Merge branch 'main' into 2.0

Author: jslobodzian

.pipelines/templatesWithCheckout/SodiffCheck.yml

@@ -13,6 +13,14 @@ parameters:
     type: string
     default: "rpms.tar.gz"
 
+  - name: sodiffRepoCommand
+    type: string
+    default: "sodiff-repo"
+
+  - name: sodiffRepoFile
+    type: string
+    default: "sodiff.repo"
+
   - name: sourcesWorkspace
     type: string
     default: "$(Agent.TempDirectory)/SourcesWorkspace"
@@ -52,16 +60,16 @@ steps:
       sodiff_out_dir="${{ parameters.buildRepoRoot }}/out/sodiff"
       mkdir -p $sodiff_out_dir
 
-      echo "Generate sodiff.repo file"
-      sudo make -sC "$toolkit_dir" sodiff-repo
+      echo "Generate sodiff repo file"
+      sudo make -sC "$toolkit_dir" ${{ parameters.sodiffRepoCommand }}
 
       echo "Generate input file"
       find $sodiff_rpms_dir -type f -name '*.rpm' -exec basename {} \; > ./sodiff-rpms
 
       sodiff_release_ver=`cat ${{ parameters.buildRepoRoot }}/SPECS/mariner-release/mariner-release.spec | grep "Version:" | cut -d " " -f 1 --complement | xargs`
       echo "sodiff release ver: $sodiff_release_ver"
       
-      $toolkit_dir/scripts/sodiff/mariner-sodiff.sh $sodiff_rpms_dir/ $toolkit_dir/scripts/sodiff/sodiff.repo $sodiff_release_ver $sodiff_out_dir < ./sodiff-rpms
+      $toolkit_dir/scripts/sodiff/mariner-sodiff.sh -r $sodiff_rpms_dir/ -f ${{ parameters.buildRepoRoot }}/build/sodiff/${{ parameters.sodiffRepoFile }} -v $sodiff_release_ver -o $sodiff_out_dir -e true < ./sodiff-rpms
 
 
-    displayName: "Sodiff check"
+    displayName: "Sodiff check"

SPECS-EXTENDED/nmi/nmi.spec

@@ -2,7 +2,7 @@
 Summary:        Node Managed Identity
 Name:           nmi
 Version:        1.8.17
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -26,7 +26,7 @@ Source0:        %{name}-%{version}.tar.gz
 Source1:        %{name}-%{version}-vendor-v2.tar.gz
 Patch0:         modify-go-build-option.patch
 Patch1:         CVE-2023-45288.patch
-BuildRequires:  golang >= 1.15
+BuildRequires:  golang
 
 %description
 NMI is the resource that is used when your pods look to use their identity.
@@ -62,6 +62,9 @@ popd
 %{_bindir}/%{name}
 
 %changelog
+* Wed Jul 17 2024 Muhammad Falak R Wani <[email protected]> - 1.8.17-4
+- Drop requirement on a specific version of golang
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 1.8.17-3
 - Bump release to rebuild with go 1.21.11
 

SPECS-EXTENDED/umoci/umoci.spec

@@ -1,7 +1,7 @@
 Summary:        Open Container Image manipulation tool
 Name:           umoci
 Version:        0.4.7
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,7 +10,7 @@ URL:            https://github.com/opencontainers/umoci
 Source0:        https://github.com/opencontainers/umoci/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
-BuildRequires:  golang >= 1.17.9
+BuildRequires:  golang
 
 %description
 umoci modifies Open Container images.
@@ -39,6 +39,9 @@ go test -mod=vendor
 %{_bindir}/umoci
 
 %changelog
+* Wed Jul 17 2024 Muhammad Falak R Wani <[email protected]> - 0.4.7-16
+- Drop requirement on a specific version of golang
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 0.4.7-15
 - Bump release to rebuild with go 1.21.11
 

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed Jun 19 2024 Archana Choudhary <[email protected]> - 1.0.1-5
+- Update version for consistency with hvloader spec
+
 * Thu Jun 06 2024 Archana Choudhary <[email protected]> - 1.0.1-4
 - Update version for consistency with hvloader spec
 

