Merge branch 'main' into 2.0

microsoft · Nov 11, 2023 · 5b3b93f · 5b3b93f
2 parents e4722c9 + 3602bb5
commit 5b3b93f
Show file tree

Hide file tree

Showing 109 changed files with 1,355 additions and 737 deletions.
diff --git a/.config/CredScanSuppressions.json b/.config/CredScanSuppressions.json
@@ -24,6 +24,14 @@
         {
             "file": "\\toolkit\\imageconfigs\\read-only-root-efi.json",
             "_justification": "Secret for a sample, non-production Mariner image."
+        },
+        {
+            "file": "\\toolkit\\tools\\imagecustomizer\\docs\\configuration.md",
+            "_justification": "Secrets from documentation samples. No production secrets."
+        },
+        {
+            "file": "\\toolkit\\tools\\pkg\\imagecustomizerlib\\testdata\\addusers-config.yaml",
+            "_justification": "Dummy secrets used to unit test configuration code."
         }
     ]
 }
diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml
@@ -34,6 +34,8 @@ variables:
     value: RPMs
   - name: toolchainArtifactNameBase
     value: Toolchain
+  - name: system.debug
+    value: 'true'
 
 extends:
   template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates

diff --git a/.pipelines/templates/PackageTestResultsAnalysis.yml b/.pipelines/templates/PackageTestResultsAnalysis.yml
@@ -43,6 +43,7 @@ steps:
         displayName: "Authenticate to custom pip artifact feeds"
 
   - bash: pip3 install junit_xml
+    retryCountOnTaskFailure: 3
     displayName: "Install Python dependencies"
 
   - task: PythonScript@0

diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec
@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.135.1
+Version:        5.15.137.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Nov 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.137.1-1
+- Auto-upgrade to 5.15.137.1
+
 * Tue Oct 17 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.135.1-1
 - Auto-upgrade to 5.15.135.1
 

diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec
@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.135.1
+Version:        5.15.137.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Nov 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.137.1-1
+- Auto-upgrade to 5.15.137.1
+
 * Tue Oct 17 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.135.1-1
 - Auto-upgrade to 5.15.135.1
 

diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.135.1
-Release:        2%{?dist}
+Version:        5.15.137.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Mon Nov 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.137.1-1
+- Auto-upgrade to 5.15.137.1
+
 * Mon Oct 23 2023 Rachel Menge <[email protected]> - 5.15.135.1-2
 - Bump release to match kernel
 

diff --git a/SPECS/PyYAML/PyYAML.signatures.json b/SPECS/PyYAML/PyYAML.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "PyYAML-5.2.tar.gz": "c0ee8eca2c582d29c3c2ec6e2c4f703d1b7f1fb10bc72317355a746057e7346c"
+  "PyYAML-5.4.1.tar.gz": "75f966559c5f262dfc44da0f958cc2aa18953ae5021f2c3657b415c5a370045f"
  }
 }
diff --git a/SPECS/PyYAML/PyYAML.spec b/SPECS/PyYAML/PyYAML.spec
@@ -1,13 +1,13 @@
 Summary:        YAML parser and emitter for Python
 Name:           PyYAML
-Version:        5.2
+Version:        5.4.1
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Libraries
-URL:            https://pyyaml.org/
-Source0:        https://pyyaml.org/download/pyyaml/%{name}-%{version}.tar.gz
+URL:            https://github.com/yaml/pyyaml
+Source0:        https://github.com/yaml/pyyaml/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires:  libyaml-devel
 BuildRequires:  python3
 BuildRequires:  python3-Cython
@@ -33,7 +33,7 @@ PyYAML is applicable for a broad range of tasks from complex
 configuration files to object serialization and persistence.
 
 %prep
-%autosetup -p 1 -n PyYAML-%{version}
+%autosetup -p1 -n pyyaml-%{version}
 find -type f -name "*.c" -delete -print
 
 %build
@@ -51,10 +51,13 @@ chmod a-x examples/yaml-highlight/yaml_hl.py
 %files
 %defattr(-,root,root,-)
 %license LICENSE
-%doc PKG-INFO README examples
+%doc README examples
 %{python3_sitelib}/*
 
 %changelog
+* Tue Nov 07 2023 Pawel Winogrodzki <[email protected]> - 5.4.1-1
+- Upgrade to 5.4 to fix CVE-2020-1747 and CVE-2020-14343.
+
 * Fri Oct 27 2023 Xiaohong Deng <[email protected]> - 5.2-1
 - Upgrade to 5.2
 

diff --git a/SPECS/blobfuse2/blobfuse2.signatures.json b/SPECS/blobfuse2/blobfuse2.signatures.json
@@ -1,6 +1,6 @@
 {
     "Signatures": {
-     "blobfuse2-2.1.0.tar.gz": "cf51a427d32083a49721d92b35e7fdb76c8f1887b14c0e0e7a5744c470b1653e",
-     "blobfuse2-2.1.0-vendor.tar.gz": "338bd84bd65012b408330077e163ddab2c5362b379e50263e589500ec6d283a2"
+     "blobfuse2-2.1.1.tar.gz": "6bbed0d7db05ecfe7b7e12b5c4506dde1e2ef018ce1ac6fe6c8b7d697af24968",
+     "blobfuse2-2.1.1-vendor.tar.gz": "85cbf93aacaa63e583dd9a72f4823f9c993449d5f2ab2332d8b97b4bf91e7da0"
     }
 }
diff --git a/SPECS/blobfuse2/blobfuse2.spec b/SPECS/blobfuse2/blobfuse2.spec
@@ -1,13 +1,13 @@
 %global debug_package %{nil}
 
