
--
|
||||
2.33.8
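Review bot: `redactURL` masks only the userinfo password, so a credential carried in the query string or path of `req.URL` (a signed-URL token, for instance) still reaches the debug and error logs and the returned "giving up" error text. The helper should state that limit, e.g. `// redactURL hides only the userinfo password; query parameters and path are logged unchanged.` The changelog in this commit mentions building with go 1.21.11, so `req.URL.Redacted()` could be called directly, though keeping the vendored file identical to upstream is a reasonable choice. The two consecutive blank lines added before the comment are not gofmt-clean.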
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Automatically provision and manage TLS certificates in Kubernetes
|
||||
Name: cert-manager
|
||||
Version: 1.11.2
|
||||
Release: 11%{?dist}
|
||||
Release: 13%{?dist}
|
||||
License: ASL 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -22,6 +22,8 @@ Source1: %{name}-%{version}-govendor.tar.gz
|
|||
Patch0: CVE-2023-48795.patch
|
||||
Patch1: CVE-2023-45288.patch
|
||||
Patch2: CVE-2024-26147.patch
|
||||
Patch3: CVE-2024-25620.patch
|
||||
Patch4: CVE-2024-6104.patch
|
||||
BuildRequires: golang
|
||||
Requires: %{name}-acmesolver
|
||||
Requires: %{name}-cainjector
|
||||
|
@ -114,6 +116,12 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
|
|||
%{_bindir}/webhook
|
||||
|
||||
%changelog
|
||||
* Mon Aug 19 2023 Bala <balakumaran.kannan@microsoft.com> - 1.11.2-13
|
||||
- Patch for CVE-2024-6104
|
||||
|
||||
* Wed Aug 07 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.11.2-12
|
||||
- Patch for CVE-2024-25620
|
||||
|
||||
* Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.11.2-11
|
||||
- Bump release to rebuild with go 1.21.11
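Review bot: The new top changelog entry is dated `Mon Aug 19 2023`, which is older than the `Wed Aug 07 2024` entry directly below it and does not fall on a Monday. rpmbuild will likely flag it as a bogus date, and the changelog is out of chronological order. The line should read `* Mon Aug 19 2024 Bala <balakumaran.kannan@microsoft.com> - 1.11.2-13`.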
|
||||
|
||||
|
|
|
@ -0,0 +1,114 @@
|
|||
From 402e9331a72d543e779898667488a51ad3e3ec13 Mon Sep 17 00:00:00 2001
|
||||
From: Ksenija Stanojevic <KsenijaS@users.noreply.github.com>
|
||||
Date: Fri, 9 Feb 2024 13:32:19 -0800
|
||||
Subject: [PATCH 1/3] feat(azure): Add ProvisionGuestProxyAgent OVF setting
|
||||
(#4860)
|
||||
|
||||
Add ProvisionGuestProxyAgent Boolean configuration setting into the OvfEnv class.
|
||||
This PR is only logging the value of ProvisionGuestProxyAgent.
|
||||
---
|
||||
cloudinit/sources/DataSourceAzure.py | 6 ++++++
|
||||
cloudinit/sources/helpers/azure.py | 8 ++++++++
|
||||
tests/unittests/sources/test_azure.py | 15 +++++++++++++++
|
||||
3 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
|
||||
index 5a82aa34e..dc2b79a3a 100644
|
||||
--- a/cloudinit/sources/DataSourceAzure.py
|
||||
+++ b/cloudinit/sources/DataSourceAzure.py
|
||||
@@ -1784,6 +1784,12 @@ def read_azure_ovf(contents):
|
||||
"PreprovisionedVMType: %s" % ovf_env.preprovisioned_vm_type,
|
||||
logger_func=LOG.info,
|
||||
)
|
||||
+
|
||||
+ cfg["ProvisionGuestProxyAgent"] = ovf_env.provision_guest_proxy_agent
|
||||
+ report_diagnostic_event(
|
||||
+ "ProvisionGuestProxyAgent: %s" % ovf_env.provision_guest_proxy_agent,
|
||||
+ logger_func=LOG.info,
|
||||
+ )
|
||||
return (md, ud, cfg)
|
||||
|
||||
|
||||
diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py
|
||||
index 6e5c1f433..2847a9e53 100644
|
||||
--- a/cloudinit/sources/helpers/azure.py
|
||||
+++ b/cloudinit/sources/helpers/azure.py
|
||||
@@ -1064,6 +1064,7 @@ class OvfEnvXml:
|
||||
public_keys: Optional[List[dict]] = None,
|
||||
preprovisioned_vm: bool = False,
|
||||
preprovisioned_vm_type: Optional[str] = None,
|
||||
+ provision_guest_proxy_agent: bool = False,
|
||||
) -> None:
|
||||
self.username = username
|
||||
self.password = password
|
||||
@@ -1073,6 +1074,7 @@ class OvfEnvXml:
|
||||
self.public_keys: List[dict] = public_keys or []
|
||||
self.preprovisioned_vm = preprovisioned_vm
|
||||
self.preprovisioned_vm_type = preprovisioned_vm_type
|
||||
+ self.provision_guest_proxy_agent = provision_guest_proxy_agent
|
||||
|
||||
def __eq__(self, other) -> bool:
|
||||
return self.__dict__ == other.__dict__
|
||||
@@ -1216,6 +1218,12 @@ class OvfEnvXml:
|
||||
"PreprovisionedVMType",
|
||||
required=False,
|
||||
)
|
||||
+ self.provision_guest_proxy_agent = self._parse_property(
|
||||
+ platform_settings,
|
||||
+ "ProvisionGuestProxyAgent",
|
||||
+ default=False,
|
||||
+ required=False,
|
||||
+ )
|
||||
|
||||
def _parse_ssh_section(self, config_set):
|
||||
self.public_keys = []
|
||||
diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py
|
||||
index 1ddbd3f39..6afde95fd 100644
|
||||
--- a/tests/unittests/sources/test_azure.py
|
||||
+++ b/tests/unittests/sources/test_azure.py
|
||||
@@ -356,6 +356,7 @@ def construct_ovf_env(
|
||||
disable_ssh_password_auth=None,
|
||||
preprovisioned_vm=None,
|
||||
preprovisioned_vm_type=None,
|
||||
+ provision_guest_proxy_agent=None,
|
||||
):
|
||||
content = [
|
||||
'<?xml version="1.0" encoding="utf-8"?>',
|
||||
@@ -426,6 +427,11 @@ def construct_ovf_env(
|
||||
"<ns1:PreprovisionedVMType>%s</ns1:PreprovisionedVMType>"
|
||||
% preprovisioned_vm_type
|
||||
)
|
||||
+ if provision_guest_proxy_agent is not None:
|
||||
+ content.append(
|
||||
+ "<ns1:ProvisionGuestProxyAgent>%s</ns1:ProvisionGuestProxyAgent>"
|
||||
+ % provision_guest_proxy_agent
|
||||
+ )
|
||||
content += [
|
||||
"</ns1:PlatformSettings>",
|
||||
"</ns1:PlatformSettingsSection>",
|
||||
@@ -1316,6 +1322,7 @@ scbus-1 on xpt0 bus 0
|
||||
expected_cfg = {
|
||||
"PreprovisionedVMType": None,
|
||||
"PreprovisionedVm": False,
|
||||
+ "ProvisionGuestProxyAgent": False,
|
||||
"system_info": {"default_user": {"name": "myuser"}},
|
||||
}
|
||||
expected_metadata = {
|
||||
@@ -2668,6 +2675,14 @@ class TestPreprovisioningReadAzureOvfFlag(CiTestCase):
|
||||
self.assertTrue(cfg["PreprovisionedVm"])
|
||||
self.assertEqual("Savable", cfg["PreprovisionedVMType"])
|
||||
|
||||
+ def test_read_azure_ovf_with_proxy_guest_agent(self):
|
||||
+ """The read_azure_ovf method should set ProvisionGuestProxyAgent
|
||||
+ cfg flag to True."""
|
||||
+ content = construct_ovf_env(provision_guest_proxy_agent=True)
|
||||
+ ret = dsaz.read_azure_ovf(content)
|
||||
+ cfg = ret[2]
|
||||
+ self.assertTrue(cfg["ProvisionGuestProxyAgent"])
|
||||
+
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"ovf_cfg,imds_md,pps_type",
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
From e3ba5800d26065df9ce03ee2ac58ec6f08506423 Mon Sep 17 00:00:00 2001
|
||||
From: Ksenija Stanojevic <KsenijaS@users.noreply.github.com>
|
||||
Date: Fri, 5 Apr 2024 16:52:26 -0700
|
||||
Subject: [PATCH 2/3] feat(azure): parse ProvisionGuestProxyAgent as bool
|
||||
(#5126)
|
||||
|
||||
---
|
||||
cloudinit/sources/helpers/azure.py | 1 +
|
||||
tests/unittests/sources/test_azure.py | 12 ++++++++++--
|
||||
2 files changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/cloudinit/sources/helpers/azure.py b/cloudinit/sources/helpers/azure.py
|
||||
index 2847a9e53..165f47429 100644
|
||||
--- a/cloudinit/sources/helpers/azure.py
|
||||
+++ b/cloudinit/sources/helpers/azure.py
|
||||
@@ -1221,6 +1221,7 @@ class OvfEnvXml:
|
||||
self.provision_guest_proxy_agent = self._parse_property(
|
||||
platform_settings,
|
||||
"ProvisionGuestProxyAgent",
|
||||
+ parse_bool=True,
|
||||
default=False,
|
||||
required=False,
|
||||
)
|
||||
diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py
|
||||
index 6afde95fd..255991ec3 100644
|
||||
--- a/tests/unittests/sources/test_azure.py
|
||||
+++ b/tests/unittests/sources/test_azure.py
|
||||
@@ -2675,13 +2675,21 @@ class TestPreprovisioningReadAzureOvfFlag(CiTestCase):
|
||||
self.assertTrue(cfg["PreprovisionedVm"])
|
||||
self.assertEqual("Savable", cfg["PreprovisionedVMType"])
|
||||
|
||||
- def test_read_azure_ovf_with_proxy_guest_agent(self):
|
||||
+ def test_read_azure_ovf_with_proxy_guest_agent_true(self):
|
||||
"""The read_azure_ovf method should set ProvisionGuestProxyAgent
|
||||
cfg flag to True."""
|
||||
content = construct_ovf_env(provision_guest_proxy_agent=True)
|
||||
ret = dsaz.read_azure_ovf(content)
|
||||
cfg = ret[2]
|
||||
- self.assertTrue(cfg["ProvisionGuestProxyAgent"])
|
||||
+ assert cfg["ProvisionGuestProxyAgent"] is True
|
||||
+
|
||||
+ def test_read_azure_ovf_with_proxy_guest_agent_false(self):
|
||||
+ """The read_azure_ovf method should set ProvisionGuestProxyAgent
|
||||
+ cfg flag to False."""
|
||||
+ content = construct_ovf_env(provision_guest_proxy_agent=False)
|
||||
+ ret = dsaz.read_azure_ovf(content)
|
||||
+ cfg = ret[2]
|
||||
+ assert cfg["ProvisionGuestProxyAgent"] is False
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -0,0 +1,413 @@
|
|||
From 8932242a65bae5504ba45134091767f215a441fa Mon Sep 17 00:00:00 2001
|
||||
From: Ksenija Stanojevic <ksenija.stanojevic@gmail.com>
|
||||
Date: Mon, 15 Jul 2024 18:48:19 -0700
|
||||
Subject: [PATCH 3/3] feat(azure): add support for azure-proxy-agent
|
||||
|
||||
---
|
||||
cloudinit/sources/DataSourceAzure.py | 40 ++++
|
||||
cloudinit/sources/azure/errors.py | 19 +-
|
||||
tests/unittests/sources/test_azure.py | 254 ++++++++++++++++++++++++++
|
||||
3 files changed, 312 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
|
||||
index dc2b79a3a..c2f74e173 100644
|
||||
--- a/cloudinit/sources/DataSourceAzure.py
|
||||
+++ b/cloudinit/sources/DataSourceAzure.py
|
||||
@@ -483,6 +483,41 @@ class DataSourceAzure(sources.DataSource):
|
||||
or self._ephemeral_dhcp_ctx.lease is None
|
||||
)
|
||||
|
||||
+ def _check_azure_proxy_agent_status(self) -> None:
|
||||
+ """Check if azure-proxy-agent is ready for communication with WS/IMDS.
|
||||
+ If ProvisionGuestProxyAgent is true, query azure-proxy-agent status,
|
||||
+ waiting up to 120 seconds for the proxy to negotiate with Wireserver
|
||||
+ and configure an eBPF proxy. Once azure-proxy-agent is ready,
|
||||
+ it will exit with code 0 and cloud-init can then expect to be able to
|
||||
+ communicate with these services.
|
||||
+ Fail deployment if azure-proxy-agent is not found or otherwise returns
|
||||
+ an error.
|
||||
+ For more information, check out:
|
||||
+ https://github.com/azure/guestproxyagent
|
||||
+ """
|
||||
+ try:
|
||||
+ cmd = [
|
||||
+ "azure-proxy-agent",
|
||||
+ "--status",
|
||||
+ "--wait",
|
||||
+ "120",
|
||||
+ ]
|
||||
+ out, err = subp.subp(cmd)
|
||||
+ report_diagnostic_event(
|
||||
+ "Running azure-proxy-agent %s resulted"
|
||||
+ "in stderr output: %s with stdout: %s" % (cmd, err, out),
|
||||
+ logger_func=LOG.debug,
|
||||
+ )
|
||||
+ except subp.ProcessExecutionError as error:
|
||||
+ if isinstance(error.reason, FileNotFoundError):
|
||||
+ report_error = errors.ReportableErrorProxyAgentNotFound()
|
||||
+ self._report_failure(report_error)
|
||||
+ else:
|
||||
+ reportable_error = (
|
||||
+ errors.ReportableErrorProxyAgentStatusFailure(error)
|
||||
+ )
|
||||
+ self._report_failure(reportable_error)
|
||||
+
|
||||
@azure_ds_telemetry_reporter
|
||||
def crawl_metadata(self):
|
||||
"""Walk all instance metadata sources returning a dict on success.
|
||||
@@ -566,6 +601,11 @@ class DataSourceAzure(sources.DataSource):
|
||||
|
||||
imds_md = {}
|
||||
if self._is_ephemeral_networking_up():
|
||||
+ # check if azure-proxy-agent is enabled in the ovf-env.xml file.
|
||||
+ # azure-proxy-agent feature is opt-in and disabled by default.
|
||||
+ if cfg.get("ProvisionGuestProxyAgent"):
|
||||
+ self._check_azure_proxy_agent_status()
|
||||
+
|
||||
imds_md = self.get_metadata_from_imds(report_failure=True)
|
||||
|
||||
if not imds_md and ovf_source is None:
|
||||
diff --git a/cloudinit/sources/azure/errors.py b/cloudinit/sources/azure/errors.py
|
||||
index 966725b00..b331cd686 100644
|
||||
--- a/cloudinit/sources/azure/errors.py
|
||||
+++ b/cloudinit/sources/azure/errors.py
|
||||
@@ -12,7 +12,7 @@ from typing import Any, Dict, List, Optional
|
||||
|
||||
import requests
|
||||
|
||||
-from cloudinit import version
|
||||
+from cloudinit import subp, version
|
||||
from cloudinit.sources.azure import identity
|
||||
from cloudinit.url_helper import UrlError
|
||||
|
||||
@@ -151,3 +151,20 @@ class ReportableErrorUnhandledException(ReportableError):
|
||||
|
||||
self.supporting_data["exception"] = repr(exception)
|
||||
self.supporting_data["traceback_base64"] = trace_base64
|
||||
+
|
||||
+
|
||||
+class ReportableErrorProxyAgentNotFound(ReportableError):
|
||||
+ def __init__(self) -> None:
|
||||
+ super().__init__(
|
||||
+ "Unable to activate Azure Guest Proxy Agent."
|
||||
+ "azure-proxy-agent not found"
|
||||
+ )
|
||||
+
|
||||
+
|
||||
+class ReportableErrorProxyAgentStatusFailure(ReportableError):
|
||||
+ def __init__(self, exception: subp.ProcessExecutionError) -> None:
|
||||
+ super().__init__("azure-proxy-agent status failure")
|
||||
+
|
||||
+ self.supporting_data["exit_code"] = exception.exit_code
|
||||
+ self.supporting_data["stdout"] = exception.stdout
|
||||
+ self.supporting_data["stderr"] = exception.stderr
|
||||
diff --git a/tests/unittests/sources/test_azure.py b/tests/unittests/sources/test_azure.py
|
||||
index 255991ec3..9b6672e1e 100644
|
||||
--- a/tests/unittests/sources/test_azure.py
|
||||
+++ b/tests/unittests/sources/test_azure.py
|
||||
@@ -1,6 +1,7 @@
|
||||
# This file is part of cloud-init. See LICENSE file for license information.
|
||||
|
||||
import copy
|
||||
+import datetime
|
||||
import json
|
||||
import os
|
||||
import stat
|
||||
@@ -48,6 +49,16 @@ def mock_wrapping_setup_ephemeral_networking(azure_ds):
|
||||
yield m
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def mock_wrapping_report_failure(azure_ds):
|
||||
+ with mock.patch.object(
|
||||
+ azure_ds,
|
||||
+ "_report_failure",
|
||||
+ wraps=azure_ds._report_failure,
|
||||
+ ) as m:
|
||||
+ yield m
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def mock_azure_helper_readurl():
|
||||
with mock.patch(
|
||||
@@ -253,6 +264,14 @@ def mock_subp_subp():
|
||||
yield m
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def mock_timestamp():
|
||||
+ timestamp = datetime.datetime.utcnow()
|
||||
+ with mock.patch.object(errors, "datetime", autospec=True) as m:
|
||||
+ m.utcnow.return_value = timestamp
|
||||
+ yield timestamp
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def mock_util_ensure_dir():
|
||||
with mock.patch(
|
||||
@@ -3672,6 +3691,91 @@ class TestProvisioning:
|
||||
}
|
||||
|
||||
def test_no_pps(self):
|
||||
+ ovf = construct_ovf_env(provision_guest_proxy_agent=False)
|
||||
+ md, ud, cfg = dsaz.read_azure_ovf(ovf)
|
||||
+ self.mock_util_mount_cb.return_value = (md, ud, cfg, {})
|
||||
+ self.mock_readurl.side_effect = [
|
||||
+ mock.MagicMock(contents=json.dumps(self.imds_md).encode()),
|
||||
+ ]
|
||||
+ self.mock_azure_get_metadata_from_fabric.return_value = []
|
||||
+
|
||||
+ self.azure_ds._check_and_get_data()
|
||||
+
|
||||
+ assert self.mock_subp_subp.mock_calls == []
|
||||
+
|
||||
+ assert self.mock_readurl.mock_calls == [
|
||||
+ mock.call(
|
||||
+ "http://169.254.169.254/metadata/instance?"
|
||||
+ "api-version=2021-08-01&extended=true",
|
||||
+ timeout=30,
|
||||
+ headers_cb=imds.headers_cb,
|
||||
+ exception_cb=mock.ANY,
|
||||
+ infinite=True,
|
||||
+ log_req_resp=True,
|
||||
+ ),
|
||||
+ ]
|
||||
+
|
||||
+ # Verify DHCP is setup once.
|
||||
+ assert self.mock_wrapping_setup_ephemeral_networking.mock_calls == [
|
||||
+ mock.call(timeout_minutes=20)
|
||||
+ ]
|
||||
+ assert self.mock_net_dhcp_maybe_perform_dhcp_discovery.mock_calls == [
|
||||
+ mock.call(
|
||||
+ self.azure_ds.distro,
|
||||
+ None,
|
||||
+ dsaz.dhcp_log_cb,
|
||||
+ )
|
||||
+ ]
|
||||
+ assert self.azure_ds._wireserver_endpoint == "10.11.12.13"
|
||||
+ assert self.azure_ds._is_ephemeral_networking_up() is False
|
||||
+
|
||||
+ # Verify DMI usage.
|
||||
+ assert self.mock_dmi_read_dmi_data.mock_calls == [
|
||||
+ mock.call("chassis-asset-tag"),
|
||||
+ mock.call("system-uuid"),
|
||||
+ ]
|
||||
+ assert (
|
||||
+ self.azure_ds.metadata["instance-id"]
|
||||
+ == "50109936-ef07-47fe-ac82-890c853f60d5"
|
||||
+ )
|
||||
+
|
||||
+ # Verify IMDS metadata.
|
||||
+ assert self.azure_ds.metadata["imds"] == self.imds_md
|
||||
+
|
||||
+ # Verify reporting ready once.
|
||||
+ assert self.mock_azure_get_metadata_from_fabric.mock_calls == [
|
||||
+ mock.call(
|
||||
+ endpoint="10.11.12.13",
|
||||
+ distro=self.azure_ds.distro,
|
||||
+ iso_dev="/dev/sr0",
|
||||
+ pubkey_info=None,
|
||||
+ )
|
||||
+ ]
|
||||
+
|
||||
+ # Verify netlink.
|
||||
+ assert self.mock_netlink.mock_calls == []
|
||||
+
|
||||
+ # Verify no reported_ready marker written.
|
||||
+ assert self.wrapped_util_write_file.mock_calls == []
|
||||
+ assert self.patched_reported_ready_marker_path.exists() is False
|
||||
+
|
||||
+ # Verify reports via KVP.
|
||||
+ assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 0
|
||||
+ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 0
|
||||
+ assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
|
||||
+
|
||||
+ # Verify dmesg reported via KVP.
|
||||
+ assert len(self.mock_report_dmesg_to_kvp.mock_calls) == 1
|
||||
+
|
||||
+ def test_no_pps_gpa(self):
|
||||
+ """test full provisioning scope when azure-proxy-agent
|
||||
+ is enabled and running."""
|
||||
+ self.mock_subp_subp.side_effect = [
|
||||
+ subp.SubpResult("Guest Proxy Agent running", ""),
|
||||
+ ]
|
||||
+ ovf = construct_ovf_env(provision_guest_proxy_agent=True)
|
||||
+ md, ud, cfg = dsaz.read_azure_ovf(ovf)
|
||||
+ self.mock_util_mount_cb.return_value = (md, ud, cfg, {})
|
||||
self.mock_readurl.side_effect = [
|
||||
mock.MagicMock(contents=json.dumps(self.imds_md).encode()),
|
||||
]
|
||||
@@ -3679,6 +3783,11 @@ class TestProvisioning:
|
||||
|
||||
self.azure_ds._check_and_get_data()
|
||||
|
||||
+ assert self.mock_subp_subp.mock_calls == [
|
||||
+ mock.call(
|
||||
+ ["azure-proxy-agent", "--status", "--wait", "120"],
|
||||
+ ),
|
||||
+ ]
|
||||
assert self.mock_readurl.mock_calls == [
|
||||
mock.call(
|
||||
"http://169.254.169.254/metadata/instance?"
|
||||
@@ -3736,6 +3845,93 @@ class TestProvisioning:
|
||||
|
||||
# Verify reports via KVP.
|
||||
assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 0
|
||||
+ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 0
|
||||
+ assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
|
||||
+
|
||||
+ def test_no_pps_gpa_fail(self):
|
||||
+ """test full provisioning scope when azure-proxy-agent is enabled and
|
||||
+ throwing an exception during provisioning."""
|
||||
+ self.mock_subp_subp.side_effect = [
|
||||
+ subp.ProcessExecutionError(
|
||||
+ cmd=["failed", "azure-proxy-agent"],
|
||||
+ stdout="test_stdout",
|
||||
+ stderr="test_stderr",
|
||||
+ exit_code=4,
|
||||
+ ),
|
||||
+ ]
|
||||
+ ovf = construct_ovf_env(provision_guest_proxy_agent=True)
|
||||
+ md, ud, cfg = dsaz.read_azure_ovf(ovf)
|
||||
+ self.mock_util_mount_cb.return_value = (md, ud, cfg, {})
|
||||
+ self.mock_readurl.side_effect = [
|
||||
+ mock.MagicMock(contents=json.dumps(self.imds_md).encode()),
|
||||
+ ]
|
||||
+ self.mock_azure_get_metadata_from_fabric.return_value = []
|
||||
+
|
||||
+ self.azure_ds._check_and_get_data()
|
||||
+
|
||||
+ assert self.mock_subp_subp.mock_calls == [
|
||||
+ mock.call(
|
||||
+ ["azure-proxy-agent", "--status", "--wait", "120"],
|
||||
+ ),
|
||||
+ ]
|
||||
+ assert self.mock_readurl.mock_calls == [
|
||||
+ mock.call(
|
||||
+ "http://169.254.169.254/metadata/instance?"
|
||||
+ "api-version=2021-08-01&extended=true",
|
||||
+ timeout=30,
|
||||
+ headers={"Metadata": "true"},
|
||||
+ exception_cb=mock.ANY,
|
||||
+ infinite=True,
|
||||
+ log_req_resp=True,
|
||||
+ ),
|
||||
+ ]
|
||||
+
|
||||
+ # Verify DHCP is setup once.
|
||||
+ assert self.mock_wrapping_setup_ephemeral_networking.mock_calls == [
|
||||
+ mock.call(timeout_minutes=20)
|
||||
+ ]
|
||||
+ assert self.mock_net_dhcp_maybe_perform_dhcp_discovery.mock_calls == [
|
||||
+ mock.call(
|
||||
+ self.azure_ds.distro,
|
||||
+ None,
|
||||
+ dsaz.dhcp_log_cb,
|
||||
+ )
|
||||
+ ]
|
||||
+ assert self.azure_ds._wireserver_endpoint == "10.11.12.13"
|
||||
+ assert self.azure_ds._is_ephemeral_networking_up() is False
|
||||
+
|
||||
+ # Verify DMI usage.
|
||||
+ assert self.mock_dmi_read_dmi_data.mock_calls == [
|
||||
+ mock.call("chassis-asset-tag"),
|
||||
+ mock.call("system-uuid"),
|
||||
+ mock.call("system-uuid"),
|
||||
+ ]
|
||||
+ assert (
|
||||
+ self.azure_ds.metadata["instance-id"]
|
||||
+ == "50109936-ef07-47fe-ac82-890c853f60d5"
|
||||
+ )
|
||||
+
|
||||
+ # Verify IMDS metadata.
|
||||
+ assert self.azure_ds.metadata["imds"] == self.imds_md
|
||||
+
|
||||
+ ### BACKPORT NOTE: 23.3 _will_ report ready later after failure.
|
||||
+ ### In newer versions there will be no call to report ready after failure.
|
||||
+ assert self.mock_azure_get_metadata_from_fabric.mock_calls == [
|
||||
+ mock.call(
|
||||
+ endpoint="10.11.12.13", iso_dev="/dev/sr0", pubkey_info=None
|
||||
+ )
|
||||
+ ]
|
||||
+
|
||||
+ # Verify netlink.
|
||||
+ assert self.mock_netlink.mock_calls == []
|
||||
+
|
||||
+ # Verify no reported_ready marker written.
|
||||
+ assert self.wrapped_util_write_file.mock_calls == []
|
||||
+ assert self.patched_reported_ready_marker_path.exists() is False
|
||||
+
|
||||
+ # Verify reports via KVP.
|
||||
+ assert len(self.mock_kvp_report_failure_to_host.mock_calls) == 1
|
||||
+ assert len(self.mock_azure_report_failure_to_fabric.mock_calls) == 1
|
||||
assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
|
||||
|
||||
def test_running_pps(self):
|
||||
@@ -4315,6 +4511,64 @@ class TestProvisioning:
|
||||
assert len(self.mock_kvp_report_success_to_host.mock_calls) == 1
|
||||
|
||||
|
||||
+class TestCheckAzureProxyAgent:
|
||||
+ @pytest.fixture(autouse=True)
|
||||
+ def proxy_setup(
|
||||
+ self,
|
||||
+ azure_ds,
|
||||
+ mock_subp_subp,
|
||||
+ caplog,
|
||||
+ mock_wrapping_report_failure,
|
||||
+ mock_timestamp,
|
||||
+ ):
|
||||
+ self.azure_ds = azure_ds
|
||||
+ self.mock_subp_subp = mock_subp_subp
|
||||
+ self.caplog = caplog
|
||||
+ self.mock_wrapping_report_failure = mock_wrapping_report_failure
|
||||
+ self.mock_timestamp = mock_timestamp
|
||||
+
|
||||
+ def test_check_azure_proxy_agent_status(self):
|
||||
+ self.mock_subp_subp.side_effect = [
|
||||
+ subp.SubpResult("Guest Proxy Agent running", ""),
|
||||
+ ]
|
||||
+ self.azure_ds._check_azure_proxy_agent_status()
|
||||
+ assert "Running azure-proxy-agent" in self.caplog.text
|
||||
+ assert self.mock_wrapping_report_failure.mock_calls == []
|
||||
+
|
||||
+ def test_check_azure_proxy_agent_status_notfound(self):
|
||||
+ exception = subp.ProcessExecutionError(reason=FileNotFoundError())
|
||||
+ self.mock_subp_subp.side_effect = [
|
||||
+ exception,
|
||||
+ ]
|
||||
+ self.azure_ds._check_azure_proxy_agent_status()
|
||||
+ assert "azure-proxy-agent not found" in self.caplog.text
|
||||
+ assert self.mock_wrapping_report_failure.mock_calls == [
|
||||
+ mock.call(
|
||||
+ errors.ReportableErrorProxyAgentNotFound(),
|
||||
+ ),
|
||||
+ ]
|
||||
+
|
||||
+ def test_check_azure_proxy_agent_status_failure(self):
|
||||
+ exception = subp.ProcessExecutionError(
|
||||
+ cmd=["failed", "azure-proxy-agent"],
|
||||
+ stdout="test_stdout",
|
||||
+ stderr="test_stderr",
|
||||
+ exit_code=4,
|
||||
+ )
|
||||
+ self.mock_subp_subp.side_effect = [
|
||||
+ exception,
|
||||
+ ]
|
||||
+ self.azure_ds._check_azure_proxy_agent_status()
|
||||
+ assert "azure-proxy-agent status failure" in self.caplog.text
|
||||
+ assert self.mock_wrapping_report_failure.mock_calls == [
|
||||
+ mock.call(
|
||||
+ errors.ReportableErrorProxyAgentStatusFailure(
|
||||
+ exception=exception
|
||||
+ ),
|
||||
+ ),
|
||||
+ ]
|
||||
+
|
||||
+
|
||||
class TestGetMetadataFromImds:
|
||||
@pytest.mark.parametrize("report_failure", [False, True])
|
||||
@pytest.mark.parametrize(
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -5,7 +5,7 @@ Summary: Cloud instance init scripts
|
|||
Name: cloud-init
|
||||
Epoch: 1
|
||||
Version: %{package_version}
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv3
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -16,6 +16,9 @@ Source1: 10-azure-kvp.cfg
|
|||
Patch0: overrideDatasourceDetection.patch
|
||||
Patch1: exec_cmd_error_handling.patch
|
||||
Patch2: Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
|
||||
Patch3: 0001-feat-azure-Add-ProvisionGuestProxyAgent-OVF-setting-.patch
|
||||
Patch4: 0002-feat-azure-parse-ProvisionGuestProxyAgent-as-bool-51.patch
|
||||
Patch5: 0003-feat-azure-add-support-for-azure-proxy-agent.patch
|
||||
%define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service
|
||||
BuildRequires: automake
|
||||
BuildRequires: dbus
|
||||
|
@ -151,6 +154,9 @@ make check %{?_smp_mflags}
|
|||
%config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
|
||||
|
||||
%changelog
|
||||
* Mon July 15 2024 Ksenija Stanojevic <ksstanoj@microsoft.com> - 23.3.3-4
|
||||
- Add patches to support azure-proxy-agent.
|
||||
|
||||
* Wed May 8 2024 Sharath Srikanth Chellappa <sharathsr@microsoft.com> - 1:23.3-3
|
||||
- Add patch to add network interface renaming support for CAPM3 Met.
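Review bot: The new %changelog header `* Mon July 15 2024 Ksenija Stanojevic <ksstanoj@microsoft.com> - 23.3.3-4` spells the month out, while rpm changelog dates use the three-letter abbreviation, so this line is likely to be reported as a bad date at build time. The version field also drops the epoch that `Epoch: 1` declares and that the previous entry carries (`1:23.3-3`), and `23.3.3` does not match that entry's `23.3`. Assuming `%{package_version}` is still 23.3, the header would read `* Mon Jul 15 2024 Ksenija Stanojevic <ksstanoj@microsoft.com> - 1:23.3-4`. The section does not show how patches are applied, so it is worth confirming that Patch3 to Patch5 are picked up in %prep.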
|
||||
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
From def1a172f3a5ac13c3cd5687d2a352262b02e358 Mon Sep 17 00:00:00 2001
|
||||
From: Zhichun Wan <zhichunwan@microsoft.com>
|
||||
Date: Fri, 26 Jul 2024 22:30:10 +0000
|
||||
Subject: [PATCH] patches
|
||||
|
||||
---
|
||||
Utilities/cmcurl/lib/hostip.c | 19 +++++++++++++++----
|
||||
1 file changed, 15 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Utilities/cmcurl/lib/hostip.c b/Utilities/cmcurl/lib/hostip.c
|
||||
index e0e3cfc2..a763ad84 100644
|
||||
--- a/Utilities/cmcurl/lib/hostip.c
|
||||
+++ b/Utilities/cmcurl/lib/hostip.c
|
||||
@@ -72,12 +72,19 @@
|
||||
#include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
|
||||
#endif
|
||||
|
||||
-#if defined(CURLRES_SYNCH) && \
|
||||
- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
|
||||
+#if defined(CURLRES_SYNCH) && \
|
||||
+ defined(HAVE_ALARM) && \
|
||||
+ defined(SIGALRM) && \
|
||||
+ defined(HAVE_SIGSETJMP) && \
|
||||
+ defined(GLOBAL_INIT_IS_THREADSAFE)
|
||||
/* alarm-based timeouts can only be used with all the dependencies satisfied */
|
||||
#define USE_ALARM_TIMEOUT
|
||||
#endif
|
||||
|
||||
+#ifdef USE_ALARM_TIMEOUT
|
||||
+#include "easy_lock.h"
|
||||
+#endif
|
||||
+
|
||||
#define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
|
||||
|
||||
/*
|
||||
@@ -249,11 +256,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
|
||||
Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
|
||||
}
|
||||
|
||||
-#ifdef HAVE_SIGSETJMP
|
||||
+#ifdef USE_ALARM_TIMEOUT
|
||||
/* Beware this is a global and unique instance. This is used to store the
|
||||
return address that we can jump back to from inside a signal handler. This
|
||||
is not thread-safe stuff. */
|
||||
sigjmp_buf curl_jmpenv;
|
||||
+curl_simple_lock curl_jmpenv_lock;
|
||||
#endif
|
||||
|
||||
/* lookup address, returns entry if found and not stale */
|
||||
@@ -640,7 +648,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
|
||||
static
|
||||
void alarmfunc(int sig)
|
||||
{
|
||||
- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
|
||||
(void)sig;
|
||||
siglongjmp(curl_jmpenv, 1);
|
||||
}
|
||||
@@ -720,6 +727,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
|
||||
This should be the last thing we do before calling Curl_resolv(),
|
||||
as otherwise we'd have to worry about variables that get modified
|
||||
before we invoke Curl_resolv() (and thus use "volatile"). */
|
||||
+ curl_simple_lock_lock(&curl_jmpenv_lock);
|
||||
+
|
||||
if(sigsetjmp(curl_jmpenv, 1)) {
|
||||
/* this is coming from a siglongjmp() after an alarm signal */
|
||||
failf(data, "name lookup timed out");
|
||||
@@ -788,6 +797,8 @@ clean_up:
|
||||
#endif
|
||||
#endif /* HAVE_SIGACTION */
|
||||
|
||||
+ curl_simple_lock_unlock(&curl_jmpenv_lock);
|
||||
+
|
||||
/* switch back the alarm() to either zero or to what it was before minus
|
||||
the time we spent until now! */
|
||||
if(prev_alarm) {
|
||||
--
|
||||
2.39.4
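Review bot: The `#if` that defines `USE_ALARM_TIMEOUT` now requires `GLOBAL_INIT_IS_THREADSAFE`, but `easy_lock.h` is included only afterwards and only inside `#ifdef USE_ALARM_TIMEOUT`. In upstream curl that macro is defined by `easy_lock.h`, so unless this vendored cmcurl defines it in a header included earlier, `USE_ALARM_TIMEOUT` is never set and the alarm path, including the new `curl_jmpenv_lock` calls, is compiled out. That still removes the unsynchronised `curl_jmpenv` use, but by disabling synchronous-resolver timeouts rather than by locking, which should be stated in the patch description. If locking is intended, move `#include "easy_lock.h"` above the `#if defined(CURLRES_SYNCH)` test and confirm the header exists in this tree. The subject `[PATCH] patches` names neither the CVE nor the upstream change, and `Curl_resolv_timeout` starts and ends outside the hunks shown.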
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
Summary: Cmake
|
||||
Name: cmake
|
||||
Version: 3.21.4
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: BSD AND LGPLv2+
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -20,6 +20,7 @@ Patch5: CVE-2023-35945.patch
|
|||
Patch6: CVE-2023-38545.patch
|
||||
Patch7: CVE-2023-38546.patch
|
||||
Patch8: cve-2023-44487.patch
|
||||
Patch9: CVE-2023-28320.patch
|
||||
BuildRequires: bzip2
|
||||
BuildRequires: bzip2-devel
|
||||
BuildRequires: curl
|
||||
|
@ -85,6 +86,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
|
|||
%{_prefix}/doc/%{name}-*/*
|
||||
|
||||
%changelog
|
||||
* Fri Jul 26 2024 Zhichun Wan <zhichunwan@microsoft.com> - 3.21.4-11
|
||||
- Patch CVE-2023-28320.patch
|
||||
|
||||
* Thu Oct 19 2023 Dan Streetman <ddstreet@ieee.org> - 3.21.4-10
|
||||
- Patch vendored nghttp2 for CVE-2023-44487
|
||||
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
From ab64e79170aea240fa050a929b52607d72c62c9e Mon Sep 17 00:00:00 2001
|
||||
From: Balakumaran Kannan <kumaran.4353@gmail.com>
|
||||
Date: Thu, 1 Aug 2024 07:01:21 +0000
|
||||
Subject: [PATCH] Patch CVE-2024-6104
|
||||
|
||||
---
|
||||
.../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
index 7bfa759..aead5e1 100644
|
||||
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if logger != nil {
|
||||
switch v := logger.(type) {
|
||||
case Logger:
|
||||
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
|
||||
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
|
||||
case LeveledLogger:
|
||||
- v.Debug("performing request", "method", req.Method, "url", req.URL)
|
||||
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if err != nil {
|
||||
switch v := logger.(type) {
|
||||
case Logger:
|
||||
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
|
||||
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
|
||||
case LeveledLogger:
|
||||
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
|
||||
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
|
||||
}
|
||||
} else {
|
||||
// Call this here to maintain the behavior of logging all requests,
|
||||
@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
}
|
||||
|
||||
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
|
||||
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
|
||||
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
|
||||
if code > 0 {
|
||||
desc = fmt.Sprintf("%s (status: %d)", desc, code)
|
||||
}
|
||||
@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
}
|
||||
c.HTTPClient.CloseIdleConnections()
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempts",
|
||||
- req.Method, req.URL, c.RetryMax+1)
|
||||
+ req.Method, redactURL(req.URL), c.RetryMax+1)
|
||||
}
|
||||
|
||||
// Try to read the response body so we can reuse this connection.
|
||||
@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) {
|
||||
func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) {
|
||||
return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
|
||||
}
|
||||
+
|
||||
+
|
||||
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
|
||||
+func redactURL(u *url.URL) string {
|
||||
+ if u == nil {
|
||||
+ return ""
|
||||
+ }
|
||||
+
|
||||
+ ru := *u
|
||||
+ if _, has := ru.User.Password(); has {
|
||||
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
|
||||
+ }
|
||||
+ return ru.String()
|
||||
+}
|
||||
--
|
||||
2.33.8
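Review bot: `redactURL` masks only the userinfo password, so a token or key carried in the query string or path of `req.URL` is still written by every `Printf`, `Debug`, `Error` and `fmt.Errorf` call this patch touches. That matches the helper's stated origin (`url.URL#Redacted()`), but the limit should be written on the function, for example `// redactURL hides only the userinfo password; secrets in the query string or path are still logged.` Log pipelines that receive these messages should keep treating the URL field as potentially sensitive. The two consecutive blank added lines before the comment would be collapsed by gofmt, and the body of `Do` continues outside the hunks.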
|
||||
|
|
@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
|
|||
# Define macros for further referenced sources
|
||||
Name: cri-o
|
||||
Version: 1.22.3
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: ASL 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -66,6 +66,7 @@ Patch10: CVE-2024-21626.patch
|
|||
Patch11: CVE-2024-3154.patch
|
||||
Patch12: CVE-2024-3727.patch
|
||||
Patch13: CVE-2021-43565.patch
|
||||
Patch14: CVE-2024-6104.patch
|
||||
BuildRequires: btrfs-progs-devel
|
||||
BuildRequires: device-mapper-devel
|
||||
BuildRequires: fdupes
|
||||
|
@ -218,6 +219,9 @@ mkdir -p /opt/cni/bin
|
|||
%{_fillupdir}/sysconfig.kubelet
|
||||
|
||||
%changelog
|
||||
* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 1.22.3-6
|
||||
- Patch CVE-2024-6104
|
||||
|
||||
* Mon Jul 22 2024 Archana Choudhary <archana1@microsoft.com> - 1.22.3-5
|
||||
- Patch CVE-2021-43565
|
||||
|
||||
|
|
|
@ -0,0 +1,431 @@
|
|||
From 23a4652346fb2877d6246b1eebaa967969dbde16 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Mon, 29 Jan 2024 16:36:30 +0100
|
||||
Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
|
||||
|
||||
Mark the infrastructure RRTypes as "priority" types and place them at
|
||||
the beginning of the rdataslab header data graph. The non-priority
|
||||
types either go right after the priority types (if any).
|
||||
|
||||
(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
|
||||
---
|
||||
bind/bind-9.11.36/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++--
|
||||
1 file changed, 42 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
index 3ee1876..3d76ca1 100644
|
||||
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
@@ -1164,6 +1164,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
|
||||
isc_heap_decreased(heap, header->heap_index);
|
||||
}
|
||||
|
||||
+static bool
|
||||
+prio_type(rbtdb_rdatatype_t type) {
|
||||
+ switch (type) {
|
||||
+ case dns_rdatatype_soa:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
|
||||
+ case dns_rdatatype_a:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
|
||||
+ case dns_rdatatype_aaaa:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
|
||||
+ case dns_rdatatype_nsec:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
|
||||
+ case dns_rdatatype_nsec3:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
|
||||
+ case dns_rdatatype_ns:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
|
||||
+ case dns_rdatatype_ds:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
|
||||
+ case dns_rdatatype_cname:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
|
||||
+ return (true);
|
||||
+ }
|
||||
+ return (false);
|
||||
+}
|
||||
+
|
||||
/*%
|
||||
* These functions allow the heap code to rank the priority of each
|
||||
* element. It returns true if v1 happens "sooner" than v2.
|
||||
@@ -6176,6 +6200,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
{
|
||||
rbtdb_changed_t *changed = NULL;
|
||||
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
|
||||
+ rdatasetheader_t *prioheader = NULL;
|
||||
unsigned char *merged;
|
||||
isc_result_t result;
|
||||
bool header_nx;
|
||||
@@ -6317,6 +6342,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
for (topheader = rbtnode->data;
|
||||
topheader != NULL;
|
||||
topheader = topheader->next) {
|
||||
+ if (prio_type(topheader->type)) {
|
||||
+ prioheader = topheader;
|
||||
+ }
|
||||
if (topheader->type == newheader->type ||
|
||||
topheader->type == negtype)
|
||||
break;
|
||||
@@ -6672,9 +6700,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
/*
|
||||
* No rdatasets of the given type exist at the node.
|
||||
*/
|
||||
- newheader->next = rbtnode->data;
|
||||
newheader->down = NULL;
|
||||
- rbtnode->data = newheader;
|
||||
+
|
||||
+ if (prio_type(newheader->type)) {
|
||||
+ /* This is a priority type, prepend it */
|
||||
+ newheader->next = rbtnode->data;
|
||||
+ rbtnode->data = newheader;
|
||||
+ } else if (prioheader != NULL) {
|
||||
+ /* Append after the priority headers */
|
||||
+ newheader->next = prioheader->next;
|
||||
+ prioheader->next = newheader;
|
||||
+ } else {
|
||||
+ /* There were no priority headers */
|
||||
+ newheader->next = rbtnode->data;
|
||||
+ rbtnode->data = newheader;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
---
|
||||
|
||||
From b9b5485b22c364fb88c27aa04bad4c8f616da3fa Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Fri, 1 Mar 2024 08:26:07 +0100
|
||||
Subject: [PATCH 1/2] Add a limit to the number of RRs in RRSets
|
||||
|
||||
Previously, the number of RRs in the RRSets were internally unlimited.
|
||||
As the data structure that holds the RRs is just a linked list, and
|
||||
there are places where we just walk through all of the RRs, adding an
|
||||
RRSet with huge number of RRs inside would slow down processing of said
|
||||
RRSets.
|
||||
|
||||
The fix for end-of-life branches make the limit compile-time only for
|
||||
simplicity and the limit can be changed at the compile time by adding
|
||||
following define to CFLAGS:
|
||||
|
||||
-DDNS_RDATASET_MAX_RECORDS=<limit>
|
||||
|
||||
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
|
||||
(cherry picked from commit 7f705778af729ada7fec36ac4b456c73329bd996)
|
||||
---
|
||||
bind/bind-9.11.36/configure | 2 +-
|
||||
bind/bind-9.11.36/configure.ac | 2 +-
|
||||
bind/bind-9.11.36/lib/dns/rbtdb.c | 17 +++++++++++++++++
|
||||
bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++
|
||||
4 files changed, 31 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
|
||||
index 368112f..8e881e3 100755
|
||||
--- a/bind/bind-9.11.36/configure
|
||||
+++ b/bind/bind-9.11.36/configure
|
||||
@@ -12185,7 +12185,7 @@ fi
|
||||
XTARGETS=
|
||||
case "$enable_developer" in
|
||||
yes)
|
||||
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
|
||||
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
|
||||
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
|
||||
test "${enable_querytrace+set}" = set || enable_querytrace=yes
|
||||
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
|
||||
diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
|
||||
index 030c4d7..0eab441 100644
|
||||
--- a/bind/bind-9.11.36/configure.ac
|
||||
+++ b/bind/bind-9.11.36/configure.ac
|
||||
@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
|
||||
XTARGETS=
|
||||
case "$enable_developer" in
|
||||
yes)
|
||||
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
|
||||
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
|
||||
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
|
||||
test "${enable_querytrace+set}" = set || enable_querytrace=yes
|
||||
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
|
||||
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
index 3d76ca1..0cfef36 100644
|
||||
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
@@ -6190,6 +6190,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
|
||||
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
|
||||
}
|
||||
|
||||
+#ifndef DNS_RBTDB_MAX_RTYPES
|
||||
+#define DNS_RBTDB_MAX_RTYPES 100
|
||||
+#endif /* DNS_RBTDB_MAX_RTYPES */
|
||||
+
|
||||
/*
|
||||
* write lock on rbtnode must be held.
|
||||
*/
|
||||
@@ -6210,6 +6214,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
rbtdb_rdatatype_t negtype, sigtype;
|
||||
dns_trust_t trust;
|
||||
int idx;
|
||||
+ uint32_t ntypes;
|
||||
|
||||
/*
|
||||
* Add an rdatasetheader_t to a node.
|
||||
@@ -6272,6 +6277,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
set_ttl(rbtdb, topheader, 0);
|
||||
mark_stale_header(rbtdb, topheader);
|
||||
}
|
||||
+ ntypes = 0;
|
||||
goto find_header;
|
||||
}
|
||||
/*
|
||||
@@ -6293,9 +6299,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
* check for an extant non-stale NODATA ncache
|
||||
* entry which covers the same type as the RRSIG.
|
||||
*/
|
||||
+ ntypes = 0;
|
||||
for (topheader = rbtnode->data;
|
||||
topheader != NULL;
|
||||
topheader = topheader->next) {
|
||||
+ ntypes++;
|
||||
if ((topheader->type ==
|
||||
RBTDB_RDATATYPE_NCACHEANY) ||
|
||||
(newheader->type == sigtype &&
|
||||
@@ -6339,9 +6347,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
}
|
||||
}
|
||||
|
||||
+ ntypes = 0;
|
||||
for (topheader = rbtnode->data;
|
||||
topheader != NULL;
|
||||
topheader = topheader->next) {
|
||||
+ ntypes++;
|
||||
if (prio_type(topheader->type)) {
|
||||
prioheader = topheader;
|
||||
}
|
||||
@@ -6700,6 +6710,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
/*
|
||||
* No rdatasets of the given type exist at the node.
|
||||
*/
|
||||
+
|
||||
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
|
||||
+ free_rdataset(rbtdb, rbtdb->common.mctx,
|
||||
+ newheader);
|
||||
+ return (ISC_R_QUOTA);
|
||||
+ }
|
||||
+
|
||||
newheader->down = NULL;
|
||||
|
||||
if (prio_type(newheader->type)) {
|
||||
diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c
|
||||
index b0f77b1..347b7d2 100644
|
||||
--- a/bind/bind-9.11.36/lib/dns/rdataslab.c
|
||||
+++ b/bind/bind-9.11.36/lib/dns/rdataslab.c
|
||||
@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifndef DNS_RDATASET_MAX_RECORDS
|
||||
+#define DNS_RDATASET_MAX_RECORDS 100
|
||||
+#endif /* DNS_RDATASET_MAX_RECORDS */
|
||||
+
|
||||
isc_result_t
|
||||
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||
isc_region_t *region, unsigned int reservelen)
|
||||
@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
|
||||
+ return (DNS_R_TOOMANYRECORDS);
|
||||
+ }
|
||||
+
|
||||
if (nitems > 0xffff)
|
||||
return (ISC_R_NOSPACE);
|
||||
|
||||
@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
|
||||
#endif
|
||||
INSIST(ocount > 0 && ncount > 0);
|
||||
|
||||
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
|
||||
+ return (DNS_R_TOOMANYRECORDS);
|
||||
+ }
|
||||
+
|
||||
#if DNS_RDATASET_FIXED
|
||||
oncount = ncount;
|
||||
#endif
|
||||
--
|
||||
|
||||
From 3e0a67e4bdb253dae3a03a45c1aa117239a3313d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Mon, 17 Jun 2024 11:40:40 +0200
|
||||
Subject: [PATCH 1/2] Expand the list of the priority types
|
||||
|
||||
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
|
||||
the priority types that are put at the beginning of the slabheader list
|
||||
for faster access and to avoid eviction when there are more types than
|
||||
the max-types-per-name limit.
|
||||
|
||||
(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
|
||||
---
|
||||
bind/bind-9.11.36/lib/dns/rbtdb.c | 75 ++++++++++++++++++++++++++-----
|
||||
1 file changed, 64 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
index 0cfef36..7ab4869 100644
|
||||
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
|
||||
@@ -1171,6 +1171,8 @@ prio_type(rbtdb_rdatatype_t type) {
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
|
||||
case dns_rdatatype_a:
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
|
||||
+ case dns_rdatatype_mx:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
|
||||
case dns_rdatatype_aaaa:
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
|
||||
case dns_rdatatype_nsec:
|
||||
@@ -1183,6 +1185,18 @@ prio_type(rbtdb_rdatatype_t type) {
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
|
||||
case dns_rdatatype_cname:
|
||||
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
|
||||
+ case dns_rdatatype_dname:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
|
||||
+ case dns_rdatatype_dnskey:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
|
||||
+ case dns_rdatatype_srv:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
|
||||
+ case dns_rdatatype_txt:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
|
||||
+ case dns_rdatatype_ptr:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
|
||||
+ case dns_rdatatype_naptr:
|
||||
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
|
||||
return (true);
|
||||
}
|
||||
return (false);
|
||||
@@ -6194,6 +6208,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
|
||||
#define DNS_RBTDB_MAX_RTYPES 100
|
||||
#endif /* DNS_RBTDB_MAX_RTYPES */
|
||||
|
||||
+static bool
|
||||
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
|
||||
+ UNUSED(rbtdb);
|
||||
+
|
||||
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
|
||||
+ return (false);
|
||||
+ }
|
||||
+
|
||||
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
|
||||
+}
|
||||
+
|
||||
+static bool
|
||||
+prio_header(rdatasetheader_t *header) {
|
||||
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ return (prio_type(header->type));
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* write lock on rbtnode must be held.
|
||||
*/
|
||||
@@ -6204,7 +6238,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
{
|
||||
rbtdb_changed_t *changed = NULL;
|
||||
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
|
||||
- rdatasetheader_t *prioheader = NULL;
|
||||
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
|
||||
unsigned char *merged;
|
||||
isc_result_t result;
|
||||
bool header_nx;
|
||||
@@ -6214,7 +6248,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
rbtdb_rdatatype_t negtype, sigtype;
|
||||
dns_trust_t trust;
|
||||
int idx;
|
||||
- uint32_t ntypes;
|
||||
+ uint32_t ntypes = 0;
|
||||
|
||||
/*
|
||||
* Add an rdatasetheader_t to a node.
|
||||
@@ -6277,7 +6311,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
set_ttl(rbtdb, topheader, 0);
|
||||
mark_stale_header(rbtdb, topheader);
|
||||
}
|
||||
- ntypes = 0;
|
||||
goto find_header;
|
||||
}
|
||||
/*
|
||||
@@ -6299,11 +6332,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
* check for an extant non-stale NODATA ncache
|
||||
* entry which covers the same type as the RRSIG.
|
||||
*/
|
||||
- ntypes = 0;
|
||||
for (topheader = rbtnode->data;
|
||||
topheader != NULL;
|
||||
topheader = topheader->next) {
|
||||
- ntypes++;
|
||||
if ((topheader->type ==
|
||||
RBTDB_RDATATYPE_NCACHEANY) ||
|
||||
(newheader->type == sigtype &&
|
||||
@@ -6347,12 +6378,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
}
|
||||
}
|
||||
|
||||
- ntypes = 0;
|
||||
for (topheader = rbtnode->data;
|
||||
topheader != NULL;
|
||||
topheader = topheader->next) {
|
||||
- ntypes++;
|
||||
- if (prio_type(topheader->type)) {
|
||||
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
|
||||
+ ++ntypes;
|
||||
+ expireheader = topheader;
|
||||
+ } else if (!IS_CACHE(rbtdb)) {
|
||||
+ ++ntypes;
|
||||
+ }
|
||||
+ if (prio_header(topheader)) {
|
||||
prioheader = topheader;
|
||||
}
|
||||
if (topheader->type == newheader->type ||
|
||||
@@ -6710,8 +6745,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
/*
|
||||
* No rdatasets of the given type exist at the node.
|
||||
*/
|
||||
-
|
||||
- if (ntypes > DNS_RBTDB_MAX_RTYPES) {
|
||||
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
|
||||
free_rdataset(rbtdb, rbtdb->common.mctx,
|
||||
newheader);
|
||||
return (ISC_R_QUOTA);
|
||||
@@ -6719,7 +6753,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
|
||||
newheader->down = NULL;
|
||||
|
||||
- if (prio_type(newheader->type)) {
|
||||
+ if (prio_header(newheader)) {
|
||||
/* This is a priority type, prepend it */
|
||||
newheader->next = rbtnode->data;
|
||||
rbtnode->data = newheader;
|
||||
@@ -6732,6 +6766,25 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
newheader->next = rbtnode->data;
|
||||
rbtnode->data = newheader;
|
||||
}
|
||||
+
|
||||
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
|
||||
+ if (expireheader == NULL) {
|
||||
+ expireheader = newheader;
|
||||
+ }
|
||||
+ if (NEGATIVE(newheader) &&
|
||||
+ !prio_header(newheader))
|
||||
+ {
|
||||
+ /*
|
||||
+ * Add the new non-priority negative
|
||||
+ * header to the database only
|
||||
+ * temporarily.
|
||||
+ */
|
||||
+ expireheader = newheader;
|
||||
+ }
|
||||
+
|
||||
+ set_ttl(rbtdb, expireheader, 0);
|
||||
+ mark_stale_header(rbtdb, expireheader);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
|
@ -0,0 +1,251 @@
|
|||
From 9dc5c3709ffcfa3b9c8ba81fd28baebafe097f44 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
|
||||
Date: Thu, 16 May 2024 12:10:41 +0200
|
||||
Subject: Remove support for SIG(0) message verification
|
||||
|
||||
(cherry picked from commit 857fd5c346e3309ee8e280c29174b46579af5a13)
|
||||
---
|
||||
bind/bind-9.11.36/bin/named/client.c | 6 ++
|
||||
.../bin/tests/system/tsiggss/authsock.pl | 5 +
|
||||
.../bin/tests/system/tsiggss/clean.sh | 2 +-
|
||||
.../bin/tests/system/tsiggss/tests.sh | 12 ++-
|
||||
.../bin/tests/system/upforwd/tests.sh | 8 +-
|
||||
bind/bind-9.11.36/lib/dns/message.c | 94 ++-----------------
|
||||
6 files changed, 32 insertions(+), 95 deletions(-)
|
||||
|
||||
diff --git a/bind/bind-9.11.36/bin/named/client.c b/bind/bind-9.11.36/bin/named/client.c
|
||||
index 15fcfcd..761d72a 100644
|
||||
--- a/bind/bind-9.11.36/bin/named/client.c
|
||||
+++ b/bind/bind-9.11.36/bin/named/client.c
|
||||
@@ -3012,6 +3012,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
|
||||
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
|
||||
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||
"request is signed by a nonauthoritative key");
|
||||
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
|
||||
+ client->message->sig0 != NULL) {
|
||||
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
|
||||
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||
+ "request has a SIG(0) signature but its support "
|
||||
+ "was removed (CVE-2024-1975)");
|
||||
} else {
|
||||
char tsigrcode[64];
|
||||
isc_buffer_t b;
|
||||
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
|
||||
index ab3833d..0b231ee 100644
|
||||
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
|
||||
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
|
||||
@@ -31,6 +31,10 @@ if (!defined($path)) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+# Enable output autoflush so that it's not lost when the parent sends TERM.
|
||||
+select STDOUT;
|
||||
+$| = 1;
|
||||
+
|
||||
unlink($path);
|
||||
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
|
||||
die "unable to create socket $path";
|
||||
@@ -53,6 +57,7 @@ if ($timeout != 0) {
|
||||
}
|
||||
|
||||
while (my $client = $server->accept()) {
|
||||
+ printf("accept()\n");
|
||||
$client->recv(my $buf, 8, 0);
|
||||
my ($version, $req_len) = unpack('N N', $buf);
|
||||
|
||||
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh
|
||||
index d9fae68..67b8c3e 100644
|
||||
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh
|
||||
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/clean.sh
|
||||
@@ -19,7 +19,7 @@ rm -f ns1/_default.tsigkeys
|
||||
rm -f */named.memstats
|
||||
rm -f */named.conf
|
||||
rm -f */named.run
|
||||
-rm -f authsock.pid
|
||||
+rm -f authsock.log authsock.pid
|
||||
rm -f ns1/core
|
||||
rm -f nsupdate.out*
|
||||
rm -f ns*/named.lock
|
||||
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
|
||||
index 456ce61..9b55e82 100644
|
||||
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
|
||||
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
|
||||
@@ -116,7 +116,7 @@ status=$((status+ret))
|
||||
|
||||
echo_i "testing external update policy (CNAME) with auth sock ($n)"
|
||||
ret=0
|
||||
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
|
||||
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
|
||||
sleep 1
|
||||
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
|
||||
n=$((n+1))
|
||||
@@ -130,17 +130,19 @@ n=$((n+1))
|
||||
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
-echo_i "testing external policy with SIG(0) key ($n)"
|
||||
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
|
||||
ret=0
|
||||
-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
|
||||
+$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
|
||||
+debug
|
||||
server 10.53.0.1 ${PORT}
|
||||
zone example.nil
|
||||
update add fred.example.nil 120 cname foo.bar.
|
||||
send
|
||||
END
|
||||
output=`$DIG $DIGOPTS +short cname fred.example.nil.`
|
||||
-[ -n "$output" ] || ret=1
|
||||
-[ $ret -eq 0 ] || echo_i "failed"
|
||||
+# update must have failed - SIG(0) signer is not supported
|
||||
+[ -n "$output" ] && ret=1
|
||||
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
|
||||
n=$((n+1))
|
||||
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
diff --git a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
|
||||
index 1cf8d3b..7110ea5 100644
|
||||
--- a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
|
||||
@@ -177,9 +177,10 @@ n=`expr $n + 1`
|
||||
|
||||
if test -f keyname
|
||||
then
|
||||
- echo_i "checking update forwarding to with sig0 ($n)"
|
||||
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
|
||||
ret=0
|
||||
keyname=`cat keyname`
|
||||
+ # SIG(0) is removed, update is expected to fail.
|
||||
$NSUPDATE -k $keyname.private -- - <<EOF
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone example2
|
||||
@@ -187,8 +188,9 @@ then
|
||||
update add unsigned.example2. 600 TXT Foo
|
||||
send
|
||||
EOF
|
||||
- $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
|
||||
- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
|
||||
+ >nsupdate.out.$n 2>&1 && ret=1
|
||||
+ $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
+ grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ] ; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
diff --git a/bind/bind-9.11.36/lib/dns/message.c b/bind/bind-9.11.36/lib/dns/message.c
|
||||
index 2812ab5..48814ce 100644
|
||||
--- a/bind/bind-9.11.36/lib/dns/message.c
|
||||
+++ b/bind/bind-9.11.36/lib/dns/message.c
|
||||
@@ -3214,102 +3214,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
|
||||
|
||||
isc_result_t
|
||||
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
|
||||
- isc_buffer_t b, msgb;
|
||||
+ isc_buffer_t msgb;
|
||||
|
||||
REQUIRE(DNS_MESSAGE_VALID(msg));
|
||||
|
||||
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
|
||||
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
|
||||
return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
|
||||
INSIST(msg->saved.base != NULL);
|
||||
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
|
||||
isc_buffer_add(&msgb, msg->saved.length);
|
||||
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
|
||||
#ifdef SKAN_MSG_DEBUG
|
||||
- dns_message_dumpsig(msg, "dns_message_checksig#1");
|
||||
-#endif
|
||||
- if (view != NULL)
|
||||
- return (dns_view_checksig(view, &msgb, msg));
|
||||
- else
|
||||
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
|
||||
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
|
||||
+#endif /* ifdef SKAN_MSG_DEBUG */
|
||||
+ if (view != NULL) {
|
||||
+ return (dns_view_checksig(view, &msgb, msg));
|
||||
} else {
|
||||
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
- dns_rdata_sig_t sig;
|
||||
- dns_rdataset_t keyset;
|
||||
- isc_result_t result;
|
||||
-
|
||||
- result = dns_rdataset_first(msg->sig0);
|
||||
- INSIST(result == ISC_R_SUCCESS);
|
||||
- dns_rdataset_current(msg->sig0, &rdata);
|
||||
-
|
||||
- /*
|
||||
- * This can occur when the message is a dynamic update, since
|
||||
- * the rdata length checking is relaxed. This should not
|
||||
- * happen in a well-formed message, since the SIG(0) is only
|
||||
- * looked for in the additional section, and the dynamic update
|
||||
- * meta-records are in the prerequisite and update sections.
|
||||
- */
|
||||
- if (rdata.length == 0)
|
||||
- return (ISC_R_UNEXPECTEDEND);
|
||||
-
|
||||
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
- return (result);
|
||||
-
|
||||
- dns_rdataset_init(&keyset);
|
||||
- if (view == NULL)
|
||||
- return (DNS_R_KEYUNAUTHORIZED);
|
||||
- result = dns_view_simplefind(view, &sig.signer,
|
||||
- dns_rdatatype_key /* SIG(0) */,
|
||||
- 0, 0, false, &keyset, NULL);
|
||||
-
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- /* XXXBEW Should possibly create a fetch here */
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
- goto freesig;
|
||||
- } else if (keyset.trust < dns_trust_secure) {
|
||||
- /* XXXBEW Should call a validator here */
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
- goto freesig;
|
||||
- }
|
||||
- result = dns_rdataset_first(&keyset);
|
||||
- INSIST(result == ISC_R_SUCCESS);
|
||||
- for (;
|
||||
- result == ISC_R_SUCCESS;
|
||||
- result = dns_rdataset_next(&keyset))
|
||||
- {
|
||||
- dst_key_t *key = NULL;
|
||||
-
|
||||
- dns_rdata_reset(&rdata);
|
||||
- dns_rdataset_current(&keyset, &rdata);
|
||||
- isc_buffer_init(&b, rdata.data, rdata.length);
|
||||
- isc_buffer_add(&b, rdata.length);
|
||||
-
|
||||
- result = dst_key_fromdns(&sig.signer, rdata.rdclass,
|
||||
- &b, view->mctx, &key);
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
- continue;
|
||||
- if (dst_key_alg(key) != sig.algorithm ||
|
||||
- dst_key_id(key) != sig.keyid ||
|
||||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
|
||||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
|
||||
- {
|
||||
- dst_key_free(&key);
|
||||
- continue;
|
||||
- }
|
||||
- result = dns_dnssec_verifymessage(&msgb, msg, key);
|
||||
- dst_key_free(&key);
|
||||
- if (result == ISC_R_SUCCESS)
|
||||
- break;
|
||||
- }
|
||||
- if (result == ISC_R_NOMORE)
|
||||
- result = DNS_R_KEYUNAUTHORIZED;
|
||||
-
|
||||
- freesig:
|
||||
- if (dns_rdataset_isassociated(&keyset))
|
||||
- dns_rdataset_disassociate(&keyset);
|
||||
- dns_rdata_freestruct(&sig);
|
||||
- return (result);
|
||||
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.25.1
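Review bot: In the upforwd/tests.sh hunk the added line `>nsupdate.out.$n 2>&1 && ret=1` comes after the heredoc terminator `EOF`, while the `$NSUPDATE -k $keyname.private -- - <<EOF` line is unchanged context. As rendered it is a redirection with no command, which always succeeds and sets `ret=1`, so the check reports failure regardless of what nsupdate did. If the intent is to capture nsupdate's output and fail only when the update is accepted, the redirection belongs on the command line, `$NSUPDATE -k $keyname.private -- - <<EOF >nsupdate.out.$n 2>&1 && ret=1`, or on the closing brace of a `{ ...; }` group around the command. Indentation and any brace lines are lost on this page, so confirm against the patch file itself. A check with a fixed outcome gives no evidence that the patched bundled bind really refuses SIG(0)-signed updates.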
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Dynamic host configuration protocol
|
||||
Name: dhcp
|
||||
Version: 4.4.3.P1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: MPLv2.0
|
||||
Url: https://www.isc.org/dhcp/
|
||||
Source0: https://downloads.isc.org/isc/dhcp/4.4.3-P1/dhcp-4.4.3-P1.tar.gz
|
||||
|
@ -9,6 +9,13 @@ Group: System Environment/Base
|
|||
Vendor: Microsoft Corporation
|
||||
Distribution: Azure Linux
|
||||
BuildRequires: systemd
|
||||
Patch0: CVE-2022-38177.patch
|
||||
Patch1: CVE-2022-38178.patch
|
||||
Patch2: CVE-2022-2795.patch
|
||||
Patch3: CVE-2023-2828.patch
|
||||
Patch4: CVE-2024-1737.patch
|
||||
Patch5: CVE-2024-1975.patch
|
||||
|
||||
%description
|
||||
The ISC DHCP package contains both the client and server programs for DHCP. dhclient (the client) is used for connecting to a network which uses DHCP to assign network addresses. dhcpd (the server) is used for assigning network addresses on private networks
|
||||
|
||||
|
@ -38,7 +45,13 @@ The ISC DHCP Client, dhclient, provides a means for configuring one or more netw
|
|||
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n dhcp-4.4.3-P1
|
||||
%setup -q -n dhcp-4.4.3-P1
|
||||
|
||||
# Extracting bundled 'bind' to allow some of the patches to modify it.
|
||||
tar -C bind -xf bind/bind.tar.gz
|
||||
ln -s bind/bind-9* bind_ln
|
||||
|
||||
%autopatch -p1
|
||||
|
||||
%build -n dhcp-4.4.3-P1
|
||||
CFLAGS="$CFLAGS \
|
||||
|
@ -169,6 +182,10 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/
|
|||
%{_mandir}/man8/dhclient.8.gz
|
||||
|
||||
%changelog
|
||||
* Mon Jul 29 2024 Sumedh Sharma <sumsharma@microsoft.com> - 4.4.3-P1-2
|
||||
- Add patch for CVE-2024-1737 & CVE-2024-1975 in bundled bind-9
|
||||
- Apply old patches meant for bundled bind-9
|
||||
|
||||
* Wed Jun 19 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 4.4.3-P1-1
|
||||
- Auto-upgrade to 4.4.3-P1 - CVE-2022-2928, CVE-2022-2929
|
||||
- Updating spec to match 3.0
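Review bot: The `ln -s bind/bind-9* bind_ln` step added to %prep has no comment saying what consumes `bind_ln`. The CVE-2024-1975 patch on this page addresses the bundled tree by its full path (`bind/bind-9.11.36/...`), so the link is presumably for the older Patch0–Patch3. If so, a line such as `# bind_ln: version-independent path used by the older bundled-bind patches` would save the next maintainer the search. It is also worth confirming that the build does not unpack `bind/bind.tar.gz` again over the tree that `%autopatch -p1` has just patched, since that would silently drop the CVE fixes from the shipped binaries.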
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Wed, 31 Jul 2024 08:35:14 +0300
|
||||
Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
|
||||
TLV value
|
||||
|
||||
```
|
||||
0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
|
||||
1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
|
||||
2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
|
||||
3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
|
||||
4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
|
||||
5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
|
||||
6 0xe0d12c83712c in abort stdlib/abort.c:79:7
|
||||
7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
|
||||
8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
|
||||
9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
|
||||
10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
|
||||
11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
|
||||
12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
|
||||
13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
|
||||
```
|
||||
|
||||
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgp_attr.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||
index 2ed49935e52b..ac5d08b6fe6e 100644
|
||||
--- a/bgpd/bgp_attr.c
|
||||
+++ b/bgpd/bgp_attr.c
|
||||
@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
|
||||
args->total);
|
||||
}
|
||||
|
||||
+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
|
||||
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
|
||||
+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
|
||||
+ return bgp_attr_malformed(args,
|
||||
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||
+ args->total);
|
||||
+ }
|
||||
+
|
||||
/* alloc and copy sub-tlv */
|
||||
/* TBD make sure these are freed when attributes are released */
|
||||
tlv = XCALLOC(MTYPE_ENCAP_TLV,
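Review bot: The new `zlog_err` in bgp_attr_encap reports the oversized sub-TLV length but not which peer sent the UPDATE, which makes the line hard to use for triage when several sessions are up. `peer` is already in scope (it is used in `BGP_INPUT(peer)`), so the message could lead with it: `zlog_err("%s: Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu", peer->host, sublength, STREAM_READABLE(BGP_INPUT(peer)));`. The function starts and ends outside the hunk, so the declaration of `sublength` and the earlier length check are not visible; `%d` assumes it promotes to int.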
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"frr-8.5.3.tar.gz": "5f0d9e47e2621ad01307764df8a228ed0a4ae18f58e8912d638cb8db2c072d78",
|
||||
"frr-8.5.5.tar.gz": "efa3a834c4fae6de9144a20d16f3ef5f0aa66f5b171f168413eec725ce269d5f",
|
||||
"frr-sysusers.conf": "c6f5a54402aa5f11e21dac3bd0e6cdeadfbf7937e9b34775b5fd368a9ca96fa4",
|
||||
"frr-tmpfiles.conf": "edd7b01b11f2be66bb6b4531496d1eaf6536add9f4b549c659b27f5a32cdc512"
|
||||
}
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
Summary: Routing daemon
|
||||
Name: frr
|
||||
Version: 8.5.3
|
||||
Release: 6%{?dist}
|
||||
Version: 8.5.5
|
||||
Release: 2%{?dist}
|
||||
License: GPL-2.0-or-later
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -16,11 +16,7 @@ Patch1: 0001-enable-openssl.patch
|
|||
Patch2: 0002-disable-eigrp-crypto.patch
|
||||
Patch3: 0003-fips-mode.patch
|
||||
Patch4: 0004-remove-grpc-test.patch
|
||||
Patch5: CVE-2023-46752.patch
|
||||
Patch6: CVE-2023-46753.patch
|
||||
Patch7: CVE-2023-47235.patch
|
||||
Patch8: CVE-2023-47234.patch
|
||||
Patch9: CVE-2024-34088.patch
|
||||
Patch5: CVE-2024-44070.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: bison
|
||||
|
@ -202,6 +198,13 @@ rm tests/lib/*grpc*
|
|||
%{_sysusersdir}/%{name}.conf
|
||||
|
||||
%changelog
|
||||
* Wed Aug 21 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 8.5.5-2
|
||||
- Patch CVE-2024-44070
|
||||
|
||||
* Tue Aug 06 2024 Sumedh Sharma <sumsharma@microsoft.com> - 8.5.5-1
|
||||
- Bump version to fix CVE-2024-31950 & CVE-2024-31951
|
||||
- Remove patches present in sources
|
||||
|
||||
* Fri May 03 2024 Henry Beberman <henry.beberman@microsoft.com> - 8.5.3-6
|
||||
- Patch CVE-2024-34088
|
||||
- Remove CVE-2024-27913 patch since it's replaced by the CVE-2024-34088 patch
|
||||
|
|
|
@ -7,6 +7,6 @@
|
|||
"hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
|
||||
"hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
|
||||
"hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
|
||||
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
|
||||
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
%global udev_prefix 70
|
||||
Summary: Hyper-V daemons suite
|
||||
Name: hyperv-daemons
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -219,6 +219,9 @@ fi
|
|||
%{_sbindir}/lsvmbus
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
From 11d1dffc2525be8ec078bfb0af61e02c0abfda0f Mon Sep 17 00:00:00 2001
|
||||
From: Balakumaran Kannan <kumaran.4353@gmail.com>
|
||||
Date: Thu, 1 Aug 2024 08:17:06 +0000
|
||||
Subject: [PATCH] Patch CVE-2024-6104
|
||||
|
||||
---
|
||||
.../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
index 7bfa759..aead5e1 100644
|
||||
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if logger != nil {
|
||||
switch v := logger.(type) {
|
||||
case Logger:
|
||||
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
|
||||
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
|
||||
case LeveledLogger:
|
||||
- v.Debug("performing request", "method", req.Method, "url", req.URL)
|
||||
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if err != nil {
|
||||
switch v := logger.(type) {
|
||||
case Logger:
|
||||
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
|
||||
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
|
||||
case LeveledLogger:
|
||||
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
|
||||
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
|
||||
}
|
||||
} else {
|
||||
// Call this here to maintain the behavior of logging all requests,
|
||||
@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
}
|
||||
|
||||
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
|
||||
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
|
||||
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
|
||||
if code > 0 {
|
||||
desc = fmt.Sprintf("%s (status: %d)", desc, code)
|
||||
}
|
||||
@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
}
|
||||
c.HTTPClient.CloseIdleConnections()
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempts",
|
||||
- req.Method, req.URL, c.RetryMax+1)
|
||||
+ req.Method, redactURL(req.URL), c.RetryMax+1)
|
||||
}
|
||||
|
||||
// Try to read the response body so we can reuse this connection.
|
||||
@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) {
|
||||
func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) {
|
||||
return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
|
||||
}
|
||||
+
|
||||
+
|
||||
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
|
||||
+func redactURL(u *url.URL) string {
|
||||
+ if u == nil {
|
||||
+ return ""
|
||||
+ }
|
||||
+
|
||||
+ ru := *u
|
||||
+ if _, has := ru.User.Password(); has {
|
||||
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
|
||||
+ }
|
||||
+ return ru.String()
|
||||
+}
|
||||
--
|
||||
2.33.8
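Review bot: `redactURL` masks only the password in the userinfo part of the URL, so a credential carried in the query string or path (a token parameter, a pre-signed URL) still reaches the debug and error logs and the returned "giving up" error. The helper's comment should state that limit so callers do not read it as full redaction: `// redactURL masks the userinfo password only; path and query are returned unchanged.` Deployments that put secrets in query parameters still need log scrubbing downstream. The identical patch is added for keda later in this commit and the same remark applies there.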
|
||||
|
|
@ -18,7 +18,7 @@
|
|||
Summary: Scalable datastore for metrics, events, and real-time analytics
|
||||
Name: influxdb
|
||||
Version: 2.6.1
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
License: MIT
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -55,6 +55,7 @@ Source3: influxdb.service
|
|||
Source4: influxdb.tmpfiles
|
||||
Source5: config.yaml
|
||||
Source6: influxdb-user.conf
|
||||
Patch0: CVE-2024-6104.patch
|
||||
BuildRequires: clang
|
||||
BuildRequires: golang <= 1.18.8
|
||||
BuildRequires: kernel-headers
|
||||
|
@ -84,7 +85,7 @@ Conflicts: influxdb
|
|||
Go sources and other development files for InfluxDB
|
||||
|
||||
%prep
|
||||
%autosetup -a 1
|
||||
%autosetup -p1 -a 1
|
||||
|
||||
mkdir -pv static
|
||||
tar -xf %{SOURCE2} -C static/ --no-same-owner
|
||||
|
@ -144,6 +145,9 @@ go test ./...
|
|||
%{_tmpfilesdir}/influxdb.conf
|
||||
|
||||
%changelog
|
||||
* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.6.1.15
|
||||
- Fix CVE 2024-6104 by patching vendor packages
|
||||
|
||||
* Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.6.1-14
|
||||
- Bump release to rebuild with go 1.21.11
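Review bot: The new %changelog header ends in `2.6.1.15`, while the Release tag was bumped to 15 and the previous entry uses the `version-release` form (`2.6.1-14`). It should read `* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.6.1-15`. The entry text also writes `CVE 2024-6104` without the hyphen after CVE, so tooling that searches changelogs for `CVE-2024-6104` will not match it; `- Fix CVE-2024-6104 by patching vendor packages` fixes that.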
|
||||
|
||||
|
|
|
@ -0,0 +1,83 @@
|
|||
From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Wed, 10 Jan 2024 13:41:39 -0800
|
||||
Subject: [PATCH] http2: close connections when receiving too many headers
|
||||
|
||||
Maintaining HPACK state requires that we parse and process
|
||||
all HEADERS and CONTINUATION frames on a connection.
|
||||
When a request's headers exceed MaxHeaderBytes, we don't
|
||||
allocate memory to store the excess headers but we do
|
||||
parse them. This permits an attacker to cause an HTTP/2
|
||||
endpoint to read arbitrary amounts of data, all associated
|
||||
with a request which is going to be rejected.
|
||||
|
||||
Set a limit on the amount of excess header frames we
|
||||
will process before closing a connection.
|
||||
|
||||
Thanks to Bartek Nowotarski for reporting this issue.
|
||||
|
||||
Fixes CVE-2023-45288
|
||||
Fixes golang/go#65051
|
||||
|
||||
Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
|
||||
Reviewed-by: Than McIntosh <thanm@google.com>
|
||||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
---
|
||||
vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
|
||||
index c1f6b90..175c154 100644
|
||||
--- a/vendor/golang.org/x/net/http2/frame.go
|
||||
+++ b/vendor/golang.org/x/net/http2/frame.go
|
||||
@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
|
||||
if size > remainSize {
|
||||
hdec.SetEmitEnabled(false)
|
||||
mh.Truncated = true
|
||||
+ remainSize = 0
|
||||
return
|
||||
}
|
||||
remainSize -= size
|
||||
@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
|
||||
var hc headersOrContinuation = hf
|
||||
for {
|
||||
frag := hc.HeaderBlockFragment()
|
||||
+
|
||||
+ // Avoid parsing large amounts of headers that we will then discard.
|
||||
+ // If the sender exceeds the max header list size by too much,
|
||||
+ // skip parsing the fragment and close the connection.
|
||||
+ //
|
||||
+ // "Too much" is either any CONTINUATION frame after we've already
|
||||
+ // exceeded the max header list size (in which case remainSize is 0),
|
||||
+ // or a frame whose encoded size is more than twice the remaining
|
||||
+ // header list bytes we're willing to accept.
|
||||
+ if int64(len(frag)) > int64(2*remainSize) {
|
||||
+ if VerboseLogs {
|
||||
+ log.Printf("http2: header list too large")
|
||||
+ }
|
||||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
|
||||
+ // but the struture of the server's frame writer makes this difficult.
|
||||
+ return nil, ConnectionError(ErrCodeProtocol)
|
||||
+ }
|
||||
+
|
||||
+ // Also close the connection after any CONTINUATION frame following an
|
||||
+ // invalid header, since we stop tracking the size of the headers after
|
||||
+ // an invalid one.
|
||||
+ if invalid != nil {
|
||||
+ if VerboseLogs {
|
||||
+ log.Printf("http2: invalid header: %v", invalid)
|
||||
+ }
|
||||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
|
||||
+ // but the struture of the server's frame writer makes this difficult.
|
||||
+ return nil, ConnectionError(ErrCodeProtocol)
|
||||
+ }
|
||||
+
|
||||
if _, err := hdec.Write(frag); err != nil {
|
||||
return nil, ConnectionError(ErrCodeCompression)
|
||||
}
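Review bot: In the added guard `int64(len(frag)) > int64(2*remainSize)` the multiplication happens before the widening to int64. If `remainSize` is a 32-bit unsigned value (its declaration is outside the hunk), a configured header-list limit above 2^31 wraps and the product becomes small, so well-formed requests would have their connection closed. Widening first avoids that: `if int64(len(frag)) > 2*int64(remainSize) {`. readMetaFrame starts and ends outside the hunk, so the type should be confirmed before changing the vendored code.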
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Command line tool for working with Jenkins X.
|
||||
Name: jx
|
||||
Version: 3.2.236
|
||||
Release: 18%{?dist}
|
||||
Release: 19%{?dist}
|
||||
License: Apache-2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -29,6 +29,7 @@ Source0: https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
|
|||
Source1: %{name}-%{version}-vendor.tar.gz
|
||||
Patch0: CVE-2023-44487.patch
|
||||
Patch1: CVE-2021-44716.patch
|
||||
Patch2: CVE-2023-45288.patch
|
||||
|
||||
BuildRequires: golang
|
||||
%global debug_package %{nil}
|
||||
|
@ -71,6 +72,9 @@ make test && \
|
|||
%{_bindir}/jx
|
||||
|
||||
%changelog
|
||||
* Thu Aug 22 2024 Sumedh Sharma <sumsharma@microsoft.com> - 3.2.236-19
|
||||
- Add patch to resolve CVE-2023-45288
|
||||
|
||||
* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 3.2.236-18
|
||||
- Drop requirement on a specific version of golang
|
||||
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
From 7314ebdc4e965359fba5cf19fbffb6af5e712d0e Mon Sep 17 00:00:00 2001
|
||||
From: Balakumaran Kannan <kumaran.4353@gmail.com>
|
||||
Date: Thu, 1 Aug 2024 12:21:11 +0000
|
||||
Subject: [PATCH] Patch CVE-2024-6104
|
||||
|
||||
---
|
||||
.../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
index f1ccd3d..25d7ef5 100644
|
||||
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||
@@ -499,9 +499,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if logger != nil {
|
||||
switch v := logger.(type) {
|
||||
case Logger:
|
||||
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
|
||||
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
|
||||
case LeveledLogger:
|
||||
- v.Debug("performing request", "method", req.Method, "url", req.URL)
|
||||
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -548,9 +548,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
if err != nil {
|
||||
switch v := logger.(type) {
|
||||
case Logger:
|
||||
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
|
||||
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
|
||||
case LeveledLogger:
|
||||
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
|
||||
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
|
||||
}
|
||||
} else {
|
||||
// Call this here to maintain the behavior of logging all requests,
|
||||
@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
}
|
||||
|
||||
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
|
||||
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
|
||||
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
|
||||
if code > 0 {
|
||||
desc = fmt.Sprintf("%s (status: %d)", desc, code)
|
||||
}
|
||||
@@ -622,7 +622,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||
}
|
||||
c.HTTPClient.CloseIdleConnections()
|
||||
return nil, fmt.Errorf("%s %s giving up after %d attempts",
|
||||
- req.Method, req.URL, c.RetryMax+1)
|
||||
+ req.Method, redactURL(req.URL), c.RetryMax+1)
|
||||
}
|
||||
|
||||
// Try to read the response body so we can reuse this connection.
|
||||
@@ -703,3 +703,17 @@ func (c *Client) StandardClient() *http.Client {
|
||||
Transport: &RoundTripper{Client: c},
|
||||
}
|
||||
}
|
||||
+
|
||||
+
|
||||
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
|
||||
+func redactURL(u *url.URL) string {
|
||||
+ if u == nil {
|
||||
+ return ""
|
||||
+ }
|
||||
+
|
||||
+ ru := *u
|
||||
+ if _, has := ru.User.Password(); has {
|
||||
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
|
||||
+ }
|
||||
+ return ru.String()
|
||||
+}
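Review bot: `redactURL` masks only the userinfo password (the `ru.User.Password()` branch), so a secret carried in the query string or path of `req.URL` still reaches every place this patch touches in `Do`: the debug and error log calls, the retry `desc` string and the "giving up" error. The doc comment should state that limit, for example `// redactURL hides only the userinfo password; query parameters and the path are returned unchanged.` Because the file sits under `vendor/`, changing the helper itself would diverge from upstream, so the limit is better documented here and handled by whoever configures the logger. The helper is fully inside this hunk; the call sites belong to `Do`, whose body extends beyond the hunks shown.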
|
||||
--
|
||||
2.33.8
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Kubernetes-based Event Driven Autoscaling
|
||||
Name: keda
|
||||
Version: 2.4.0
|
||||
Release: 21%{?dist}
|
||||
Release: 22%{?dist}
|
||||
License: ASL 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -31,6 +31,7 @@ Source1: %{name}-%{version}-vendor-v2.tar.gz
|
|||
Patch0: CVE-2022-21698.patch
|
||||
Patch1: CVE-2023-44487.patch
|
||||
Patch2: CVE-2021-44716.patch
|
||||
Patch3: CVE-2024-6104.patch
|
||||
|
||||
BuildRequires: golang
|
||||
|
||||
|
@ -66,6 +67,9 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
|
|||
%{_bindir}/%{name}-adapter
|
||||
|
||||
%changelog
|
||||
* Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.4.0-22
|
||||
- Patch CVE-2024-6104
|
||||
|
||||
* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 2.4.0-21
|
||||
- Drop requirement on a specific version of golang
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/x86_64 5.15.162.2 Kernel Configuration
|
||||
# Linux/x86_64 5.15.164.1 Kernel Configuration
|
||||
#
|
||||
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
|
||||
CONFIG_CC_IS_GCC=y
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/arm64 5.15.162.2 Kernel Configuration
|
||||
# Linux/arm64 5.15.164.1 Kernel Configuration
|
||||
#
|
||||
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
|
||||
CONFIG_CC_IS_GCC=y
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
|
||||
"config": "0033f60dcfa13616a26c58a7fddc486a31e0f5be80b9290b4f911f678aff9796",
|
||||
"config_aarch64": "bfda2d51bf24db34edabfeb9bb6d20dc777c6c991b861a39961fde3999f2bfdc",
|
||||
"config": "a84f20c07e5f2a8a76db3a5bc7c7da29cb8b5bccb457a75ac52cfef847b7e743",
|
||||
"config_aarch64": "2e737ff36bf79ea1cebaffc145e6e24c6a292992cb3191a4a5bf7e7b51aafb6b",
|
||||
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
|
||||
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
|
||||
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
|
||||
Summary: Linux Kernel
|
||||
Name: kernel-azure
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%{_sysconfdir}/bash_completion.d/bpftool
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/x86_64 5.15.162.2 Kernel Configuration
|
||||
# Linux/x86_64 5.15.164.1 Kernel Configuration
|
||||
#
|
||||
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
|
||||
CONFIG_CC_IS_GCC=y
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
|
||||
"config": "ad11508bb6ca2133c14bfa56a05883f2feb85d27986f0fc4541666a21f4bbb72",
|
||||
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
|
||||
"config": "a2580de76388be81d6c393c90b1d0e01befa4cc1b668e3f68d4f2e7337a473ea",
|
||||
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
%define config_source %{SOURCE1}
|
||||
Summary: Linux Kernel for HCI
|
||||
Name: kernel-hci
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -547,6 +547,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%{_sysconfdir}/bash_completion.d/bpftool
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"kernel-5.15.162.2.tar.gz": "1691992d5b3f279076115114c908065d08d8fd76476def3cea81b1ac707414f5"
|
||||
"kernel-5.15.164.1.tar.gz": "3634a7f014a0c821ada6cfb2ca6bdb2e18ae90fe9ce47b0adf8f81fd2852c3d8"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
Summary: Linux API header files
|
||||
Name: kernel-headers
|
||||
Version: 5.15.162.2
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -73,6 +73,9 @@ done
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Aug 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.164.1-1
|
||||
- Auto-upgrade to 5.15.164.1
|
||||
|
||||
* Wed Jul 17 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.162.2-1
|
||||
- Auto-upgrade to 5.15.162.2
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/x86_64 5.15.161.1 Kernel Configuration
|
||||
# Linux/x86_64 5.15.164.1 Kernel Configuration
|
||||
#
|
||||
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
|
||||
CONFIG_CC_IS_GCC=y
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
|
||||
"config": "170e9e5b27619d595f627af620da52facf9ad7ca7b717ecd097841766e36cda3",
|
||||
"config": "bb8f743baac9e1ae181e6de5ad3ea4a085023f7037abbf6ed518ecb6afcf72e3",
|
||||
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
|
||||
"kernel-mos-5.15.161.1.tar.gz": "b48578cb4ef0361974c1156fff4041234cf00f9b66876b5c5dca2e536a78220d"
|
||||
"kernel-mos-5.15.164.1.tar.gz": "cc83103f8d935d59d68b7f6e3d81d078e384b7e7e6cb590ff0146b7f01ef1e6e"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
%define config_source %{SOURCE1}
|
||||
Summary: Linux Kernel for MOS
|
||||
Name: kernel-mos
|
||||
Version: 5.15.161.1
|
||||
Version: 5.15.164.1
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -377,6 +377,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
|
|||
%{_sysconfdir}/bash_completion.d/bpftool
|
||||
|
||||
%changelog
|
||||
* Mon Aug 12 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.164.1-1
|
||||
- Update to 5.15.164.1
|
||||
|
||||
* Wed Jul 24 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.15.161.1-1
|
||||
- Update to 5.15.161.1
|
||||
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2022-48788 - patched in 5.15.25.1 - (generated by autopatch tool)
|
||||
upstream b6bb1722f34bbdbabed27acdceaf585d300c5fd2 - stable 646952b2210f19e584d2bf9eb5d092abdca2fcc1
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2022-48841 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: f153546913bada41a811722f2c6d17c3243a0333
|
||||
upstream introducing commit: e72bba21355dbb67512a0d666fec9f4b56dbfc2f
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2023-52340 - patched in 5.15.147.1 - (generated by autopatch tool)
|
||||
upstream af6d10345ca76670c1b7c37799f0d5576ccef277 - stable b8a5308feedda10d4875a912e2e1f6be215a4ead
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-26900 - patched in 5.15.159.1 - (generated by autopatch tool)
|
||||
upstream 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 - stable f3a1787dc48213f6caea5ba7d47e0222e7fa34a9
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-36901 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 4db783d68b9b39a411a96096c10828ff5dfada7a - stable 2272e2db38f2e85929278146d7c770f22f528579
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-39473 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: ffa077b2f6ad124ec3d23fbddc5e4b0ff2647af8
|
||||
upstream introducing commit: 648fea12847695d60ddeebea86597114885ee76e
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-39474 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: 8e0545c83d672750632f46e3f9ad95c48c91a0fc
|
||||
upstream introducing commit: 9376130c390a76fac2788a5d6e1a149017b4ab50
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-39483 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: b4bd556467477420ee3a91fbcba73c579669edc6
|
||||
upstream introducing commit: fa4c027a7956f5e07697bfcb580d25eeb8471257
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-39485 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: 9537a8425a7a0222999d5839a0b394b1e8834b4a
|
||||
upstream introducing commit: b8ec754ae4c563f6aab8c0cb47aeb2eae67f1da3
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-41007 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 97a9063518f198ec0adb2ecb89789de342bb8283 - stable 04317a2471c2f637b4c49cbd0e9c0d04a519f570
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-41009 - patched in 5.15.164.1 - (generated by autopatch tool)
|
||||
upstream cfa1a2329a691ffd991fcf7248a57d752e712881 - stable 0f98f40eb1ed52af8b81f61901b6c0289ff59de4
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42071 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: 84b767f9e34fdb143c09e66a2a20722fc2921821
|
||||
upstream introducing commit: 386e69865311044b576ff536c99c6ee9cc98a228
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42072 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: 2b2efe1937ca9f8815884bd4dcd5b32733025103
|
||||
upstream introducing commit: 011832b97b311bb9e3c27945bc0d1089a14209c9
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42073 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: c28947de2bed40217cf256c5d0d16880054fcf13
|
||||
upstream introducing commit: f8538aec88b46642553a9ba9efa0952f5958dbed
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42074 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: 98d919dfee1cc402ca29d45da642852d7c9a2301
|
||||
upstream introducing commit: 088a40980efbc2c449b72f0f2c7ebd82f71d08e2
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42075 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: b90d77e5fd784ada62ddd714d15ee2400c28e1cf
|
||||
upstream introducing commit: 317460317a02a1af512697e6e964298dedd8a163
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42078 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: e0011bca603c101f2a3c007bdb77f7006fa78fb1
|
||||
upstream introducing commit: 7b207ccd983350a5dedd132b57c666186dd02a7c
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42083 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: e3f02f32a05009a688a87f5799e049ed6b55bab5
|
||||
upstream introducing commit: 5377805dc1c02ad3721a9256f0eef9b4813952e7
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42152 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4 - stable b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42153 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream f63b94be6942ba82c55343e196bd09b53227618e - stable 3503372d0bf7b324ec0bd6b90606703991426176
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42154 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 66be40e622e177316ae81717aa30057ba9e61dff - stable ef7c428b425beeb52b894e16f1c4b629d6cebfb6
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42157 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 1d8c270de5eb74245d72325d285894a577a945d9 - stable 4889f117755b2f18c23045a0f57977f3ec130581
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42161 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 009367099eb61a4fc2af44d4eb06b6b4de7de6db - stable 3364c2ed1c241989847f19cf83e3db903ce689e3
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42223 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 1aa1329a67cc214c3b7bd2a14d1301a795760b07 - stable bd5620439959a7e02012588c724c6ff5143b80af
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42224 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b - stable 8c2c3cca816d074c75a2801d1ca0dea7b0148114
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42225 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 7f819a2f4fbc510e088b49c79addcf1734503578 - stable dc7f14d00d0c4c21898f3504607f4a31079065a2
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42229 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 23e4099bdc3c8381992f9eb975c79196d6755210 - stable 71dd428615375e36523f4d4f7685ddd54113646d
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42232 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 - stable 20cf67dcb7db842f941eff1af6ee5e9dc41796d7
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42236 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 6d3c721e686ea6c59e18289b400cc95c76e927e0 - stable 72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
CVE-2024-42237 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
|
||||
upstream fix commit: 6598afa9320b6ab13041616950ca5f8f938c0cf1
|
||||
upstream introducing commit: f6bc909e7673c30abcbdb329e7d0aa2e83c103d7
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42244 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream c15a688e49987385baa8804bf65d570e362f8576 - stable b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
CVE-2024-42247 - patched in 5.15.163.1 - (generated by autopatch tool)
|
||||
upstream 948f991c62a4018fb81d85804eeab3029c6209f8 - stable b4764f0ad3d68de8a0b847c05f427afb86dd54e6
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/x86_64 5.15.162.2 Kernel Configuration
|
||||
# Linux/x86_64 5.15.164.1 Kernel Configuration
|
||||
#
|
||||
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
|
||||
CONFIG_CC_IS_GCC=y
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/arm64 5.15.162.2 Kernel Configuration
|
||||
# Linux/arm64 5.15.164.1 Kernel Configuration
|
||||
#
|
||||
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
|
||||
CONFIG_CC_IS_GCC=y
|
||||
|
|