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.160.1
+Version:        5.15.162.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Jul 17 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.162.2-1
+- Auto-upgrade to 5.15.162.2
+
+* Thu Jul 11 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.162.1-1
+- Auto-upgrade to 5.15.162.1
+
 * Sat Jun 08 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.160.1-1
 - Auto-upgrade to 5.15.160.1
 

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.160.1
+Version:        5.15.162.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Jul 17 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.162.2-1
+- Auto-upgrade to 5.15.162.2
+
+* Thu Jul 11 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.162.1-1
+- Auto-upgrade to 5.15.162.1
+
 * Sat Jun 08 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.160.1-1
 - Auto-upgrade to 5.15.160.1
 

SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for MOS systems
 Name:           kernel-mos-signed-%{buildarch}
-Version:        5.15.158.2
+Version:        5.15.161.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Jul 24 2024 Suresh Babu Chalamalasetty <[email protected]> - 5.15.161.1-1
+- Update to 5.15.161.1
+
 * Fri Jun 07 2024 Gary Swalling <[email protected]> - 5.15.158.2-1
 - Update to 5.15.158.2
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.160.1
+Version:        5.15.162.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Jul 17 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.162.2-1
+- Auto-upgrade to 5.15.162.2
+
+* Thu Jul 11 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.162.1-1
+- Auto-upgrade to 5.15.162.1
+
 * Sat Jun 08 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.160.1-1
 - Auto-upgrade to 5.15.160.1
 

SPECS/KeysInUse-OpenSSL/KeysInUse-OpenSSL.spec

@@ -1,7 +1,7 @@
 Summary:        The KeysInUse Engine for OpenSSL allows the logging of private key usage through OpenSSL
 Name:           KeysInUse-OpenSSL
 Version:        0.3.4
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,7 +10,7 @@ URL:            https://github.com/microsoft/KeysInUse-OpenSSL
 Source0:        https://github.com/microsoft/KeysInUse-OpenSSL/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires:  cmake
 BuildRequires:  gcc
-BuildRequires:  golang >= 1.16.6
+BuildRequires:  golang
 BuildRequires:  make
 BuildRequires:  openssl-devel
 Requires:       openssl < 1.1.2
@@ -74,6 +74,9 @@ if [ -x %{_bindir}/keysinuseutil ]; then
 fi
 
 %changelog
+* Wed Jul 17 2024 Muhammad Falak R Wani <[email protected]> - 0.3.4-6
+- Drop requirement on a specific version of golang
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 0.3.4-5
 - Bump release to rebuild with go 1.21.11
 

SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md

@@ -2713,7 +2713,6 @@
                 "gnutls",
                 "gobject-introspection",
                 "golang",
-                "golang-1.17",
                 "golang-1.18",
                 "gperf",
                 "gperftools",

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -2,7 +2,7 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.4.0
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -30,7 +30,7 @@ Patch0:         CVE-2022-21698.patch
 Patch1:         CVE-2023-44487.patch
 Patch2:         CVE-2021-44716.patch
 
-BuildRequires:  golang >= 1.13
+BuildRequires:  golang
 %if %{with_check}
 BuildRequires:  helm
 %endif
@@ -67,6 +67,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 
 %changelog
+* Wed Jul 17 2024 Muhammad Falak R Wani <[email protected]> - 1.4.0-21
+- Drop requirement on a specific version of golang
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 1.4.0-20
 - Bump release to rebuild with go 1.21.11
 

SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec

@@ -1,7 +1,7 @@
 Summary:        The new Azure Storage data transfer utility - AzCopy v10
 Name:           azcopy
 Version:        10.24.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,7 +28,7 @@ Source0:        https://github.com/Azure/azure-storage-azcopy/archive/refs/tags/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        azure-storage-%{name}-%{version}-vendor.tar.gz
 
-BuildRequires:  golang >= 1.19
+BuildRequires:  golang
 BuildRequires:  git
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -63,6 +63,9 @@ go test -mod=vendor
 %{_bindir}/azcopy
 
