From 4dd629fea2251dd561f3e248c9f7afa558f4f0b3 Mon Sep 17 00:00:00 2001
From: Bala
Date: Wed, 21 Jun 2023 11:12:03 +0530
Subject: [PATCH 1/4] Upgrade msft-golang to fix CVE-2023-29404 (#5714)

* Fix CVE-2023-2454, CVE-2023-2455 and CVE-2022-41862 by upgrading postgresql to 14.8
* Update cgmanifest.json
* Upgrade go version to 1.19.10
* Update changelog and cgmanifest
* Revert "Fix CVE-2023-2454, CVE-2023-2455 and CVE-2022-41862 by upgrading"
This reverts commit cfadb816eb0144a89ac68d64aa0c5d6f29d722ac.
* Revert "Update cgmanifest.json"
This reverts commit acca3b1207625b50a98e711c734f2aabef4e90b1.
---
 SPECS/msft-golang/msft-golang.signatures.json | 2 +-
 SPECS/msft-golang/msft-golang.spec | 7 +++++--
 cgmanifest.json | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/SPECS/msft-golang/msft-golang.signatures.json b/SPECS/msft-golang/msft-golang.signatures.json
index cb588f7ecd4..b4b4357bac9 100644
--- a/SPECS/msft-golang/msft-golang.signatures.json
+++ b/SPECS/msft-golang/msft-golang.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "go.20230404.2.src.tar.gz": "05a5275e6102a680c6367f67bf3e25234094a9bf6bacb9d99610e5fb5d5388e0",
+ "go.20230606.2.src.tar.gz": "6905d65e0f813c48d64ea71bafc119975e85593e424b9b5e864ccba65c505baf",
 "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
 }
 }
\ No newline at end of file
diff --git a/SPECS/msft-golang/msft-golang.spec b/SPECS/msft-golang/msft-golang.spec
index 3f90b0ce917..9464f6c64d8 100644
--- a/SPECS/msft-golang/msft-golang.spec
+++ b/SPECS/msft-golang/msft-golang.spec
@@ -12,14 +12,14 @@ %define __find_requires %{nil}
 Summary: Go
 Name: msft-golang
-Version: 1.19.8
+Version: 1.19.10
 Release: 1%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: System Environment/Security
 URL: https://github.com/microsoft/go
-Source0: https://github.com/microsoft/go/releases/download/v1.19.8-1/go.20230404.2.src.tar.gz
+Source0: https://github.com/microsoft/go/releases/download/v1.19.10-1/go.20230606.2.src.tar.gz
 Source1: https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
 Patch0: go14_bootstrap_aarch64.patch
 Conflicts: go
@@ -115,6 +115,9 @@ fi
 %{_bindir}/*
 %changelog
+* Tue Jun 06 2023 Bala - 1.19.10-1
+- Upgrade to 1.19.10 to fix CVE-2023-29404
+
 * Wed Apr 05 2023 Muhammad Falak - 1.19.8-1
 - Bump version to address CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538
diff --git a/cgmanifest.json b/cgmanifest.json
index 48171392a8b..759959b4fc9 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -13453,8 +13453,8 @@
 "type": "other",
 "other": {
 "name": "msft-golang",
- "version": "1.19.8",
- "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.19.8-1/go.20230404.2.src.tar.gz"
+ "version": "1.19.10",
+ "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.19.10-1/go.20230606.2.src.tar.gz"
 }
 }
 },
From a881a2cf9ace7fff531d84a56f635c52f4abc1c9 Mon Sep 17 00:00:00 2001
From: Henry Li <69694695+henryli001@users.noreply.github.com>
Date: Wed, 21 Jun 2023 09:40:38 -0700
Subject: [PATCH 2/4] fix typo in changelog (#5718)

Co-authored-by: Henry Li
---
 SPECS/libcap/libcap.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SPECS/libcap/libcap.spec b/SPECS/libcap/libcap.spec
index ebe7113e08d..4348144c4a5 100644
--- a/SPECS/libcap/libcap.spec
+++ b/SPECS/libcap/libcap.spec
@@ -60,7 +60,7 @@ sed -i "s|pass_capsh --chroot=\$(/bin/pwd) ==||g" quicktest.sh
 %{_mandir}/man3/*
 %changelog
-* Thu JUn 15 2023 Henry Li - 2.60-2
+* Thu Jun 15 2023 Henry Li - 2.60-2
 - Add patch to resolve CVE-2023-2602 and CVE-2023-2603
 - Use autosetup
From e04bb4e7aab6b7037343a9359c40158bb425a2f2 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki
Date: Wed, 21 Jun 2023 11:06:56 -0700
Subject: [PATCH 3/4] Switched to GitOps.ResourceManagement from FabricBot. (#5710)

---
 .github/fabricbot.json | 141 ------------------------
 .github/policies/resourceManagement.yml | 83 ++++++++++++++
 2 files changed, 83 insertions(+), 141 deletions(-)
 delete mode 100644 .github/fabricbot.json
 create mode 100644 .github/policies/resourceManagement.yml

diff --git a/.github/fabricbot.json b/.github/fabricbot.json
deleted file mode 100644
index aebd1cced8c..00000000000
--- a/.github/fabricbot.json
+++ /dev/null
@@ -1,141 +0,0 @@
-{
- "version": "1.0",
- "tasks": [
- {
- "taskType": "trigger",
- "capabilityId": "PrAutoLabel",
- "subCapability": "Path",
- "version": "1.0",
- "id": "ldNQNnhTM",
- "config": {
- "taskName": "Add tags (paths)",
- "configs": [
- {
- "label": "Packaging",
- "pathFilter": [
- "SPECS/",
- "SPECS-SIGNED/"
- ]
- },
- {
- "label": "documentation",
- "pathFilter": [
- "toolkit/docs/"
- ]
- },
- {
- "label": "Tools",
- "pathFilter": [
- "toolkit/tools/",
- "toolkit/scripts/"
- ]
- },
- {
- "label": "Schema",
- "pathFilter": [
- "toolkit/imageconfigs/",
- "toolkit/tools/imagegen/configuration"
- ]
- }
- ]
- }
- },
- {
- "taskType": "trigger",
- "capabilityId": "IssueResponder",
- "subCapability": "PullRequestResponder",
- "version": "1.0",
- "id": "znSU-jzNE",
- "config": {
- "taskName": "Apply security tag for CVE patches",
- "conditions": {
- "operator": "and",
- "operands": [
- {
- "name": "prMatchesPattern",
- "parameters": {
- "matchRegex": "(CVE|cve)-\\d+-\\d+\\.(no)?patch"
- }
- }
- ]
- },
- "eventType": "pull_request",
- "eventNames": [
- "pull_request",
- "issues",
- "project_card"
- ],
- "actions": [
- {
- "name": "addLabel",
- "parameters": {
- "label": "security"
- }
- }
- ]
- }
- },
- {
- "taskType": "trigger",
- "capabilityId": "IssueResponder",
- "subCapability": "PullRequestResponder",
- "version": "1.0",
- "id": "7jJOHIRF6",
- "config": {
- "taskName": "Add label for automatic PRs",
- "conditions": {
- "operator": "and",
- "operands": [
- {
- "name": "isAction",
- "parameters": {
- "action": "opened"
- }
- },
- {
- "name": "isActivitySender",
- "parameters": {
- "user": "CBL-Mariner-Bot"
- }
- }
- ]
- },
- "eventType": "pull_request",
- "eventNames": [
- "pull_request",
- "issues",
- "project_card"
- ],
- "actions": [
- {
- "name": "addLabel",
- "parameters": {
- "label": "Automatic PR"
- }
- }
- ]
- }
- },
- {
- "taskType": "trigger",
- "capabilityId": "PrAutoLabel",
- "subCapability": "Branch",
- "version": "1.0",
- "id": "lBG0b8Sb8Mpdm0byiViDh",
- "config": {
- "taskName": "Add labels for PRs to common branches",
- "configs": [
- {
- "label": "1.0-dev",
- "branchName": "1.0-dev"
- },
- {
- "label": "main",
- "branchName": "main"
- }
- ]
- }
- }
- ],
- "userGroups": []
-}
diff --git a/.github/policies/resourceManagement.yml b/.github/policies/resourceManagement.yml
new file mode 100644
index 00000000000..35d419125cd
--- /dev/null
+++ b/.github/policies/resourceManagement.yml
@@ -0,0 +1,83 @@
+id:
+name: GitOps.PullRequestIssueManagement
+description: GitOps.PullRequestIssueManagement primitive
+owner:
+resource: repository
+disabled: false
+where:
+configuration:
+ resourceManagementConfiguration:
+ scheduledSearches: []
+ eventResponderTasks:
+ - if:
+ - payloadType: Pull_Request
+ then:
+ - if:
+ - includesModifiedFiles:
+ files:
+ - SPECS/
+ - SPECS-SIGNED/
+ then:
+ - addLabel:
+ label: Packaging
+ - if:
+ - includesModifiedFiles:
+ files:
+ - toolkit/docs/
+ then:
+ - addLabel:
+ label: documentation
+ - if:
+ - includesModifiedFiles:
+ files:
+ - toolkit/tools/
+ - toolkit/scripts/
+ then:
+ - addLabel:
+ label: Tools
+ - if:
+ - includesModifiedFiles:
+ files:
+ - toolkit/imageconfigs/
+ - toolkit/tools/imagegen/configuration
+ then:
+ - addLabel:
+ label: Schema
+ description:
+ - if:
+ - payloadType: Pull_Request
+ - filesMatchPattern:
+ pattern: (CVE|cve)-\d+-\d+\.(no)?patch
+ then:
+ - addLabel:
+ label: security
+ description:
+ - if:
+ - payloadType: Pull_Request
+ - isAction:
+ action: Opened
+ - isActivitySender:
+ user: CBL-Mariner-Bot
+ issueAuthor: False
+ then:
+ - addLabel:
+ label: Automatic PR
+ description:
+ - if:
+ - payloadType: Pull_Request
+ then:
+ - if:
+ - targetsBranch:
+ branch: 1.0-dev
+ then:
+ - addLabel:
+ label: 1.0-dev
+ - if:
+ - targetsBranch:
+ branch: main
+ then:
+ - addLabel:
+ label: main
+ description:
+onFailure:
+onSuccess:
From d3979a0e2cd39767e2cc29fae1ad3654590cdc3b Mon Sep 17 00:00:00 2001
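Review bot: The `security` label rule keyed on `pattern: (CVE|cve)-\d+-\d+\.(no)?patch` only fires when a PR touches a patch file named after a CVE, so CVE fixes delivered as a plain version bump — patch 1/4 of this very series, which adds no `.patch` file — never receive the label. If that label feeds any downstream triage or reporting (I cannot tell from here), consider a second condition on the PR title or changelog text where the policy engine offers one, or at minimum fill the task's empty `description:` with a sentence stating that only patch-file additions are caught. The `id:`, `owner:`, `where:` and every per-task `description:` key are left blank; carrying over the old FabricBot `taskName` strings (`Add tags (paths)`, `Apply security tag for CVE patches`, `Add label for automatic PRs`, `Add labels for PRs to common branches`) as the `description:` values would keep each rule's intent discoverable now that the JSON is gone. The regex is also only partially case-insensitive (`CVE`/`cve` match, `Cve` does not), inherited unchanged from the deleted config.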
From: Daniel McIlvaney
Date: Wed, 21 Jun 2023 13:20:28 -0700
Subject: [PATCH 4/4] Fully qualify libcap name in official toolchain script (#5724)

Avoid a naming collision between `libcap` and `libcap-ng` when using the `find` command to select a delta rpm in `build_official_toolchain_rpms.sh`. A proper fix should follow to always use the fully qualified path by setting a default value for `$2` that copies `$1` in the chroot function calls.
---
 toolkit/scripts/toolchain/build_official_toolchain_rpms.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
index e71155cfea2..74d7104a5bd 100755
--- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
+++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
@@ -314,7 +314,7 @@ build_rpm_in_chroot_no_install xz
 build_rpm_in_chroot_no_install zstd
 build_rpm_in_chroot_no_install lz4
 build_rpm_in_chroot_no_install m4
-build_rpm_in_chroot_no_install libcap
+build_rpm_in_chroot_no_install libcap libcap # Use full naming since we have a collision with libcap-ng
 build_rpm_in_chroot_no_install popt
 build_rpm_in_chroot_no_install tar
 build_rpm_in_chroot_no_install gawk
@@ -586,7 +586,7 @@ copy_rpm_subpackage python3-jinja2
 # systemd-bootstrap requires libcap, xz, kbd, kmod, util-linux, meson, intltool, python3-jinja2
 # gperf is also needed, but is installed earlier
-chroot_and_install_rpms libcap
+chroot_and_install_rpms libcap libcap # Use full naming since we have a collision with libcap-ng
 chroot_and_install_rpms lz4
 chroot_and_install_rpms xz
 chroot_and_install_rpms kbd
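Review bot: `build_rpm_in_chroot_no_install libcap libcap` works around a prefix collision that will recur for any other toolchain package whose name is a prefix of a sibling, and nothing here stops the next such case from silently picking the wrong RPM; the helper itself is defined outside this hunk, so I am inferring from the commit message that `$1` feeds a `find` glob and `$2` is the exact name. Rather than relying on call sites to repeat the name, the helper should default the exact name from the short one — `local full_name="${2:-$1}"` — and treat anything other than exactly one `find` match as a hard error, since presumably the first of several matches is how `libcap-ng` got selected. Until that follow-up lands, the inline comment would be more useful if it said what the second argument is, e.g. `# second arg is the exact package name; libcap-ng also matches the libcap* glob`. The same applies to the `chroot_and_install_rpms libcap libcap` line in the second hunk.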