 %define our_gopath %{_topdir}/.gopath
-%define blobfuse2_version 2.1.0
+%define blobfuse2_version 2.1.1
 %define blobfuse2_health_monitor bfusemon
 
 Summary:        FUSE adapter - Azure Storage
 Name:           blobfuse2
 Version:        %{blobfuse2_version}
-Release:        3%{?dist}
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -80,6 +80,9 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 
 %changelog
+* Thu Nov 02 2023 Sourav Gupta <[email protected]> - 2.1.1-1
+- Bump version to 2.1.1
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 2.1.0-3
 - Bump release to rebuild with go 1.20.10
 

diff --git a/SPECS/chrony/chrony.spec b/SPECS/chrony/chrony.spec
@@ -4,7 +4,7 @@
 
 Name:           chrony
 Version:        4.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        An NTP client/server
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -45,9 +45,6 @@ Requires(pre):  shadow-utils
 # The 'chrony.helper' script requires the 'dig' command from 'bind-utils'.
 Requires:       bind-utils
 
-# Old NetworkManager expects the dispatcher scripts in a different place
-Conflicts:      NetworkManager < 1.20
-
 # suggest drivers for hardware reference clocks
 Suggests:       ntp-refclock
 
@@ -124,7 +121,6 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d}
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
-mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
 mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d}
 
 install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf
@@ -138,10 +134,6 @@ install -m 644 -p examples/chrony.logrotate \
 
 install -m 644 -p examples/chronyd.service \
         $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
-install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
-        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
-install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
-        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
 install -m 644 -p examples/chrony-wait.service \
         $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service
 install -m 644 -p %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/[email protected]
@@ -195,7 +187,6 @@ systemctl start chronyd.service
 %{_bindir}/chronyc
 %{_sbindir}/chronyd
 %{_libexecdir}/chrony-helper
-%{_prefix}/lib/NetworkManager
 %{_prefix}/lib/systemd/ntp-units.d/*.list
 %{_unitdir}/chrony*.service
 %{_unitdir}/chrony*.timer
@@ -206,6 +197,9 @@ systemctl start chronyd.service
 %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony
 
 %changelog
+* Mon Oct 30 2023 Andy Zaugg <[email protected]> - 4.1-3
+- Removed references to NetworkManager
+
 * Thu May 18 2023 Tobias Brick <[email protected]> - 4.1-2
 - Explicitly run chronyd as the user chrony
 

diff --git a/SPECS/frr/CVE-2023-46752.patch b/SPECS/frr/CVE-2023-46752.patch
@@ -0,0 +1,121 @@
+Imported for CBL-Mariner by Rachel Menge <[email protected]>
+
+From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <[email protected]>
+Date: Fri, 20 Oct 2023 17:49:18 +0300
+Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+```
+(gdb)
+bgp_mp_reach_parse (args=<optimized out>, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341
+2341			stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN);
+(gdb)
+stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
+320	{
+(gdb)
+321		STREAM_VERIFY_SANE(s);
+(gdb)
+323		if (STREAM_READABLE(s) < size) {
+(gdb)
+34	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
+(gdb)
+
+Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
+0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
+    object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282
+2282		if (path->attr->aspath->refcnt)
+(gdb)
+```
+
+With the configuration:
+
+```
+ neighbor 127.0.0.1 remote-as external
+ neighbor 127.0.0.1 passive
+ neighbor 127.0.0.1 ebgp-multihop
+ neighbor 127.0.0.1 disable-connected-check
+ neighbor 127.0.0.1 update-source 127.0.0.2
+ neighbor 127.0.0.1 timers 3 90
+ neighbor 127.0.0.1 timers connect 1
+ address-family ipv4 unicast
+  redistribute connected
+  neighbor 127.0.0.1 default-originate
+  neighbor 127.0.0.1 route-map RM_IN in
+ exit-address-family
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+```
+
+Reported-by: Iggy Frankovic <[email protected]>
+Signed-off-by: Donatas Abraitis <[email protected]>
+---
+ bgpd/bgp_attr.c   | 6 +-----
+ bgpd/bgp_attr.h   | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6925aff727e2..e7bb42a5d989 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+
+ 		mp_update->afi = afi;
+ 		mp_update->safi = safi;
+-		return BGP_ATTR_PARSE_EOR;
++		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ 	}
+
+ 	mp_update->afi = afi;
+@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 			goto done;
+ 		}
+
+-		if (ret == BGP_ATTR_PARSE_EOR) {
+-			goto done;
+-		}
+-
+ 		if (ret == BGP_ATTR_PARSE_ERROR) {
+ 			flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ 				  "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 961e5f122470..fc347e7a1b4b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
+ 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+-	BGP_ATTR_PARSE_EOR = -4,
+ };
+
+ struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b585591e2f69..5ecf343b6657 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 	 * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ 	 * and MP EoR should have only an empty MP_UNREACH
+ 	 */
+-	if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+-	    || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++	if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ 		afi_t afi = 0;
+ 		safi_t safi;
+ 		struct graceful_restart_info *gr_info;
+@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 			   && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ 			afi = nlris[NLRI_MP_WITHDRAW].afi;
+ 			safi = nlris[NLRI_MP_WITHDRAW].safi;
+-		} else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+-			afi = nlris[NLRI_MP_UPDATE].afi;
+-			safi = nlris[NLRI_MP_UPDATE].safi;
+ 		}
+
+ 		if (afi && peer->afc[afi][safi]) {