 %changelog
+* Wed Jul 17 2024 Muhammad Falak R Wani <[email protected]> - 10.24.0-3
+- Drop requirement on a specific version of golang
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 10.24.0-2
 - Bump release to rebuild with go 1.21.11
 

SPECS/azcopy/azcopy.spec

@@ -7,7 +7,7 @@
 Summary:        FUSE adapter - Azure Storage
 Name:           blobfuse2
 Version:        %{blobfuse2_version}
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -39,7 +39,7 @@ Patch0:         CVE-2023-45288.patch
 BuildRequires:  cmake
 BuildRequires:  fuse3-devel
 BuildRequires:  gcc
-BuildRequires:  golang >= 1.16
+BuildRequires:  golang
 Requires:       fuse3
 
 %description
@@ -80,6 +80,9 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 
 %changelog
+* Wed Jul 17 2024 Muhammad Falak R Wani <[email protected]> - 2.1.2-5
+- Drop requirement on a specific version of golang
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 2.1.2-4
 - Bump release to rebuild with go 1.21.11
 

SPECS/blobfuse2/blobfuse2.spec

@@ -0,0 +1,64 @@
+From 9138794bd0e51fe444f14803f891924798a651ac Mon Sep 17 00:00:00 2001
+From: Vince Perri <[email protected]>
+Date: Mon, 15 Jul 2024 18:33:06 +0000
+Subject: [PATCH] Prevent int underflow when parsing exponents
+
+From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001
+From: Florin Malita <[email protected]>
+Date: Tue, 15 May 2018 22:48:07 -0400
+Subject: [PATCH] Prevent int underflow when parsing exponents
+
+When parsing negative exponents, the current implementation takes
+precautions for |exp| to not underflow int.
+
+But that is not sufficient: later on [1], |exp + expFrac| is also
+stored to an int - so we must ensure that the sum stays within int
+representable values.
+
+Update the exp clamping logic to take expFrac into account.
+
+[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
+---
+ src/rapidjson/include/rapidjson/reader.h   | 11 ++++++++++-
+ src/rapidjson/test/unittest/readertest.cpp |  1 +
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/rapidjson/include/rapidjson/reader.h b/src/rapidjson/include/rapidjson/reader.h
+index 19f8849b1..a9f502307 100644
+--- a/src/rapidjson/include/rapidjson/reader.h
++++ b/src/rapidjson/include/rapidjson/reader.h
+@@ -1302,9 +1302,18 @@ private:
+             if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                 exp = static_cast<int>(s.Take() - '0');
+                 if (expMinus) {
++                    // (exp + expFrac) must not underflow int => we're detecting when -exp gets
++                    // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into
++                    // underflow territory):
++                    //
++                    //        -(exp * 10 + 9) + expFrac >= INT_MIN
++                    //   <=>  exp <= (expFrac - INT_MIN - 9) / 10
++                    RAPIDJSON_ASSERT(expFrac <= 0);
++                    int maxExp = (expFrac + 2147483639) / 10;
++
+                     while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                         exp = exp * 10 + static_cast<int>(s.Take() - '0');
+-                        if (exp >= 214748364) {                         // Issue #313: prevent overflow exponent
++                        if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
+                             while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9'))  // Consume the rest of exponent
+                                 s.Take();
+                         }
+diff --git a/src/rapidjson/test/unittest/readertest.cpp b/src/rapidjson/test/unittest/readertest.cpp
+index 64a1f9c3c..65163de60 100644
+--- a/src/rapidjson/test/unittest/readertest.cpp
++++ b/src/rapidjson/test/unittest/readertest.cpp
+@@ -242,6 +242,7 @@ static void TestParseDouble() {
+     TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0);                                  // Maximum supported negative exponent
+     TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
+     TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
++    TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
+     TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form
+ 
+     // Since
+-- 
+2.34.1
+

SPECS/ceph/CVE-2024-38517.patch

@@ -0,0 +1 @@
+CVE-2024-39684 is a duplicate of CVE-2024-38517