From 222de009ea6f6061cbbaed82d5780b086fde9bc2 Mon Sep 17 00:00:00 2001 From: Minghe Ren Date: Wed, 29 May 2024 14:11:36 -0700 Subject: [PATCH 01/31] add patch for rubygem-rexml CVE-2024-35176 (#9242) Co-authored-by: minghe --- SPECS/rubygem-rexml/CVE-2024-35176.patch | 190 +++++++++++++++++++++++ SPECS/rubygem-rexml/rubygem-rexml.spec | 8 +- 2 files changed, 196 insertions(+), 2 deletions(-) create mode 100644 SPECS/rubygem-rexml/CVE-2024-35176.patch diff --git a/SPECS/rubygem-rexml/CVE-2024-35176.patch b/SPECS/rubygem-rexml/CVE-2024-35176.patch new file mode 100644 index 00000000000..6422fb733d4 --- /dev/null +++ b/SPECS/rubygem-rexml/CVE-2024-35176.patch 
@@ -0,0 +1,190 @@
+diff -ruN a/Gemfile b/Gemfile
+--- a/Gemfile 2021-04-05 04:43:38.000000000 -0700
++++ b/Gemfile 2024-05-29 00:06:13.851182285 -0700
+@@ -4,3 +4,7 @@
+
+ # Specify your gem's dependencies in rexml.gemspec
+ gemspec
++
++group :development do
++ gem "test-unit-ruby-core"
++end
+diff -ruN a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
+--- a/lib/rexml/parsers/baseparser.rb 2021-04-05 04:43:38.000000000 -0700
++++ b/lib/rexml/parsers/baseparser.rb 2024-05-28 18:53:32.656078157 -0700
+@@ -589,60 +589,41 @@
+ def parse_attributes(prefixes, curr_ns)
+ attributes = {}
+ closed = false
+- match_data = @source.match(/^(.*?)(\/)?>/um, true)
+- if match_data.nil?
+- message = "Start tag isn't ended"
+- raise REXML::ParseException.new(message, @source)
+- end
+-
+- raw_attributes = match_data[1]
+- closed = !match_data[2].nil?
+- return attributes, closed if raw_attributes.nil?
+- return attributes, closed if raw_attributes.empty?
+-
+- scanner = StringScanner.new(raw_attributes)
+- until scanner.eos?
+- if scanner.scan(/\s+/)
+- break if scanner.eos?
+- end
+-
+- pos = scanner.pos
+- loop do
+- break if scanner.scan(ATTRIBUTE_PATTERN)
+- unless scanner.scan(QNAME)
+- message = "Invalid attribute name: <#{scanner.rest}>"
+- raise REXML::ParseException.new(message, @source)
+- end
+- name = scanner[0]
+- unless scanner.scan(/\s*=\s*/um)
++ while true
++ if @source.match(">", true)
++ return attributes, closed
++ elsif @source.match("/>", true)
++ closed = true
++ return attributes, closed
++ elsif match = @source.match(QNAME, true)
++ name = match[1]
++ prefix = match[2]
++ local_part = match[3]
++ unless @source.match(/\s*=\s*/um, true)
+ message = "Missing attribute equal: <#{name}>"
+ raise REXML::ParseException.new(message, @source)
+ end
+- quote = scanner.scan(/['"]/)
+- unless quote
++ unless match = @source.match(/(['"])(.*?)\1\s*/um, true)
++ if match = @source.match(/(['"])/, true)
++ message =
++ "Missing attribute value end quote: <#{name}>: <#{match[1]}>"
++ raise REXML::ParseException.new(message, @source)
++ else
++ message = "Missing attribute value start quote: <#{name}>"
++ raise REXML::ParseException.new(message, @source)
++ end
++ unless match = @source.match(/(['"])/, true)
+ message = "Missing attribute value start quote: <#{name}>"
+ raise REXML::ParseException.new(message, @source)
+ end
+- unless scanner.scan(/.*#{Regexp.escape(quote)}/um)
+- match_data = @source.match(/^(.*?)(\/)?>/um, true)
+- if match_data
+- scanner << "/" if closed
+- scanner << ">"
+- scanner << match_data[1]
+- scanner.pos = pos
+- closed = !match_data[2].nil?
+- next
+- end
+- message =
+- "Missing attribute value end quote: <#{name}>: <#{quote}>"
++ quote = match[1]
++ value = @source.read_until(quote)
++ unless value.chomp!(quote)
++ message = "Missing attribute value end quote: <#{name}>: <#{quote}>"
+ raise REXML::ParseException.new(message, @source)
+ end
+- end
+- name = scanner[1]
+- prefix = scanner[2]
+- local_part = scanner[3]
+- # quote = scanner[4]
+- value = scanner[5]
++ value = match[2]
++ @source.match(/\s*/um, true)
+ if prefix == "xmlns"
+ if local_part == "xml"
+ if value != "http://www.w3.org/XML/1998/namespace"
+diff -ruN a/lib/rexml/source.rb b/lib/rexml/source.rb
+--- a/lib/rexml/source.rb 2021-04-05 04:43:38.000000000 -0700
++++ b/lib/rexml/source.rb 2024-05-28 17:10:36.356913505 -0700
+@@ -81,7 +81,11 @@
+ rv
+ end
+
+- def read
++ def read(term = nil)
++ end
++
++ def read_until(term)
++ @scanner.scan_until(Regexp.union(term)) or @scanner.rest
+ end
+
+ def consume( pattern )
+@@ -204,11 +208,28 @@
+ rv
+ end
+
+- def read
++ def read(term = nil)
+ begin
+- @buffer << readline
++ @scanner << readline(term)
++ true
+ rescue Exception, NameError
+ @source = nil
++ false
++ end
++ end
++
++ def read_until(term)
++ pattern = Regexp.union(term)
++ data = []
++ begin
++ until str = @scanner.scan_until(pattern)
++ @scanner << readline(term)
++ end
++ rescue EOFError
++ @scanner.rest
++ else
++ read if @scanner.eos? and !@source.eof?
++ str
+ end
+ end
+
+@@ -263,8 +284,8 @@
+ end
+
+ private
+- def readline
+- str = @source.readline(@line_break)
++ def readline(term = nil)
++ str = @source.readline(term || @line_break)
+ if @pending_buffer
+ if str.nil?
+ str = @pending_buffer +diff -ruN a/test/test_document.rb b/test/test_document.rb +--- a/test/test_document.rb 2021-04-05 04:43:38.000000000 -0700 ++++ b/test/test_document.rb 2024-05-29 00:08:01.164345808 -0700 +@@ -1,8 +1,12 @@ + # -*- coding: utf-8 -*- + # frozen_string_literal: false + ++require 'core_assertions' ++ + module REXMLTests + class TestDocument < Test::Unit::TestCase ++ include Test::Unit::CoreAssertions ++ + def test_version_attributes_to_s + doc = REXML::Document.new(<<-eoxml) + +@@ -200,6 +204,13 @@ + assert_equal('no', doc.stand_alone?, bug2539) + end + ++ def test_gt_linear_performance ++ seq = [10000, 50000, 100000, 150000, 200000] ++ assert_linear_performance(seq) do |n| ++ REXML::Document.new('" * n + '">') ++ end ++ end ++ + class WriteTest < Test::Unit::TestCase + def setup + @document = REXML::Document.new(<<-EOX) diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec index 03a9d10dd92..8459996a805 100644 --- a/SPECS/rubygem-rexml/rubygem-rexml.spec +++ b/SPECS/rubygem-rexml/rubygem-rexml.spec @@ -3,13 +3,14 @@ Summary: REXML is an XML toolkit for Ruby Name: rubygem-%{gem_name} Version: 3.2.5 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Languages URL: https://github.com/ruby/rexml Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz +Patch0: CVE-2024-35176.patch BuildRequires: git BuildRequires: ruby Requires: ruby(release) @@ -20,7 +21,7 @@ REXML was inspired by the Electric XML library for Java, which features an easy- REXML supports both tree and stream document parsing. Stream parsing is faster (about 1.5 times as fast). However, with stream parsing, you don't get access to features such as XPath. %prep -%setup -q -n %{gem_name}-%{version} +%autosetup -p1 -n %{gem_name}-%{version} %build gem build %{gem_name} 
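Review bot: In the `parse_attributes` hunk of the embedded baseparser.rb patch, the new side appears to keep two alternative implementations at once: the added `unless match = @source.match(/(['"])(.*?)\1\s*/um, true)` opens a block with no matching `end` before the following `unless match = @source.match(/(['"])/, true)`, and the added `value = match[2]` then overwrites the string returned by `@source.read_until(quote)` with a capture group that the one-group quote pattern does not have. I would drop that first `unless … (.*?)\1 …` block and the `value = match[2]` line so that only the `read_until` path remains; the lazy `(.*?)\1` match under `/m` also looks like the kind of rescanning that the added `test_gt_linear_performance` is meant to rule out. Separately, both new `read_until` methods and the rewritten `read` at line 208 use `@scanner`, while the removed line `@buffer << readline` shows this source keeps its data in `@buffer` and none of the three source.rb hunks assigns `@scanner`, so the call would presumably fail on a nil receiver unless something outside the patch defines it. The body of `parse_attributes` continues past the hunk, so the overall `end` balance cannot be confirmed from here and is worth checking by building the package with the new test enabled.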
@@ -34,6 +35,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %{gemdir} %changelog +* Tue May 28 2024 Minghe Ren - 3.2.5-2 +- Add patch for CVE-2024-35176 + * Mon Jun 13 2022 Neha Agarwal - 3.2.5-1 - License verified - Original version for CBL-Mariner From f0b829428387f4fb77ddfcfb9eb8c40a7b3e6bde Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 29 May 2024 14:31:46 -0700 Subject: [PATCH 02/31] [AUTOPATCHER-kernel] Kernel upgrade to version 5.15.159.1 - branch main (#9187) --- .../kernel-azure-signed.spec | 5 ++++- .../kernel-hci-signed/kernel-hci-signed.spec | 5 ++++- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- SPECS/kernel-azure/config | 2 +- SPECS/kernel-azure/config_aarch64 | 2 +- .../kernel-azure/kernel-azure.signatures.json | 6 +++--- SPECS/kernel-azure/kernel-azure.spec | 5 ++++- SPECS/kernel-hci/config | 2 +- SPECS/kernel-hci/kernel-hci.signatures.json | 4 ++-- SPECS/kernel-hci/kernel-hci.spec | 5 ++++- .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/config | 2 +- SPECS/kernel/config_aarch64 | 2 +- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 5 ++++- cgmanifest.json | 20 +++++++++---------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 4 ++-- 23 files changed, 62 insertions(+), 38 deletions(-) diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec index 2739aba2ba0..b26ee43dca0 100644 --- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec +++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec 
@@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for Azure Name: kernel-azure-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec index c38b6dbbe27..68ceaec6efb 100644 --- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec +++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec @@ -4,7 +4,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for HCI Name: kernel-hci-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 091df7a42c7..a00e8454208 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 5f487cf529a..26b832bb774 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 1f914d5db85..dcfc5f62f60 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -219,6 +219,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/kernel-azure/config b/SPECS/kernel-azure/config index 392ef97bcb5..302e2e28e07 100644 --- a/SPECS/kernel-azure/config +++ b/SPECS/kernel-azure/config 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.159.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-azure/config_aarch64 b/SPECS/kernel-azure/config_aarch64 index 1fb67b440e8..9a88a176c9e 100644 --- a/SPECS/kernel-azure/config_aarch64 +++ b/SPECS/kernel-azure/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.158.1 Kernel Configuration +# Linux/arm64 5.15.159.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-azure/kernel-azure.signatures.json b/SPECS/kernel-azure/kernel-azure.signatures.json index 4e38e1dd44c..4c66263ed65 100644 --- a/SPECS/kernel-azure/kernel-azure.signatures.json +++ b/SPECS/kernel-azure/kernel-azure.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "30028d043a482088df75ef6a96a133e40fec8688cada0f9ec500859a64d29d1a", - "config_aarch64": "cbab8c30dee0480e67d0a61282b9eafb9e5aadb08e468074f454e8d0644ec801", + "config": "77c866dee4e6ade4d24a525f66c839d6000164cc77022122bf7c799783f569da", + "config_aarch64": "82d3529ac9b6bba268991521d177cfc158f8b5d7dfe22016b5015935fcbb3b82", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" } } diff --git a/SPECS/kernel-azure/kernel-azure.spec b/SPECS/kernel-azure/kernel-azure.spec index 41d70905c9b..7e30833cd45 100644 --- a/SPECS/kernel-azure/kernel-azure.spec +++ b/SPECS/kernel-azure/kernel-azure.spec 
@@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel-azure -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/kernel-hci/config b/SPECS/kernel-hci/config index 3f62fbe3dfa..8d165af96e0 100644 --- a/SPECS/kernel-hci/config +++ b/SPECS/kernel-hci/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.159.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hci/kernel-hci.signatures.json b/SPECS/kernel-hci/kernel-hci.signatures.json index 2af302409a7..1fc99cbd62b 100644 --- a/SPECS/kernel-hci/kernel-hci.signatures.json +++ b/SPECS/kernel-hci/kernel-hci.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "f471f62f07544a9a4fff98e849cb66d2cc47373f541129546efa19033b8bae4e", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "config": "a87f0f1b7b22e314f5570892020bc99928eb108c86f2612db1a5a30274f4e9c7", + "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" } } diff --git a/SPECS/kernel-hci/kernel-hci.spec b/SPECS/kernel-hci/kernel-hci.spec index 71d3fc6afbe..a56ddfb2772 100644 --- a/SPECS/kernel-hci/kernel-hci.spec +++ b/SPECS/kernel-hci/kernel-hci.spec @@ -17,7 +17,7 @@ %define config_source %{SOURCE1} Summary: Linux Kernel for HCI Name: kernel-hci -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -547,6 +547,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 48b1416d0e4..e0cc1d2e957 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 50a77d130cb..b73cdb4ecaa 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -11,7 +11,7 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -73,6 +73,9 @@ done %endif %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 79d36c7c31e..84845cefb45 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.159.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 2627bce805c..da1d71a5702 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.158.1 Kernel Configuration +# Linux/arm64 5.15.159.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 727afa837b2..618728097de 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "ee6ff87ddcfc431a089479d1971e30bb0bc0498c4ec95a788460e5eac26f16f2", - "config_aarch64": "6fdb0d7e5d04ab07df019f15c6e2706450d456db8c3057fec3b90514597cdc93", + "config": "06d85c7e3e286274d246f834eaf37258e13b0b391421376fa55f243230d728e9", + "config_aarch64": "9de72286da24a8e90052238d13f24621a48835a1b45a35740887ad27ef749448", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 714ec6ecd9c..928f3f3bc0e 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel -Version: 5.15.158.1 +Version: 5.15.159.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -426,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/cgmanifest.json b/cgmanifest.json index e46f6833cdc..e1c013a8015 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -6550,8 +6550,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.15.158.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.1.tar.gz" + "version": "5.15.159.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" } } }, @@ -8141,8 +8141,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.15.158.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.1.tar.gz" + "version": "5.15.159.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" } } }, @@ -8151,8 +8151,8 @@ "type": "other", "other": { "name": "kernel-azure", - "version": "5.15.158.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.1.tar.gz" + "version": "5.15.159.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" } } }, @@ -8161,8 +8161,8 @@ "type": "other", "other": { "name": "kernel-hci", - "version": "5.15.158.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.1.tar.gz" + "version": "5.15.159.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" } } }, @@ -8171,8 +8171,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.15.158.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.1.tar.gz" + "version": "5.15.159.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" } } }, 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index c9a868a3adf..78298db30b8 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.aarch64.rpm -kernel-headers-5.15.158.1-1.cm2.noarch.rpm +kernel-headers-5.15.159.1-1.cm2.noarch.rpm glibc-2.35-7.cm2.aarch64.rpm glibc-devel-2.35-7.cm2.aarch64.rpm glibc-i18n-2.35-7.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index f607a79decd..b21064bf99e 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.x86_64.rpm -kernel-headers-5.15.158.1-1.cm2.noarch.rpm +kernel-headers-5.15.159.1-1.cm2.noarch.rpm glibc-2.35-7.cm2.x86_64.rpm glibc-devel-2.35-7.cm2.x86_64.rpm glibc-i18n-2.35-7.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index a2f0e5f5011..51425e43506 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.aarch64.rpm kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm -kernel-headers-5.15.158.1-1.cm2.noarch.rpm +kernel-headers-5.15.159.1-1.cm2.noarch.rpm kmod-29-2.cm2.aarch64.rpm kmod-debuginfo-29-2.cm2.aarch64.rpm kmod-devel-29-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 60f9d492988..9f236a3375e 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -141,8 +141,8 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.x86_64.rpm kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm -kernel-cross-headers-5.15.158.1-1.cm2.noarch.rpm -kernel-headers-5.15.158.1-1.cm2.noarch.rpm +kernel-cross-headers-5.15.159.1-1.cm2.noarch.rpm +kernel-headers-5.15.159.1-1.cm2.noarch.rpm kmod-29-2.cm2.x86_64.rpm kmod-debuginfo-29-2.cm2.x86_64.rpm kmod-devel-29-2.cm2.x86_64.rpm From 07800afe35143ab7d7ab2ff3ff9715b31ceb1834 Mon Sep 17 00:00:00 2001 
From: Rachel Menge Date: Wed, 29 May 2024 14:32:23 -0700 Subject: [PATCH 03/31] Address hyperv-daemons CVE-2024-26951, CVE-2024-26961, CVE-2024-26965, CVE-2024-26966, CVE-2024-26973, CVE-2024-26977, CVE-2024-26984, CVE-2024-26993, CVE-2024-27000, CVE-2024-27018, CVE-2024-35848, CVE-2024-35912, CVE-2024-36008 (#9216) Address CVE-2024-26951, CVE-2024-26961, CVE-2024-26965, CVE-2024-26966, CVE-2024-26973, CVE-2024-26977, CVE-2024-26984, CVE-2024-26993, CVE-2024-27000, CVE-2024-27018, CVE-2024-35848, CVE-2024-35912, CVE-2024-36008 --- SPECS/hyperv-daemons/CVE-2024-26951.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26961.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26965.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26966.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26973.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26977.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26984.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-26993.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-27000.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-27018.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-35848.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-35912.nopatch | 3 +++ SPECS/hyperv-daemons/CVE-2024-36008.nopatch | 3 +++ 13 files changed, 39 insertions(+) create mode 100644 SPECS/hyperv-daemons/CVE-2024-26951.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26961.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26965.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26966.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26973.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26977.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26984.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-26993.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-27000.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-27018.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-35848.nopatch create mode 100644 
SPECS/hyperv-daemons/CVE-2024-35912.nopatch create mode 100644 SPECS/hyperv-daemons/CVE-2024-36008.nopatch diff --git a/SPECS/hyperv-daemons/CVE-2024-26951.nopatch b/SPECS/hyperv-daemons/CVE-2024-26951.nopatch new file mode 100644 index 00000000000..c3d001a4dec --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26951.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26951 - in version 5.15.154.1 +upstream: 55b6c738673871c9b0edae05d0c97995c1ff08c4 +stable: 710a177f347282eea162aec8712beb1f42d5ad87 \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-26961.nopatch b/SPECS/hyperv-daemons/CVE-2024-26961.nopatch new file mode 100644 index 00000000000..79f529dd3cf --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26961.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26961 - in version 5.15.154.1 +upstream: e8a1e58345cf40b7b272e08ac7b32328b2543e40 +stable: d3d858650933d44ac12c1f31337e7110c2071821 \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-26965.nopatch b/SPECS/hyperv-daemons/CVE-2024-26965.nopatch new file mode 100644 index 00000000000..1dc3a36c365 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26965.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26965 - in version 5.15.154.1 +upstream: e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96 +stable: 8f562f3b25177c2055b20fd8cf000496f6fa9194 \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-26966.nopatch b/SPECS/hyperv-daemons/CVE-2024-26966.nopatch new file mode 100644 index 00000000000..319fc23ffc9 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26966.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26966 - in version 5.15.154.1 +upstream: a903cfd38d8dee7e754fb89fd1bebed99e28003d +stable: 3aedcf3755c74dafc187eb76acb04e3e6348b1a9 \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-26973.nopatch b/SPECS/hyperv-daemons/CVE-2024-26973.nopatch new file mode 100644 index 00000000000..62ae050a492 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26973.nopatch 
@@ -0,0 +1,3 @@ +CVE-2024-26973 - in version 5.15.154.1 +upstream: fde2497d2bc3a063d8af88b258dbadc86bd7b57c +stable: b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-26977.nopatch b/SPECS/hyperv-daemons/CVE-2024-26977.nopatch new file mode 100644 index 00000000000..47411b70734 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26977.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26977 - in version 5.15.154.1 +upsream: 7626913652cc786c238e2dd7d8740b17d41b2637 +stable: 5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6 \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-26984.nopatch b/SPECS/hyperv-daemons/CVE-2024-26984.nopatch new file mode 100644 index 00000000000..9cca11ab906 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26984.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26984 - in version 5.15.157.1 +upstream: fff1386cc889d8fb4089d285f883f8cba62d82ce +stable: 3ab056814cd8ab84744c9a19ef51360b2271c572 diff --git a/SPECS/hyperv-daemons/CVE-2024-26993.nopatch b/SPECS/hyperv-daemons/CVE-2024-26993.nopatch new file mode 100644 index 00000000000..4fa84da9e77 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-26993.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26993 - in version 5.15.157.1 +upstream: a90bca2228c0646fc29a72689d308e5fe03e6d78 +stable: 43f00210cb257bcb0387e8caeb4b46375d67f30c \ No newline at end of file diff --git a/SPECS/hyperv-daemons/CVE-2024-27000.nopatch b/SPECS/hyperv-daemons/CVE-2024-27000.nopatch new file mode 100644 index 00000000000..87ce128d432 --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-27000.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27000 - in version 5.15.158.1 +upstream: 54c4ec5f8c471b7c1137a1f769648549c423c026 +stable: 479244d68f5d94f3903eced52b093c1e01ddb495 diff --git a/SPECS/hyperv-daemons/CVE-2024-27018.nopatch b/SPECS/hyperv-daemons/CVE-2024-27018.nopatch new file mode 100644 index 00000000000..119dcb985bd --- /dev/null +++ b/SPECS/hyperv-daemons/CVE-2024-27018.nopatch 
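Review bot: In the new CVE-2024-26977.nopatch the key on the second line is spelled `upsream:`, whereas the other twelve .nopatch files added by this commit use `upstream:`. If any tooling or a later audit searches these files for the upstream commit id, this entry would be missed; the line should read `upstream: 7626913652cc786c238e2dd7d8740b17d41b2637`.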
@@ -0,0 +1,3 @@
+CVE-2024-27018 - in version 5.15.157.1
+upstream: 751de2012eafa4d46d8081056761fa0e9cc8a178
+stable: dceb683ab87ca3666a9bb5c0158528b646faedc4
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-35848.nopatch b/SPECS/hyperv-daemons/CVE-2024-35848.nopatch
new file mode 100644
index 00000000000..2a7d2f2a860
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-35848.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-35848 - in version 5.15.159.1
+upstream: f42c97027fb75776e2e9358d16bf4a99aeb04cf2
+stable: 26d32bec4c6d255a03762f33c637bfa3718be15a
diff --git a/SPECS/hyperv-daemons/CVE-2024-35912.nopatch b/SPECS/hyperv-daemons/CVE-2024-35912.nopatch
new file mode 100644
index 00000000000..cb970a9e98f
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-35912.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-35912 - in version 5.15.154.1
+upstream: 06a093807eb7b5c5b29b6cff49f8174a4e702341
+stable: 28db0ae86cb91a4ab0e855cff779daead936b7d5
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-36008.nopatch b/SPECS/hyperv-daemons/CVE-2024-36008.nopatch
new file mode 100644
index 00000000000..cd889cd4f5f
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-36008.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-36008 - in version 5.15.158.1
+upstream: 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1
+stable: 03b5a9b2b526862b21bcc31976e393a6e63785d1
\ No newline at end of file
From 3304dc254a01a4ff28a2f7700ded1c17bb7c5238 Mon Sep 17 00:00:00 2001
From: Mitch Zhu Date: Wed, 29 May 2024 14:58:04 -0700 Subject: [PATCH 04/31] Patch nodejs18 to address CVE-2023-21100 (#9250) --- SPECS/nodejs/CVE-2023-21100.patch | 50 ++++++++ SPECS/nodejs/CVE-2023-42282.patch | 111 ----------------- SPECS/nodejs/CVE-2024-22025.patch | 144 ----------------------- SPECS/nodejs/CVE-2024-24806.patch | 31 ----- SPECS/nodejs/CVE-2024-27983.patch | 34 ------ SPECS/nodejs/disable-tlsv1-tlsv1-1.patch | 42 ------- SPECS/nodejs/nodejs18.spec | 7 +- 7 files changed, 56 insertions(+), 363 deletions(-) create mode 100644 SPECS/nodejs/CVE-2023-21100.patch delete mode 100644 SPECS/nodejs/CVE-2023-42282.patch delete mode 100644 SPECS/nodejs/CVE-2024-22025.patch delete mode 100644 SPECS/nodejs/CVE-2024-24806.patch delete mode 100644 SPECS/nodejs/CVE-2024-27983.patch delete mode 100644 SPECS/nodejs/disable-tlsv1-tlsv1-1.patch diff --git a/SPECS/nodejs/CVE-2023-21100.patch b/SPECS/nodejs/CVE-2023-21100.patch new file mode 100644 index 00000000000..9d42e324ffc --- /dev/null +++ b/SPECS/nodejs/CVE-2023-21100.patch 
@@ -0,0 +1,50 @@ +From 901960817a6dc7b40c68c47bcd77037d5fc5d1ea Mon Sep 17 00:00:00 2001 +From: Mitch Zhu +Date: Wed, 29 May 2024 19:11:14 +0000 +Subject: [PATCH] Address CVE-2023-21100 + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + deps/v8/third_party/zlib/contrib/optimizations/inflate.c | 5 +++-- + deps/v8/third_party/zlib/inflate.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c +index 4841cd96..1007f062 100644 +--- a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c ++++ b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c +@@ -772,8 +772,9 @@ int flush; + if (copy > have) copy = have; + if (copy) { + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && +++ (len = state->head->extra_len - state->length) < +++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); +diff --git a/deps/v8/third_party/zlib/inflate.c b/deps/v8/third_party/zlib/inflate.c +index 7543c33d..384af93f 100644 +--- a/deps/v8/third_party/zlib/inflate.c ++++ b/deps/v8/third_party/zlib/inflate.c +@@ -761,8 +761,9 @@ int flush; + if (copy > have) copy = have; + if (copy) { + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && +++ (len = state->head->extra_len - state->length) < +++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? 
+ state->head->extra_max - len : copy); +-- +2.34.1 + diff --git a/SPECS/nodejs/CVE-2023-42282.patch b/SPECS/nodejs/CVE-2023-42282.patch deleted file mode 100644 index 3b97b26bf4f..00000000000 --- a/SPECS/nodejs/CVE-2023-42282.patch +++ /dev/null 
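Review bot: Two of the added lines in each inner hunk carry an extra `+` in front of the code: `+++ (len = state->head->extra_len - state->length) <` and `+++ state->head->extra_max) {` are, once the outer marker is removed, inner-patch lines beginning `++`, so the C source would receive `+ (len = …) <` and `+ state->head->extra_max) {`. A unary plus still compiles and should not change the comparison, but it makes the patched bounds check differ from a clean `(len = state->head->extra_len - state->length) < state->head->extra_max` and is easy to misread during later audits. I would regenerate the patch so those lines start with a single inner `+`, in both contrib/optimizations/inflate.c and inflate.c. The enclosing inflate() body starts and ends outside the inner hunks, so the surrounding state handling cannot be checked from here.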
@@ -1,111 +0,0 @@ -From 32f468f1245574785ec080705737a579be1223aa Mon Sep 17 00:00:00 2001 -From: Luke McFarlane -Date: Mon, 12 Feb 2024 13:22:18 +1100 -Subject: [PATCH] lib: fixed CVE-2023-42282 and added unit test - -Unit test code is not applicable for NodeJS sources hence not included. - -diff --git a/deps/npm/node_modules/ip/lib/ip.js b/deps/npm/node_modules/ip/lib/ip.js -index 4b2adb5add..9022443ae5 100644 ---- a/deps/npm/node_modules/ip/lib/ip.js -+++ b/deps/npm/node_modules/ip/lib/ip.js -@@ -306,12 +306,26 @@ ip.isEqual = function (a, b) { - }; - - ip.isPrivate = function (addr) { -- return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i -- .test(addr) -+ // check loopback addresses first -+ if (ip.isLoopback(addr)) { -+ return true; -+ } -+ -+ // ensure the ipv4 address is valid -+ if (!ip.isV6Format(addr)) { -+ const ipl = ip.normalizeToLong(addr); -+ if (ipl < 0) { -+ throw new Error('invalid ipv4 address'); -+ } -+ // normalize the address for the private range checks that follow -+ addr = ip.fromLong(ipl); -+ } -+ -+ // check private ranges -+ return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i - .test(addr) -- || /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^f[cd][0-9a-f]{2}:/i.test(addr) - || /^fe80:/i.test(addr) -@@ -324,9 +338,16 @@ ip.isPublic = function (addr) { - }; - - ip.isLoopback = function (addr) { -+ // If addr is an IPv4 address in long integer form (no dots and no colons), convert it -+ if (!/\./.test(addr) && !/:/.test(addr)) { -+ addr = ip.fromLong(Number(addr)); -+ } -+ - return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/ - .test(addr) -- || /^fe80::1$/.test(addr) -+ || /^0177\./.test(addr) -+ || /^0x7f\./i.test(addr) -+ || /^fe80::1$/i.test(addr) 
- || /^::1$/.test(addr) - || /^::$/.test(addr); - }; -@@ -420,3 +441,51 @@ ip.fromLong = function (ipl) { - ipl >> 8 & 255}.${ - ipl & 255}`); - }; -+ -+ip.normalizeToLong = function (addr) { -+ const parts = addr.split('.').map(part => { -+ // Handle hexadecimal format -+ if (part.startsWith('0x') || part.startsWith('0X')) { -+ return parseInt(part, 16); -+ } -+ // Handle octal format (strictly digits 0-7 after a leading zero) -+ else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) { -+ return parseInt(part, 8); -+ } -+ // Handle decimal format, reject invalid leading zeros -+ else if (/^[1-9]\d*$/.test(part) || part === '0') { -+ return parseInt(part, 10); -+ } -+ // Return NaN for invalid formats to indicate parsing failure -+ else { -+ return NaN; -+ } -+ }); -+ -+ if (parts.some(isNaN)) return -1; // Indicate error with -1 -+ -+ let val = 0; -+ const n = parts.length; -+ -+ switch (n) { -+ case 1: -+ val = parts[0]; -+ break; -+ case 2: -+ if (parts[0] > 0xff || parts[1] > 0xffffff) return -1; -+ val = (parts[0] << 24) | (parts[1] & 0xffffff); -+ break; -+ case 3: -+ if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1; -+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff); -+ break; -+ case 4: -+ if (parts.some(part => part > 0xff)) return -1; -+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]; -+ break; -+ default: -+ return -1; // Error case -+ } -+ -+ return val >>> 0; -+}; diff --git a/SPECS/nodejs/CVE-2024-22025.patch b/SPECS/nodejs/CVE-2024-22025.patch deleted file mode 100644 index 16583437501..00000000000 --- a/SPECS/nodejs/CVE-2024-22025.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From f31d47e135973746c4f490d5eb635eded8bb3dda Mon Sep 17 00:00:00 2001 -From: Matteo Collina -Date: Tue, 6 Feb 2024 16:47:20 +0100 -Subject: [PATCH] zlib: pause stream if outgoing buffer is full - -Signed-off-by: Matteo Collina -PR-URL: https://github.com/nodejs-private/node-private/pull/540 -Reviewed-By: Robert Nagy -Ref: https://hackerone.com/reports/2284065 -PR-URL: https://github.com/nodejs-private/node-private/pull/542 -CVE-ID: CVE-2024-22025 ---- - lib/zlib.js | 33 +++++++++++++++++++------- - test/parallel/test-zlib-brotli-16GB.js | 22 +++++++++++++++++ - test/parallel/test-zlib-params.js | 24 ++++++++++++------- - 3 files changed, 62 insertions(+), 17 deletions(-) - create mode 100644 test/parallel/test-zlib-brotli-16GB.js - -diff --git a/lib/zlib.js b/lib/zlib.js -index 2b90c6f91fed76..5e6a97937054fb 100644 ---- a/lib/zlib.js -+++ b/lib/zlib.js -@@ -560,10 +560,11 @@ function processCallback() { - self.bytesWritten += inDelta; - - const have = handle.availOutBefore - availOutAfter; -+ let streamBufferIsFull = false; - if (have > 0) { - const out = self._outBuffer.slice(self._outOffset, self._outOffset + have); - self._outOffset += have; -- self.push(out); -+ streamBufferIsFull = !self.push(out); - } else { - assert(have === 0, 'have should not go down'); - } -@@ -588,13 +589,29 @@ function processCallback() { - handle.inOff += inDelta; - handle.availInBefore = availInAfter; - -- this.write(handle.flushFlag, -- this.buffer, // in -- handle.inOff, // in_off -- handle.availInBefore, // in_len -- self._outBuffer, // out -- self._outOffset, // out_off -- self._chunkSize); // out_len -+ -+ if (!streamBufferIsFull) { -+ this.write(handle.flushFlag, -+ this.buffer, // in -+ handle.inOff, // in_off -+ handle.availInBefore, // in_len -+ self._outBuffer, // out -+ self._outOffset, // out_off -+ self._chunkSize); // out_len -+ } else { -+ const oldRead = self._read; -+ self._read = (n) => { -+ self._read = oldRead; -+ this.write(handle.flushFlag, -+ 
this.buffer, // in -+ handle.inOff, // in_off -+ handle.availInBefore, // in_len -+ self._outBuffer, // out -+ self._outOffset, // out_off -+ self._chunkSize); // out_len -+ self._read(n); -+ }; -+ } - return; - } - -diff --git a/test/parallel/test-zlib-brotli-16GB.js b/test/parallel/test-zlib-brotli-16GB.js -new file mode 100644 -index 00000000000000..ba4f7ef5aef561 ---- /dev/null -+++ b/test/parallel/test-zlib-brotli-16GB.js -@@ -0,0 +1,22 @@ -+'use strict'; -+ -+const common = require('../common'); -+const { createBrotliDecompress } = require('node:zlib'); -+const strictEqual = require('node:assert').strictEqual; -+ -+// This tiny HEX string is a 16GB file. -+// This test verifies that the stream actually stops. -+/* eslint-disable max-len */ -+const content = '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'; -+ -+const buf = Buffer.from(content, 'hex'); -+ -+const decoder = createBrotliDecompress(); -+decoder.end(buf); -+ -+// We need to wait to verify that the libuv thread pool had time -+// to process the data and the buffer is not empty. 
-+setTimeout(common.mustCall(() => { -+ // There is only one chunk in the buffer -+ strictEqual(decoder._readableState.buffer.length, 1); -+}), common.platformTimeout(100)); -diff --git a/test/parallel/test-zlib-params.js b/test/parallel/test-zlib-params.js -index 30d4f133ad43bd..18271fe022a96d 100644 ---- a/test/parallel/test-zlib-params.js -+++ b/test/parallel/test-zlib-params.js -@@ -12,23 +12,29 @@ const deflater = zlib.createDeflate(opts); - const chunk1 = file.slice(0, chunkSize); - const chunk2 = file.slice(chunkSize); - const blkhdr = Buffer.from([0x00, 0x5a, 0x82, 0xa5, 0x7d]); --const expected = Buffer.concat([blkhdr, chunk2]); --let actual; -+const blkftr = Buffer.from('010000ffff7dac3072', 'hex'); -+const expected = Buffer.concat([blkhdr, chunk2, blkftr]); -+const bufs = []; -+ -+function read() { -+ let buf; -+ while ((buf = deflater.read()) !== null) { -+ bufs.push(buf); -+ } -+} - - deflater.write(chunk1, function() { - deflater.params(0, zlib.constants.Z_DEFAULT_STRATEGY, function() { - while (deflater.read()); -- deflater.end(chunk2, function() { -- const bufs = []; -- let buf; -- while ((buf = deflater.read()) !== null) -- bufs.push(buf); -- actual = Buffer.concat(bufs); -- }); -+ -+ deflater.on('readable', read); -+ -+ deflater.end(chunk2); - }); - while (deflater.read()); - }); - - process.once('exit', function() { -+ const actual = Buffer.concat(bufs); - assert.deepStrictEqual(actual, expected); - }); - \ No newline at end of file diff --git a/SPECS/nodejs/CVE-2024-24806.patch b/SPECS/nodejs/CVE-2024-24806.patch deleted file mode 100644 index f183ff3f72b..00000000000 --- a/SPECS/nodejs/CVE-2024-24806.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001 -From: Suresh Thelkar -Date: Tue, 27 Feb 2024 10:24:03 +0530 -Subject: [PATCH] Patch CVE-2024-24806 - -Upstream patch details are given below. -https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629 ---- - deps/uv/src/idna.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c -index 93d982ca..197650af 100644 ---- a/deps/uv/src/idna.c -+++ b/deps/uv/src/idna.c -@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { - return rc; - } - -- if (d < de) -- *d++ = '\0'; -+ if (d >= de) -+ return UV_EINVAL; -+ -+ *d++ = '\0'; - - return d - ds; /* Number of bytes written. */ - } --- -2.34.1 - diff --git a/SPECS/nodejs/CVE-2024-27983.patch b/SPECS/nodejs/CVE-2024-27983.patch deleted file mode 100644 index a13516673ed..00000000000 --- a/SPECS/nodejs/CVE-2024-27983.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 0fb816dbccde955cd24acc1b16497a91fab507c8 Mon Sep 17 00:00:00 2001 -From: RafaelGSS -Date: Tue, 26 Mar 2024 15:55:13 -0300 -Subject: [PATCH] src: ensure to close stream when destroying session - -Co-Authored-By: Anna Henningsen -PR-URL: https://github.com/nodejs-private/node-private/pull/561 -Fixes: https://hackerone.com/reports/2319584 -Reviewed-By: Michael Dawson -Reviewed-By: Marco Ippolito -Reviewed-By: Matteo Collina -Reviewed-By: Benjamin Gruenbaum -CVE-ID: CVE-2024-27983 ---- - src/node_http2.cc | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/node_http2.cc b/src/node_http2.cc -index 528bf3aa58b322..eb3506ff5e609b 100644 ---- a/src/node_http2.cc -+++ b/src/node_http2.cc -@@ -528,6 +528,12 @@ Http2Session::Http2Session(Http2State* http2_state, - Http2Session::~Http2Session() { - CHECK(!is_in_scope()); - Debug(this, "freeing nghttp2 session"); -+ // Ensure that all `Http2Stream` instances and the memory they hold -+ // on to are destroyed before the nghttp2 session is. -+ for (const auto& [id, stream] : streams_) { -+ stream->Detach(); -+ } -+ streams_.clear(); - // Explicitly reset session_ so the subsequent - // current_nghttp2_memory_ check passes. - session_.reset(); diff --git a/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch b/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch deleted file mode 100644 index 0a40760b4f7..00000000000 --- a/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -diff -ru node-v16.14.0-orig/src/crypto/crypto_context.cc node-v16.14.0/src/crypto/crypto_context.cc ---- node-v16.14.0-orig/src/crypto/crypto_context.cc 2022-02-08 04:37:50.000000000 -0800 -+++ node-v16.14.0/src/crypto/crypto_context.cc 2022-02-25 09:17:21.964960342 -0800 -@@ -467,28 +467,16 @@ - min_version = 0; - max_version = kMaxSupportedVersion; - method = TLS_client_method(); -- } else if (sslmethod == "TLSv1_method") { -- min_version = TLS1_VERSION; -- max_version = TLS1_VERSION; -- } else if (sslmethod == "TLSv1_server_method") { -- min_version = TLS1_VERSION; -- max_version = TLS1_VERSION; -- method = TLS_server_method(); -- } else if (sslmethod == "TLSv1_client_method") { -- min_version = TLS1_VERSION; -- max_version = TLS1_VERSION; -- method = TLS_client_method(); -- } else if (sslmethod == "TLSv1_1_method") { -- min_version = TLS1_1_VERSION; -- max_version = TLS1_1_VERSION; -- } else if (sslmethod == "TLSv1_1_server_method") { -- min_version = TLS1_1_VERSION; -- max_version = TLS1_1_VERSION; -- method = TLS_server_method(); -- } else if (sslmethod == "TLSv1_1_client_method") { -- min_version = TLS1_1_VERSION; -- max_version = TLS1_1_VERSION; -- method = TLS_client_method(); -+ } else if (sslmethod == "TLSv1_method" || -+ sslmethod == "TLSv1_server_method" || -+ sslmethod == "TLSv1_client_method") { -+ THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1 methods disabled"); -+ return; -+ } else if (sslmethod == "TLSv1_1_method" || -+ sslmethod == "TLSv1_1_server_method" || -+ sslmethod == "TLSv1_1_client_method") { -+ THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1_1 methods disabled"); -+ return; - } else if (sslmethod == "TLSv1_2_method") { - min_version = TLS1_2_VERSION; - max_version = TLS1_2_VERSION; diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec index 4338244bb99..26ecdff0e1b 100644 --- a/SPECS/nodejs/nodejs18.spec +++ b/SPECS/nodejs/nodejs18.spec 
@@ -6,7 +6,7 @@ Name: nodejs18 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package. # The version of NPM can be found inside the sources under 'deps/npm/package.json'. Version: 18.20.2 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0 Group: Applications/System Vendor: Microsoft Corporation @@ -16,6 +16,7 @@ URL: https://github.com/nodejs/node # !!!! because it contains patented algorithms. # !!! => use clean-source-tarball.sh script to create a clean and reproducible source tarball. Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz +Patch0: CVE-2023-21100.patch BuildRequires: brotli-devel BuildRequires: coreutils >= 8.22 BuildRequires: gcc @@ -116,6 +117,10 @@ make cctest %{_datadir}/systemtap/tapset/node.stp %changelog +* Wed May 29 2024 Mitch Zhu - 18.20.2-2 +- Patch CVE-2023-21100. +- Remove unused patches. + * Fri Apr 26 2024 CBL-Mariner Servicing Account - 18.20.2-1 - Auto-upgrade to 18.20.2 - address multiple CVEs. - Remove patches as the upgrade already has these changes. From 84f147039873b610c3f9ec2330586ba3373ebbe1 Mon Sep 17 00:00:00 2001 From: Dinesh Kumar Ramasamy Date: Thu, 30 May 2024 10:33:04 -0500 Subject: [PATCH 05/31] Enable KNI module in DPDK build (#9246) --- SPECS/dpdk/dpdk.spec | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/SPECS/dpdk/dpdk.spec b/SPECS/dpdk/dpdk.spec index 549868b8822..409a1f8394c 100644 --- a/SPECS/dpdk/dpdk.spec +++ b/SPECS/dpdk/dpdk.spec 
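Review bot: `Patch0: CVE-2023-21100.patch` is declared here, but none of the nodejs18.spec hunks touches %prep, so whether the fix is actually applied depends on lines outside this diff. If %prep uses `%autosetup -p1` the patch is picked up automatically; if it uses plain `%setup`, a `%patch0 -p1` line is needed, otherwise the package ships unpatched while the changelog entry says `Patch CVE-2023-21100.` The same check applies to `Patch4: CVE-2024-35176.patch` in ruby.spec and `Patch2: CVE-2024-26147.patch` in cert-manager.spec later in this series. Searching the build log for the patch file name is a cheap way to confirm each one.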
@@ -1,4 +1,10 @@ %define _unpackaged_files_terminate_build 0 + +# Define variables for kernel version and source directory +%global KVERSION %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global K_SRC %{_libdir}/modules/%{KVERSION}/build +%global moddestdir /lib/modules/%{KVERSION}/kernel/drivers/net/kni + # Add option to build without examples %define target %{machine_arch}-%{machine_tmpl}-linuxapp-gcc # machine_arch maps between rpm and dpdk arch name, often same as _target_cpu @@ -27,10 +33,11 @@ # Add option to build with examples, tools subpackages %bcond_with examples %bcond_without tools + Summary: Set of libraries and drivers for fast packet processing Name: dpdk Version: 21.11.2 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD AND LGPLv2 AND GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -47,6 +54,7 @@ BuildRequires: meson BuildRequires: python3-pyelftools BuildRequires: python3-sphinx BuildRequires: zlib-devel +BuildRequires: kernel-devel # # The DPDK is designed to optimize througput of network traffic using, among # other techniques, carefully crafted assembly instructions. As such it @@ -114,6 +122,8 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ -Ddrivers_install_subdir=dpdk-pmds \ -Denable_docs=true \ -Dmachine=default \ + -Denable_kmods=true \ + -Dkernel_dir=%{K_SRC} \ %if %{with examples} -Dexamples=all \ %endif @@ -128,6 +138,12 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ %install %meson_install +# Install the kernel modules to the specified directory +mkdir -p %{buildroot}%{moddestdir} +echo "find %{_builddir}/dpdk-stable-%{version} -name rte_kni.ko -exec install -D -m 755 '{}' %{buildroot}%{moddestdir} \;" > install_kni.sh +chmod +x install_kni.sh +./install_kni.sh + %files # BSD %doc README MAINTAINERS @@ -140,6 +156,7 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ %{_bindir}/dpdk-proc-info %{_libdir}/*.so.* %{pmddir}/*.so.* +%{moddestdir}/rte_kni.ko %files devel #BSD 
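Review bot: `KVERSION` is taken from whichever package provides `kernel-headers`, while the build tree that `%{K_SRC}` points to belongs to the `kernel-devel` package this commit adds as a BuildRequires; if the two are ever at different version-release values, `-Dkernel_dir=%{K_SRC}` names a directory that does not exist. Querying the package that owns the build tree is safer: `$(/bin/rpm -q --whatprovides kernel-devel)`. `K_SRC` is also built from `%{_libdir}/modules` while `moddestdir` hard-codes `/lib/modules`, and the two only agree when `%{_libdir}` resolves to the same tree, so a one-line comment stating that assumption would help the next maintainer.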
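Review bot: The %install addition writes the `find` command into `install_kni.sh` and then executes it, which adds a generated script to the build and hides failures: `find` exits 0 when no `rte_kni.ko` is found, so a missing module only surfaces later at `%{moddestdir}/rte_kni.ko` in %files. Running the command directly, `find %{_builddir}/dpdk-stable-%{version} -name rte_kni.ko -exec install -D -m 644 '{}' %{buildroot}%{moddestdir}/ \;`, followed by `test -f %{buildroot}%{moddestdir}/rte_kni.ko`, fails at the step that went wrong. Mode 644 is the usual permission for a kernel module; the execute bit is not needed for it to load. No `depmod` scriptlet or dependency on the matching kernel version is visible in these hunks, so it is worth confirming the module is discoverable and matches the installed kernel after the package is installed.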
@@ -179,6 +196,11 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ %endif %changelog +* Wed May 22 2024 Dinesh Kumar Ramasamy - 21.11.2-3 +- Enable KNI module in DPDK build +- Update spec file to set kernel source directory using KVERSION and K_SRC variables. +- Ensure correct installation directory for kernel modules using moddestdir variable. + * Wed Sep 20 2023 Jon Slobodzian - 21.11.2-2 - Recompile with stack-protection fixed gcc version (CVE-2023-4039) From 47df6748d903458516a30e7dccdadaed208a788b Mon Sep 17 00:00:00 2001 From: Minghe Ren Date: Thu, 30 May 2024 17:49:12 -0700 Subject: [PATCH 06/31] add patch for ruby CVE-2024-35176 (#9267) Co-authored-by: minghe Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com> --- SPECS/ruby/CVE-2024-35176.patch | 150 ++++++++++++++++++++++++++++++++ SPECS/ruby/ruby.spec | 7 +- 2 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 SPECS/ruby/CVE-2024-35176.patch diff --git a/SPECS/ruby/CVE-2024-35176.patch b/SPECS/ruby/CVE-2024-35176.patch new file mode 100644 index 00000000000..8fd488e18d5 --- /dev/null +++ b/SPECS/ruby/CVE-2024-35176.patch 
@@ -0,0 +1,150 @@ +Patch taken from https://github.com/ruby/rexml/pull/126/files#diff-93b40740603234e79b1d9be5ff2b3af80f3964a146183cbd698f14d7336726e9 +diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +--- a/.bundle/gems/rexml-3.2.5/lib/parsers/baseparser.rb 2021-04-05 04:43:38.000000000 -0700 ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb 2024-05-28 18:53:32.656078157 -0700 +@@ -589,60 +589,41 @@ + def parse_attributes(prefixes, curr_ns) + attributes = {} + closed = false +- match_data = @source.match(/^(.*?)(\/)?>/um, true) +- if match_data.nil? +- message = "Start tag isn't ended" +- raise REXML::ParseException.new(message, @source) +- end +- +- raw_attributes = match_data[1] +- closed = !match_data[2].nil? +- return attributes, closed if raw_attributes.nil? +- return attributes, closed if raw_attributes.empty? +- +- scanner = StringScanner.new(raw_attributes) +- until scanner.eos? +- if scanner.scan(/\s+/) +- break if scanner.eos? 
+- end +- +- pos = scanner.pos +- loop do +- break if scanner.scan(ATTRIBUTE_PATTERN) +- unless scanner.scan(QNAME) +- message = "Invalid attribute name: <#{scanner.rest}>" +- raise REXML::ParseException.new(message, @source) +- end +- name = scanner[0] +- unless scanner.scan(/\s*=\s*/um) ++ while true ++ if @source.match(">", true) ++ return attributes, closed ++ elsif @source.match("/>", true) ++ closed = true ++ return attributes, closed ++ elsif match = @source.match(QNAME, true) ++ name = match[1] ++ prefix = match[2] ++ local_part = match[3] ++ unless @source.match(/\s*=\s*/um, true) + message = "Missing attribute equal: <#{name}>" + raise REXML::ParseException.new(message, @source) + end +- quote = scanner.scan(/['"]/) +- unless quote ++ unless match = @source.match(/(['"])(.*?)\1\s*/um, true) ++ if match = @source.match(/(['"])/, true) ++ message = ++ "Missing attribute value end quote: <#{name}>: <#{match[1]}>" ++ raise REXML::ParseException.new(message, @source) ++ else ++ message = "Missing attribute value start quote: <#{name}>" ++ raise REXML::ParseException.new(message, @source) ++ end ++ unless match = @source.match(/(['"])/, true) + message = "Missing attribute value start quote: <#{name}>" + raise REXML::ParseException.new(message, @source) + end +- unless scanner.scan(/.*#{Regexp.escape(quote)}/um) +- match_data = @source.match(/^(.*?)(\/)?>/um, true) +- if match_data +- scanner << "/" if closed +- scanner << ">" +- scanner << match_data[1] +- scanner.pos = pos +- closed = !match_data[2].nil? 
+- next +- end +- message = +- "Missing attribute value end quote: <#{name}>: <#{quote}>" ++ quote = match[1] ++ value = @source.read_until(quote) ++ unless value.chomp!(quote) ++ message = "Missing attribute value end quote: <#{name}>: <#{quote}>" + raise REXML::ParseException.new(message, @source) + end +- end +- name = scanner[1] +- prefix = scanner[2] +- local_part = scanner[3] +- # quote = scanner[4] +- value = scanner[5] ++ value = match[2] ++ @source.match(/\s*/um, true) + if prefix == "xmlns" + if local_part == "xml" + if value != "http://www.w3.org/XML/1998/namespace" +diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb 2021-04-05 04:43:38.000000000 -0700 ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb 2024-05-28 17:10:36.356913505 -0700 +@@ -81,7 +81,11 @@ + rv + end + +- def read ++ def read(term = nil) ++ end ++ ++ def read_until(term) ++ @scanner.scan_until(Regexp.union(term)) or @scanner.rest + end + + def consume( pattern ) +@@ -204,11 +208,28 @@ + rv + end + +- def read ++ def read(term = nil) + begin +- @buffer << readline ++ @scanner << readline(term) ++ true + rescue Exception, NameError + @source = nil ++ false ++ end ++ end ++ ++ def read_until(term) ++ pattern = Regexp.union(term) ++ data = [] ++ begin ++ until str = @scanner.scan_until(pattern) ++ @scanner << readline(term) ++ end ++ rescue EOFError ++ @scanner.rest ++ else ++ read if @scanner.eos? and !@source.eof? ++ str + end + end + +@@ -263,8 +284,8 @@ + end + + private +- def readline +- str = @source.readline(@line_break) ++ def readline(term = nil) ++ str = @source.readline(term || @line_break) + if @pending_buffer + if str.nil? + str = @pending_buffer diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index 38994350c90..bdc67c8561b 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec 
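Review bot: The added `parse_attributes` body in this embedded patch mixes two ways of reading the attribute value, and as shown the second looks unreachable or unbalanced: the `unless match = @source.match(/(['"])(.*?)\1\s*/um, true)` block raises on both branches and has no `end` of its own before the following `unless match = @source.match(/(['"])/, true)`, while `value = match[2]` later overwrites what `read_until(quote)` returned. The source.rb part replaces `@buffer << readline` with `@scanner << readline(term)` and calls `@scanner.scan_until`, but no visible line defines `@scanner`, so on rexml 3.2.5 `read_until` may be called on nil unless the class already has that variable. I would keep a single approach that matches one upstream commit (the header cites pull 126) and gate the package on `ruby -c` over the patched files plus the upstream rexml parser tests. The method bodies continue outside the inner hunks, so block balance has to be confirmed against the full files.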
@@ -83,7 +83,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: 3.1.4 -Release: 5%{?dist} +Release: 6%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Mariner @@ -102,6 +102,8 @@ Patch0: CVE-2023-36617.patch Patch1: CVE-2024-27280.patch Patch2: CVE-2024-27281.patch Patch3: CVE-2024-27282.patch +# Patch no longer needed if REXML gem is 3.2.7 or later. Now is 3.2.5 +Patch4: CVE-2024-35176.patch BuildRequires: openssl-devel BuildRequires: readline BuildRequires: readline-devel @@ -404,6 +406,9 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog +* Thu May 30 2024 Minghe Ren - 3.1.4-6 +- Patch CVE-2024-35176 + * Thu May 16 2024 Jonathan Behrens - 3.1.4-5 - Patch CVE-2024-27282 From ebc77031e57b4bcfbbc6ad18e0b1813d42906beb Mon Sep 17 00:00:00 2001 From: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com> Date: Thu, 30 May 2024 18:57:31 -0700 Subject: [PATCH 07/31] Patch CVE-2024-26147 for cert-manager (#9268) --- SPECS/cert-manager/CVE-2024-26147.patch | 43 +++++++++++++++++++++++++ SPECS/cert-manager/cert-manager.spec | 6 +++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 SPECS/cert-manager/CVE-2024-26147.patch diff --git a/SPECS/cert-manager/CVE-2024-26147.patch b/SPECS/cert-manager/CVE-2024-26147.patch new file mode 100644 index 00000000000..6521830cfea --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-26147.patch 
@@ -0,0 +1,43 @@ +From d02be38fc6c54828d5eec15efe058c61f3df4a60 Mon Sep 17 00:00:00 2001 +From: Mykhailo Bykhovtsev +Date: Thu, 30 May 2024 16:33:17 -0700 +Subject: [PATCH] backport patch CVE-2024-26147. Based off commit https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af + +--- + vendor/helm.sh/helm/v3/pkg/plugin/plugin.go | 4 ++++ + vendor/helm.sh/helm/v3/pkg/repo/index.go | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go +index 1399b71..df580db 100644 +--- a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go ++++ b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go +@@ -173,6 +173,10 @@ var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$") + + // validatePluginData validates a plugin's YAML data. + func validatePluginData(plug *Plugin, filepath string) error { ++ // When metadata section missing, initialize with no data ++ if plug.Metadata == nil { ++ plug.Metadata = &Metadata{} ++ } + if !validPluginName.MatchString(plug.Metadata.Name) { + return fmt.Errorf("invalid plugin name at %q", filepath) + } +diff --git a/vendor/helm.sh/helm/v3/pkg/repo/index.go b/vendor/helm.sh/helm/v3/pkg/repo/index.go +index 60cfe58..94852bb 100644 +--- a/vendor/helm.sh/helm/v3/pkg/repo/index.go ++++ b/vendor/helm.sh/helm/v3/pkg/repo/index.go +@@ -347,6 +347,10 @@ func loadIndex(data []byte, source string) (*IndexFile, error) { + log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source) + continue + } ++ // When metadata section missing, initialize with no data ++ if cvs[idx].Metadata == nil { ++ cvs[idx].Metadata = &chart.Metadata{} ++ } + if cvs[idx].APIVersion == "" { + cvs[idx].APIVersion = chart.APIVersionV1 + } +-- +2.34.1 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 4aad212fe06..4091564e70e 100644 --- a/SPECS/cert-manager/cert-manager.spec 
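Review bot: In the index.go hunk (`loadIndex`), the nil guard replaces a missing `Metadata` with an empty `chart.Metadata{}` and lets the loop continue, so whether such an entry is dropped depends on validation that runs after the hunk; `loadIndex` continues outside the visible lines. It is worth confirming that the vendored helm version still validates each entry after this point, since otherwise a chart version with an empty name and version would stay in the index. In the plugin.go hunk the same pattern is safe as shown, because the next line rejects the empty name. A comment stating the intent would help at both sites: `// Empty metadata is rejected by the validation below; this only avoids the nil dereference.`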
+++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.11.2 -Release: 9%{?dist} +Release: 10%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -21,6 +21,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version Source1: %{name}-%{version}-govendor.tar.gz Patch0: CVE-2023-48795.patch Patch1: CVE-2023-45288.patch +Patch2: CVE-2024-26147.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -113,6 +114,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Thu May 30 2024 Mykhailo Bykhovtsev - 1.11.2-10 +- Patch for CVE-2024-26147 + * Thu Apr 18 2024 Chris Gunn - 1.11.2-9 - Fix for CVE-2023-45288 From db8f0137f62898996ca3b84d9228dad61890bf52 Mon Sep 17 00:00:00 2001 
From: Rachel Menge Date: Fri, 31 May 2024 10:21:15 -0700 Subject: [PATCH 08/31] Address kernel CVE-2022-38096, CVE-2023-47233, CVE-2023-52827, CVE-2024-25739, CVE-2024-26900, CVE-2024-26902, CVE-2024-26929, CVE-2024-26934, CVE-2024-26949, CVE-2024-26952, CVE-2024-26979, CVE-2024-27013, CVE-2024-27015, CVE-2024-27016, CVE-2024-27018, CVE-2024-27019, CVE-2024-27020, CVE-2024-35978, CVE-2024-35982, CVE-2024-35984, CVE-2024-35990, CVE-2024-35997, CVE-2024-36008 (#9270) Address CVE-2022-38096, CVE-2023-47233, CVE-2023-52827, CVE-2024-25739, CVE-2024-26900, CVE-2024-26902, CVE-2024-26929, CVE-2024-26934, CVE-2024-26949, CVE-2024-26952, CVE-2024-26979, CVE-2024-27013, CVE-2024-27015, CVE-2024-27016, CVE-2024-27018, CVE-2024-27019, CVE-2024-27020, CVE-2024-35978, CVE-2024-35982, CVE-2024-35984, CVE-2024-35990, CVE-2024-35997, CVE-2024-36008 --- SPECS/kernel/CVE-2022-38096.nopatch | 3 +++ SPECS/kernel/CVE-2023-47233.nopatch | 3 +++ SPECS/kernel/CVE-2023-52827.nopatch | 3 +++ SPECS/kernel/CVE-2024-25739.nopatch | 3 +++ SPECS/kernel/CVE-2024-26900.nopatch | 3 +++ SPECS/kernel/CVE-2024-26902.nopatch | 3 +++ SPECS/kernel/CVE-2024-26929.nopatch | 3 +++ SPECS/kernel/CVE-2024-26934.nopatch | 3 +++ SPECS/kernel/CVE-2024-26949.nopatch | 4 ++++ SPECS/kernel/CVE-2024-26952.nopatch | 2 ++ SPECS/kernel/CVE-2024-26979.nopatch | 3 +++ SPECS/kernel/CVE-2024-27013.nopatch | 3 +++ SPECS/kernel/CVE-2024-27015.nopatch | 3 +++ SPECS/kernel/CVE-2024-27016.nopatch | 3 +++ SPECS/kernel/CVE-2024-27018.nopatch | 3 +++ SPECS/kernel/CVE-2024-27019.nopatch | 3 +++ SPECS/kernel/CVE-2024-27020.nopatch | 3 +++ SPECS/kernel/CVE-2024-35978.nopatch | 3 +++ SPECS/kernel/CVE-2024-35982.nopatch | 3 +++ SPECS/kernel/CVE-2024-35984.nopatch | 3 +++ SPECS/kernel/CVE-2024-35990.nopatch | 3 +++ SPECS/kernel/CVE-2024-35997.nopatch | 3 +++ SPECS/kernel/CVE-2024-36008.nopatch | 3 +++ 23 files changed, 69 insertions(+) create mode 100644 SPECS/kernel/CVE-2022-38096.nopatch create mode 100644 
SPECS/kernel/CVE-2023-47233.nopatch create mode 100644 SPECS/kernel/CVE-2023-52827.nopatch create mode 100644 SPECS/kernel/CVE-2024-25739.nopatch create mode 100644 SPECS/kernel/CVE-2024-26900.nopatch create mode 100644 SPECS/kernel/CVE-2024-26902.nopatch create mode 100644 SPECS/kernel/CVE-2024-26929.nopatch create mode 100644 SPECS/kernel/CVE-2024-26934.nopatch create mode 100644 SPECS/kernel/CVE-2024-26949.nopatch create mode 100644 SPECS/kernel/CVE-2024-26952.nopatch create mode 100644 SPECS/kernel/CVE-2024-26979.nopatch create mode 100644 SPECS/kernel/CVE-2024-27013.nopatch create mode 100644 SPECS/kernel/CVE-2024-27015.nopatch create mode 100644 SPECS/kernel/CVE-2024-27016.nopatch create mode 100644 SPECS/kernel/CVE-2024-27018.nopatch create mode 100644 SPECS/kernel/CVE-2024-27019.nopatch create mode 100644 SPECS/kernel/CVE-2024-27020.nopatch create mode 100644 SPECS/kernel/CVE-2024-35978.nopatch create mode 100644 SPECS/kernel/CVE-2024-35982.nopatch create mode 100644 SPECS/kernel/CVE-2024-35984.nopatch create mode 100644 SPECS/kernel/CVE-2024-35990.nopatch create mode 100644 SPECS/kernel/CVE-2024-35997.nopatch create mode 100644 SPECS/kernel/CVE-2024-36008.nopatch diff --git a/SPECS/kernel/CVE-2022-38096.nopatch b/SPECS/kernel/CVE-2022-38096.nopatch new file mode 100644 index 00000000000..6c9c97423bc --- /dev/null +++ b/SPECS/kernel/CVE-2022-38096.nopatch @@ -0,0 +1,3 @@ +CVE-2022-38096 - in version 5.15.154.1 +upstream: 517621b7060096e48e42f545fa6646fc00252eac +stable: 899e154f9546fcae18065d74064889d08fff62c2 diff --git a/SPECS/kernel/CVE-2023-47233.nopatch b/SPECS/kernel/CVE-2023-47233.nopatch new file mode 100644 index 00000000000..22bcb7a4d3d --- /dev/null +++ b/SPECS/kernel/CVE-2023-47233.nopatch @@ -0,0 +1,3 @@ +CVE-2023-47233 - in version 5.15.158.1 +upstream: 0f7352557a35ab7888bc7831411ec8a3cbe20d78 +stable: 8c36205123dc57349b59b4f1a2301eb278cbc731 
diff --git a/SPECS/kernel/CVE-2023-52827.nopatch b/SPECS/kernel/CVE-2023-52827.nopatch
new file mode 100644
index 00000000000..be2dcebc348
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-52827.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-52827 - ath12k driver support is not in 5.15.X
+upstream introducing commit: d889913205cf7ebda905b1e62c5867ed4e39f6c2
+upstream fix commit: 1bc44a505a229bb1dd4957e11aa594edeea3690e
diff --git a/SPECS/kernel/CVE-2024-25739.nopatch b/SPECS/kernel/CVE-2024-25739.nopatch
new file mode 100644
index 00000000000..569b311f2c7
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-25739.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-25739 - in version 5.15.158.1
+upstream: 68a24aba7c593eafa8fd00f2f76407b9b32b47a9
+stable: 8ce982285414b741e2dd6ebb5a62e79dede44f7f
diff --git a/SPECS/kernel/CVE-2024-26900.nopatch b/SPECS/kernel/CVE-2024-26900.nopatch
new file mode 100644
index 00000000000..2f8092715db
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26900.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26900 - in version 5.15.159.1
+upstream: 6cf350658736681b9d6b0b6e58c5c76b235bb4c4
+stable: f3a1787dc48213f6caea5ba7d47e0222e7fa34a9
diff --git a/SPECS/kernel/CVE-2024-26902.nopatch b/SPECS/kernel/CVE-2024-26902.nopatch
new file mode 100644
index 00000000000..79f28eaa324
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26902.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26902 - 5.15.X does not support RISCV_PMU_SBI
+upstream introducing commit: e9991434596f5373dfd75857b445eb92a9253c56
+upstream fix commit: 34b567868777e9fd39ec5333969728a7f0cf179c
diff --git a/SPECS/kernel/CVE-2024-26929.nopatch b/SPECS/kernel/CVE-2024-26929.nopatch
new file mode 100644
index 00000000000..e69155b6c9b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26929.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26929 - in version 5.15.158.1
+upstream: 82f522ae0d97119a43da53e0f729275691b9c525
+stable: b03e626bd6d3f0684f56ee1890d70fc9ca991c04
diff --git a/SPECS/kernel/CVE-2024-26934.nopatch b/SPECS/kernel/CVE-2024-26934.nopatch
new file mode 100644
index 00000000000..254de989565
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26934.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26934 - in version 5.15.158.1
+upstream: 80ba43e9f799cbdd83842fc27db667289b3150f5
+stable: 1b175bc579f46520b11ecda443bcd2ee4904f66a
diff --git a/SPECS/kernel/CVE-2024-26949.nopatch b/SPECS/kernel/CVE-2024-26949.nopatch
new file mode 100644
index 00000000000..af26c683f0a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26949.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-26949 - introducing commit not present in 5.15.159.1
+(5.15.X does not support for getting power1_cap_min value for drm/amd/pm)
+upstream introducing commit: 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb
+upstream fix commit: 08ae9ef829b8055c2fdc8cfee37510c1f4721a07
diff --git a/SPECS/kernel/CVE-2024-26952.nopatch b/SPECS/kernel/CVE-2024-26952.nopatch
new file mode 100644
index 00000000000..1a395ae4824
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26952.nopatch
@@ -0,0 +1,2 @@
+CVE-2024-26952 - Mariner does not enable ksmbd at this time (5.15.159.1-1)
+Upstream commit: c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da
diff --git a/SPECS/kernel/CVE-2024-26979.nopatch b/SPECS/kernel/CVE-2024-26979.nopatch
new file mode 100644
index 00000000000..6c45589d9f2
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-26979.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26979 - in version 5.15.158.1
+upstream: 517621b7060096e48e42f545fa6646fc00252eac
+stable: 899e154f9546fcae18065d74064889d08fff62c2
diff --git a/SPECS/kernel/CVE-2024-27013.nopatch b/SPECS/kernel/CVE-2024-27013.nopatch
new file mode 100644
index 00000000000..2a02ef84a3e
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27013.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27013 - in version 5.15.158.1
+upstream: f8bbc07ac535593139c875ffa19af924b1084540
+stable: a50dbeca28acf7051dfa92786b85f704c75db6eb
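Review bot: CVE-2024-26979.nopatch records the fix as "in version 5.15.158.1", but it lists the same upstream and stable commits (`517621b7060096e48e42f545fa6646fc00252eac` / `899e154f9546fcae18065d74064889d08fff62c2`) as CVE-2022-38096.nopatch, which says "in version 5.15.154.1". A single stable commit first ships in one release, so one of the two version strings is likely wrong, and the wrong record would misstate which kernel builds carry the fix. Check which stable release first contains that commit and use the same version in both files.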
diff --git a/SPECS/kernel/CVE-2024-27015.nopatch b/SPECS/kernel/CVE-2024-27015.nopatch
new file mode 100644
index 00000000000..116c16fb132
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27015.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27015 - in version 5.15.158.1
+upstream: 6db5dc7b351b9569940cd1cf445e237c42cd6d27
+stable: e719b52d0c56989b0f3475a03a6d64f182c85b56
diff --git a/SPECS/kernel/CVE-2024-27016.nopatch b/SPECS/kernel/CVE-2024-27016.nopatch
new file mode 100644
index 00000000000..91196658e3c
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27016.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27016 - in version 5.15.158.1
+upstream: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf
+stable: d06977b9a4109f8738bb276125eb6a0b772bc433
diff --git a/SPECS/kernel/CVE-2024-27018.nopatch b/SPECS/kernel/CVE-2024-27018.nopatch
new file mode 100644
index 00000000000..62541743005
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27018.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27018 - in version 5.15.157.1
+upstream: 751de2012eafa4d46d8081056761fa0e9cc8a178
+stable: dceb683ab87ca3666a9bb5c0158528b646faedc4
diff --git a/SPECS/kernel/CVE-2024-27019.nopatch b/SPECS/kernel/CVE-2024-27019.nopatch
new file mode 100644
index 00000000000..08cbdc9b5af
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27019.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27019 - in version 5.15.158.1
+upstream: d78d867dcea69c328db30df665be5be7d0148484
+stable: 379bf7257bc5f2a1b1ca8514e08a871b7bf6d920
diff --git a/SPECS/kernel/CVE-2024-27020.nopatch b/SPECS/kernel/CVE-2024-27020.nopatch
new file mode 100644
index 00000000000..3cea0d907f1
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-27020.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27020 - in version 5.15.158.1
+upstream: f969eb84ce482331a991079ab7a5c4dc3b7f89bf
+stable: 0b6de00206adbbfc6373b3ae38d2a6f197987907
diff --git a/SPECS/kernel/CVE-2024-35978.nopatch b/SPECS/kernel/CVE-2024-35978.nopatch
new file mode 100644
index 00000000000..10c0476ff33
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-35978.nopatch
@@ -0,0 +1,3 @@ +CVE-2024-35978 - in version 5.15.158.1 +upstream: 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 +stable: 75193678cce993aa959e7764b6df2f599886dd06 diff --git a/SPECS/kernel/CVE-2024-35982.nopatch b/SPECS/kernel/CVE-2024-35982.nopatch new file mode 100644 index 00000000000..2111dc361d1 --- /dev/null +++ b/SPECS/kernel/CVE-2024-35982.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35982 - in version 5.15.158.1 +upstream: b1f532a3b1e6d2e5559c7ace49322922637a28aa +stable: 87b6af1a7683e021710c08fc0551fc078346032f diff --git a/SPECS/kernel/CVE-2024-35984.nopatch b/SPECS/kernel/CVE-2024-35984.nopatch new file mode 100644 index 00000000000..9048b2378cd --- /dev/null +++ b/SPECS/kernel/CVE-2024-35984.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35984 - in version 5.15.158.1 +upstream: 91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f +stable: 5a09eae9a7db597fe0c1fc91636205b4a25d2620 diff --git a/SPECS/kernel/CVE-2024-35990.nopatch b/SPECS/kernel/CVE-2024-35990.nopatch new file mode 100644 index 00000000000..1d709be6fbe --- /dev/null +++ b/SPECS/kernel/CVE-2024-35990.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35990 - in version 5.15.158.1 +upstream: 244296cc3a155199a8b080d19e645d7d49081a38 +stable: 0ccac964520a6f19e355652c8ca38af2a7f27076 diff --git a/SPECS/kernel/CVE-2024-35997.nopatch b/SPECS/kernel/CVE-2024-35997.nopatch new file mode 100644 index 00000000000..e9d37bd32d7 --- /dev/null +++ b/SPECS/kernel/CVE-2024-35997.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35997 - in version 5.15.158.1 +upstream: 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e +stable: b65fb50e04a95eec34a9d1bc138454a98a5578d8 diff --git a/SPECS/kernel/CVE-2024-36008.nopatch b/SPECS/kernel/CVE-2024-36008.nopatch new file mode 100644 index 00000000000..8ff29b11d2b --- /dev/null +++ b/SPECS/kernel/CVE-2024-36008.nopatch @@ -0,0 +1,3 @@ +CVE-2024-36008 - in version 5.15.158.1 +upstream: 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1 +stable: 03b5a9b2b526862b21bcc31976e393a6e63785d1 From 6e4ebc689917c58a6a81d5e399dc7070e1fdbb79 Mon Sep 17 00:00:00 2001 
From: Minghe Ren Date: Fri, 31 May 2024 16:28:37 -0700 Subject: [PATCH 09/31] update and correct ruby CVE-2024035176.patch (#9280) Co-authored-by: minghe --- SPECS/ruby/CVE-2024-35176.patch | 69 +++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/SPECS/ruby/CVE-2024-35176.patch b/SPECS/ruby/CVE-2024-35176.patch index 8fd488e18d5..408241c4b2c 100644 --- a/SPECS/ruby/CVE-2024-35176.patch +++ b/SPECS/ruby/CVE-2024-35176.patch @@ -1,8 +1,8 @@ Patch taken from https://github.com/ruby/rexml/pull/126/files#diff-93b40740603234e79b1d9be5ff2b3af80f3964a146183cbd698f14d7336726e9 diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ---- a/.bundle/gems/rexml-3.2.5/lib/parsers/baseparser.rb 2021-04-05 04:43:38.000000000 -0700 -+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb 2024-05-28 18:53:32.656078157 -0700 -@@ -589,60 +589,41 @@ +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb 2021-04-05 04:43:38.000000000 -0700 ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb 2024-05-31 14:22:29.683378525 -0700 +@@ -589,85 +589,58 @@ def parse_attributes(prefixes, curr_ns) attributes = {} closed = false @@ -48,15 +48,6 @@ diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/g end - quote = scanner.scan(/['"]/) - unless quote -+ unless match = @source.match(/(['"])(.*?)\1\s*/um, true) -+ if match = @source.match(/(['"])/, true) -+ message = -+ "Missing attribute value end quote: <#{name}>: <#{match[1]}>" -+ raise REXML::ParseException.new(message, @source) -+ else -+ message = "Missing attribute value start quote: <#{name}>" -+ raise REXML::ParseException.new(message, @source) -+ end + unless match = @source.match(/(['"])/, true) message = "Missing attribute value start quote: <#{name}>" raise REXML::ParseException.new(message, @source) 
@@ -85,11 +76,57 @@ diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/g - local_part = scanner[3] - # quote = scanner[4] - value = scanner[5] -+ value = match[2] +- if prefix == "xmlns" +- if local_part == "xml" +- if value != "http://www.w3.org/XML/1998/namespace" +- msg = "The 'xml' prefix must not be bound to any other namespace "+ + @source.match(/\s*/um, true) - if prefix == "xmlns" - if local_part == "xml" - if value != "http://www.w3.org/XML/1998/namespace" ++ if prefix == "xmlns" ++ if local_part == "xml" ++ if value != "http://www.w3.org/XML/1998/namespace" ++ msg = "The 'xml' prefix must not be bound to any other namespace "+ ++ "(http://www.w3.org/TR/REC-xml-names/#ns-decl)" ++ raise REXML::ParseException.new( msg, @source, self) ++ end ++ elsif local_part == "xmlns" ++ msg = "The 'xmlns' prefix must not be declared "+ + "(http://www.w3.org/TR/REC-xml-names/#ns-decl)" +- raise REXML::ParseException.new( msg, @source, self ) ++ raise REXML::ParseException.new( msg, @source, self) + end +- elsif local_part == "xmlns" +- msg = "The 'xmlns' prefix must not be declared "+ +- "(http://www.w3.org/TR/REC-xml-names/#ns-decl)" +- raise REXML::ParseException.new( msg, @source, self) ++ curr_ns << local_part ++ elsif prefix ++ prefixes << prefix unless prefix == "xml" + end +- curr_ns << local_part +- elsif prefix +- prefixes << prefix unless prefix == "xml" +- end +- +- if attributes.has_key?(name) +- msg = "Duplicate attribute #{name.inspect}" +- raise REXML::ParseException.new(msg, @source, self) ++ if attributes[name] ++ msg = "Duplicate attribute #{name.inspect}" ++ raise REXML::ParseException.new(msg, @source, self) ++ end ++ ++ attributes[name] = value ++ else ++ message = "Invalid attribute name: <#{@source.buffer.split(%r{[/>\s]}).first}>" ++ raise REXML::ParseException.new(message, @source) + end +- +- attributes[name] = value + end +- return attributes, closed + end + end + end diff -ruN 
a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb --- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb 2021-04-05 04:43:38.000000000 -0700 +++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb 2024-05-28 17:10:36.356913505 -0700 From 513297d3dcbfad975f4eee296128b0ab113d3dd6 Mon Sep 17 00:00:00 2001 From: Minghe Ren Date: Fri, 31 May 2024 17:03:13 -0700 Subject: [PATCH 10/31] upgrade rubygem-rexml to 3.2.7 to resolve CVE-2024-35176 (#9282) Co-authored-by: minghe --- SPECS/rubygem-rexml/CVE-2024-35176.patch | 190 ------------------ .../rubygem-rexml.signatures.json | 2 +- SPECS/rubygem-rexml/rubygem-rexml.spec | 9 +- cgmanifest.json | 4 +- 4 files changed, 9 insertions(+), 196 deletions(-) delete mode 100644 SPECS/rubygem-rexml/CVE-2024-35176.patch diff --git a/SPECS/rubygem-rexml/CVE-2024-35176.patch b/SPECS/rubygem-rexml/CVE-2024-35176.patch deleted file mode 100644 index 6422fb733d4..00000000000 --- a/SPECS/rubygem-rexml/CVE-2024-35176.patch +++ /dev/null 
@@ -1,190 +0,0 @@ -diff -ruN a/Gemfile b/Gemfile ---- a/Gemfile 2021-04-05 04:43:38.000000000 -0700 -+++ b/Gemfile 2024-05-29 00:06:13.851182285 -0700 -@@ -4,3 +4,7 @@ - - # Specify your gem's dependencies in rexml.gemspec - gemspec -+ -+group :development do -+ gem "test-unit-ruby-core" -+end -diff -ruN a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb ---- a/lib/rexml/parsers/baseparser.rb 2021-04-05 04:43:38.000000000 -0700 -+++ b/lib/rexml/parsers/baseparser.rb 2024-05-28 18:53:32.656078157 -0700 -@@ -589,60 +589,41 @@ - def parse_attributes(prefixes, curr_ns) - attributes = {} - closed = false -- match_data = @source.match(/^(.*?)(\/)?>/um, true) -- if match_data.nil? -- message = "Start tag isn't ended" -- raise REXML::ParseException.new(message, @source) -- end -- -- raw_attributes = match_data[1] -- closed = !match_data[2].nil? -- return attributes, closed if raw_attributes.nil? -- return attributes, closed if raw_attributes.empty? -- -- scanner = StringScanner.new(raw_attributes) -- until scanner.eos? -- if scanner.scan(/\s+/) -- break if scanner.eos? 
-- end -- -- pos = scanner.pos -- loop do -- break if scanner.scan(ATTRIBUTE_PATTERN) -- unless scanner.scan(QNAME) -- message = "Invalid attribute name: <#{scanner.rest}>" -- raise REXML::ParseException.new(message, @source) -- end -- name = scanner[0] -- unless scanner.scan(/\s*=\s*/um) -+ while true -+ if @source.match(">", true) -+ return attributes, closed -+ elsif @source.match("/>", true) -+ closed = true -+ return attributes, closed -+ elsif match = @source.match(QNAME, true) -+ name = match[1] -+ prefix = match[2] -+ local_part = match[3] -+ unless @source.match(/\s*=\s*/um, true) - message = "Missing attribute equal: <#{name}>" - raise REXML::ParseException.new(message, @source) - end -- quote = scanner.scan(/['"]/) -- unless quote -+ unless match = @source.match(/(['"])(.*?)\1\s*/um, true) -+ if match = @source.match(/(['"])/, true) -+ message = -+ "Missing attribute value end quote: <#{name}>: <#{match[1]}>" -+ raise REXML::ParseException.new(message, @source) -+ else -+ message = "Missing attribute value start quote: <#{name}>" -+ raise REXML::ParseException.new(message, @source) -+ end -+ unless match = @source.match(/(['"])/, true) - message = "Missing attribute value start quote: <#{name}>" - raise REXML::ParseException.new(message, @source) - end -- unless scanner.scan(/.*#{Regexp.escape(quote)}/um) -- match_data = @source.match(/^(.*?)(\/)?>/um, true) -- if match_data -- scanner << "/" if closed -- scanner << ">" -- scanner << match_data[1] -- scanner.pos = pos -- closed = !match_data[2].nil? 
-- next -- end -- message = -- "Missing attribute value end quote: <#{name}>: <#{quote}>" -+ quote = match[1] -+ value = @source.read_until(quote) -+ unless value.chomp!(quote) -+ message = "Missing attribute value end quote: <#{name}>: <#{quote}>" - raise REXML::ParseException.new(message, @source) - end -- end -- name = scanner[1] -- prefix = scanner[2] -- local_part = scanner[3] -- # quote = scanner[4] -- value = scanner[5] -+ value = match[2] -+ @source.match(/\s*/um, true) - if prefix == "xmlns" - if local_part == "xml" - if value != "http://www.w3.org/XML/1998/namespace" -diff -ruN a/lib/rexml/source.rb b/lib/rexml/source.rb ---- a/lib/rexml/source.rb 2021-04-05 04:43:38.000000000 -0700 -+++ b/lib/rexml/source.rb 2024-05-28 17:10:36.356913505 -0700 -@@ -81,7 +81,11 @@ - rv - end - -- def read -+ def read(term = nil) -+ end -+ -+ def read_until(term) -+ @scanner.scan_until(Regexp.union(term)) or @scanner.rest - end - - def consume( pattern ) -@@ -204,11 +208,28 @@ - rv - end - -- def read -+ def read(term = nil) - begin -- @buffer << readline -+ @scanner << readline(term) -+ true - rescue Exception, NameError - @source = nil -+ false -+ end -+ end -+ -+ def read_until(term) -+ pattern = Regexp.union(term) -+ data = [] -+ begin -+ until str = @scanner.scan_until(pattern) -+ @scanner << readline(term) -+ end -+ rescue EOFError -+ @scanner.rest -+ else -+ read if @scanner.eos? and !@source.eof? -+ str - end - end - -@@ -263,8 +284,8 @@ - end - - private -- def readline -- str = @source.readline(@line_break) -+ def readline(term = nil) -+ str = @source.readline(term || @line_break) - if @pending_buffer - if str.nil? 
- str = @pending_buffer -diff -ruN a/test/test_document.rb b/test/test_document.rb ---- a/test/test_document.rb 2021-04-05 04:43:38.000000000 -0700 -+++ b/test/test_document.rb 2024-05-29 00:08:01.164345808 -0700 -@@ -1,8 +1,12 @@ - # -*- coding: utf-8 -*- - # frozen_string_literal: false - -+require 'core_assertions' -+ - module REXMLTests - class TestDocument < Test::Unit::TestCase -+ include Test::Unit::CoreAssertions -+ - def test_version_attributes_to_s - doc = REXML::Document.new(<<-eoxml) - -@@ -200,6 +204,13 @@ - assert_equal('no', doc.stand_alone?, bug2539) - end - -+ def test_gt_linear_performance -+ seq = [10000, 50000, 100000, 150000, 200000] -+ assert_linear_performance(seq) do |n| -+ REXML::Document.new('" * n + '">') -+ end -+ end -+ - class WriteTest < Test::Unit::TestCase - def setup - @document = REXML::Document.new(<<-EOX) diff --git a/SPECS/rubygem-rexml/rubygem-rexml.signatures.json b/SPECS/rubygem-rexml/rubygem-rexml.signatures.json index 03e19a18013..6924da31066 100644 --- a/SPECS/rubygem-rexml/rubygem-rexml.signatures.json +++ b/SPECS/rubygem-rexml/rubygem-rexml.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "rexml-3.2.5.tar.gz": "23b7a82bf41bcd1201f67e7ca6e795eee1bb76dce94cd7abf411969e39c5c71d" + "rexml-3.2.7.tar.gz": "e17b16cf079251c76226d8aa96a2e8ba9633d600cf6ef28fe28b08b664383387" } } \ No newline at end of file diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec index 8459996a805..226351689ef 100644 --- a/SPECS/rubygem-rexml/rubygem-rexml.spec +++ b/SPECS/rubygem-rexml/rubygem-rexml.spec 
@@ -2,15 +2,14 @@ %global gem_name rexml Summary: REXML is an XML toolkit for Ruby Name: rubygem-%{gem_name} -Version: 3.2.5 -Release: 2%{?dist} +Version: 3.2.7 +Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Languages URL: https://github.com/ruby/rexml Source0: https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -Patch0: CVE-2024-35176.patch BuildRequires: git BuildRequires: ruby Requires: ruby(release) @@ -35,6 +34,10 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %{gemdir} %changelog +* Fri May 31 2024 Minghe Ren - 3.2.7-1 +- Upgrade to 3.2.7 to resolve CVE-2024-35176 +- Remove CVE-2024-35176.patch as it is no longer needed + * Tue May 28 2024 Minghe Ren - 3.2.5-2 - Add patch for CVE-2024-35176 diff --git a/cgmanifest.json b/cgmanifest.json index e1c013a8015..36ca5562015 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -26915,8 +26915,8 @@ "type": "other", "other": { "name": "rubygem-rexml", - "version": "3.2.5", - "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.5.tar.gz" + "version": "3.2.7", + "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.7.tar.gz" } } }, From a6539502f375608866ae4a8a38232ad1fd6f2478 Mon Sep 17 00:00:00 2001 From: Lanze Liu <86434077+liulanze@users.noreply.github.com> Date: Mon, 3 Jun 2024 09:17:01 -0700 Subject: [PATCH 11/31] python-requests: patch CVE-2024-35195. (#9238) Co-authored-by: lanzeliu --- SPECS/python-requests/CVE-2024-35195.patch | 126 +++++++++++++++++++++ SPECS/python-requests/python-requests.spec | 6 +- 2 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 SPECS/python-requests/CVE-2024-35195.patch diff --git a/SPECS/python-requests/CVE-2024-35195.patch b/SPECS/python-requests/CVE-2024-35195.patch new file mode 100644 index 00000000000..a5ea1c83f54 --- /dev/null +++ b/SPECS/python-requests/CVE-2024-35195.patch 
@@ -0,0 +1,126 @@ +# Patch taken from https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac +diff --git a/requests/adapters.py b/requests/adapters.py +index fe22ff450..4fa5163de 100644 +--- a/requests/adapters.py ++++ b/requests/adapters.py +@@ -10,6 +10,7 @@ and maintain connections. + + import os.path + import socket ++import typing + + from urllib3.poolmanager import PoolManager, proxy_from_url + from urllib3.response import HTTPResponse +@@ -47,12 +48,39 @@ except ImportError: + def SOCKSProxyManager(*args, **kwargs): + raise InvalidSchema("Missing dependencies for SOCKS support.") + ++ ++if typing.TYPE_CHECKING: ++ from .models import PreparedRequest ++ ++ + DEFAULT_POOLBLOCK = False + DEFAULT_POOLSIZE = 10 + DEFAULT_RETRIES = 0 + DEFAULT_POOL_TIMEOUT = None + + ++def _urllib3_request_context( ++ request: "PreparedRequest", verify: "bool | str | None" ++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])": ++ host_params = {} ++ pool_kwargs = {} ++ parsed_request_url = urlparse(request.url) ++ scheme = parsed_request_url.scheme.lower() ++ port = parsed_request_url.port ++ cert_reqs = "CERT_REQUIRED" ++ if verify is False: ++ cert_reqs = "CERT_NONE" ++ if isinstance(verify, str): ++ pool_kwargs["ca_certs"] = verify ++ pool_kwargs["cert_reqs"] = cert_reqs ++ host_params = { ++ "scheme": scheme, ++ "host": parsed_request_url.hostname, ++ "port": port, ++ } ++ return host_params, pool_kwargs ++ ++ + class BaseAdapter(object): + """The Base Transport Adapter""" + +@@ -290,6 +318,35 @@ class HTTPAdapter(BaseAdapter): + + return response + ++ def _get_connection(self, request, verify, proxies=None): ++ # Replace the existing get_connection without breaking things and ++ # ensure that TLS settings are considered when we interact with ++ # urllib3 HTTP Pools ++ proxy = select_proxy(request.url, proxies) ++ try: ++ host_params, pool_kwargs = _urllib3_request_context(request, verify) ++ except ValueError as e: ++ raise 
InvalidURL(e, request=request) ++ if proxy: ++ proxy = prepend_scheme_if_needed(proxy, "http") ++ proxy_url = parse_url(proxy) ++ if not proxy_url.host: ++ raise InvalidProxyURL( ++ "Please check proxy URL. It is malformed " ++ "and could be missing the host." ++ ) ++ proxy_manager = self.proxy_manager_for(proxy) ++ conn = proxy_manager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ else: ++ # Only scheme should be lower case ++ conn = self.poolmanager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ ++ return conn ++ + def get_connection(self, url, proxies=None): + """Returns a urllib3 connection for the given URL. This should not be + called from user code, and is only exposed for use when subclassing the +@@ -410,7 +467,7 @@ class HTTPAdapter(BaseAdapter): + """ + + try: +- conn = self.get_connection(request.url, proxies) ++ conn = self._get_connection(request, verify, proxies) + except LocationValueError as e: + raise InvalidURL(e, request=request) + +diff --git a/tests/test_requests.py b/tests/test_requests.py +index 29b3aca84..13cbabcee 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -2587,3 +2607,10 @@ class TestPreparingURLs(object): + r = requests.get(httpbin('bytes/20')) + with pytest.raises(requests.exceptions.JSONDecodeError): + r.json() ++ ++ def test_different_connection_pool_for_tls_settings(self): ++ s = requests.Session() ++ r1 = s.get("https://invalid.badssl.com", verify=False) ++ assert r1.status_code == 421 ++ with pytest.raises(requests.exceptions.SSLError): ++ s.get("https://invalid.badssl.com") +diff --git a/tox.ini b/tox.ini +index 5e3d53774..d4c25a8b4 100644 +--- a/tox.ini ++++ b/tox.ini +@@ -7,7 +7,7 @@ extras = + security + socks + commands = +- pytest tests ++ pytest {posargs:tests} + + [testenv:default] + diff --git a/SPECS/python-requests/python-requests.spec b/SPECS/python-requests/python-requests.spec index 1de4da7c812..cb08e450bae 100644 
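Review bot: In `_urllib3_request_context` (adapters.py hunk `@@ -47,12 +48,39 @@`), every string `verify` is passed to urllib3 as `ca_certs`, which names a bundle file; if callers may pass a directory of CA certificates as `verify`, that case needs `ca_cert_dir` instead. `os.path` is already imported in this file, so the branch can read `key = "ca_cert_dir" if os.path.isdir(verify) else "ca_certs"` followed by `pool_kwargs[key] = verify`. The return annotation `"(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])"` is not a valid type expression, and a `typing.Tuple[...]` of the two dict types states what is meant. The added test in tests/test_requests.py needs network access to `invalid.badssl.com`, so it cannot pass in an offline package build.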
--- a/SPECS/python-requests/python-requests.spec +++ b/SPECS/python-requests/python-requests.spec @@ -1,7 +1,7 @@ Summary: Awesome Python HTTP Library That's Actually Usable Name: python-requests Version: 2.27.1 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: Development/Languages/Python URL: http://python-requests.org Source0: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz Patch0: CVE-2023-32681.patch +Patch1: CVE-2024-35195.patch BuildArch: noarch %description @@ -72,6 +73,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots} %{python3_sitelib}/* %changelog +* Tue May 28 2024 Lanze Liu - 2.27.1-7 +- Add patch for CVE-2024-35195 + * Mon Jun 12 2023 Suresh Thelkar - 2.27.1-6 - Add patch for CVE-2023-32681 From a264db1f7576d5f22d5672c46718f020bd1a7b1c Mon Sep 17 00:00:00 2001 From: Mitch Zhu Date: Mon, 3 Jun 2024 10:52:43 -0700 Subject: [PATCH 12/31] Patch moby-engine to address CVE-2023-44487 (#9276) --- SPECS/moby-engine/CVE-2023-44487.patch | 200 +++++++++++++++++++++++++ SPECS/moby-engine/moby-engine.spec | 6 +- 2 files changed, 205 insertions(+), 1 deletion(-) create mode 100644 SPECS/moby-engine/CVE-2023-44487.patch diff --git a/SPECS/moby-engine/CVE-2023-44487.patch b/SPECS/moby-engine/CVE-2023-44487.patch new file mode 100644 index 00000000000..b363a44076c --- /dev/null +++ b/SPECS/moby-engine/CVE-2023-44487.patch 
@@ -0,0 +1,200 @@ +From acdb7b9731b3d1eb14352328d2976d4b7baaafea Mon Sep 17 00:00:00 2001 +From: Mitch Zhu +Date: Fri, 31 May 2024 17:00:00 +0000 +Subject: [PATCH] Address CVE-2023-44487 + +--- + .../grpc/internal/transport/http2_server.go | 11 +-- + vendor/google.golang.org/grpc/server.go | 77 +++++++++++++------ + 2 files changed, 57 insertions(+), 31 deletions(-) + +diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go +index 3dd1564..9d9a3fd 100644 +--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go ++++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go +@@ -165,15 +165,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, + ID: http2.SettingMaxFrameSize, + Val: http2MaxFrameLen, + }} +- // TODO(zhaoq): Have a better way to signal "no limit" because 0 is +- // permitted in the HTTP2 spec. +- maxStreams := config.MaxStreams +- if maxStreams == 0 { +- maxStreams = math.MaxUint32 +- } else { ++ if config.MaxStreams != math.MaxUint32 { + isettings = append(isettings, http2.Setting{ + ID: http2.SettingMaxConcurrentStreams, +- Val: maxStreams, ++ Val: config.MaxStreams, + }) + } + dynamicWindow := true +@@ -252,7 +247,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, + framer: framer, + readerDone: make(chan struct{}), + writerDone: make(chan struct{}), +- maxStreams: maxStreams, ++ maxStreams: config.MaxStreams, + inTapHandle: config.InTapHandle, + fc: &trInFlow{limit: uint32(icwz)}, + state: reachable, +diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go +index f4dde72..17d39cf 100644 +--- a/vendor/google.golang.org/grpc/server.go ++++ b/vendor/google.golang.org/grpc/server.go +@@ -115,12 +115,6 @@ type serviceInfo struct { + mdata interface{} + } + +-type serverWorkerData struct { +- st transport.ServerTransport +- wg 
*sync.WaitGroup +- stream *transport.Stream +-} +- + // Server is a gRPC server to serve RPC requests. + type Server struct { + opts serverOptions +@@ -145,7 +139,7 @@ type Server struct { + channelzID *channelz.Identifier + czData *channelzData + +- serverWorkerChannels []chan *serverWorkerData ++ serverWorkerChannel chan func() + } + + type serverOptions struct { +@@ -177,6 +171,7 @@ type serverOptions struct { + } + + var defaultServerOptions = serverOptions{ ++ maxConcurrentStreams: math.MaxUint32, + maxReceiveMessageSize: defaultServerMaxReceiveMessageSize, + maxSendMessageSize: defaultServerMaxSendMessageSize, + connectionTimeout: 120 * time.Second, +@@ -387,6 +382,9 @@ func MaxSendMsgSize(m int) ServerOption { + // MaxConcurrentStreams returns a ServerOption that will apply a limit on the number + // of concurrent streams to each ServerTransport. + func MaxConcurrentStreams(n uint32) ServerOption { ++ if n == 0 { ++ n = math.MaxUint32 ++ } + return newFuncServerOption(func(o *serverOptions) { + o.maxConcurrentStreams = n + }) +@@ -565,35 +563,31 @@ const serverWorkerResetThreshold = 1 << 16 + // re-allocations (see the runtime.morestack problem [1]). + // + // [1] https://github.com/golang/go/issues/18138 +-func (s *Server) serverWorker(ch chan *serverWorkerData) { ++func (s *Server) serverWorker() { + // To make sure all server workers don't reset at the same time, choose a + // random number of iterations before resetting. + threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold) + for completed := 0; completed < threshold; completed++ { +- data, ok := <-ch ++ f, ok := <-s.serverWorkerChannel + if !ok { + return + } +- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream)) +- data.wg.Done() ++ f() + } +- go s.serverWorker(ch) ++ go s.serverWorker() + } + + // initServerWorkers creates worker goroutines and channels to process incoming + // connections to reduce the time spent overall on runtime.morestack. 
+ func (s *Server) initServerWorkers() { +- s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers) ++ s.serverWorkerChannel = make(chan func()) + for i := uint32(0); i < s.opts.numServerWorkers; i++ { +- s.serverWorkerChannels[i] = make(chan *serverWorkerData) +- go s.serverWorker(s.serverWorkerChannels[i]) ++ go s.serverWorker() + } + } + + func (s *Server) stopServerWorkers() { +- for i := uint32(0); i < s.opts.numServerWorkers; i++ { +- close(s.serverWorkerChannels[i]) +- } ++ close(s.serverWorkerChannel) + } + + // NewServer creates a gRPC server which has no service registered and has not +@@ -945,13 +939,20 @@ func (s *Server) serveStreams(st transport.ServerTransport) { + defer st.Close() + var wg sync.WaitGroup + +- var roundRobinCounter uint32 ++ streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams) + st.HandleStreams(func(stream *transport.Stream) { + wg.Add(1) ++ ++ streamQuota.acquire() ++ f := func() { ++ defer streamQuota.release() ++ defer wg.Done() ++ s.handleStream(st, stream, s.traceInfo(st, stream)) ++ } ++ + if s.opts.numServerWorkers > 0 { +- data := &serverWorkerData{st: st, wg: &wg, stream: stream} + select { +- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data: ++ case s.serverWorkerChannel <- f: + default: + // If all stream workers are busy, fallback to the default code path. + go func() { +@@ -961,8 +962,7 @@ func (s *Server) serveStreams(st transport.ServerTransport) { + } + } else { + go func() { +- defer wg.Done() +- s.handleStream(st, stream, s.traceInfo(st, stream)) ++ go f() + }() + } + }, func(ctx context.Context, method string) context.Context { +@@ -1978,3 +1978,34 @@ type channelzServer struct { + func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric { + return c.s.channelzMetric() + } ++ ++// atomicSemaphore implements a blocking, counting semaphore. 
acquire should be ++// called synchronously; release may be called asynchronously. ++type atomicSemaphore struct { ++ n atomic.Int64 ++ wait chan struct{} ++} ++ ++func (q *atomicSemaphore) acquire() { ++ if q.n.Add(-1) < 0 { ++ // We ran out of quota. Block until a release happens. ++ <-q.wait ++ } ++} ++ ++func (q *atomicSemaphore) release() { ++ // N.B. the "<= 0" check below should allow for this to work with multiple ++ // concurrent calls to acquire, but also note that with synchronous calls to ++ // acquire, as our system does, n will never be less than -1. There are ++ // fairness issues (queuing) to consider if this was to be generalized. ++ if q.n.Add(1) <= 0 { ++ // An acquire was waiting on us. Unblock it. ++ q.wait <- struct{}{} ++ } ++} ++ ++func newHandlerQuota(n uint32) *atomicSemaphore { ++ a := &atomicSemaphore{wait: make(chan struct{}, 1)} ++ a.n.Store(int64(n)) ++ return a ++} +-- +2.34.1 + diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 81bcf45dd80..041f06eb10f 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 24.0.9 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -21,6 +21,7 @@ Patch1: CVE-2024-23651.patch # Remove once we upgrade this package at least to version 25.0+. Patch2: CVE-2024-23652.patch Patch3: CVE-2023-45288.patch +Patch4: CVE-2023-44487.patch %{?systemd_requires} @@ -126,6 +127,9 @@ fi %{_unitdir}/* %changelog +* Fri May 31 2024 Mitch Zhu - 24.0.9-4 +- Fix for CVE-2023-44487 + * Fri May 03 2024 Chris Gunn - 24.0.9-3 - Fix for CVE-2023-45288 From 3a41e97aed89481554de87a13ef78fc2ecc04f31 Mon Sep 17 00:00:00 2001 
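Review bot: In the patched `serveStreams`, the `default:` fallback taken when every worker is busy does not appear to be switched over to `f`. The lines between the two inner hunks are not shown, but the surrounding context suggests that goroutine still calls `s.handleStream(...)` and `wg.Done()` directly. If so, with `numServerWorkers > 0` the slot taken by `streamQuota.acquire()` is never released on that path, and once `maxConcurrentStreams` streams have gone through it the next `acquire()` blocks and the connection stops accepting new streams. Replacing the fallback body with `go f()` would release the quota on every path. The `else` branch's `go func() { go f() }()` also starts a goroutine only to start another; a plain `go f()` is enough there.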
From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Mon, 3 Jun 2024 19:29:33 -0700 Subject: [PATCH 13/31] Add stable release maintainers to CODEOWNERS (#7564) Update main branch CODEOWNERS file to require CBL-Mariner-Stable-Maintainers team review for all files in this branch since PRs targeting main are going to our next 2.0 stable release. --- .github/CODEOWNERS | 100 +-------------------------------------------- 1 file changed, 2 insertions(+), 98 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 1c0878d0d0f..6aea2ae5683 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -1,98 +1,2 @@
-# By default all files require a review by at lest one member of the CBL-Mariner developers team.
-* @microsoft/cbl-mariner-devs
-
-# Modification to this file require admin approval.
-/.github/CODEOWNERS @microsoft/cbl-mariner-admins
-
-# Modifications to the build pipelines require admin approval.
-/.pipelines/* @microsoft/cbl-mariner-admins
-
-# Modifications to the CredScan exceptions require admin approval.
-/.config/CredScanSuppressions.json @microsoft/cbl-mariner-admins
-
-# Modification to what is considered "core packages" require admin approval.
-/SPECS/core-packages/* @microsoft/cbl-mariner-admins
-
-# Modification to specific packages go to specific teams
-/SPECS/installkernel/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-azure/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-hci/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-headers/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-mshv/* @microsoft/cbl-mariner-kata-containers
-/SPECS/kernel-uvm/* @microsoft/cbl-mariner-kata-containers
-/SPECS-SIGNED/kernel-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-hci-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-azure-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-mstflint-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-mshv-signed/* @microsoft/cbl-mariner-kata-containers
-
-/SPECS/grub2/* @microsoft/cbl-mariner-bootloader
-/SPECS/grubby/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned-x64/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned-aarch64/* @microsoft/cbl-mariner-bootloader
-/SPECS-SIGNED/grub2-efi-binary-signed/* @microsoft/cbl-mariner-bootloader
-
-/SPECS/dracut/* @microsoft/cbl-mariner-dracut
-/SPECS/initramfs/* @microsoft/cbl-mariner-dracut
-/SPECS/verity-read-only-root/* @microsoft/cbl-mariner-dracut
-
-/SPECS/systemd/* @microsoft/cbl-mariner-systemd
-
-/SPECS/bcc/* @microsoft/cbl-mariner-debug-tools
-/SPECS/bpftrace/* @microsoft/cbl-mariner-debug-tools
-/SPECS/crash/* @microsoft/cbl-mariner-debug-tools
-/SPECS/gdb/* @microsoft/cbl-mariner-debug-tools
-/SPECS/kexec-tools/* @microsoft/cbl-mariner-debug-tools
-
-/SPECS/openssl/* @microsoft/cbl-mariner-openssl
-/SPECS/SymCrypt-OpenSSL/* @microsoft/cbl-mariner-openssl
-/SPECS/SymCrypt/* @microsoft/cbl-mariner-openssl
-/SPECS/KeysInUse-OpenSSL/* @microsoft/cbl-mariner-openssl
-
-/SPECS/dnf/* @microsoft/cbl-mariner-package-managers
-/SPECS/dnf-plugins-core/* @microsoft/cbl-mariner-package-managers
-/SPECS/rpm/* @microsoft/cbl-mariner-package-managers
-/SPECS/tdnf/* @microsoft/cbl-mariner-package-managers
-
-/SPECS/moby-buildx/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-cli/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-containerd/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-containerd-cc/* @microsoft/cbl-mariner-kata-containers
-/SPECS/moby-engine/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-runc/* @microsoft/cbl-mariner-container-runtime
-/SPECS/kata-containers/* @microsoft/cbl-mariner-kata-containers
-/SPECS/kata-containers-cc/* @microsoft/cbl-mariner-kata-containers
-/SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers
-
-/SPECS/cloud-hypervisor/* @microsoft/cbl-mariner-virtualization
-/SPECS/hvloader/* @microsoft/cbl-mariner-kata-containers
-/SPECS-SIGNED/hvloader-signed/* @microsoft/cbl-mariner-kata-containers
-
-/SPECS/cloud-init/* @microsoft/cbl-mariner-provisioning
-/SPECS/walinuxagent/* @microsoft/cbl-mariner-provisioning
-
-# Modifications to the toolkit requires reviews from the toolkit team
-/toolkit/ @microsoft/cbl-mariner-tooling
-
-# Docs to be reviewed by general CBL-Mariner devs
-/toolkit/docs/ @microsoft/cbl-mariner-devs
-
-# Default image configurations to be reviewed by general CBL-Mariner devs
-/toolkit/imageconfigs/ @microsoft/cbl-mariner-devs
-
-# 
Package and toolchain manifests to be reviewed by general CBL-Mariner devs -/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @microsoft/cbl-mariner-devs -/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @microsoft/cbl-mariner-devs -/toolkit/resources/manifests/package/toolchain_aarch64.txt @microsoft/cbl-mariner-devs -/toolkit/resources/manifests/package/toolchain_x86_64.txt @microsoft/cbl-mariner-devs - -# Modifications to the raw toolchain require admin approval. -/toolkit/scripts/toolchain/container/* @microsoft/cbl-mariner-admins -/toolkit/scripts/toolchain/cgmanifest.json @microsoft/cbl-mariner-admins -/toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins - -# Modifications to the trusted CA certificates require admin approval. -/SPECS/*ca-certificates*/* @microsoft/cbl-mariner-admins +# For stable release branches, ensure stable release maintainers are added as code reviewers +* @microsoft/cbl-mariner-stable-maintainers From ed62ba9d979a09bb1581d33353af4e85ac29cc19 Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Tue, 4 Jun 2024 00:08:36 -0400 Subject: [PATCH 14/31] Revert "Enable KNI module in DPDK build (#9246)" This reverts commit 84f147039873b610c3f9ec2330586ba3373ebbe1. --- SPECS/dpdk/dpdk.spec | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/SPECS/dpdk/dpdk.spec b/SPECS/dpdk/dpdk.spec index 409a1f8394c..549868b8822 100644 --- a/SPECS/dpdk/dpdk.spec +++ b/SPECS/dpdk/dpdk.spec 
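Review bot: The single catch-all rule drops the path-specific owners that gated the most sensitive files: `/.github/CODEOWNERS`, `/.pipelines/*`, `/.config/CredScanSuppressions.json`, the raw toolchain scripts and `/SPECS/*ca-certificates*/*` all required `@microsoft/cbl-mariner-admins` before this change. Whether `@microsoft/cbl-mariner-stable-maintainers` is at least as restricted as the admins team cannot be seen from this hunk; if it is broader, those paths lose a review control. Because the last matching pattern wins in a CODEOWNERS file, the admin gates could be kept by re-adding them below the catch-all, for example `/.github/CODEOWNERS @microsoft/cbl-mariner-admins`. If dropping them is intended, a comment line saying so would record the decision for the next reviewer.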
@@ -1,10 +1,4 @@ %define _unpackaged_files_terminate_build 0 - -# Define variables for kernel version and source directory -%global KVERSION %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global K_SRC %{_libdir}/modules/%{KVERSION}/build -%global moddestdir /lib/modules/%{KVERSION}/kernel/drivers/net/kni - # Add option to build without examples %define target %{machine_arch}-%{machine_tmpl}-linuxapp-gcc # machine_arch maps between rpm and dpdk arch name, often same as _target_cpu @@ -33,11 +27,10 @@ # Add option to build with examples, tools subpackages %bcond_with examples %bcond_without tools - Summary: Set of libraries and drivers for fast packet processing Name: dpdk Version: 21.11.2 -Release: 3%{?dist} +Release: 2%{?dist} License: BSD AND LGPLv2 AND GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -54,7 +47,6 @@ BuildRequires: meson BuildRequires: python3-pyelftools BuildRequires: python3-sphinx BuildRequires: zlib-devel -BuildRequires: kernel-devel # # The DPDK is designed to optimize througput of network traffic using, among # other techniques, carefully crafted assembly instructions. As such it @@ -122,8 +114,6 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ -Ddrivers_install_subdir=dpdk-pmds \ -Denable_docs=true \ -Dmachine=default \ - -Denable_kmods=true \ - -Dkernel_dir=%{K_SRC} \ %if %{with examples} -Dexamples=all \ %endif @@ -138,12 +128,6 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ %install %meson_install -# Install the kernel modules to the specified directory -mkdir -p %{buildroot}%{moddestdir} -echo "find %{_builddir}/dpdk-stable-%{version} -name rte_kni.ko -exec install -D -m 755 '{}' %{buildroot}%{moddestdir} \;" > install_kni.sh -chmod +x install_kni.sh -./install_kni.sh - %files # BSD %doc README MAINTAINERS @@ -156,7 +140,6 @@ chmod +x install_kni.sh %{_bindir}/dpdk-proc-info %{_libdir}/*.so.* %{pmddir}/*.so.* -%{moddestdir}/rte_kni.ko %files devel #BSD 
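Review bot: The `Release:` tag goes backwards in this revert, from `3%{?dist}` to `2%{?dist}`, so the rebuilt package sorts lower than the 21.11.2-3 build that carried the KNI module. If -3 ever reached a repository, hosts that installed it will not receive this revert through a normal update and will keep `rte_kni.ko`. Moving forward instead, `Release: 4%{?dist}` with a changelog entry noting the revert, avoids that. The Perl spec files in the following revert (PATCH 15/31) lower their `Release:` values the same way.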
@@ -196,11 +179,6 @@ chmod +x install_kni.sh %endif %changelog -* Wed May 22 2024 Dinesh Kumar Ramasamy - 21.11.2-3 -- Enable KNI module in DPDK build -- Update spec file to set kernel source directory using KVERSION and K_SRC variables. -- Ensure correct installation directory for kernel modules using moddestdir variable. - * Wed Sep 20 2023 Jon Slobodzian - 21.11.2-2 - Recompile with stack-protection fixed gcc version (CVE-2023-4039) From 4246a18833a8df46551bf0e42001e4560cca7a1c Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Tue, 4 Jun 2024 00:09:50 -0400 Subject: [PATCH 15/31] Revert "Fixed Perl automatic requires and provides. (#9226)" This reverts commit 6b8eb01bf00d3aa4c18b119481a3003918e603be. --- SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec | 5 +- SPECS/perl-DBI/perl-DBI.spec | 5 +- SPECS/perl-DBIx-Simple/perl-DBIx-Simple.spec | 5 +- SPECS/perl-Fedora-VSP/perl-Fedora-VSP.spec | 5 +- .../perl-Object-Accessor.spec | 5 +- .../perl-Test-Warnings.spec | 5 +- .../perl-Text-Template.spec | 5 +- SPECS/perl-generators/perl-generators.spec | 5 +- SPECS/perl/perl.spec | 5 +- .../manifests/package/pkggen_core_aarch64.txt | 116 ++--- .../manifests/package/pkggen_core_x86_64.txt | 116 ++--- .../manifests/package/toolchain_aarch64.txt | 398 +++++++++--------- .../manifests/package/toolchain_x86_64.txt | 398 +++++++++--------- .../build_official_toolchain_rpms.sh | 20 +- 14 files changed, 529 insertions(+), 564 deletions(-) diff --git a/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec b/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec index 06e364f73eb..f5d700bb78d 100644 --- a/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec +++ b/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec @@ -2,7 +2,7 @@ Summary: SQLite DBI Driver Name: perl-DBD-SQLite Version: 1.70 -Release: 3%{?dist} +Release: 2%{?dist} Group: Development/Libraries License: (GPL+ or Artistic) and Public Domain URL: http://search.cpan.org/dist/DBD-SQLite/ 
@@ -63,9 +63,6 @@ make test %{_mandir}/man3/* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 1.70-3 -- Release bump to regenerate package's requires and provides. - * Mon Aug 01 2022 Muhammad Falak - 1.70-2 - Add BR on `perl(Test::More)` & `perl(Digest::MD5)` to fix ptest diff --git a/SPECS/perl-DBI/perl-DBI.spec b/SPECS/perl-DBI/perl-DBI.spec index 5508783c1de..1b556d847ad 100644 --- a/SPECS/perl-DBI/perl-DBI.spec +++ b/SPECS/perl-DBI/perl-DBI.spec @@ -5,7 +5,7 @@ Summary: A database access API for perl Name: perl-DBI Version: 1.643 -Release: 3%{?dist} +Release: 2%{?dist} Group: Development/Libraries License: GPL+ or Artistic URL: http://dbi.perl.org/ @@ -161,9 +161,6 @@ make test %{_mandir}/man3/*.3* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 1.643-3 -- Release bump to regenerate package's requires and provides. - * Mon Aug 01 2022 Muhammad Falak - 1.643-2 - Add BR on `perl(blib)` & `perl(Test::More)` to fix ptest build diff --git a/SPECS/perl-DBIx-Simple/perl-DBIx-Simple.spec b/SPECS/perl-DBIx-Simple/perl-DBIx-Simple.spec index c314d6194d7..3998e4c4cff 100644 --- a/SPECS/perl-DBIx-Simple/perl-DBIx-Simple.spec +++ b/SPECS/perl-DBIx-Simple/perl-DBIx-Simple.spec @@ -2,7 +2,7 @@ Summary: Easy-to-use OO interface to DBI Name: perl-DBIx-Simple Version: 1.37 -Release: 7%{?dist} +Release: 6%{?dist} # License not mentioned in any of the source files and CPAN web page explicitly says it's unknown. License: Unknown Group: Development/Libraries @@ -58,9 +58,6 @@ make test %{_mandir}/man3/* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 1.37-7 -- Release bump to regenerate package's requires and provides. - * Mon Aug 01 2022 Muhammad Falak - 1.37-6 - Add BR on `perl(Test::More)` to fix ptest diff --git a/SPECS/perl-Fedora-VSP/perl-Fedora-VSP.spec b/SPECS/perl-Fedora-VSP/perl-Fedora-VSP.spec index 61d1a0548e5..40b1cc46dc0 100644 --- a/SPECS/perl-Fedora-VSP/perl-Fedora-VSP.spec +++ b/SPECS/perl-Fedora-VSP/perl-Fedora-VSP.spec 
@@ -2,7 +2,7 @@ Summary: Perl version normalization for RPM Name: perl-Fedora-VSP Version: 0.001 -Release: 20%{?dist} +Release: 19%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Mariner @@ -50,9 +50,6 @@ make test %{_mandir}/man3/* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 0.001-20 -- Release bump to regenerate package's requires and provides. - * Tue Aug 16 2022 Muhammad Falak - 0.001-19 - Add BR on `perl(Test::More)` to fix ptest diff --git a/SPECS/perl-Object-Accessor/perl-Object-Accessor.spec b/SPECS/perl-Object-Accessor/perl-Object-Accessor.spec index 5fd1eb8848f..8b7208bfc6d 100644 --- a/SPECS/perl-Object-Accessor/perl-Object-Accessor.spec +++ b/SPECS/perl-Object-Accessor/perl-Object-Accessor.spec @@ -1,7 +1,7 @@ Summary: Interface to create per object accessors Name: perl-Object-Accessor Version: 0.48 -Release: 10%{?dist} +Release: 9%{?dist} Group: Development/Libraries License: GPL+ or Artistic URL: https://metacpan.org/release/Object-Accessor @@ -53,9 +53,6 @@ make test %{_mandir}/man3/* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 0.48-10 -- Release bump to regenerate package's requires and provides. - * Fri Jul 29 2022 Muhammad Falak - 0.48-9 - Add BR on `perl(ExtUtils::MakeMaker)` & other check deps to enable ptest diff --git a/SPECS/perl-Test-Warnings/perl-Test-Warnings.spec b/SPECS/perl-Test-Warnings/perl-Test-Warnings.spec index fe3e9c27eb6..0e6d7f44d28 100644 --- a/SPECS/perl-Test-Warnings/perl-Test-Warnings.spec +++ b/SPECS/perl-Test-Warnings/perl-Test-Warnings.spec @@ -1,7 +1,7 @@ Summary: Test for warnings and the lack of them in Perl Name: perl-Test-Warnings Version: 0.031 -Release: 3%{?dist} +Release: 2%{?dist} URL: https://metacpan.org/release/Test-Warnings License: GPL+ or Artistic Group: Development/Libraries 
@@ -44,9 +44,6 @@ make test %{_mandir}/man?/* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 0.031-3 -- Release bump to regenerate package's requires and provides. - * Mon Aug 01 2022 Muhammad Falak - 0.031-2 - Add BR on `perl(Test::More)` to enable ptest diff --git a/SPECS/perl-Text-Template/perl-Text-Template.spec b/SPECS/perl-Text-Template/perl-Text-Template.spec index 15f883317a3..227b14edb60 100644 --- a/SPECS/perl-Text-Template/perl-Text-Template.spec +++ b/SPECS/perl-Text-Template/perl-Text-Template.spec @@ -1,7 +1,7 @@ Summary: Cross-platform path specification manipulation for Perl Name: perl-Text-Template Version: 1.60 -Release: 2%{?dist} +Release: 1%{?dist} URL: https://metacpan.org/pod/Text::Template License: GPL+ or Artistic Group: Development/Libraries @@ -43,9 +43,6 @@ make test %{_mandir}/man?/* %changelog -* Thu May 23 2024 Pawel Winogrodzki - 1.60-2 -- Release bump to regenerate package's requires and provides. - * Fri Apr 22 2022 Mateusz Malisz - 1.60-1 - Update to 1.60 diff --git a/SPECS/perl-generators/perl-generators.spec b/SPECS/perl-generators/perl-generators.spec index 4184e89de96..6dca73f8aeb 100644 --- a/SPECS/perl-generators/perl-generators.spec +++ b/SPECS/perl-generators/perl-generators.spec @@ -1,7 +1,7 @@ Summary: RPM Perl dependencies generators Name: perl-generators Version: 1.11 -Release: 10%{?dist} +Release: 9%{?dist} License: GPL+ Vendor: Microsoft Corporation Distribution: Mariner @@ -61,9 +61,6 @@ make test %{_rpmconfigdir}/fileattrs/perl*.attr %changelog -* Thu May 23 2024 Pawel Winogrodzki - 1.11-10 -- Release bump to regenerate package's requires and provides. - * Mon Aug 01 2022 Muhammad Falak - 1.11-9 - Add BR on `perl(Fedora::VSP)` to fix ptest build diff --git a/SPECS/perl/perl.spec b/SPECS/perl/perl.spec index 4140a4ccb6f..b761d242e31 100644 --- a/SPECS/perl/perl.spec +++ b/SPECS/perl/perl.spec 
@@ -127,7 +127,7 @@ License: GPL+ or Artistic Epoch: %{perl_epoch} Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 490%{?dist} +Release: 489%{?dist} Summary: Practical Extraction and Report Language Url: https://www.perl.org/ Vendor: Microsoft Corporation @@ -6820,9 +6820,6 @@ popd # Old changelog entries are preserved in CVS. %changelog -* Thu May 23 2024 Pawel Winogrodzki - 4:5.34.1-490 -- Release bump to regenerate package's requires and provides. - * Thu Apr 04 2024 Andrew Phelps - 4:5.34.1-489 - Add patch for CVE-2023-47100 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 78298db30b8..546a1aae2d3 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -103,64 +103,64 @@ libpipeline-devel-1.5.5-3.cm2.aarch64.rpm gdbm-1.21-1.cm2.aarch64.rpm gdbm-devel-1.21-1.cm2.aarch64.rpm gdbm-lang-1.21-1.cm2.aarch64.rpm -perl-B-1.82-490.cm2.aarch64.rpm -perl-Carp-1.52-490.cm2.noarch.rpm -perl-Class-Struct-0.66-490.cm2.noarch.rpm -perl-Data-Dumper-2.179-490.cm2.aarch64.rpm -perl-DynaLoader-1.50-490.cm2.aarch64.rpm -perl-Encode-3.08-490.cm2.aarch64.rpm -perl-Errno-1.33-490.cm2.aarch64.rpm -perl-Exporter-5.76-490.cm2.noarch.rpm -perl-Fcntl-1.14-490.cm2.aarch64.rpm -perl-File-Basename-2.85-490.cm2.noarch.rpm -perl-File-Compare-1.100.600-490.cm2.noarch.rpm -perl-File-Copy-2.35-490.cm2.noarch.rpm -perl-File-Path-2.18-490.cm2.noarch.rpm -perl-File-Temp-0.231.100-490.cm2.noarch.rpm -perl-File-stat-1.09-490.cm2.noarch.rpm -perl-FileHandle-2.03-490.cm2.noarch.rpm -perl-Getopt-Long-2.52-490.cm2.noarch.rpm -perl-Getopt-Std-1.13-490.cm2.noarch.rpm -perl-HTTP-Tiny-0.076-490.cm2.noarch.rpm -perl-I18N-Langinfo-0.19-490.cm2.aarch64.rpm -perl-IO-1.46-490.cm2.aarch64.rpm -perl-IPC-Open3-1.21-490.cm2.noarch.rpm -perl-MIME-Base64-3.16-490.cm2.aarch64.rpm -perl-POSIX-1.97-490.cm2.aarch64.rpm -perl-PathTools-3.80-490.cm2.aarch64.rpm -perl-Pod-Escapes-1.07-490.cm2.noarch.rpm -perl-Pod-Perldoc-3.28.01-490.cm2.noarch.rpm -perl-Pod-Simple-3.42-490.cm2.noarch.rpm -perl-Pod-Usage-2.01-490.cm2.noarch.rpm -perl-Scalar-List-Utils-1.55-490.cm2.aarch64.rpm -perl-SelectSaver-1.02-490.cm2.noarch.rpm -perl-Socket-2.031-490.cm2.aarch64.rpm -perl-Storable-3.23-490.cm2.aarch64.rpm -perl-Symbol-1.09-490.cm2.noarch.rpm -perl-Term-ANSIColor-5.01-490.cm2.noarch.rpm -perl-Term-Cap-1.17-490.cm2.noarch.rpm -perl-Text-ParseWords-3.30-490.cm2.noarch.rpm -perl-Text-Tabs+Wrap-2013.0523-490.cm2.noarch.rpm -perl-Thread-Queue-3.14-490.cm2.noarch.rpm -perl-Time-Local-1.300-490.cm2.noarch.rpm -perl-Unicode-Normalize-1.28-490.cm2.aarch64.rpm -perl-base-2.27-490.cm2.noarch.rpm -perl-constant-1.33-490.cm2.noarch.rpm -perl-if-0.60.900-490.cm2.noarch.rpm 
-perl-interpreter-5.34.1-490.cm2.aarch64.rpm -perl-libs-5.34.1-490.cm2.aarch64.rpm -perl-locale-1.10-490.cm2.noarch.rpm -perl-macros-5.34.1-490.cm2.noarch.rpm -perl-mro-1.25-490.cm2.aarch64.rpm -perl-overload-1.33-490.cm2.noarch.rpm -perl-overloading-0.02-490.cm2.noarch.rpm -perl-parent-0.238-490.cm2.noarch.rpm -perl-podlators-4.14-490.cm2.noarch.rpm -perl-subs-1.04-490.cm2.noarch.rpm -perl-threads-2.26-490.cm2.aarch64.rpm -perl-threads-shared-1.62-490.cm2.aarch64.rpm -perl-vars-1.05-490.cm2.noarch.rpm -perl-5.34.1-490.cm2.aarch64.rpm +perl-B-1.82-489.cm2.aarch64.rpm +perl-Carp-1.52-489.cm2.noarch.rpm +perl-Class-Struct-0.66-489.cm2.noarch.rpm +perl-Data-Dumper-2.179-489.cm2.aarch64.rpm +perl-DynaLoader-1.50-489.cm2.aarch64.rpm +perl-Encode-3.08-489.cm2.aarch64.rpm +perl-Errno-1.33-489.cm2.aarch64.rpm +perl-Exporter-5.76-489.cm2.noarch.rpm +perl-Fcntl-1.14-489.cm2.aarch64.rpm +perl-File-Basename-2.85-489.cm2.noarch.rpm +perl-File-Compare-1.100.600-489.cm2.noarch.rpm +perl-File-Copy-2.35-489.cm2.noarch.rpm +perl-File-Path-2.18-489.cm2.noarch.rpm +perl-File-Temp-0.231.100-489.cm2.noarch.rpm +perl-File-stat-1.09-489.cm2.noarch.rpm +perl-FileHandle-2.03-489.cm2.noarch.rpm +perl-Getopt-Long-2.52-489.cm2.noarch.rpm +perl-Getopt-Std-1.13-489.cm2.noarch.rpm +perl-HTTP-Tiny-0.076-489.cm2.noarch.rpm +perl-I18N-Langinfo-0.19-489.cm2.aarch64.rpm +perl-IO-1.46-489.cm2.aarch64.rpm +perl-IPC-Open3-1.21-489.cm2.noarch.rpm +perl-MIME-Base64-3.16-489.cm2.aarch64.rpm +perl-POSIX-1.97-489.cm2.aarch64.rpm +perl-PathTools-3.80-489.cm2.aarch64.rpm +perl-Pod-Escapes-1.07-489.cm2.noarch.rpm +perl-Pod-Perldoc-3.28.01-489.cm2.noarch.rpm +perl-Pod-Simple-3.42-489.cm2.noarch.rpm +perl-Pod-Usage-2.01-489.cm2.noarch.rpm +perl-Scalar-List-Utils-1.55-489.cm2.aarch64.rpm +perl-SelectSaver-1.02-489.cm2.noarch.rpm +perl-Socket-2.031-489.cm2.aarch64.rpm +perl-Storable-3.23-489.cm2.aarch64.rpm +perl-Symbol-1.09-489.cm2.noarch.rpm +perl-Term-ANSIColor-5.01-489.cm2.noarch.rpm 
+perl-Term-Cap-1.17-489.cm2.noarch.rpm +perl-Text-ParseWords-3.30-489.cm2.noarch.rpm +perl-Text-Tabs+Wrap-2013.0523-489.cm2.noarch.rpm +perl-Thread-Queue-3.14-489.cm2.noarch.rpm +perl-Time-Local-1.300-489.cm2.noarch.rpm +perl-Unicode-Normalize-1.28-489.cm2.aarch64.rpm +perl-base-2.27-489.cm2.noarch.rpm +perl-constant-1.33-489.cm2.noarch.rpm +perl-if-0.60.900-489.cm2.noarch.rpm +perl-interpreter-5.34.1-489.cm2.aarch64.rpm +perl-libs-5.34.1-489.cm2.aarch64.rpm +perl-locale-1.10-489.cm2.noarch.rpm +perl-macros-5.34.1-489.cm2.noarch.rpm +perl-mro-1.25-489.cm2.aarch64.rpm +perl-overload-1.33-489.cm2.noarch.rpm +perl-overloading-0.02-489.cm2.noarch.rpm +perl-parent-0.238-489.cm2.noarch.rpm +perl-podlators-4.14-489.cm2.noarch.rpm +perl-subs-1.04-489.cm2.noarch.rpm +perl-threads-2.26-489.cm2.aarch64.rpm +perl-threads-shared-1.62-489.cm2.aarch64.rpm +perl-vars-1.05-489.cm2.noarch.rpm +perl-5.34.1-489.cm2.aarch64.rpm texinfo-6.8-1.cm2.aarch64.rpm gtk-doc-1.33.2-1.cm2.noarch.rpm autoconf-2.71-3.cm2.noarch.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index b21064bf99e..fe9f188ed89 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -103,64 +103,64 @@ libpipeline-devel-1.5.5-3.cm2.x86_64.rpm gdbm-1.21-1.cm2.x86_64.rpm gdbm-devel-1.21-1.cm2.x86_64.rpm gdbm-lang-1.21-1.cm2.x86_64.rpm -perl-B-1.82-490.cm2.x86_64.rpm -perl-Carp-1.52-490.cm2.noarch.rpm -perl-Class-Struct-0.66-490.cm2.noarch.rpm -perl-Data-Dumper-2.179-490.cm2.x86_64.rpm -perl-DynaLoader-1.50-490.cm2.x86_64.rpm -perl-Encode-3.08-490.cm2.x86_64.rpm -perl-Errno-1.33-490.cm2.x86_64.rpm -perl-Exporter-5.76-490.cm2.noarch.rpm -perl-Fcntl-1.14-490.cm2.x86_64.rpm -perl-File-Basename-2.85-490.cm2.noarch.rpm -perl-File-Compare-1.100.600-490.cm2.noarch.rpm -perl-File-Copy-2.35-490.cm2.noarch.rpm -perl-File-Path-2.18-490.cm2.noarch.rpm -perl-File-Temp-0.231.100-490.cm2.noarch.rpm -perl-File-stat-1.09-490.cm2.noarch.rpm -perl-FileHandle-2.03-490.cm2.noarch.rpm -perl-Getopt-Long-2.52-490.cm2.noarch.rpm -perl-Getopt-Std-1.13-490.cm2.noarch.rpm -perl-HTTP-Tiny-0.076-490.cm2.noarch.rpm -perl-I18N-Langinfo-0.19-490.cm2.x86_64.rpm -perl-IO-1.46-490.cm2.x86_64.rpm -perl-IPC-Open3-1.21-490.cm2.noarch.rpm -perl-MIME-Base64-3.16-490.cm2.x86_64.rpm -perl-POSIX-1.97-490.cm2.x86_64.rpm -perl-PathTools-3.80-490.cm2.x86_64.rpm -perl-Pod-Escapes-1.07-490.cm2.noarch.rpm -perl-Pod-Perldoc-3.28.01-490.cm2.noarch.rpm -perl-Pod-Simple-3.42-490.cm2.noarch.rpm -perl-Pod-Usage-2.01-490.cm2.noarch.rpm -perl-Scalar-List-Utils-1.55-490.cm2.x86_64.rpm -perl-SelectSaver-1.02-490.cm2.noarch.rpm -perl-Socket-2.031-490.cm2.x86_64.rpm -perl-Storable-3.23-490.cm2.x86_64.rpm -perl-Symbol-1.09-490.cm2.noarch.rpm -perl-Term-ANSIColor-5.01-490.cm2.noarch.rpm -perl-Term-Cap-1.17-490.cm2.noarch.rpm -perl-Text-ParseWords-3.30-490.cm2.noarch.rpm -perl-Text-Tabs+Wrap-2013.0523-490.cm2.noarch.rpm -perl-Thread-Queue-3.14-490.cm2.noarch.rpm -perl-Time-Local-1.300-490.cm2.noarch.rpm -perl-Unicode-Normalize-1.28-490.cm2.x86_64.rpm -perl-base-2.27-490.cm2.noarch.rpm -perl-constant-1.33-490.cm2.noarch.rpm -perl-if-0.60.900-490.cm2.noarch.rpm -perl-interpreter-5.34.1-490.cm2.x86_64.rpm 
-perl-libs-5.34.1-490.cm2.x86_64.rpm -perl-locale-1.10-490.cm2.noarch.rpm -perl-macros-5.34.1-490.cm2.noarch.rpm -perl-mro-1.25-490.cm2.x86_64.rpm -perl-overload-1.33-490.cm2.noarch.rpm -perl-overloading-0.02-490.cm2.noarch.rpm -perl-parent-0.238-490.cm2.noarch.rpm -perl-podlators-4.14-490.cm2.noarch.rpm -perl-subs-1.04-490.cm2.noarch.rpm -perl-threads-2.26-490.cm2.x86_64.rpm -perl-threads-shared-1.62-490.cm2.x86_64.rpm -perl-vars-1.05-490.cm2.noarch.rpm -perl-5.34.1-490.cm2.x86_64.rpm +perl-B-1.82-489.cm2.x86_64.rpm +perl-Carp-1.52-489.cm2.noarch.rpm +perl-Class-Struct-0.66-489.cm2.noarch.rpm +perl-Data-Dumper-2.179-489.cm2.x86_64.rpm +perl-DynaLoader-1.50-489.cm2.x86_64.rpm +perl-Encode-3.08-489.cm2.x86_64.rpm +perl-Errno-1.33-489.cm2.x86_64.rpm +perl-Exporter-5.76-489.cm2.noarch.rpm +perl-Fcntl-1.14-489.cm2.x86_64.rpm +perl-File-Basename-2.85-489.cm2.noarch.rpm +perl-File-Compare-1.100.600-489.cm2.noarch.rpm +perl-File-Copy-2.35-489.cm2.noarch.rpm +perl-File-Path-2.18-489.cm2.noarch.rpm +perl-File-Temp-0.231.100-489.cm2.noarch.rpm +perl-File-stat-1.09-489.cm2.noarch.rpm +perl-FileHandle-2.03-489.cm2.noarch.rpm +perl-Getopt-Long-2.52-489.cm2.noarch.rpm +perl-Getopt-Std-1.13-489.cm2.noarch.rpm +perl-HTTP-Tiny-0.076-489.cm2.noarch.rpm +perl-I18N-Langinfo-0.19-489.cm2.x86_64.rpm +perl-IO-1.46-489.cm2.x86_64.rpm +perl-IPC-Open3-1.21-489.cm2.noarch.rpm +perl-MIME-Base64-3.16-489.cm2.x86_64.rpm +perl-POSIX-1.97-489.cm2.x86_64.rpm +perl-PathTools-3.80-489.cm2.x86_64.rpm +perl-Pod-Escapes-1.07-489.cm2.noarch.rpm +perl-Pod-Perldoc-3.28.01-489.cm2.noarch.rpm +perl-Pod-Simple-3.42-489.cm2.noarch.rpm +perl-Pod-Usage-2.01-489.cm2.noarch.rpm +perl-Scalar-List-Utils-1.55-489.cm2.x86_64.rpm +perl-SelectSaver-1.02-489.cm2.noarch.rpm +perl-Socket-2.031-489.cm2.x86_64.rpm +perl-Storable-3.23-489.cm2.x86_64.rpm +perl-Symbol-1.09-489.cm2.noarch.rpm +perl-Term-ANSIColor-5.01-489.cm2.noarch.rpm +perl-Term-Cap-1.17-489.cm2.noarch.rpm +perl-Text-ParseWords-3.30-489.cm2.noarch.rpm 
+perl-Text-Tabs+Wrap-2013.0523-489.cm2.noarch.rpm +perl-Thread-Queue-3.14-489.cm2.noarch.rpm +perl-Time-Local-1.300-489.cm2.noarch.rpm +perl-Unicode-Normalize-1.28-489.cm2.x86_64.rpm +perl-base-2.27-489.cm2.noarch.rpm +perl-constant-1.33-489.cm2.noarch.rpm +perl-if-0.60.900-489.cm2.noarch.rpm +perl-interpreter-5.34.1-489.cm2.x86_64.rpm +perl-libs-5.34.1-489.cm2.x86_64.rpm +perl-locale-1.10-489.cm2.noarch.rpm +perl-macros-5.34.1-489.cm2.noarch.rpm +perl-mro-1.25-489.cm2.x86_64.rpm +perl-overload-1.33-489.cm2.noarch.rpm +perl-overloading-0.02-489.cm2.noarch.rpm +perl-parent-0.238-489.cm2.noarch.rpm +perl-podlators-4.14-489.cm2.noarch.rpm +perl-subs-1.04-489.cm2.noarch.rpm +perl-threads-2.26-489.cm2.x86_64.rpm +perl-threads-shared-1.62-489.cm2.x86_64.rpm +perl-vars-1.05-489.cm2.noarch.rpm +perl-5.34.1-489.cm2.x86_64.rpm texinfo-6.8-1.cm2.x86_64.rpm gtk-doc-1.33.2-1.cm2.noarch.rpm autoconf-2.71-3.cm2.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 51425e43506..4edad6c7581 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -291,207 +291,207 @@ pcre-8.45-2.cm2.aarch64.rpm pcre-debuginfo-8.45-2.cm2.aarch64.rpm pcre-devel-8.45-2.cm2.aarch64.rpm pcre-libs-8.45-2.cm2.aarch64.rpm -perl-5.34.1-490.cm2.aarch64.rpm -perl-Archive-Tar-2.38-490.cm2.noarch.rpm -perl-Attribute-Handlers-1.01-490.cm2.noarch.rpm -perl-autodie-2.34-490.cm2.noarch.rpm -perl-AutoLoader-5.74-490.cm2.noarch.rpm -perl-AutoSplit-5.74-490.cm2.noarch.rpm -perl-autouse-1.11-490.cm2.noarch.rpm -perl-B-1.82-490.cm2.aarch64.rpm -perl-base-2.27-490.cm2.noarch.rpm -perl-Benchmark-1.23-490.cm2.noarch.rpm -perl-bignum-0.51-490.cm2.noarch.rpm -perl-blib-1.07-490.cm2.noarch.rpm -perl-Carp-1.52-490.cm2.noarch.rpm -perl-Class-Struct-0.66-490.cm2.noarch.rpm -perl-Compress-Raw-Bzip2-2.101-490.cm2.aarch64.rpm -perl-Compress-Raw-Zlib-2.101-490.cm2.aarch64.rpm -perl-Config-Extensions-0.03-490.cm2.noarch.rpm -perl-Config-Perl-V-0.33-490.cm2.noarch.rpm -perl-constant-1.33-490.cm2.noarch.rpm -perl-CPAN-2.28-490.cm2.noarch.rpm -perl-CPAN-Meta-2.150010-490.cm2.noarch.rpm -perl-CPAN-Meta-Requirements-2.140-490.cm2.noarch.rpm -perl-CPAN-Meta-YAML-0.018-490.cm2.noarch.rpm -perl-Data-Dumper-2.179-490.cm2.aarch64.rpm -perl-DBD-SQLite-1.70-3.cm2.aarch64.rpm -perl-DBD-SQLite-debuginfo-1.70-3.cm2.aarch64.rpm -perl-DBI-1.643-3.cm2.aarch64.rpm -perl-DBI-debuginfo-1.643-3.cm2.aarch64.rpm -perl-DBIx-Simple-1.37-7.cm2.noarch.rpm -perl-DBM_Filter-0.06-490.cm2.noarch.rpm -perl-debugger-1.60-490.cm2.noarch.rpm -perl-debuginfo-5.34.1-490.cm2.aarch64.rpm -perl-deprecate-0.04-490.cm2.noarch.rpm -perl-devel-5.34.1-490.cm2.aarch64.rpm -perl-Devel-Peek-1.30-490.cm2.aarch64.rpm -perl-Devel-PPPort-3.62-490.cm2.aarch64.rpm -perl-Devel-SelfStubber-1.06-490.cm2.noarch.rpm -perl-diagnostics-1.37-490.cm2.noarch.rpm -perl-Digest-1.19-490.cm2.noarch.rpm -perl-Digest-MD5-2.58-490.cm2.aarch64.rpm -perl-Digest-SHA-6.02-490.cm2.aarch64.rpm -perl-DirHandle-1.05-490.cm2.noarch.rpm -perl-doc-5.34.1-490.cm2.noarch.rpm -perl-Dumpvalue-2.27-490.cm2.noarch.rpm 
-perl-DynaLoader-1.50-490.cm2.aarch64.rpm -perl-Encode-3.08-490.cm2.aarch64.rpm -perl-Encode-devel-3.08-490.cm2.noarch.rpm -perl-encoding-3.00-490.cm2.aarch64.rpm -perl-encoding-warnings-0.13-490.cm2.noarch.rpm -perl-English-1.11-490.cm2.noarch.rpm -perl-Env-1.05-490.cm2.noarch.rpm -perl-Errno-1.33-490.cm2.aarch64.rpm -perl-experimental-0.024-490.cm2.noarch.rpm -perl-Exporter-5.76-490.cm2.noarch.rpm -perl-ExtUtils-CBuilder-0.280236-490.cm2.noarch.rpm -perl-ExtUtils-Command-7.62-490.cm2.noarch.rpm -perl-ExtUtils-Constant-0.25-490.cm2.noarch.rpm -perl-ExtUtils-Embed-1.35-490.cm2.noarch.rpm -perl-ExtUtils-Install-2.20-490.cm2.noarch.rpm -perl-ExtUtils-MakeMaker-7.62-490.cm2.noarch.rpm -perl-ExtUtils-Manifest-1.73-490.cm2.noarch.rpm -perl-ExtUtils-Miniperl-1.10-490.cm2.noarch.rpm -perl-ExtUtils-MM-Utils-7.44-490.cm2.noarch.rpm -perl-ExtUtils-ParseXS-3.43-490.cm2.noarch.rpm -perl-Fcntl-1.14-490.cm2.aarch64.rpm -perl-Fedora-VSP-0.001-20.cm2.noarch.rpm -perl-fields-2.27-490.cm2.noarch.rpm -perl-File-Basename-2.85-490.cm2.noarch.rpm -perl-File-Compare-1.100.600-490.cm2.noarch.rpm -perl-File-Copy-2.35-490.cm2.noarch.rpm -perl-File-DosGlob-1.12-490.cm2.aarch64.rpm -perl-File-Fetch-1.00-490.cm2.noarch.rpm -perl-File-Find-1.39-490.cm2.noarch.rpm -perl-File-Path-2.18-490.cm2.noarch.rpm -perl-File-stat-1.09-490.cm2.noarch.rpm -perl-File-Temp-0.231.100-490.cm2.noarch.rpm -perl-FileCache-1.10-490.cm2.noarch.rpm -perl-FileHandle-2.03-490.cm2.noarch.rpm -perl-filetest-1.03-490.cm2.noarch.rpm -perl-Filter-1.59-490.cm2.aarch64.rpm -perl-Filter-Simple-0.96-490.cm2.noarch.rpm -perl-FindBin-1.52-490.cm2.noarch.rpm -perl-GDBM_File-1.19-490.cm2.aarch64.rpm -perl-generators-1.11-10.cm2.noarch.rpm -perl-Getopt-Long-2.52-490.cm2.noarch.rpm -perl-Getopt-Std-1.13-490.cm2.noarch.rpm -perl-Hash-Util-0.25-490.cm2.aarch64.rpm -perl-Hash-Util-FieldHash-1.21-490.cm2.aarch64.rpm -perl-HTTP-Tiny-0.076-490.cm2.noarch.rpm -perl-I18N-Collate-1.02-490.cm2.noarch.rpm 
-perl-I18N-Langinfo-0.19-490.cm2.aarch64.rpm -perl-I18N-LangTags-0.45-490.cm2.noarch.rpm -perl-if-0.60.900-490.cm2.noarch.rpm -perl-interpreter-5.34.1-490.cm2.aarch64.rpm -perl-IO-1.46-490.cm2.aarch64.rpm -perl-IO-Compress-2.102-490.cm2.noarch.rpm -perl-IO-Socket-IP-0.41-490.cm2.noarch.rpm -perl-IO-Zlib-1.11-490.cm2.noarch.rpm -perl-IPC-Cmd-1.04-490.cm2.noarch.rpm -perl-IPC-Open3-1.21-490.cm2.noarch.rpm -perl-IPC-SysV-2.09-490.cm2.aarch64.rpm -perl-JSON-PP-4.06-490.cm2.noarch.rpm -perl-less-0.03-490.cm2.noarch.rpm -perl-lib-0.65-490.cm2.aarch64.rpm +perl-5.34.1-489.cm2.aarch64.rpm +perl-Archive-Tar-2.38-489.cm2.noarch.rpm +perl-Attribute-Handlers-1.01-489.cm2.noarch.rpm +perl-autodie-2.34-489.cm2.noarch.rpm +perl-AutoLoader-5.74-489.cm2.noarch.rpm +perl-AutoSplit-5.74-489.cm2.noarch.rpm +perl-autouse-1.11-489.cm2.noarch.rpm +perl-B-1.82-489.cm2.aarch64.rpm +perl-base-2.27-489.cm2.noarch.rpm +perl-Benchmark-1.23-489.cm2.noarch.rpm +perl-bignum-0.51-489.cm2.noarch.rpm +perl-blib-1.07-489.cm2.noarch.rpm +perl-Carp-1.52-489.cm2.noarch.rpm +perl-Class-Struct-0.66-489.cm2.noarch.rpm +perl-Compress-Raw-Bzip2-2.101-489.cm2.aarch64.rpm +perl-Compress-Raw-Zlib-2.101-489.cm2.aarch64.rpm +perl-Config-Extensions-0.03-489.cm2.noarch.rpm +perl-Config-Perl-V-0.33-489.cm2.noarch.rpm +perl-constant-1.33-489.cm2.noarch.rpm +perl-CPAN-2.28-489.cm2.noarch.rpm +perl-CPAN-Meta-2.150010-489.cm2.noarch.rpm +perl-CPAN-Meta-Requirements-2.140-489.cm2.noarch.rpm +perl-CPAN-Meta-YAML-0.018-489.cm2.noarch.rpm +perl-Data-Dumper-2.179-489.cm2.aarch64.rpm +perl-DBD-SQLite-1.70-2.cm2.aarch64.rpm +perl-DBD-SQLite-debuginfo-1.70-2.cm2.aarch64.rpm +perl-DBI-1.643-2.cm2.aarch64.rpm +perl-DBI-debuginfo-1.643-2.cm2.aarch64.rpm +perl-DBIx-Simple-1.37-6.cm2.noarch.rpm +perl-DBM_Filter-0.06-489.cm2.noarch.rpm +perl-debugger-1.60-489.cm2.noarch.rpm +perl-debuginfo-5.34.1-489.cm2.aarch64.rpm +perl-deprecate-0.04-489.cm2.noarch.rpm +perl-devel-5.34.1-489.cm2.aarch64.rpm 
+perl-Devel-Peek-1.30-489.cm2.aarch64.rpm +perl-Devel-PPPort-3.62-489.cm2.aarch64.rpm +perl-Devel-SelfStubber-1.06-489.cm2.noarch.rpm +perl-diagnostics-1.37-489.cm2.noarch.rpm +perl-Digest-1.19-489.cm2.noarch.rpm +perl-Digest-MD5-2.58-489.cm2.aarch64.rpm +perl-Digest-SHA-6.02-489.cm2.aarch64.rpm +perl-DirHandle-1.05-489.cm2.noarch.rpm +perl-doc-5.34.1-489.cm2.noarch.rpm +perl-Dumpvalue-2.27-489.cm2.noarch.rpm +perl-DynaLoader-1.50-489.cm2.aarch64.rpm +perl-Encode-3.08-489.cm2.aarch64.rpm +perl-Encode-devel-3.08-489.cm2.noarch.rpm +perl-encoding-3.00-489.cm2.aarch64.rpm +perl-encoding-warnings-0.13-489.cm2.noarch.rpm +perl-English-1.11-489.cm2.noarch.rpm +perl-Env-1.05-489.cm2.noarch.rpm +perl-Errno-1.33-489.cm2.aarch64.rpm +perl-experimental-0.024-489.cm2.noarch.rpm +perl-Exporter-5.76-489.cm2.noarch.rpm +perl-ExtUtils-CBuilder-0.280236-489.cm2.noarch.rpm +perl-ExtUtils-Command-7.62-489.cm2.noarch.rpm +perl-ExtUtils-Constant-0.25-489.cm2.noarch.rpm +perl-ExtUtils-Embed-1.35-489.cm2.noarch.rpm +perl-ExtUtils-Install-2.20-489.cm2.noarch.rpm +perl-ExtUtils-MakeMaker-7.62-489.cm2.noarch.rpm +perl-ExtUtils-Manifest-1.73-489.cm2.noarch.rpm +perl-ExtUtils-Miniperl-1.10-489.cm2.noarch.rpm +perl-ExtUtils-MM-Utils-7.44-489.cm2.noarch.rpm +perl-ExtUtils-ParseXS-3.43-489.cm2.noarch.rpm +perl-Fcntl-1.14-489.cm2.aarch64.rpm +perl-Fedora-VSP-0.001-19.cm2.noarch.rpm +perl-fields-2.27-489.cm2.noarch.rpm +perl-File-Basename-2.85-489.cm2.noarch.rpm +perl-File-Compare-1.100.600-489.cm2.noarch.rpm +perl-File-Copy-2.35-489.cm2.noarch.rpm +perl-File-DosGlob-1.12-489.cm2.aarch64.rpm +perl-File-Fetch-1.00-489.cm2.noarch.rpm +perl-File-Find-1.39-489.cm2.noarch.rpm +perl-File-Path-2.18-489.cm2.noarch.rpm +perl-File-stat-1.09-489.cm2.noarch.rpm +perl-File-Temp-0.231.100-489.cm2.noarch.rpm +perl-FileCache-1.10-489.cm2.noarch.rpm +perl-FileHandle-2.03-489.cm2.noarch.rpm +perl-filetest-1.03-489.cm2.noarch.rpm +perl-Filter-1.59-489.cm2.aarch64.rpm +perl-Filter-Simple-0.96-489.cm2.noarch.rpm 
+perl-FindBin-1.52-489.cm2.noarch.rpm +perl-GDBM_File-1.19-489.cm2.aarch64.rpm +perl-generators-1.11-9.cm2.noarch.rpm +perl-Getopt-Long-2.52-489.cm2.noarch.rpm +perl-Getopt-Std-1.13-489.cm2.noarch.rpm +perl-Hash-Util-0.25-489.cm2.aarch64.rpm +perl-Hash-Util-FieldHash-1.21-489.cm2.aarch64.rpm +perl-HTTP-Tiny-0.076-489.cm2.noarch.rpm +perl-I18N-Collate-1.02-489.cm2.noarch.rpm +perl-I18N-Langinfo-0.19-489.cm2.aarch64.rpm +perl-I18N-LangTags-0.45-489.cm2.noarch.rpm +perl-if-0.60.900-489.cm2.noarch.rpm +perl-interpreter-5.34.1-489.cm2.aarch64.rpm +perl-IO-1.46-489.cm2.aarch64.rpm +perl-IO-Compress-2.102-489.cm2.noarch.rpm +perl-IO-Socket-IP-0.41-489.cm2.noarch.rpm +perl-IO-Zlib-1.11-489.cm2.noarch.rpm +perl-IPC-Cmd-1.04-489.cm2.noarch.rpm +perl-IPC-Open3-1.21-489.cm2.noarch.rpm +perl-IPC-SysV-2.09-489.cm2.aarch64.rpm +perl-JSON-PP-4.06-489.cm2.noarch.rpm +perl-less-0.03-489.cm2.noarch.rpm +perl-lib-0.65-489.cm2.aarch64.rpm perl-libintl-perl-1.32-2.cm2.aarch64.rpm perl-libintl-perl-debuginfo-1.32-2.cm2.aarch64.rpm -perl-libnet-3.13-490.cm2.noarch.rpm -perl-libnetcfg-5.34.1-490.cm2.noarch.rpm -perl-libs-5.34.1-490.cm2.aarch64.rpm -perl-locale-1.10-490.cm2.noarch.rpm -perl-Locale-Maketext-1.29-490.cm2.noarch.rpm -perl-Locale-Maketext-Simple-0.21-490.cm2.noarch.rpm -perl-macros-5.34.1-490.cm2.noarch.rpm -perl-Math-BigInt-1.9998.18-490.cm2.noarch.rpm -perl-Math-BigInt-FastCalc-0.500.900-490.cm2.aarch64.rpm -perl-Math-BigRat-0.2614-490.cm2.noarch.rpm -perl-Math-Complex-1.59-490.cm2.noarch.rpm -perl-Memoize-1.03-490.cm2.noarch.rpm -perl-meta-notation-5.34.1-490.cm2.noarch.rpm -perl-MIME-Base64-3.16-490.cm2.aarch64.rpm -perl-Module-CoreList-5.20220313-490.cm2.noarch.rpm -perl-Module-CoreList-tools-5.20220313-490.cm2.noarch.rpm -perl-Module-Load-0.36-490.cm2.noarch.rpm -perl-Module-Load-Conditional-0.74-490.cm2.noarch.rpm -perl-Module-Loaded-0.08-490.cm2.noarch.rpm -perl-Module-Metadata-1.000037-490.cm2.noarch.rpm -perl-mro-1.25-490.cm2.aarch64.rpm 
-perl-NDBM_File-1.15-490.cm2.aarch64.rpm -perl-Net-1.02-490.cm2.noarch.rpm -perl-Net-Ping-2.74-490.cm2.noarch.rpm -perl-NEXT-0.68-490.cm2.noarch.rpm -perl-Object-Accessor-0.48-10.cm2.noarch.rpm -perl-ODBM_File-1.17-490.cm2.aarch64.rpm -perl-Opcode-1.50-490.cm2.aarch64.rpm -perl-open-1.12-490.cm2.noarch.rpm -perl-overload-1.33-490.cm2.noarch.rpm -perl-overloading-0.02-490.cm2.noarch.rpm -perl-Params-Check-0.38-490.cm2.noarch.rpm -perl-parent-0.238-490.cm2.noarch.rpm -perl-PathTools-3.80-490.cm2.aarch64.rpm -perl-Perl-OSType-1.010-490.cm2.noarch.rpm -perl-perlfaq-5.20210411-490.cm2.noarch.rpm -perl-PerlIO-via-QuotedPrint-0.09-490.cm2.noarch.rpm -perl-ph-5.34.1-490.cm2.aarch64.rpm -perl-Pod-Checker-1.74-490.cm2.noarch.rpm -perl-Pod-Escapes-1.07-490.cm2.noarch.rpm -perl-Pod-Functions-1.13-490.cm2.noarch.rpm -perl-Pod-Html-1.27-490.cm2.noarch.rpm -perl-Pod-Perldoc-3.28.01-490.cm2.noarch.rpm -perl-Pod-Simple-3.42-490.cm2.noarch.rpm -perl-Pod-Usage-2.01-490.cm2.noarch.rpm -perl-podlators-4.14-490.cm2.noarch.rpm -perl-POSIX-1.97-490.cm2.aarch64.rpm -perl-Safe-2.43-490.cm2.noarch.rpm -perl-Scalar-List-Utils-1.55-490.cm2.aarch64.rpm -perl-Search-Dict-1.07-490.cm2.noarch.rpm -perl-SelectSaver-1.02-490.cm2.noarch.rpm -perl-SelfLoader-1.26-490.cm2.noarch.rpm -perl-sigtrap-1.09-490.cm2.noarch.rpm -perl-Socket-2.031-490.cm2.aarch64.rpm -perl-sort-2.04-490.cm2.noarch.rpm -perl-Storable-3.23-490.cm2.aarch64.rpm -perl-subs-1.04-490.cm2.noarch.rpm -perl-Symbol-1.09-490.cm2.noarch.rpm -perl-Sys-Hostname-1.23-490.cm2.aarch64.rpm -perl-Sys-Syslog-0.36-490.cm2.aarch64.rpm -perl-Term-ANSIColor-5.01-490.cm2.noarch.rpm -perl-Term-Cap-1.17-490.cm2.noarch.rpm -perl-Term-Complete-1.403-490.cm2.noarch.rpm -perl-Term-ReadLine-1.17-490.cm2.noarch.rpm -perl-Test-1.31-490.cm2.noarch.rpm -perl-Test-Harness-3.43-490.cm2.noarch.rpm -perl-Test-Simple-1.302183-490.cm2.noarch.rpm -perl-Test-Warnings-0.031-3.cm2.noarch.rpm -perl-tests-5.34.1-490.cm2.aarch64.rpm -perl-Text-Abbrev-1.02-490.cm2.noarch.rpm 
-perl-Text-Balanced-2.04-490.cm2.noarch.rpm -perl-Text-ParseWords-3.30-490.cm2.noarch.rpm -perl-Text-Tabs+Wrap-2013.0523-490.cm2.noarch.rpm -perl-Text-Template-1.60-2.cm2.noarch.rpm -perl-Thread-3.05-490.cm2.noarch.rpm -perl-Thread-Queue-3.14-490.cm2.noarch.rpm -perl-Thread-Semaphore-2.13-490.cm2.noarch.rpm -perl-threads-2.26-490.cm2.aarch64.rpm -perl-threads-shared-1.62-490.cm2.aarch64.rpm -perl-Tie-4.6-490.cm2.noarch.rpm -perl-Tie-File-1.06-490.cm2.noarch.rpm -perl-Tie-Memoize-1.1-490.cm2.noarch.rpm -perl-Tie-RefHash-1.40-490.cm2.noarch.rpm -perl-Time-1.03-490.cm2.noarch.rpm -perl-Time-HiRes-1.9767-490.cm2.aarch64.rpm -perl-Time-Local-1.300-490.cm2.noarch.rpm -perl-Time-Piece-1.3401-490.cm2.aarch64.rpm -perl-Unicode-Collate-1.29-490.cm2.aarch64.rpm -perl-Unicode-Normalize-1.28-490.cm2.aarch64.rpm -perl-Unicode-UCD-0.75-490.cm2.noarch.rpm -perl-User-pwent-1.03-490.cm2.noarch.rpm -perl-utils-5.34.1-490.cm2.noarch.rpm -perl-vars-1.05-490.cm2.noarch.rpm -perl-version-0.99.28-490.cm2.noarch.rpm -perl-vmsish-1.04-490.cm2.noarch.rpm +perl-libnet-3.13-489.cm2.noarch.rpm +perl-libnetcfg-5.34.1-489.cm2.noarch.rpm +perl-libs-5.34.1-489.cm2.aarch64.rpm +perl-locale-1.10-489.cm2.noarch.rpm +perl-Locale-Maketext-1.29-489.cm2.noarch.rpm +perl-Locale-Maketext-Simple-0.21-489.cm2.noarch.rpm +perl-macros-5.34.1-489.cm2.noarch.rpm +perl-Math-BigInt-1.9998.18-489.cm2.noarch.rpm +perl-Math-BigInt-FastCalc-0.500.900-489.cm2.aarch64.rpm +perl-Math-BigRat-0.2614-489.cm2.noarch.rpm +perl-Math-Complex-1.59-489.cm2.noarch.rpm +perl-Memoize-1.03-489.cm2.noarch.rpm +perl-meta-notation-5.34.1-489.cm2.noarch.rpm +perl-MIME-Base64-3.16-489.cm2.aarch64.rpm +perl-Module-CoreList-5.20220313-489.cm2.noarch.rpm +perl-Module-CoreList-tools-5.20220313-489.cm2.noarch.rpm +perl-Module-Load-0.36-489.cm2.noarch.rpm +perl-Module-Load-Conditional-0.74-489.cm2.noarch.rpm +perl-Module-Loaded-0.08-489.cm2.noarch.rpm +perl-Module-Metadata-1.000037-489.cm2.noarch.rpm +perl-mro-1.25-489.cm2.aarch64.rpm 
+perl-NDBM_File-1.15-489.cm2.aarch64.rpm +perl-Net-1.02-489.cm2.noarch.rpm +perl-Net-Ping-2.74-489.cm2.noarch.rpm +perl-NEXT-0.68-489.cm2.noarch.rpm +perl-Object-Accessor-0.48-9.cm2.noarch.rpm +perl-ODBM_File-1.17-489.cm2.aarch64.rpm +perl-Opcode-1.50-489.cm2.aarch64.rpm +perl-open-1.12-489.cm2.noarch.rpm +perl-overload-1.33-489.cm2.noarch.rpm +perl-overloading-0.02-489.cm2.noarch.rpm +perl-Params-Check-0.38-489.cm2.noarch.rpm +perl-parent-0.238-489.cm2.noarch.rpm +perl-PathTools-3.80-489.cm2.aarch64.rpm +perl-Perl-OSType-1.010-489.cm2.noarch.rpm +perl-perlfaq-5.20210411-489.cm2.noarch.rpm +perl-PerlIO-via-QuotedPrint-0.09-489.cm2.noarch.rpm +perl-ph-5.34.1-489.cm2.aarch64.rpm +perl-Pod-Checker-1.74-489.cm2.noarch.rpm +perl-Pod-Escapes-1.07-489.cm2.noarch.rpm +perl-Pod-Functions-1.13-489.cm2.noarch.rpm +perl-Pod-Html-1.27-489.cm2.noarch.rpm +perl-Pod-Perldoc-3.28.01-489.cm2.noarch.rpm +perl-Pod-Simple-3.42-489.cm2.noarch.rpm +perl-Pod-Usage-2.01-489.cm2.noarch.rpm +perl-podlators-4.14-489.cm2.noarch.rpm +perl-POSIX-1.97-489.cm2.aarch64.rpm +perl-Safe-2.43-489.cm2.noarch.rpm +perl-Scalar-List-Utils-1.55-489.cm2.aarch64.rpm +perl-Search-Dict-1.07-489.cm2.noarch.rpm +perl-SelectSaver-1.02-489.cm2.noarch.rpm +perl-SelfLoader-1.26-489.cm2.noarch.rpm +perl-sigtrap-1.09-489.cm2.noarch.rpm +perl-Socket-2.031-489.cm2.aarch64.rpm +perl-sort-2.04-489.cm2.noarch.rpm +perl-Storable-3.23-489.cm2.aarch64.rpm +perl-subs-1.04-489.cm2.noarch.rpm +perl-Symbol-1.09-489.cm2.noarch.rpm +perl-Sys-Hostname-1.23-489.cm2.aarch64.rpm +perl-Sys-Syslog-0.36-489.cm2.aarch64.rpm +perl-Term-ANSIColor-5.01-489.cm2.noarch.rpm +perl-Term-Cap-1.17-489.cm2.noarch.rpm +perl-Term-Complete-1.403-489.cm2.noarch.rpm +perl-Term-ReadLine-1.17-489.cm2.noarch.rpm +perl-Test-1.31-489.cm2.noarch.rpm +perl-Test-Harness-3.43-489.cm2.noarch.rpm +perl-Test-Simple-1.302183-489.cm2.noarch.rpm +perl-Test-Warnings-0.031-2.cm2.noarch.rpm +perl-tests-5.34.1-489.cm2.aarch64.rpm +perl-Text-Abbrev-1.02-489.cm2.noarch.rpm 
+perl-Text-Balanced-2.04-489.cm2.noarch.rpm +perl-Text-ParseWords-3.30-489.cm2.noarch.rpm +perl-Text-Tabs+Wrap-2013.0523-489.cm2.noarch.rpm +perl-Text-Template-1.60-1.cm2.noarch.rpm +perl-Thread-3.05-489.cm2.noarch.rpm +perl-Thread-Queue-3.14-489.cm2.noarch.rpm +perl-Thread-Semaphore-2.13-489.cm2.noarch.rpm +perl-threads-2.26-489.cm2.aarch64.rpm +perl-threads-shared-1.62-489.cm2.aarch64.rpm +perl-Tie-4.6-489.cm2.noarch.rpm +perl-Tie-File-1.06-489.cm2.noarch.rpm +perl-Tie-Memoize-1.1-489.cm2.noarch.rpm +perl-Tie-RefHash-1.40-489.cm2.noarch.rpm +perl-Time-1.03-489.cm2.noarch.rpm +perl-Time-HiRes-1.9767-489.cm2.aarch64.rpm +perl-Time-Local-1.300-489.cm2.noarch.rpm +perl-Time-Piece-1.3401-489.cm2.aarch64.rpm +perl-Unicode-Collate-1.29-489.cm2.aarch64.rpm +perl-Unicode-Normalize-1.28-489.cm2.aarch64.rpm +perl-Unicode-UCD-0.75-489.cm2.noarch.rpm +perl-User-pwent-1.03-489.cm2.noarch.rpm +perl-utils-5.34.1-489.cm2.noarch.rpm +perl-vars-1.05-489.cm2.noarch.rpm +perl-version-0.99.28-489.cm2.noarch.rpm +perl-vmsish-1.04-489.cm2.noarch.rpm perl-XML-Parser-2.46-2.cm2.aarch64.rpm perl-XML-Parser-debuginfo-2.46-2.cm2.aarch64.rpm pinentry-1.2.0-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 9f236a3375e..345d9f3bc77 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -297,207 +297,207 @@ pcre-8.45-2.cm2.x86_64.rpm pcre-debuginfo-8.45-2.cm2.x86_64.rpm pcre-devel-8.45-2.cm2.x86_64.rpm pcre-libs-8.45-2.cm2.x86_64.rpm -perl-5.34.1-490.cm2.x86_64.rpm -perl-Archive-Tar-2.38-490.cm2.noarch.rpm -perl-Attribute-Handlers-1.01-490.cm2.noarch.rpm -perl-autodie-2.34-490.cm2.noarch.rpm -perl-AutoLoader-5.74-490.cm2.noarch.rpm -perl-AutoSplit-5.74-490.cm2.noarch.rpm -perl-autouse-1.11-490.cm2.noarch.rpm -perl-B-1.82-490.cm2.x86_64.rpm -perl-base-2.27-490.cm2.noarch.rpm -perl-Benchmark-1.23-490.cm2.noarch.rpm -perl-bignum-0.51-490.cm2.noarch.rpm -perl-blib-1.07-490.cm2.noarch.rpm -perl-Carp-1.52-490.cm2.noarch.rpm -perl-Class-Struct-0.66-490.cm2.noarch.rpm -perl-Compress-Raw-Bzip2-2.101-490.cm2.x86_64.rpm -perl-Compress-Raw-Zlib-2.101-490.cm2.x86_64.rpm -perl-Config-Extensions-0.03-490.cm2.noarch.rpm -perl-Config-Perl-V-0.33-490.cm2.noarch.rpm -perl-constant-1.33-490.cm2.noarch.rpm -perl-CPAN-2.28-490.cm2.noarch.rpm -perl-CPAN-Meta-2.150010-490.cm2.noarch.rpm -perl-CPAN-Meta-Requirements-2.140-490.cm2.noarch.rpm -perl-CPAN-Meta-YAML-0.018-490.cm2.noarch.rpm -perl-Data-Dumper-2.179-490.cm2.x86_64.rpm -perl-DBD-SQLite-1.70-3.cm2.x86_64.rpm -perl-DBD-SQLite-debuginfo-1.70-3.cm2.x86_64.rpm -perl-DBI-1.643-3.cm2.x86_64.rpm -perl-DBI-debuginfo-1.643-3.cm2.x86_64.rpm -perl-DBIx-Simple-1.37-7.cm2.noarch.rpm -perl-DBM_Filter-0.06-490.cm2.noarch.rpm -perl-debugger-1.60-490.cm2.noarch.rpm -perl-debuginfo-5.34.1-490.cm2.x86_64.rpm -perl-deprecate-0.04-490.cm2.noarch.rpm -perl-devel-5.34.1-490.cm2.x86_64.rpm -perl-Devel-Peek-1.30-490.cm2.x86_64.rpm -perl-Devel-PPPort-3.62-490.cm2.x86_64.rpm -perl-Devel-SelfStubber-1.06-490.cm2.noarch.rpm -perl-diagnostics-1.37-490.cm2.noarch.rpm -perl-Digest-1.19-490.cm2.noarch.rpm -perl-Digest-MD5-2.58-490.cm2.x86_64.rpm -perl-Digest-SHA-6.02-490.cm2.x86_64.rpm -perl-DirHandle-1.05-490.cm2.noarch.rpm -perl-doc-5.34.1-490.cm2.noarch.rpm -perl-Dumpvalue-2.27-490.cm2.noarch.rpm -perl-DynaLoader-1.50-490.cm2.x86_64.rpm 
-perl-Encode-3.08-490.cm2.x86_64.rpm -perl-Encode-devel-3.08-490.cm2.noarch.rpm -perl-encoding-3.00-490.cm2.x86_64.rpm -perl-encoding-warnings-0.13-490.cm2.noarch.rpm -perl-English-1.11-490.cm2.noarch.rpm -perl-Env-1.05-490.cm2.noarch.rpm -perl-Errno-1.33-490.cm2.x86_64.rpm -perl-experimental-0.024-490.cm2.noarch.rpm -perl-Exporter-5.76-490.cm2.noarch.rpm -perl-ExtUtils-CBuilder-0.280236-490.cm2.noarch.rpm -perl-ExtUtils-Command-7.62-490.cm2.noarch.rpm -perl-ExtUtils-Constant-0.25-490.cm2.noarch.rpm -perl-ExtUtils-Embed-1.35-490.cm2.noarch.rpm -perl-ExtUtils-Install-2.20-490.cm2.noarch.rpm -perl-ExtUtils-MakeMaker-7.62-490.cm2.noarch.rpm -perl-ExtUtils-Manifest-1.73-490.cm2.noarch.rpm -perl-ExtUtils-Miniperl-1.10-490.cm2.noarch.rpm -perl-ExtUtils-MM-Utils-7.44-490.cm2.noarch.rpm -perl-ExtUtils-ParseXS-3.43-490.cm2.noarch.rpm -perl-Fcntl-1.14-490.cm2.x86_64.rpm -perl-Fedora-VSP-0.001-20.cm2.noarch.rpm -perl-fields-2.27-490.cm2.noarch.rpm -perl-File-Basename-2.85-490.cm2.noarch.rpm -perl-File-Compare-1.100.600-490.cm2.noarch.rpm -perl-File-Copy-2.35-490.cm2.noarch.rpm -perl-File-DosGlob-1.12-490.cm2.x86_64.rpm -perl-File-Fetch-1.00-490.cm2.noarch.rpm -perl-File-Find-1.39-490.cm2.noarch.rpm -perl-File-Path-2.18-490.cm2.noarch.rpm -perl-File-stat-1.09-490.cm2.noarch.rpm -perl-File-Temp-0.231.100-490.cm2.noarch.rpm -perl-FileCache-1.10-490.cm2.noarch.rpm -perl-FileHandle-2.03-490.cm2.noarch.rpm -perl-filetest-1.03-490.cm2.noarch.rpm -perl-Filter-1.59-490.cm2.x86_64.rpm -perl-Filter-Simple-0.96-490.cm2.noarch.rpm -perl-FindBin-1.52-490.cm2.noarch.rpm -perl-GDBM_File-1.19-490.cm2.x86_64.rpm -perl-generators-1.11-10.cm2.noarch.rpm -perl-Getopt-Long-2.52-490.cm2.noarch.rpm -perl-Getopt-Std-1.13-490.cm2.noarch.rpm -perl-Hash-Util-0.25-490.cm2.x86_64.rpm -perl-Hash-Util-FieldHash-1.21-490.cm2.x86_64.rpm -perl-HTTP-Tiny-0.076-490.cm2.noarch.rpm -perl-I18N-Collate-1.02-490.cm2.noarch.rpm -perl-I18N-Langinfo-0.19-490.cm2.x86_64.rpm -perl-I18N-LangTags-0.45-490.cm2.noarch.rpm 
-perl-if-0.60.900-490.cm2.noarch.rpm -perl-interpreter-5.34.1-490.cm2.x86_64.rpm -perl-IO-1.46-490.cm2.x86_64.rpm -perl-IO-Compress-2.102-490.cm2.noarch.rpm -perl-IO-Socket-IP-0.41-490.cm2.noarch.rpm -perl-IO-Zlib-1.11-490.cm2.noarch.rpm -perl-IPC-Cmd-1.04-490.cm2.noarch.rpm -perl-IPC-Open3-1.21-490.cm2.noarch.rpm -perl-IPC-SysV-2.09-490.cm2.x86_64.rpm -perl-JSON-PP-4.06-490.cm2.noarch.rpm -perl-less-0.03-490.cm2.noarch.rpm -perl-lib-0.65-490.cm2.x86_64.rpm +perl-5.34.1-489.cm2.x86_64.rpm +perl-Archive-Tar-2.38-489.cm2.noarch.rpm +perl-Attribute-Handlers-1.01-489.cm2.noarch.rpm +perl-autodie-2.34-489.cm2.noarch.rpm +perl-AutoLoader-5.74-489.cm2.noarch.rpm +perl-AutoSplit-5.74-489.cm2.noarch.rpm +perl-autouse-1.11-489.cm2.noarch.rpm +perl-B-1.82-489.cm2.x86_64.rpm +perl-base-2.27-489.cm2.noarch.rpm +perl-Benchmark-1.23-489.cm2.noarch.rpm +perl-bignum-0.51-489.cm2.noarch.rpm +perl-blib-1.07-489.cm2.noarch.rpm +perl-Carp-1.52-489.cm2.noarch.rpm +perl-Class-Struct-0.66-489.cm2.noarch.rpm +perl-Compress-Raw-Bzip2-2.101-489.cm2.x86_64.rpm +perl-Compress-Raw-Zlib-2.101-489.cm2.x86_64.rpm +perl-Config-Extensions-0.03-489.cm2.noarch.rpm +perl-Config-Perl-V-0.33-489.cm2.noarch.rpm +perl-constant-1.33-489.cm2.noarch.rpm +perl-CPAN-2.28-489.cm2.noarch.rpm +perl-CPAN-Meta-2.150010-489.cm2.noarch.rpm +perl-CPAN-Meta-Requirements-2.140-489.cm2.noarch.rpm +perl-CPAN-Meta-YAML-0.018-489.cm2.noarch.rpm +perl-Data-Dumper-2.179-489.cm2.x86_64.rpm +perl-DBD-SQLite-1.70-2.cm2.x86_64.rpm +perl-DBD-SQLite-debuginfo-1.70-2.cm2.x86_64.rpm +perl-DBI-1.643-2.cm2.x86_64.rpm +perl-DBI-debuginfo-1.643-2.cm2.x86_64.rpm +perl-DBIx-Simple-1.37-6.cm2.noarch.rpm +perl-DBM_Filter-0.06-489.cm2.noarch.rpm +perl-debugger-1.60-489.cm2.noarch.rpm +perl-debuginfo-5.34.1-489.cm2.x86_64.rpm +perl-deprecate-0.04-489.cm2.noarch.rpm +perl-devel-5.34.1-489.cm2.x86_64.rpm +perl-Devel-Peek-1.30-489.cm2.x86_64.rpm +perl-Devel-PPPort-3.62-489.cm2.x86_64.rpm +perl-Devel-SelfStubber-1.06-489.cm2.noarch.rpm 
+perl-diagnostics-1.37-489.cm2.noarch.rpm +perl-Digest-1.19-489.cm2.noarch.rpm +perl-Digest-MD5-2.58-489.cm2.x86_64.rpm +perl-Digest-SHA-6.02-489.cm2.x86_64.rpm +perl-DirHandle-1.05-489.cm2.noarch.rpm +perl-doc-5.34.1-489.cm2.noarch.rpm +perl-Dumpvalue-2.27-489.cm2.noarch.rpm +perl-DynaLoader-1.50-489.cm2.x86_64.rpm +perl-Encode-3.08-489.cm2.x86_64.rpm +perl-Encode-devel-3.08-489.cm2.noarch.rpm +perl-encoding-3.00-489.cm2.x86_64.rpm +perl-encoding-warnings-0.13-489.cm2.noarch.rpm +perl-English-1.11-489.cm2.noarch.rpm +perl-Env-1.05-489.cm2.noarch.rpm +perl-Errno-1.33-489.cm2.x86_64.rpm +perl-experimental-0.024-489.cm2.noarch.rpm +perl-Exporter-5.76-489.cm2.noarch.rpm +perl-ExtUtils-CBuilder-0.280236-489.cm2.noarch.rpm +perl-ExtUtils-Command-7.62-489.cm2.noarch.rpm +perl-ExtUtils-Constant-0.25-489.cm2.noarch.rpm +perl-ExtUtils-Embed-1.35-489.cm2.noarch.rpm +perl-ExtUtils-Install-2.20-489.cm2.noarch.rpm +perl-ExtUtils-MakeMaker-7.62-489.cm2.noarch.rpm +perl-ExtUtils-Manifest-1.73-489.cm2.noarch.rpm +perl-ExtUtils-Miniperl-1.10-489.cm2.noarch.rpm +perl-ExtUtils-MM-Utils-7.44-489.cm2.noarch.rpm +perl-ExtUtils-ParseXS-3.43-489.cm2.noarch.rpm +perl-Fcntl-1.14-489.cm2.x86_64.rpm +perl-Fedora-VSP-0.001-19.cm2.noarch.rpm +perl-fields-2.27-489.cm2.noarch.rpm +perl-File-Basename-2.85-489.cm2.noarch.rpm +perl-File-Compare-1.100.600-489.cm2.noarch.rpm +perl-File-Copy-2.35-489.cm2.noarch.rpm +perl-File-DosGlob-1.12-489.cm2.x86_64.rpm +perl-File-Fetch-1.00-489.cm2.noarch.rpm +perl-File-Find-1.39-489.cm2.noarch.rpm +perl-File-Path-2.18-489.cm2.noarch.rpm +perl-File-stat-1.09-489.cm2.noarch.rpm +perl-File-Temp-0.231.100-489.cm2.noarch.rpm +perl-FileCache-1.10-489.cm2.noarch.rpm +perl-FileHandle-2.03-489.cm2.noarch.rpm +perl-filetest-1.03-489.cm2.noarch.rpm +perl-Filter-1.59-489.cm2.x86_64.rpm +perl-Filter-Simple-0.96-489.cm2.noarch.rpm +perl-FindBin-1.52-489.cm2.noarch.rpm +perl-GDBM_File-1.19-489.cm2.x86_64.rpm +perl-generators-1.11-9.cm2.noarch.rpm 
+perl-Getopt-Long-2.52-489.cm2.noarch.rpm +perl-Getopt-Std-1.13-489.cm2.noarch.rpm +perl-Hash-Util-0.25-489.cm2.x86_64.rpm +perl-Hash-Util-FieldHash-1.21-489.cm2.x86_64.rpm +perl-HTTP-Tiny-0.076-489.cm2.noarch.rpm +perl-I18N-Collate-1.02-489.cm2.noarch.rpm +perl-I18N-Langinfo-0.19-489.cm2.x86_64.rpm +perl-I18N-LangTags-0.45-489.cm2.noarch.rpm +perl-if-0.60.900-489.cm2.noarch.rpm +perl-interpreter-5.34.1-489.cm2.x86_64.rpm +perl-IO-1.46-489.cm2.x86_64.rpm +perl-IO-Compress-2.102-489.cm2.noarch.rpm +perl-IO-Socket-IP-0.41-489.cm2.noarch.rpm +perl-IO-Zlib-1.11-489.cm2.noarch.rpm +perl-IPC-Cmd-1.04-489.cm2.noarch.rpm +perl-IPC-Open3-1.21-489.cm2.noarch.rpm +perl-IPC-SysV-2.09-489.cm2.x86_64.rpm +perl-JSON-PP-4.06-489.cm2.noarch.rpm +perl-less-0.03-489.cm2.noarch.rpm +perl-lib-0.65-489.cm2.x86_64.rpm perl-libintl-perl-1.32-2.cm2.x86_64.rpm perl-libintl-perl-debuginfo-1.32-2.cm2.x86_64.rpm -perl-libnet-3.13-490.cm2.noarch.rpm -perl-libnetcfg-5.34.1-490.cm2.noarch.rpm -perl-libs-5.34.1-490.cm2.x86_64.rpm -perl-locale-1.10-490.cm2.noarch.rpm -perl-Locale-Maketext-1.29-490.cm2.noarch.rpm -perl-Locale-Maketext-Simple-0.21-490.cm2.noarch.rpm -perl-macros-5.34.1-490.cm2.noarch.rpm -perl-Math-BigInt-1.9998.18-490.cm2.noarch.rpm -perl-Math-BigInt-FastCalc-0.500.900-490.cm2.x86_64.rpm -perl-Math-BigRat-0.2614-490.cm2.noarch.rpm -perl-Math-Complex-1.59-490.cm2.noarch.rpm -perl-Memoize-1.03-490.cm2.noarch.rpm -perl-meta-notation-5.34.1-490.cm2.noarch.rpm -perl-MIME-Base64-3.16-490.cm2.x86_64.rpm -perl-Module-CoreList-5.20220313-490.cm2.noarch.rpm -perl-Module-CoreList-tools-5.20220313-490.cm2.noarch.rpm -perl-Module-Load-0.36-490.cm2.noarch.rpm -perl-Module-Load-Conditional-0.74-490.cm2.noarch.rpm -perl-Module-Loaded-0.08-490.cm2.noarch.rpm -perl-Module-Metadata-1.000037-490.cm2.noarch.rpm -perl-mro-1.25-490.cm2.x86_64.rpm -perl-NDBM_File-1.15-490.cm2.x86_64.rpm -perl-Net-1.02-490.cm2.noarch.rpm -perl-Net-Ping-2.74-490.cm2.noarch.rpm -perl-NEXT-0.68-490.cm2.noarch.rpm 
-perl-Object-Accessor-0.48-10.cm2.noarch.rpm -perl-ODBM_File-1.17-490.cm2.x86_64.rpm -perl-Opcode-1.50-490.cm2.x86_64.rpm -perl-open-1.12-490.cm2.noarch.rpm -perl-overload-1.33-490.cm2.noarch.rpm -perl-overloading-0.02-490.cm2.noarch.rpm -perl-Params-Check-0.38-490.cm2.noarch.rpm -perl-parent-0.238-490.cm2.noarch.rpm -perl-PathTools-3.80-490.cm2.x86_64.rpm -perl-Perl-OSType-1.010-490.cm2.noarch.rpm -perl-perlfaq-5.20210411-490.cm2.noarch.rpm -perl-PerlIO-via-QuotedPrint-0.09-490.cm2.noarch.rpm -perl-ph-5.34.1-490.cm2.x86_64.rpm -perl-Pod-Checker-1.74-490.cm2.noarch.rpm -perl-Pod-Escapes-1.07-490.cm2.noarch.rpm -perl-Pod-Functions-1.13-490.cm2.noarch.rpm -perl-Pod-Html-1.27-490.cm2.noarch.rpm -perl-Pod-Perldoc-3.28.01-490.cm2.noarch.rpm -perl-Pod-Simple-3.42-490.cm2.noarch.rpm -perl-Pod-Usage-2.01-490.cm2.noarch.rpm -perl-podlators-4.14-490.cm2.noarch.rpm -perl-POSIX-1.97-490.cm2.x86_64.rpm -perl-Safe-2.43-490.cm2.noarch.rpm -perl-Scalar-List-Utils-1.55-490.cm2.x86_64.rpm -perl-Search-Dict-1.07-490.cm2.noarch.rpm -perl-SelectSaver-1.02-490.cm2.noarch.rpm -perl-SelfLoader-1.26-490.cm2.noarch.rpm -perl-sigtrap-1.09-490.cm2.noarch.rpm -perl-Socket-2.031-490.cm2.x86_64.rpm -perl-sort-2.04-490.cm2.noarch.rpm -perl-Storable-3.23-490.cm2.x86_64.rpm -perl-subs-1.04-490.cm2.noarch.rpm -perl-Symbol-1.09-490.cm2.noarch.rpm -perl-Sys-Hostname-1.23-490.cm2.x86_64.rpm -perl-Sys-Syslog-0.36-490.cm2.x86_64.rpm -perl-Term-ANSIColor-5.01-490.cm2.noarch.rpm -perl-Term-Cap-1.17-490.cm2.noarch.rpm -perl-Term-Complete-1.403-490.cm2.noarch.rpm -perl-Term-ReadLine-1.17-490.cm2.noarch.rpm -perl-Test-1.31-490.cm2.noarch.rpm -perl-Test-Harness-3.43-490.cm2.noarch.rpm -perl-Test-Simple-1.302183-490.cm2.noarch.rpm -perl-Test-Warnings-0.031-3.cm2.noarch.rpm -perl-tests-5.34.1-490.cm2.x86_64.rpm -perl-Text-Abbrev-1.02-490.cm2.noarch.rpm -perl-Text-Balanced-2.04-490.cm2.noarch.rpm -perl-Text-ParseWords-3.30-490.cm2.noarch.rpm -perl-Text-Tabs+Wrap-2013.0523-490.cm2.noarch.rpm 
-perl-Text-Template-1.60-2.cm2.noarch.rpm -perl-Thread-3.05-490.cm2.noarch.rpm -perl-Thread-Queue-3.14-490.cm2.noarch.rpm -perl-Thread-Semaphore-2.13-490.cm2.noarch.rpm -perl-threads-2.26-490.cm2.x86_64.rpm -perl-threads-shared-1.62-490.cm2.x86_64.rpm -perl-Tie-4.6-490.cm2.noarch.rpm -perl-Tie-File-1.06-490.cm2.noarch.rpm -perl-Tie-Memoize-1.1-490.cm2.noarch.rpm -perl-Tie-RefHash-1.40-490.cm2.noarch.rpm -perl-Time-1.03-490.cm2.noarch.rpm -perl-Time-HiRes-1.9767-490.cm2.x86_64.rpm -perl-Time-Local-1.300-490.cm2.noarch.rpm -perl-Time-Piece-1.3401-490.cm2.x86_64.rpm -perl-Unicode-Collate-1.29-490.cm2.x86_64.rpm -perl-Unicode-Normalize-1.28-490.cm2.x86_64.rpm -perl-Unicode-UCD-0.75-490.cm2.noarch.rpm -perl-User-pwent-1.03-490.cm2.noarch.rpm -perl-utils-5.34.1-490.cm2.noarch.rpm -perl-vars-1.05-490.cm2.noarch.rpm -perl-version-0.99.28-490.cm2.noarch.rpm -perl-vmsish-1.04-490.cm2.noarch.rpm +perl-libnet-3.13-489.cm2.noarch.rpm +perl-libnetcfg-5.34.1-489.cm2.noarch.rpm +perl-libs-5.34.1-489.cm2.x86_64.rpm +perl-locale-1.10-489.cm2.noarch.rpm +perl-Locale-Maketext-1.29-489.cm2.noarch.rpm +perl-Locale-Maketext-Simple-0.21-489.cm2.noarch.rpm +perl-macros-5.34.1-489.cm2.noarch.rpm +perl-Math-BigInt-1.9998.18-489.cm2.noarch.rpm +perl-Math-BigInt-FastCalc-0.500.900-489.cm2.x86_64.rpm +perl-Math-BigRat-0.2614-489.cm2.noarch.rpm +perl-Math-Complex-1.59-489.cm2.noarch.rpm +perl-Memoize-1.03-489.cm2.noarch.rpm +perl-meta-notation-5.34.1-489.cm2.noarch.rpm +perl-MIME-Base64-3.16-489.cm2.x86_64.rpm +perl-Module-CoreList-5.20220313-489.cm2.noarch.rpm +perl-Module-CoreList-tools-5.20220313-489.cm2.noarch.rpm +perl-Module-Load-0.36-489.cm2.noarch.rpm +perl-Module-Load-Conditional-0.74-489.cm2.noarch.rpm +perl-Module-Loaded-0.08-489.cm2.noarch.rpm +perl-Module-Metadata-1.000037-489.cm2.noarch.rpm +perl-mro-1.25-489.cm2.x86_64.rpm +perl-NDBM_File-1.15-489.cm2.x86_64.rpm +perl-Net-1.02-489.cm2.noarch.rpm +perl-Net-Ping-2.74-489.cm2.noarch.rpm +perl-NEXT-0.68-489.cm2.noarch.rpm 
+perl-Object-Accessor-0.48-9.cm2.noarch.rpm +perl-ODBM_File-1.17-489.cm2.x86_64.rpm +perl-Opcode-1.50-489.cm2.x86_64.rpm +perl-open-1.12-489.cm2.noarch.rpm +perl-overload-1.33-489.cm2.noarch.rpm +perl-overloading-0.02-489.cm2.noarch.rpm +perl-Params-Check-0.38-489.cm2.noarch.rpm +perl-parent-0.238-489.cm2.noarch.rpm +perl-PathTools-3.80-489.cm2.x86_64.rpm +perl-Perl-OSType-1.010-489.cm2.noarch.rpm +perl-perlfaq-5.20210411-489.cm2.noarch.rpm +perl-PerlIO-via-QuotedPrint-0.09-489.cm2.noarch.rpm +perl-ph-5.34.1-489.cm2.x86_64.rpm +perl-Pod-Checker-1.74-489.cm2.noarch.rpm +perl-Pod-Escapes-1.07-489.cm2.noarch.rpm +perl-Pod-Functions-1.13-489.cm2.noarch.rpm +perl-Pod-Html-1.27-489.cm2.noarch.rpm +perl-Pod-Perldoc-3.28.01-489.cm2.noarch.rpm +perl-Pod-Simple-3.42-489.cm2.noarch.rpm +perl-Pod-Usage-2.01-489.cm2.noarch.rpm +perl-podlators-4.14-489.cm2.noarch.rpm +perl-POSIX-1.97-489.cm2.x86_64.rpm +perl-Safe-2.43-489.cm2.noarch.rpm +perl-Scalar-List-Utils-1.55-489.cm2.x86_64.rpm +perl-Search-Dict-1.07-489.cm2.noarch.rpm +perl-SelectSaver-1.02-489.cm2.noarch.rpm +perl-SelfLoader-1.26-489.cm2.noarch.rpm +perl-sigtrap-1.09-489.cm2.noarch.rpm +perl-Socket-2.031-489.cm2.x86_64.rpm +perl-sort-2.04-489.cm2.noarch.rpm +perl-Storable-3.23-489.cm2.x86_64.rpm +perl-subs-1.04-489.cm2.noarch.rpm +perl-Symbol-1.09-489.cm2.noarch.rpm +perl-Sys-Hostname-1.23-489.cm2.x86_64.rpm +perl-Sys-Syslog-0.36-489.cm2.x86_64.rpm +perl-Term-ANSIColor-5.01-489.cm2.noarch.rpm +perl-Term-Cap-1.17-489.cm2.noarch.rpm +perl-Term-Complete-1.403-489.cm2.noarch.rpm +perl-Term-ReadLine-1.17-489.cm2.noarch.rpm +perl-Test-1.31-489.cm2.noarch.rpm +perl-Test-Harness-3.43-489.cm2.noarch.rpm +perl-Test-Simple-1.302183-489.cm2.noarch.rpm +perl-Test-Warnings-0.031-2.cm2.noarch.rpm +perl-tests-5.34.1-489.cm2.x86_64.rpm +perl-Text-Abbrev-1.02-489.cm2.noarch.rpm +perl-Text-Balanced-2.04-489.cm2.noarch.rpm +perl-Text-ParseWords-3.30-489.cm2.noarch.rpm +perl-Text-Tabs+Wrap-2013.0523-489.cm2.noarch.rpm 
+perl-Text-Template-1.60-1.cm2.noarch.rpm +perl-Thread-3.05-489.cm2.noarch.rpm +perl-Thread-Queue-3.14-489.cm2.noarch.rpm +perl-Thread-Semaphore-2.13-489.cm2.noarch.rpm +perl-threads-2.26-489.cm2.x86_64.rpm +perl-threads-shared-1.62-489.cm2.x86_64.rpm +perl-Tie-4.6-489.cm2.noarch.rpm +perl-Tie-File-1.06-489.cm2.noarch.rpm +perl-Tie-Memoize-1.1-489.cm2.noarch.rpm +perl-Tie-RefHash-1.40-489.cm2.noarch.rpm +perl-Time-1.03-489.cm2.noarch.rpm +perl-Time-HiRes-1.9767-489.cm2.x86_64.rpm +perl-Time-Local-1.300-489.cm2.noarch.rpm +perl-Time-Piece-1.3401-489.cm2.x86_64.rpm +perl-Unicode-Collate-1.29-489.cm2.x86_64.rpm +perl-Unicode-Normalize-1.28-489.cm2.x86_64.rpm +perl-Unicode-UCD-0.75-489.cm2.noarch.rpm +perl-User-pwent-1.03-489.cm2.noarch.rpm +perl-utils-5.34.1-489.cm2.noarch.rpm +perl-vars-1.05-489.cm2.noarch.rpm +perl-version-0.99.28-489.cm2.noarch.rpm +perl-vmsish-1.04-489.cm2.noarch.rpm perl-XML-Parser-2.46-2.cm2.x86_64.rpm perl-XML-Parser-debuginfo-2.46-2.cm2.x86_64.rpm pinentry-1.2.0-1.cm2.x86_64.rpm diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh index c88690134a5..7775cac931a 100755 --- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh +++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh 
@@ -394,20 +394,6 @@ chroot_and_install_rpms zlib build_rpm_in_chroot_no_install perl chroot_and_install_rpms perl -# perl-generators requires perl-Fedora-VSP -# All perl packages need perl-generators to correctly -# generate their run-time provides and requires. -build_rpm_in_chroot_no_install perl-Fedora-VSP -chroot_and_install_rpms perl-Fedora-VSP -build_rpm_in_chroot_no_install perl-generators -chroot_and_install_rpms perl-generators - -# Rebuilding perl packages with perl-generators installed. -# This only fixes the provides and requires - no need to re-install. -build_rpm_in_chroot_no_install perl -build_rpm_in_chroot_no_install perl-Fedora-VSP -build_rpm_in_chroot_no_install perl-generators - build_rpm_in_chroot_no_install flex build_rpm_in_chroot_no_install libarchive build_rpm_in_chroot_no_install diffutils @@ -439,6 +425,12 @@ build_rpm_in_chroot_no_install perl-Text-Template chroot_and_install_rpms perl-Text-Template build_rpm_in_chroot_no_install openssl +# perl-generators requires perl-Fedora-VSP +build_rpm_in_chroot_no_install perl-Fedora-VSP +chroot_and_install_rpms perl-Fedora-VSP +build_rpm_in_chroot_no_install perl-generators +chroot_and_install_rpms perl-generators + # build and install additional openjdk build dependencies build_rpm_in_chroot_no_install pcre chroot_and_install_rpms pcre From 3eef9c87e1cda29a05f754cfad5af30e521de375 Mon Sep 17 00:00:00 2001 
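Review bot: The second hunk installs perl-generators only after `perl`, `perl-Text-Template` and `openssl` have already been built, and the first hunk drops the rebuild pass that the removed comment justified ("All perl packages need perl-generators to correctly generate their run-time provides and requires"). If any of those specs still depend on generated Perl dependencies, their RPMs would be produced with incomplete Provides/Requires and nothing in this script would fail; presumably the specs now declare them explicitly, but the hunk does not say so. I would keep the rationale next to the moved block, e.g. `# Packages built above this point must declare their perl() provides/requires by hand; perl-generators is not installed yet.`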
From: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com> Date: Tue, 4 Jun 2024 15:21:33 -0700 Subject: [PATCH 16/31] openssl: only free buffers when done (#9309) --- ...read-buffers-if-we-re-not-using-them.patch | 67 +++++++++++++++++++ SPECS/openssl/openssl.spec | 11 ++- .../manifests/package/pkggen_core_aarch64.txt | 10 +-- .../manifests/package/pkggen_core_x86_64.txt | 10 +-- .../manifests/package/toolchain_aarch64.txt | 12 ++-- .../manifests/package/toolchain_x86_64.txt | 12 ++-- 6 files changed, 97 insertions(+), 25 deletions(-) create mode 100644 SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch diff --git a/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch b/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch new file mode 100644 index 00000000000..f5c67b87906 --- /dev/null +++ b/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch 
@@ -0,0 +1,67 @@ +From f7a045f3143fc6da2ee66bf52d8df04829590dd4 Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +--- + ssl/record/rec_layer_s3.c | 9 +++++++++ + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 1db1712a0..525c3abf4 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++ if (rl->rstate == SSL_ST_READ_BODY) ++ return 1; ++ if (RECORD_LAYER_processed_read_pending(rl)) ++ return 1; ++ return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index af56206e0..513ab3988 100644 +--- a/ssl/record/record.h ++++ b/ssl/record/record.h +@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index c01ad8291..356d65cb6 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -5248,6 +5248,9 @@ int 
SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++ if (RECORD_LAYER_data_present(rl)) ++ return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.33.8 + diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec index 751c1484002..f7c06c707b7 100644 --- a/SPECS/openssl/openssl.spec +++ b/SPECS/openssl/openssl.spec @@ -4,7 +4,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1k -Release: 30%{?dist} +Release: 31%{?dist} License: OpenSSL Vendor: Microsoft Corporation Distribution: Mariner @@ -61,6 +61,7 @@ Patch37: CVE-2023-3817.patch Patch38: openssl-1.1.1-improve-safety-of-DH.patch Patch39: openssl-1.1.1-add-null-checks-where-contentinfo-data-can-be-null.patch Patch40: openssl-1.1.1-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch +Patch41: openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch BuildRequires: perl-Test-Warnings BuildRequires: perl-Text-Template BuildRequires: perl(FindBin) @@ -174,6 +175,7 @@ cp %{SOURCE4} test/ %patch38 -p1 %patch39 -p1 %patch40 -p1 +%patch41 -p1 %build # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be @@ -363,8 +365,11 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist %postun libs -p /sbin/ldconfig %changelog -* Fri Apr 19 2024 Tobias Brick - 1.1.1k-30 -* Fix unconstrained session cache growth in TLSv1.3 +* Tue Jun 04 2024 Tobias Brick - 1.1.1k-31 +- Only free the read buffers if we're not using them + +* Fri Apr 19 2024 Tobias Brick - 1.1.1k-30 +- Fix unconstrained session cache growth in TLSv1.3 * Wed Feb 14 2024 Tobias Brick - 1.1.1k-29 - Introduce patch to correctly address NULL ContentInfo data diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 546a1aae2d3..7a10f66b261 100644 
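Review bot: The backported patch brings no regression test: its diffstat lists only `rec_layer_s3.c`, `record.h` and `ssl_lib.c`, so nothing in the package build exercises the state the new guard in `SSL_free_buffers()` exists for (a record body partly read, or processed record data not yet released). A test that calls `SSL_free_buffers()` in that state and expects 0 would keep the guard from being lost when the 1.1.1k patch stack is rebased. `RECORD_LAYER_data_present()` is also the only function shown in the rec_layer_s3.c hunk without a comment; I would add `/* Checks if a record body is partly read or processed record data has not been released */` above it. The patch header names no advisory, so if this backport answers a published one, reference it in the spec changelog as is done for the spec's other security patches (e.g. `CVE-2023-3817.patch`).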
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm gtk-doc-1.33.2-1.cm2.noarch.rpm autoconf-2.71-3.cm2.noarch.rpm automake-1.16.5-1.cm2.noarch.rpm -openssl-1.1.1k-30.cm2.aarch64.rpm -openssl-devel-1.1.1k-30.cm2.aarch64.rpm -openssl-libs-1.1.1k-30.cm2.aarch64.rpm -openssl-perl-1.1.1k-30.cm2.aarch64.rpm -openssl-static-1.1.1k-30.cm2.aarch64.rpm +openssl-1.1.1k-31.cm2.aarch64.rpm +openssl-devel-1.1.1k-31.cm2.aarch64.rpm +openssl-libs-1.1.1k-31.cm2.aarch64.rpm +openssl-perl-1.1.1k-31.cm2.aarch64.rpm +openssl-static-1.1.1k-31.cm2.aarch64.rpm libcap-2.60-2.cm2.aarch64.rpm libcap-devel-2.60-2.cm2.aarch64.rpm debugedit-5.0-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index fe9f188ed89..18b0d860c1b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm gtk-doc-1.33.2-1.cm2.noarch.rpm autoconf-2.71-3.cm2.noarch.rpm automake-1.16.5-1.cm2.noarch.rpm -openssl-1.1.1k-30.cm2.x86_64.rpm -openssl-devel-1.1.1k-30.cm2.x86_64.rpm -openssl-libs-1.1.1k-30.cm2.x86_64.rpm -openssl-perl-1.1.1k-30.cm2.x86_64.rpm -openssl-static-1.1.1k-30.cm2.x86_64.rpm +openssl-1.1.1k-31.cm2.x86_64.rpm +openssl-devel-1.1.1k-31.cm2.x86_64.rpm +openssl-libs-1.1.1k-31.cm2.x86_64.rpm +openssl-perl-1.1.1k-31.cm2.x86_64.rpm +openssl-static-1.1.1k-31.cm2.x86_64.rpm libcap-2.60-2.cm2.x86_64.rpm libcap-devel-2.60-2.cm2.x86_64.rpm debugedit-5.0-2.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 4edad6c7581..d73f50d3e6b 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm npth-debuginfo-1.6-4.cm2.aarch64.rpm npth-devel-1.6-4.cm2.aarch64.rpm ntsysv-1.20-4.cm2.aarch64.rpm -openssl-1.1.1k-30.cm2.aarch64.rpm -openssl-debuginfo-1.1.1k-30.cm2.aarch64.rpm -openssl-devel-1.1.1k-30.cm2.aarch64.rpm -openssl-libs-1.1.1k-30.cm2.aarch64.rpm -openssl-perl-1.1.1k-30.cm2.aarch64.rpm -openssl-static-1.1.1k-30.cm2.aarch64.rpm +openssl-1.1.1k-31.cm2.aarch64.rpm +openssl-debuginfo-1.1.1k-31.cm2.aarch64.rpm +openssl-devel-1.1.1k-31.cm2.aarch64.rpm +openssl-libs-1.1.1k-31.cm2.aarch64.rpm +openssl-perl-1.1.1k-31.cm2.aarch64.rpm +openssl-static-1.1.1k-31.cm2.aarch64.rpm p11-kit-0.24.1-1.cm2.aarch64.rpm p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm p11-kit-devel-0.24.1-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 345d9f3bc77..803916c07aa 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm npth-debuginfo-1.6-4.cm2.x86_64.rpm npth-devel-1.6-4.cm2.x86_64.rpm ntsysv-1.20-4.cm2.x86_64.rpm -openssl-1.1.1k-30.cm2.x86_64.rpm -openssl-debuginfo-1.1.1k-30.cm2.x86_64.rpm -openssl-devel-1.1.1k-30.cm2.x86_64.rpm -openssl-libs-1.1.1k-30.cm2.x86_64.rpm -openssl-perl-1.1.1k-30.cm2.x86_64.rpm -openssl-static-1.1.1k-30.cm2.x86_64.rpm +openssl-1.1.1k-31.cm2.x86_64.rpm +openssl-debuginfo-1.1.1k-31.cm2.x86_64.rpm +openssl-devel-1.1.1k-31.cm2.x86_64.rpm +openssl-libs-1.1.1k-31.cm2.x86_64.rpm +openssl-perl-1.1.1k-31.cm2.x86_64.rpm +openssl-static-1.1.1k-31.cm2.x86_64.rpm p11-kit-0.24.1-1.cm2.x86_64.rpm p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm p11-kit-devel-0.24.1-1.cm2.x86_64.rpm From d03e5fd81fd11f0c9f89409eb2411c2346ba3c94 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:53:17 -0700 Subject: [PATCH 17/31] [AUTO-CHERRYPICK] Fix fluent-bit CVE-2024-34250 with a patch - branch main (#9293) Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com> --- SPECS/fluent-bit/CVE-2024-34250.patch | 114 ++++++++++++++++++++++++++ SPECS/fluent-bit/fluent-bit.spec | 6 +- 2 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 SPECS/fluent-bit/CVE-2024-34250.patch diff --git a/SPECS/fluent-bit/CVE-2024-34250.patch b/SPECS/fluent-bit/CVE-2024-34250.patch new file mode 100644 index 00000000000..ffcae8c2327 --- /dev/null +++ b/SPECS/fluent-bit/CVE-2024-34250.patch 
@@ -0,0 +1,114 @@ +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c +index 2a06f42..87af852 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c +@@ -219,7 +219,10 @@ type2str(uint8 type) + static bool + is_32bit_type(uint8 type) + { +- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32 ++ if (type == VALUE_TYPE_I32 ++ || type == VALUE_TYPE_F32 ++ /* the operand stack is in polymorphic state */ ++ || type == VALUE_TYPE_ANY + #if WASM_ENABLE_REF_TYPES != 0 + || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF + #endif +@@ -6690,6 +6693,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth, + int32 i, available_stack_cell; + uint16 cell_num; + ++ bh_assert(loader_ctx->csp_num > 0); + if (loader_ctx->csp_num < depth + 1) { + set_error_buf(error_buf, error_buf_size, + "unknown label, " +@@ -7758,8 +7762,7 @@ re_scan: + } + + if (available_stack_cell > 0) { +- if (is_32bit_type(*(loader_ctx->frame_ref - 1)) +- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) { ++ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) { + loader_ctx->frame_ref--; + loader_ctx->stack_cell_num--; + #if WASM_ENABLE_FAST_INTERP != 0 +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c +index 47ec549..157a82c 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c +@@ -51,7 +51,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string) + static bool + is_32bit_type(uint8 type) + { +- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32 ++ if (type == VALUE_TYPE_I32 ++ || type == VALUE_TYPE_F32 ++ /* the 
operand stack is in polymorphic state */ ++ || type == VALUE_TYPE_ANY + #if WASM_ENABLE_REF_TYPES != 0 + || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF + #endif +@@ -3930,7 +3933,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf, + ctx->frame_ref--; + ctx->stack_cell_num--; + +- if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY) ++ if (is_32bit_type(type)) + return true; + + ctx->frame_ref--; +@@ -5839,13 +5842,11 @@ re_scan: + case WASM_OP_BR_TABLE: + { + uint8 *ret_types = NULL; +- uint32 ret_count = 0; ++ uint32 ret_count = 0, depth = 0; + #if WASM_ENABLE_FAST_INTERP == 0 +- uint8 *p_depth_begin, *p_depth; +- uint32 depth, j; + BrTableCache *br_table_cache = NULL; +- +- p_org = p - 1; ++ uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1; ++ uint32 j; + #endif + + read_leb_uint32(p, p_end, count); +@@ -5854,6 +5855,16 @@ re_scan: + #endif + POP_I32(); + ++ /* Get each depth and check it */ ++ p_org = p; ++ for (i = 0; i <= count; i++) { ++ read_leb_uint32(p, p_end, depth); ++ bh_assert(loader_ctx->csp_num > 0); ++ bh_assert(loader_ctx->csp_num - 1 >= depth); ++ (void)depth; ++ } ++ p = p_org; ++ + #if WASM_ENABLE_FAST_INTERP == 0 + p_depth_begin = p_depth = p; + #endif +@@ -5879,8 +5890,8 @@ re_scan: + error_buf, error_buf_size))) { + goto fail; + } +- *p_org = EXT_OP_BR_TABLE_CACHE; +- br_table_cache->br_table_op_addr = p_org; ++ *p_opcode = EXT_OP_BR_TABLE_CACHE; ++ br_table_cache->br_table_op_addr = p_opcode; + br_table_cache->br_count = count; + /* Copy previous depths which are one byte */ + for (j = 0; j < i; j++) { +@@ -6099,8 +6110,7 @@ re_scan: + && !cur_block->is_stack_polymorphic)); + + if (available_stack_cell > 0) { +- if (is_32bit_type(*(loader_ctx->frame_ref - 1)) +- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) { ++ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) { + loader_ctx->frame_ref--; + loader_ctx->stack_cell_num--; + #if WASM_ENABLE_FAST_INTERP != 0 
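Review bot: The depth validation this patch adds is written as `bh_assert()` calls — `bh_assert(loader_ctx->csp_num > 0)` in `wasm_loader_check_br` and the two asserts in the new `WASM_OP_BR_TABLE` pre-scan loop of wasm_mini_loader.c — so it protects nothing if that macro expands to a no-op in the configuration fluent-bit is built with; the `(void)depth;` after the asserts suggests that case is anticipated. Please confirm how `bh_assert` is defined for this build. If it is compiled out, the pre-scan loop needs a check that fails the load, along the lines of `if (loader_ctx->csp_num == 0 || loader_ctx->csp_num - 1 < depth) goto fail;`, with whatever error reporting the function uses (its body starts and ends outside the hunk). The patch file also has no header naming the upstream commit it was taken from, which makes the backport hard to audit against its source.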
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index df3c7a6defb..6c6c5e3daf2 100644 --- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -1,12 +1,13 @@ Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX Name: fluent-bit Version: 2.2.3 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner URL: https://fluentbit.io Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-34250.patch BuildRequires: bison BuildRequires: cmake BuildRequires: cyrus-sasl-devel @@ -80,6 +81,9 @@ Development files for %{name} %{_libdir}/fluent-bit/*.so %changelog +* Wed May 30 2024 Sindhu Karri - 2.2.3-2 +- Fix CVE-2024-34250 with a patch + * Tue May 28 2024 CBL-Mariner Servicing Account - 2.2.3-1 - Auto-upgrade to 2.2.3 - CVE-2024-4323 From 5f33b4845cdcc63b3dbf276f7245024583857930 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 4 Jun 2024 22:35:47 -0700 Subject: [PATCH 18/31] [AUTO-CHERRYPICK] reaper: address CVE-2024-4068 - branch main (#9298) Co-authored-by: Archana Choudhary <36061892+arc9693@users.noreply.github.com> --- SPECS/reaper/CVE-2018-11694.patch | 185 ------------ SPECS/reaper/CVE-2022-37601.patch | 39 --- SPECS/reaper/CVE-2023-26159.patch | 451 ---------------------------- SPECS/reaper/CVE-2023-28155.patch | 211 ------------- SPECS/reaper/reaper.signatures.json | 4 +- SPECS/reaper/reaper.spec | 23 +- 6 files changed, 14 insertions(+), 899 deletions(-) delete mode 100644 SPECS/reaper/CVE-2018-11694.patch delete mode 100644 SPECS/reaper/CVE-2022-37601.patch delete mode 100644 SPECS/reaper/CVE-2023-26159.patch delete mode 100644 SPECS/reaper/CVE-2023-28155.patch diff --git a/SPECS/reaper/CVE-2018-11694.patch b/SPECS/reaper/CVE-2018-11694.patch deleted file mode 100644 index 43f159afb7e..00000000000 
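Review bot: The new changelog entry in fluent-bit.spec is dated `Wed May 30 2024`, but 30 May 2024 was a Thursday (the entry below it, `Tue May 28 2024`, is consistent), so rpmbuild will report a bogus %changelog date; it should read `* Thu May 30 2024 …` or carry the day the change was actually made. Separately, the first hunk adds `Patch0: CVE-2024-34250.patch` but neither hunk touches %prep, whereas the openssl.spec change in this series adds an explicit `%patch41 -p1`. %prep is outside the hunks, so please confirm it uses `%autosetup` or otherwise applies Patch0; if it does not, the fix is declared but never applied to the shipped sources.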
--- a/SPECS/reaper/CVE-2018-11694.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -Fixes CVE-2018-11694: https://nvd.nist.gov/vuln/detail/CVE-2018-11694, -which is a vulnerability in libsass module version 3.5.5 -[Even though NVD lists CPE upto including 3.5.4, 3.5.5 also contains the -vulnerable code.] - -This patch adpats fixes in libsass sources for the mentioned CVE: -Patch: https://github.com/sass/libsass/pull/2760 -Patch: https://github.com/sass/libsass/pull/2762 -Issue: https://github.com/sass/libsass/issues/2663 - -From 2214ae16d9d9ec4c102c56a53ff5fb8d25217dd4 Mon Sep 17 00:00:00 2001 -From: -Date: Fri, 4 Aug 2023 15:04:06 +0530 -Subject: [PATCH] Disallow parent selectors in selector-append. - Fix crash in selector-append('.x~~', 'a') - ---- - .../node-sass/src/libsass/src/functions.cpp | 26 +++++++++++-------- - .../node-sass/src/libsass/src/parser.cpp | 14 +++++----- - .../node-sass/src/libsass/src/parser.hpp | 13 +++++----- - 3 files changed, 29 insertions(+), 24 deletions(-) - -diff --git a/node_modules/node-sass/src/libsass/src/functions.cpp b/node_modules/node-sass/src/libsass/src/functions.cpp -index c9999fc3..4227d4de 100644 ---- a/node_modules/node-sass/src/libsass/src/functions.cpp -+++ b/node_modules/node-sass/src/libsass/src/functions.cpp -@@ -240,13 +240,13 @@ namespace Sass { - std::stringstream msg; - msg << argname << ": null is not a valid selector: it must be a string,\n"; - msg << "a list of strings, or a list of lists of strings for `" << function_name(sig) << "'"; -- error(msg.str(), pstate, traces); -+ error(msg.str(), exp->pstate(), traces); - } - if (String_Constant_Ptr str = Cast(exp)) { - str->quote_mark(0); - } - std::string exp_src = exp->to_string(ctx.c_options); -- return Parser::parse_selector(exp_src.c_str(), ctx, traces); -+ return Parser::parse_selector(exp_src.c_str(), ctx, traces, exp->pstate(), pstate.src); - } - - template <> -@@ -255,13 +255,13 @@ namespace Sass { - if (exp->concrete_type() == Expression::NULL_VAL) { - std::stringstream msg; - msg << argname << ": null is not a 
string for `" << function_name(sig) << "'"; -- error(msg.str(), pstate, traces); -+ error(msg.str(), exp->pstate(), traces); - } - if (String_Constant_Ptr str = Cast(exp)) { - str->quote_mark(0); - } - std::string exp_src = exp->to_string(ctx.c_options); -- Selector_List_Obj sel_list = Parser::parse_selector(exp_src.c_str(), ctx, traces); -+ Selector_List_Obj sel_list = Parser::parse_selector(exp_src.c_str(), ctx, traces, exp->pstate(), pstate.src); - if (sel_list->length() == 0) return NULL; - Complex_Selector_Obj first = sel_list->first(); - if (!first->tail()) return first->head(); -@@ -1970,7 +1970,7 @@ namespace Sass { - str->quote_mark(0); - } - std::string exp_src = exp->to_string(ctx.c_options); -- Selector_List_Obj sel = Parser::parse_selector(exp_src.c_str(), ctx, traces); -+ Selector_List_Obj sel = Parser::parse_selector(exp_src.c_str(), ctx, traces, exp->pstate(), pstate.src); - parsedSelectors.push_back(sel); - } - -@@ -2023,7 +2023,9 @@ namespace Sass { - str->quote_mark(0); - } - std::string exp_src = exp->to_string(); -- Selector_List_Obj sel = Parser::parse_selector(exp_src.c_str(), ctx, traces); -+ Selector_List_Obj sel = Parser::parse_selector(exp_src.c_str(), ctx, traces, -+ exp->pstate(), pstate.src, -+ /*allow_parent=*/false); - parsedSelectors.push_back(sel); - } - -@@ -2077,11 +2079,13 @@ namespace Sass { - - // TODO: Add check for namespace stuff - -- // append any selectors in childSeq's head -- parentSeqClone->innermost()->head()->concat(base->head()); -- -- // Set parentSeqClone new tail -- parentSeqClone->innermost()->tail( base->tail() ); -+ Complex_Selector_Ptr lastComponent = parentSeqClone->mutable_last(); -+ if (lastComponent->head() == nullptr) { -+ std::string msg = "Parent \"" + parentSeqClone->to_string() + "\" is incompatible with \"" + base->to_string() + "\""; -+ error(msg, pstate, traces); -+ } -+ lastComponent->head()->concat(base->head()); -+ lastComponent->tail(base->tail()); - - newElements.push_back(parentSeqClone); - 
} -diff --git a/node_modules/node-sass/src/libsass/src/parser.cpp b/node_modules/node-sass/src/libsass/src/parser.cpp -index 28fe0224..8d916269 100644 ---- a/node_modules/node-sass/src/libsass/src/parser.cpp -+++ b/node_modules/node-sass/src/libsass/src/parser.cpp -@@ -30,11 +30,11 @@ namespace Sass { - using namespace Constants; - using namespace Prelexer; - -- Parser Parser::from_c_str(const char* beg, Context& ctx, Backtraces traces, ParserState pstate, const char* source) -+ Parser Parser::from_c_str(const char* beg, Context& ctx, Backtraces traces, ParserState pstate, const char* source, bool allow_parent) - { - pstate.offset.column = 0; - pstate.offset.line = 0; -- Parser p(ctx, pstate, traces); -+ Parser p(ctx, pstate, traces, allow_parent); - p.source = source ? source : beg; - p.position = beg ? beg : p.source; - p.end = p.position + strlen(p.position); -@@ -44,11 +44,11 @@ namespace Sass { - return p; - } - -- Parser Parser::from_c_str(const char* beg, const char* end, Context& ctx, Backtraces traces, ParserState pstate, const char* source) -+ Parser Parser::from_c_str(const char* beg, const char* end, Context& ctx, Backtraces traces, ParserState pstate, const char* source, bool allow_parent) - { - pstate.offset.column = 0; - pstate.offset.line = 0; -- Parser p(ctx, pstate, traces); -+ Parser p(ctx, pstate, traces, allow_parent); - p.source = source ? source : beg; - p.position = beg ? beg : p.source; - p.end = end ? 
end : p.position + strlen(p.position); -@@ -66,10 +66,9 @@ namespace Sass { - pstate.offset.line = 0; - } - -- Selector_List_Obj Parser::parse_selector(const char* beg, Context& ctx, Backtraces traces, ParserState pstate, const char* source) -+ Selector_List_Obj Parser::parse_selector(const char* beg, Context& ctx, Backtraces traces, ParserState pstate, const char* source, bool allow_parent) - { -- Parser p = Parser::from_c_str(beg, ctx, traces, pstate, source); -- // ToDo: ruby sass errors on parent references -+ Parser p = Parser::from_c_str(beg, ctx, traces, pstate, source, allow_parent); - // ToDo: remap the source-map entries somehow - return p.parse_selector_list(false); - } -@@ -818,6 +817,7 @@ namespace Sass { - // parse parent selector - else if (lex< exactly<'&'> >(false)) - { -+ if (!allow_parent) error("Parent selectors aren't allowed here."); - // this produces a linefeed!? - seq->has_parent_reference(true); - seq->append(SASS_MEMORY_NEW(Parent_Selector, pstate)); -diff --git a/node_modules/node-sass/src/libsass/src/parser.hpp b/node_modules/node-sass/src/libsass/src/parser.hpp -index d2a6ddc1..2371dfca 100644 ---- a/node_modules/node-sass/src/libsass/src/parser.hpp -+++ b/node_modules/node-sass/src/libsass/src/parser.hpp -@@ -48,23 +48,24 @@ namespace Sass { - Backtraces traces; - size_t indentation; - size_t nestings; -+ bool allow_parent; - - Token lexed; - -- Parser(Context& ctx, const ParserState& pstate, Backtraces traces) -+ Parser(Context& ctx, const ParserState& pstate, Backtraces traces, bool allow_parent = true) - : ParserState(pstate), ctx(ctx), block_stack(), stack(0), last_media_block(), - source(0), position(0), end(0), before_token(pstate), after_token(pstate), -- pstate(pstate), traces(traces), indentation(0), nestings(0) -+ pstate(pstate), traces(traces), indentation(0), nestings(0), allow_parent(allow_parent) - { - stack.push_back(Scope::Root); - } - - // static Parser from_string(const std::string& src, Context& ctx, ParserState 
pstate = ParserState("[STRING]")); -- static Parser from_c_str(const char* src, Context& ctx, Backtraces, ParserState pstate = ParserState("[CSTRING]"), const char* source = 0); -- static Parser from_c_str(const char* beg, const char* end, Context& ctx, Backtraces, ParserState pstate = ParserState("[CSTRING]"), const char* source = 0); -- static Parser from_token(Token t, Context& ctx, Backtraces, ParserState pstate = ParserState("[TOKEN]"), const char* source = 0); -+ static Parser from_c_str(const char* src, Context& ctx, Backtraces, ParserState pstate = ParserState("[CSTRING]"), const char* source = nullptr, bool allow_parent = true); -+ static Parser from_c_str(const char* beg, const char* end, Context& ctx, Backtraces, ParserState pstate = ParserState("[CSTRING]"), const char* source = nullptr, bool allow_parent = true); -+ static Parser from_token(Token t, Context& ctx, Backtraces, ParserState pstate = ParserState("[TOKEN]"), const char* source = nullptr); - // special static parsers to convert strings into certain selectors -- static Selector_List_Obj parse_selector(const char* src, Context& ctx, Backtraces, ParserState pstate = ParserState("[SELECTOR]"), const char* source = 0); -+ static Selector_List_Obj parse_selector(const char* src, Context& ctx, Backtraces, ParserState pstate = ParserState("[SELECTOR]"), const char* source = nullptr, bool allow_parent = true); - - #ifdef __clang__ - diff --git a/SPECS/reaper/CVE-2022-37601.patch b/SPECS/reaper/CVE-2022-37601.patch deleted file mode 100644 index a187cce2e3d..00000000000 --- a/SPECS/reaper/CVE-2022-37601.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff --git a/node_modules/loader-utils/lib/parseQuery.js b/node_modules/loader-utils/lib/parseQuery.js -index 12b3efc6..3dd7cb9b 100644 ---- a/node_modules/loader-utils/lib/parseQuery.js -+++ b/node_modules/loader-utils/lib/parseQuery.js -@@ -26,7 +26,7 @@ function parseQuery(query) { - } - - const queryArgs = query.split(/[,&]/g); -- const result = {}; -+ const result = Object.create(null); - - queryArgs.forEach((arg) => { - const idx = arg.indexOf('='); -diff --git a/node_modules/style-loader/node_modules/loader-utils/lib/parseQuery.js b/node_modules/style-loader/node_modules/loader-utils/lib/parseQuery.js -index fdca007d..4a201a2e 100644 ---- a/node_modules/style-loader/node_modules/loader-utils/lib/parseQuery.js -+++ b/node_modules/style-loader/node_modules/loader-utils/lib/parseQuery.js -@@ -26,7 +26,7 @@ function parseQuery(query) { - } - - const queryArgs = query.split(/[,&]/g); -- const result = {}; -+ const result = Object.create(null); - - queryArgs.forEach((arg) => { - const idx = arg.indexOf('='); -diff --git a/node_modules/url-loader/node_modules/loader-utils/lib/parseQuery.js b/node_modules/url-loader/node_modules/loader-utils/lib/parseQuery.js -index fdca007d..4a201a2e 100644 ---- a/node_modules/url-loader/node_modules/loader-utils/lib/parseQuery.js -+++ b/node_modules/url-loader/node_modules/loader-utils/lib/parseQuery.js -@@ -26,7 +26,7 @@ function parseQuery(query) { - } - - const queryArgs = query.split(/[,&]/g); -- const result = {}; -+ const result = Object.create(null); - - queryArgs.forEach((arg) => { - const idx = arg.indexOf('='); diff --git a/SPECS/reaper/CVE-2023-26159.patch b/SPECS/reaper/CVE-2023-26159.patch deleted file mode 100644 index 49bc9ab4e10..00000000000 --- a/SPECS/reaper/CVE-2023-26159.patch +++ /dev/null 
@@ -1,451 +0,0 @@ -diff --git a/node_modules/follow-redirects/index.js b/node_modules/follow-redirects/index.js -index 212f00a..3232a72 100644 ---- a/node_modules/follow-redirects/index.js -+++ b/node_modules/follow-redirects/index.js -@@ -6,6 +6,29 @@ var Writable = require("stream").Writable; - var assert = require("assert"); - var debug = require("./debug"); - -+// Whether to use the native URL object or the legacy url module -+var useNativeURL = false; -+try { -+ assert(new URL()); -+} -+catch (error) { -+ useNativeURL = error.code === "ERR_INVALID_URL"; -+} -+ -+// URL fields to preserve in copy operations -+var preservedUrlFields = [ -+ "auth", -+ "host", -+ "hostname", -+ "href", -+ "path", -+ "pathname", -+ "port", -+ "protocol", -+ "query", -+ "search", -+]; -+ - // Create handlers that pass events from native requests - var events = ["abort", "aborted", "connect", "error", "socket", "timeout"]; - var eventHandlers = Object.create(null); -@@ -16,13 +39,19 @@ events.forEach(function (event) { - }); - - // Error types with codes -+var InvalidUrlError = createErrorType( -+ "ERR_INVALID_URL", -+ "Invalid URL", -+ TypeError -+); - var RedirectionError = createErrorType( - "ERR_FR_REDIRECTION_FAILURE", - "Redirected request failed" - ); - var TooManyRedirectsError = createErrorType( - "ERR_FR_TOO_MANY_REDIRECTS", -- "Maximum number of redirects exceeded" -+ "Maximum number of redirects exceeded", -+ RedirectionError - ); - var MaxBodyLengthExceededError = createErrorType( - "ERR_FR_MAX_BODY_LENGTH_EXCEEDED", -@@ -33,6 +62,9 @@ var WriteAfterEndError = createErrorType( - "write after end" - ); - -+// istanbul ignore next -+var destroy = Writable.prototype.destroy || noop; -+ - // An HTTP(S) request that can be redirected - function RedirectableRequest(options, responseCallback) { - // Initialize the request -@@ -54,7 +86,13 @@ function RedirectableRequest(options, responseCallback) { - // React to responses of native requests - var self = this; - 
this._onNativeResponse = function (response) { -- self._processResponse(response); -+ try { -+ self._processResponse(response); -+ } -+ catch (cause) { -+ self.emit("error", cause instanceof RedirectionError ? -+ cause : new RedirectionError({ cause: cause })); -+ } - }; - - // Perform the first request -@@ -63,10 +101,17 @@ function RedirectableRequest(options, responseCallback) { - RedirectableRequest.prototype = Object.create(Writable.prototype); - - RedirectableRequest.prototype.abort = function () { -- abortRequest(this._currentRequest); -+ destroyRequest(this._currentRequest); -+ this._currentRequest.abort(); - this.emit("abort"); - }; - -+RedirectableRequest.prototype.destroy = function (error) { -+ destroyRequest(this._currentRequest, error); -+ destroy.call(this, error); -+ return this; -+}; -+ - // Writes buffered data to the current native request - RedirectableRequest.prototype.write = function (data, encoding, callback) { - // Writing is not allowed if end has been called -@@ -75,10 +120,10 @@ RedirectableRequest.prototype.write = function (data, encoding, callback) { - } - - // Validate input and shift parameters if necessary -- if (!(typeof data === "string" || typeof data === "object" && ("length" in data))) { -+ if (!isString(data) && !isBuffer(data)) { - throw new TypeError("data should be a string, Buffer or Uint8Array"); - } -- if (typeof encoding === "function") { -+ if (isFunction(encoding)) { - callback = encoding; - encoding = null; - } -@@ -107,11 +152,11 @@ RedirectableRequest.prototype.write = function (data, encoding, callback) { - // Ends the current native request - RedirectableRequest.prototype.end = function (data, encoding, callback) { - // Shift parameters if necessary -- if (typeof data === "function") { -+ if (isFunction(data)) { - callback = data; - data = encoding = null; - } -- else if (typeof encoding === "function") { -+ else if (isFunction(encoding)) { - callback = encoding; - encoding = null; - } -@@ -179,6 +224,7 @@ 
RedirectableRequest.prototype.setTimeout = function (msecs, callback) { - self.removeListener("abort", clearTimer); - self.removeListener("error", clearTimer); - self.removeListener("response", clearTimer); -+ self.removeListener("close", clearTimer); - if (callback) { - self.removeListener("timeout", callback); - } -@@ -205,6 +251,7 @@ RedirectableRequest.prototype.setTimeout = function (msecs, callback) { - this.on("abort", clearTimer); - this.on("error", clearTimer); - this.on("response", clearTimer); -+ this.on("close", clearTimer); - - return this; - }; -@@ -263,8 +310,7 @@ RedirectableRequest.prototype._performRequest = function () { - var protocol = this._options.protocol; - var nativeProtocol = this._options.nativeProtocols[protocol]; - if (!nativeProtocol) { -- this.emit("error", new TypeError("Unsupported protocol " + protocol)); -- return; -+ throw new TypeError("Unsupported protocol " + protocol); - } - - // If specified, use the agent corresponding to the protocol -@@ -288,7 +334,7 @@ RedirectableRequest.prototype._performRequest = function () { - url.format(this._options) : - // When making a request to a proxy, […] - // a client MUST send the target URI in absolute-form […]. -- this._currentUrl = this._options.path; -+ this._options.path; - - // End a redirected request - // (The first request must be ended explicitly with RedirectableRequest#end) -@@ -356,15 +402,14 @@ RedirectableRequest.prototype._processResponse = function (response) { - } - - // The response is a redirect, so abort the current request -- abortRequest(this._currentRequest); -+ destroyRequest(this._currentRequest); - // Discard the remainder of the response to avoid waiting for data - response.destroy(); - - // RFC7231§6.4: A client SHOULD detect and intervene - // in cyclical redirections (i.e., "infinite" redirection loops). 
- if (++this._redirectCount > this._options.maxRedirects) { -- this.emit("error", new TooManyRedirectsError()); -- return; -+ throw new TooManyRedirectsError(); - } - - // Store the request headers if applicable -@@ -398,38 +443,28 @@ RedirectableRequest.prototype._processResponse = function (response) { - var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers); - - // If the redirect is relative, carry over the host of the last request -- var currentUrlParts = url.parse(this._currentUrl); -+ var currentUrlParts = parseUrl(this._currentUrl); - var currentHost = currentHostHeader || currentUrlParts.host; - var currentUrl = /^\w+:/.test(location) ? this._currentUrl : - url.format(Object.assign(currentUrlParts, { host: currentHost })); - -- // Determine the URL of the redirection -- var redirectUrl; -- try { -- redirectUrl = url.resolve(currentUrl, location); -- } -- catch (cause) { -- this.emit("error", new RedirectionError(cause)); -- return; -- } -- - // Create the redirected request -- debug("redirecting to", redirectUrl); -+ var redirectUrl = resolveUrl(location, currentUrl); -+ debug("redirecting to", redirectUrl.href); - this._isRedirect = true; -- var redirectUrlParts = url.parse(redirectUrl); -- Object.assign(this._options, redirectUrlParts); -+ spreadUrlObject(redirectUrl, this._options); - - // Drop confidential headers when redirecting to a less secure protocol - // or to a different domain that is not a superdomain -- if (redirectUrlParts.protocol !== currentUrlParts.protocol && -- redirectUrlParts.protocol !== "https:" || -- redirectUrlParts.host !== currentHost && -- !isSubdomain(redirectUrlParts.host, currentHost)) { -+ if (redirectUrl.protocol !== currentUrlParts.protocol && -+ redirectUrl.protocol !== "https:" || -+ redirectUrl.host !== currentHost && -+ !isSubdomain(redirectUrl.host, currentHost)) { - removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); - } - - // Evaluate the beforeRedirect callback 
-- if (typeof beforeRedirect === "function") { -+ if (isFunction(beforeRedirect)) { - var responseDetails = { - headers: response.headers, - statusCode: statusCode, -@@ -439,23 +474,12 @@ RedirectableRequest.prototype._processResponse = function (response) { - method: method, - headers: requestHeaders, - }; -- try { -- beforeRedirect(this._options, responseDetails, requestDetails); -- } -- catch (err) { -- this.emit("error", err); -- return; -- } -+ beforeRedirect(this._options, responseDetails, requestDetails); - this._sanitizeOptions(this._options); - } - - // Perform the redirected request -- try { -- this._performRequest(); -- } -- catch (cause) { -- this.emit("error", new RedirectionError(cause)); -- } -+ this._performRequest(); - }; - - // Wraps the key/value object of protocols with redirect functionality -@@ -475,26 +499,19 @@ function wrap(protocols) { - - // Executes a request, following redirects - function request(input, options, callback) { -- // Parse parameters -- if (typeof input === "string") { -- var urlStr = input; -- try { -- input = urlToOptions(new URL(urlStr)); -- } -- catch (err) { -- /* istanbul ignore next */ -- input = url.parse(urlStr); -- } -+ // Parse parameters, ensuring that input is an object -+ if (isURL(input)) { -+ input = spreadUrlObject(input); - } -- else if (URL && (input instanceof URL)) { -- input = urlToOptions(input); -+ else if (isString(input)) { -+ input = spreadUrlObject(parseUrl(input)); - } - else { - callback = options; -- options = input; -+ options = validateUrl(input); - input = { protocol: protocol }; - } -- if (typeof options === "function") { -+ if (isFunction(options)) { - callback = options; - options = null; - } -@@ -505,6 +522,9 @@ function wrap(protocols) { - maxBodyLength: exports.maxBodyLength, - }, input, options); - options.nativeProtocols = nativeProtocols; -+ if (!isString(options.host) && !isString(options.hostname)) { -+ options.hostname = "::1"; -+ } - - assert.equal(options.protocol, protocol, 
"protocol mismatch"); - debug("options", options); -@@ -527,27 +547,57 @@ function wrap(protocols) { - return exports; - } - --/* istanbul ignore next */ - function noop() { /* empty */ } - --// from https://github.com/nodejs/node/blob/master/lib/internal/url.js --function urlToOptions(urlObject) { -- var options = { -- protocol: urlObject.protocol, -- hostname: urlObject.hostname.startsWith("[") ? -- /* istanbul ignore next */ -- urlObject.hostname.slice(1, -1) : -- urlObject.hostname, -- hash: urlObject.hash, -- search: urlObject.search, -- pathname: urlObject.pathname, -- path: urlObject.pathname + urlObject.search, -- href: urlObject.href, -- }; -- if (urlObject.port !== "") { -- options.port = Number(urlObject.port); -+function parseUrl(input) { -+ var parsed; -+ /* istanbul ignore else */ -+ if (useNativeURL) { -+ parsed = new URL(input); - } -- return options; -+ else { -+ // Ensure the URL is valid and absolute -+ parsed = validateUrl(url.parse(input)); -+ if (!isString(parsed.protocol)) { -+ throw new InvalidUrlError({ input }); -+ } -+ } -+ return parsed; -+} -+ -+function resolveUrl(relative, base) { -+ /* istanbul ignore next */ -+ return useNativeURL ? 
new URL(relative, base) : parseUrl(url.resolve(base, relative)); -+} -+ -+function validateUrl(input) { -+ if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) { -+ throw new InvalidUrlError({ input: input.href || input }); -+ } -+ if (/^\[/.test(input.host) && !/^\[[:0-9a-f]+\](:\d+)?$/i.test(input.host)) { -+ throw new InvalidUrlError({ input: input.href || input }); -+ } -+ return input; -+} -+ -+function spreadUrlObject(urlObject, target) { -+ var spread = target || {}; -+ for (var key of preservedUrlFields) { -+ spread[key] = urlObject[key]; -+ } -+ -+ // Fix IPv6 hostname -+ if (spread.hostname.startsWith("[")) { -+ spread.hostname = spread.hostname.slice(1, -1); -+ } -+ // Ensure port is a number -+ if (spread.port !== "") { -+ spread.port = Number(spread.port); -+ } -+ // Concatenate path -+ spread.path = spread.search ? spread.pathname + spread.search : spread.pathname; -+ -+ return spread; - } - - function removeMatchingHeaders(regex, headers) { -@@ -562,37 +612,60 @@ function removeMatchingHeaders(regex, headers) { - undefined : String(lastValue).trim(); - } - --function createErrorType(code, defaultMessage) { -- function CustomError(cause) { -+function createErrorType(code, message, baseClass) { -+ // Create constructor -+ function CustomError(properties) { - Error.captureStackTrace(this, this.constructor); -- if (!cause) { -- this.message = defaultMessage; -- } -- else { -- this.message = defaultMessage + ": " + cause.message; -- this.cause = cause; -- } -- } -- CustomError.prototype = new Error(); -- CustomError.prototype.constructor = CustomError; -- CustomError.prototype.name = "Error [" + code + "]"; -- CustomError.prototype.code = code; -+ Object.assign(this, properties || {}); -+ this.code = code; -+ this.message = this.cause ? 
message + ": " + this.cause.message : message; -+ } -+ -+ // Attach constructor and set default properties -+ CustomError.prototype = new (baseClass || Error)(); -+ Object.defineProperties(CustomError.prototype, { -+ constructor: { -+ value: CustomError, -+ enumerable: false, -+ }, -+ name: { -+ value: "Error [" + code + "]", -+ enumerable: false, -+ }, -+ }); - return CustomError; - } - --function abortRequest(request) { -+function destroyRequest(request, error) { - for (var event of events) { - request.removeListener(event, eventHandlers[event]); - } - request.on("error", noop); -- request.abort(); -+ request.destroy(error); - } - - function isSubdomain(subdomain, domain) { -- const dot = subdomain.length - domain.length - 1; -+ assert(isString(subdomain) && isString(domain)); -+ var dot = subdomain.length - domain.length - 1; - return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain); - } - -+function isString(value) { -+ return typeof value === "string" || value instanceof String; -+} -+ -+function isFunction(value) { -+ return typeof value === "function"; -+} -+ -+function isBuffer(value) { -+ return typeof value === "object" && ("length" in value); -+} -+ -+function isURL(value) { -+ return URL && value instanceof URL; -+} -+ - // Exports - module.exports = wrap({ http: http, https: https }); - module.exports.wrap = wrap; diff --git a/SPECS/reaper/CVE-2023-28155.patch b/SPECS/reaper/CVE-2023-28155.patch deleted file mode 100644 index dcfe0b1ef98..00000000000 --- a/SPECS/reaper/CVE-2023-28155.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -Fixes CVE-2023-28155: https://nvd.nist.gov/vuln/detail/CVE-2023-28155, which is a vulnerability -in the the request module that is used by this package. - -Note that request is deprecated (see https://github.com/request/request for details), so this -has not and will never be fixed in the request module itself. However, there is a pull request -that fixes it. - -Adapted by tobiasb@microsoft.com from a pull request for a patch to request: - https://github.com/request/request/pull/3444/files - -From d42332182512e56ba68446f49c3e3711e04301a2 Mon Sep 17 00:00:00 2001 -From: -Date: Sun, 12 Mar 2023 19:47:24 +0100 -Subject: [PATCH 1/5] Added option "allowInsecureRedirect" - ---- -PATCH NOTE -- ORIGINAL: - lib/redirect.js | 6 +++++- -PATCH NOTE -- UPDATE: - node_modules/request/lib/redirect.js | 6 +++++- - -PATCH NOTE: These tests are not included in the module we use, so they are not included in this patch. - tests/test-httpModule.js | 3 ++- - tests/test-redirect.js | 15 ++++++++++++++- - -PATCH NOTE -- ORIGINAL: - 3 files changed, 21 insertions(+), 3 deletions(-) -PATCH NOTE -- UPDATED: - 1 file changed, 5 insertions(+), 1 deletion(-) - -# PATCH NOTE -- ORIGINAL: -#diff --git a/lib/redirect.js b/lib/redirect.js -# PATCH NOTE -- UPDATED with path used within the source tarball: -diff --git a/node_modules/request/lib/redirect.js b/node_modules/request/lib/redirect.js - -index b9150e77c..770c7f41b 100644 -# PATCH NOTE -- ORIGINAL: -# --- a/lib/redirect.js -# 
+++ b/lib/redirect.js -# PATCH NOTE -- UPDATED with path used within the source tarball: ---- a/node_modules/request/lib/redirect.js -+++ b/node_modules/request/lib/redirect.js - -@@ -14,6 +14,7 @@ function Redirect (request) { - this.redirects = [] - this.redirectsFollowed = 0 - this.removeRefererHeader = false -+ this.allowInsecureRedirect = false - } - - Redirect.prototype.onRequest = function (options) { -@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) { - if (options.followOriginalHttpMethod !== undefined) { - self.followOriginalHttpMethod = options.followOriginalHttpMethod - } -+ if (options.allowInsecureRedirect !== undefined) { -+ self.allowInsecureRedirect = options.allowInsecureRedirect; -+ } - } - - Redirect.prototype.redirectTo = function (response) { -@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) { - request.uri = url.parse(redirectTo) - - // handle the case where we change protocol from https to http or vice versa -- if (request.uri.protocol !== uriPrev.protocol) { -+ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) { - delete request.agent - } - -# PATCH NOTE: The rest of the diffs are not applied because they are tests and not -# included in the source tarball. -# diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js -# index 4d4e236bf..a59c427b1 100644 -# --- a/tests/test-httpModule.js -# +++ b/tests/test-httpModule.js -# @@ -70,7 +70,8 @@ function runTests (name, httpModules) { -# tape(name, function (t) { -# var toHttps = 'http://localhost:' + plainServer.port + '/to_https' -# var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain' -# - var options = { httpModules: httpModules, strictSSL: false } -# + var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true } -# + var optionsSecure = { httpModules: httpModules, strictSSL: false } -# var modulesTest = httpModules || {} - -# clearFauxRequests() -# 
diff --git a/tests/test-redirect.js b/tests/test-redirect.js -# index b7b5ca676..48b4982e4 100644 -# --- a/tests/test-redirect.js -# +++ b/tests/test-redirect.js -# @@ -345,7 +345,8 @@ tape('http to https redirect', function (t) { -# hits = {} -# request.get({ -# uri: require('url').parse(s.url + '/ssl'), -# - rejectUnauthorized: false -# + rejectUnauthorized: false, -# + allowInsecureRedirect: true -# }, function (err, res, body) { -# t.equal(err, null) -# t.equal(res.statusCode, 200) -# @@ -354,6 +355,18 @@ tape('http to https redirect', function (t) { -# }) -# }) - -# +tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) { -# + hits = {} -# + request.get({ -# + uri: require('url').parse(s.url + '/ssl'), -# + rejectUnauthorized: false -# + }, function (err, res, body) { -# + t.notEqual(err, null) -# + t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect") -# + t.end() -# + }) -# +}) -# + -# tape('should have referer header by default when following redirect', function (t) { -# request.post({ -# uri: s.url + '/temp', - -# From 9d69d750f39cc5ab6f3b011e17472bc28b14dc22 Mon Sep 17 00:00:00 2001 -# From: Szymon Drosdzol -# Date: Sun, 12 Mar 2023 19:50:09 +0100 -# Subject: [PATCH 2/5] Documented allowInsecureRedirect in Readme - -# --- -# README.md | 1 + -# 1 file changed, 1 insertion(+) - -# diff --git a/README.md b/README.md -# index 42290d5ce..dd432a768 100644 -# --- a/README.md -# +++ b/README.md -# 
@@ -809,6 +809,7 @@ The first argument can be either a `url` or an `options` object. The only requir -# - `followOriginalHttpMethod` - by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: `false`) -# - `maxRedirects` - the maximum number of redirects to follow (default: `10`) -# - `removeRefererHeader` - removes the referer header when a redirect happens (default: `false`). **Note:** if true, referer header set in the initial request is preserved during redirect chain. -# +- `allowInsecureRedirect` - allows cross-protocol redirects (HTTP to HTTPS and vice versa). **Warning:** may lead to bypassing anti SSRF filters - -# --- - - -# From 8a15249d182e54a261b1539846f76d913a6904f4 Mon Sep 17 00:00:00 2001 -# From: SzymonDrosdzol <84710686+SzymonDrosdzol@users.noreply.github.com> -# Date: Fri, 17 Mar 2023 10:09:46 +0100 -# Subject: [PATCH 3/5] Removed semicolon - -# Co-authored-by: legobeat <109787230+legobeat@users.noreply.github.com> -# --- -# lib/redirect.js | 2 +- -# 1 file changed, 1 insertion(+), 1 deletion(-) - -# diff --git a/lib/redirect.js b/lib/redirect.js -# index 770c7f41b..2864f9f2a 100644 -# --- a/lib/redirect.js -# +++ b/lib/redirect.js -# @@ -42,7 +42,7 @@ Redirect.prototype.onRequest = function (options) { -# self.followOriginalHttpMethod = options.followOriginalHttpMethod -# } -# if (options.allowInsecureRedirect !== undefined) { -# - self.allowInsecureRedirect = options.allowInsecureRedirect; -# + self.allowInsecureRedirect = options.allowInsecureRedirect -# } -# } - - -# From 8535868fc88f24ed652d3f290bfd553a2cdbb811 Mon Sep 17 00:00:00 2001 -# From: SzymonDrosdzol <84710686+SzymonDrosdzol@users.noreply.github.com> -# Date: Fri, 17 Mar 2023 10:12:09 +0100 -# Subject: [PATCH 4/5] Code style fix - -# Co-authored-by: Kevin van Rijn <6368561+kevinvanrijn@users.noreply.github.com> -# --- -# tests/test-redirect.js | 2 +- -# 1 file changed, 1 insertion(+), 1 deletion(-) - -# 
diff --git a/tests/test-redirect.js b/tests/test-redirect.js -# index 48b4982e4..3e1957604 100644 -# --- a/tests/test-redirect.js -# +++ b/tests/test-redirect.js -# @@ -362,7 +362,7 @@ tape('http to https redirect should fail without the explicit "allowInsecureRedi -# rejectUnauthorized: false -# }, function (err, res, body) { -# t.notEqual(err, null) -# - t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect") -# + t.equal(err.code, 'ERR_INVALID_PROTOCOL', 'Failed to cross-protocol redirect') -# t.end() -# }) -# }) - -# From 43647c4bd6e451f350267d5236463b4248dbc8df Mon Sep 17 00:00:00 2001 -# From: SzymonDrosdzol <84710686+SzymonDrosdzol@users.noreply.github.com> -# Date: Fri, 17 Mar 2023 10:22:33 +0100 -# Subject: [PATCH 5/5] Removed leftover declaration - -# --- -# tests/test-httpModule.js | 1 - -# 1 file changed, 1 deletion(-) - -# diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js -# index a59c427b1..f12382fe6 100644 -# --- a/tests/test-httpModule.js -# +++ b/tests/test-httpModule.js -# @@ -71,7 +71,6 @@ function runTests (name, httpModules) { -# var toHttps = 'http://localhost:' + plainServer.port + '/to_https' -# var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain' -# var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true } -# - var optionsSecure = { httpModules: httpModules, strictSSL: false } -# var modulesTest = httpModules || {} - -# clearFauxRequests() diff --git a/SPECS/reaper/reaper.signatures.json b/SPECS/reaper/reaper.signatures.json index b5e85568f9c..bf4d8f2779c 100755 --- a/SPECS/reaper/reaper.signatures.json +++ b/SPECS/reaper/reaper.signatures.json 
@@ -2,11 +2,11 @@ "Signatures": { "cassandra-reaper-3.1.1.tar.gz": "6efe52195ad4a3c3b7a6f928bafa60d3df011709d9bc918e717033bf86d724d8", "reaper-bower-cache-3.1.1.tar.gz": "a8532fe1d28f6d2c99a5e0d08b17b85465617931d49c7d27450ed328e59c0b08", - "reaper-bower-components-3.1.1.tar.gz": "213f956916bbfaa02eb880bd9e17d0ab41985987e7b95a925fde5f7c2e8bd44f", + "reaper-bower-components-3.1.1-1.tar.gz": "51f5b03b3f56966f5fbfe28a13e0a74003cf33372ff4ba13fd82c6fe79092033", "reaper-local-lib-node-modules-3.1.1.tar.gz": "8daf9a8726a85ca31b024a5bab60a357fe927f670908955cdd9b106bf9c6bd60", "reaper-local-n-3.1.1-1.tar.gz": "e60ecf1c982c8cd44b35da02aec6de5b1f8f0df562f290f9bb905d03f9eefa68", "reaper-m2-cache-3.1.1.tar.gz": "14103df496c6bfd1bf2690b45e6082e3411872f7332f03a68cf5d8e28fc6b27f", "reaper-npm-cache-3.1.1.tar.gz": "1fd8fd9438ef682cccceaaf49d0e65ec50eb7145c20f27253a3521c731e79585", - "reaper-srcui-node-modules-3.1.1.tar.gz": "182d346f73d29544cabec090877f1a63ead6914371cd3db11aac5e5f4ec3c5dc" + "reaper-srcui-node-modules-3.1.1-1.tar.gz": "edd67243e97838657e09513f639a8e7c81fbb813353a19eba3949f79fb9e3e9e" } } \ No newline at end of file diff --git a/SPECS/reaper/reaper.spec b/SPECS/reaper/reaper.spec index a8c5aa4e0d4..90e8693e5b8 100755 --- a/SPECS/reaper/reaper.spec +++ b/SPECS/reaper/reaper.spec @@ -1,10 +1,11 @@ %global debug_package %{nil} %define local_n_release 1 +%define local_srcui_release 1 %define srcdir cassandra-%{name}-%{version} -%define bower_components reaper-bower-components-%{version}.tar.gz -%define srcui_node_modules reaper-srcui-node-modules-%{version}.tar.gz +%define bower_components reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz +%define srcui_node_modules reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz %define bower_cache reaper-bower-cache-%{version}.tar.gz %define maven_cache reaper-m2-cache-%{version}.tar.gz %define npm_cache reaper-npm-cache-%{version}.tar.gz 
@@ -14,7 +15,7 @@ Summary: Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters. Name: reaper Version: 3.1.1 -Release: 8%{?dist} +Release: 9%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -38,10 +39,6 @@ Source5: %{npm_cache} Source6: %{local_lib_node_modules} # v14.18.0 node binary under /usr/local Source7: %{local_n} -Patch0: CVE-2022-37601.patch -Patch1: CVE-2023-28155.patch -Patch2: CVE-2018-11694.patch -Patch3: CVE-2023-26159.patch BuildRequires: git BuildRequires: javapackages-tools BuildRequires: maven @@ -111,10 +108,6 @@ tar xf %{SOURCE1} echo "Installing npm_modules" tar fx %{SOURCE2} -patch -p1 --input %{PATCH0} -patch -p1 --input %{PATCH1} -patch -p1 --input %{PATCH2} -patch -p1 --input %{PATCH3} popd # Building using maven in offline mode. @@ -185,6 +178,14 @@ fi %{_unitdir}/cassandra-%{name}.service %changelog +* Thu May 23 2024 Archana Choudhary - 3.1.1-9 +- Repackage and update src/ui node modules and bower components to 3.1.1-1 +- Address CVE-2024-4068 by upgrading the version of the npm module "braces" to 3.0.3 +- Remove patch for CVE-2023-28155 as request npm module upgraded to 2.88.2 +- Remove patch for CVE-2018-11694 as node-sass npm module upgraded to 4.14.1 +- Remove patch for CVE-2022-37601 as loader-utils npm module upgraded to 1.4.2 +- Remove patch for CVE-2023-26159 as follow-redirects npm module upgraded to 1.15.6 + * Thu Jan 11 2024 Henry Li - 3.1.1-8 - Apply patch to resolve CVE-2023-26159 From ff0a669b98e67f7e1199a8a40d94f4359543036d Mon Sep 17 00:00:00 2001 
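Review bot: The fix for CVE-2023-28155 may be lost with the switch to `reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz` in the first reaper.spec hunk. The header of the deleted patch says the issue "has not and will never be fixed in the request module itself", while the changelog justifies the removal with an upgrade of request to 2.88.2. Unless the repackaged tarball was checked to contain the `allowInsecureRedirect` guard in `node_modules/request/lib/redirect.js`, I would restore `Patch1: CVE-2023-28155.patch` and its `patch -p1 --input %{PATCH1}` step, which the `@@ -38,10 +39,6 @@` and `@@ -111,10 +108,6 @@` hunks remove. The new tarballs are pinned only by hash in reaper.signatures.json, so a comment above the `%define` lines should list the module versions they ship, such as `# srcui node_modules 3.1.1-1: braces 3.0.3, request 2.88.2, node-sass 4.14.1, loader-utils 1.4.2, follow-redirects 1.15.6`, to keep the dropped patches auditable.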
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 4 Jun 2024 22:35:59 -0700 Subject: [PATCH 19/31] [AUTO-CHERRYPICK] hvloader: address openssl related CVEs (CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304) - branch main (#9303) Co-authored-by: Archana Choudhary <36061892+arc9693@users.noreply.github.com> --- SPECS-SIGNED/hvloader-signed/hvloader-signed.spec | 5 ++++- SPECS/hvloader/hvloader.signatures.json | 2 +- SPECS/hvloader/hvloader.spec | 9 +++++++-- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec index 3f8043e96cc..089d9b026e1 100644 --- a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec +++ b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec @@ -6,7 +6,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: hvloader-signed-%{buildarch} Version: 1.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -69,6 +69,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Fri May 31 2024 Archana Choudhary - 1.0.1-3.cm2 +- Update version for consistency with hvloader spec + * Fri May 10 2024 Archana Choudhary - 1.0.1-2 - Update version for consistency with hvloader spec diff --git a/SPECS/hvloader/hvloader.signatures.json b/SPECS/hvloader/hvloader.signatures.json index cca88bd8b41..36414ed04c5 100644 --- a/SPECS/hvloader/hvloader.signatures.json +++ b/SPECS/hvloader/hvloader.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "hvloader-1.0.1.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba", - "edk2-stable202302-submodules.tar.gz": "6e0c992145070d4f9e907a2baf9441b264927902537e888d20d2749055d52f20", + "edk2-stable202305-submodules.tar.gz": "98ad582dde1cedaa1d0767d92968c47c7102a94b1ab1cd6ca5c95eee2acbaa71", "target-x86.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8" } } 
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec index b039a7f5a0e..88a3190fdc7 100644 --- a/SPECS/hvloader/hvloader.spec +++ b/SPECS/hvloader/hvloader.spec @@ -1,10 +1,10 @@ %define debug_package %{nil} %define name_github HvLoader -%define edk2_tag edk2-stable202302 +%define edk2_tag edk2-stable202305 Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader. Name: hvloader Version: 1.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -58,6 +58,11 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{ /boot/efi/HvLoader.efi %changelog +* Fri May 31 2024 Archana Choudhary - 1.0.1-3 +- Update edk2_tag to edk2-stable202305 +- Publish edk2-stable202305-submodules source +- Correct the resolution of openssl related CVEs (CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304) that were not successfully addressed in the previous update + * Wed May 08 2024 Archana Choudhary - 1.0.1-2 - Update edk2_tag to edk2-stable202302 - Publish edk2-stable202302-submodules source From ec2c66e0fad8843ea460229244f6ce0096ccf1e9 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 4 Jun 2024 23:27:29 -0700 Subject: [PATCH 20/31] [AUTO-CHERRYPICK] Patch apparmor for CVE-2024-31755 - branch main (#9302) Co-authored-by: Sumynwa --- SPECS/apparmor/CVE-2024-31755.patch | 40 +++++++++++++++++++++++++++++ SPECS/apparmor/apparmor.spec | 6 ++++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 SPECS/apparmor/CVE-2024-31755.patch diff --git a/SPECS/apparmor/CVE-2024-31755.patch b/SPECS/apparmor/CVE-2024-31755.patch new file mode 100644 index 00000000000..1b3c9d20046 --- /dev/null +++ b/SPECS/apparmor/CVE-2024-31755.patch 
@@ -0,0 +1,40 @@ +commit 7e4d5dabe7a9b754c601f214e65b544e67ba9f59 +Author: Up-wind +Date: Mon Mar 25 20:07:11 2024 +0800 + + Add NULL check to cJSON_SetValuestring() + + If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen. + + This commit adds the NULL check of valuestring before it is dereferenced. + +--- + binutils/cJSON.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/binutils/cJSON.c b/binutils/cJSON.c +index 541934c..e85ac11 100644 +--- a/binutils/cJSON.c ++++ b/binutils/cJSON.c +@@ -393,6 +393,7 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number) + return object->valuedouble = number; + } + ++/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as an error and return NULL */ + CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) + { + char *copy = NULL; +@@ -401,8 +402,8 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) + { + return NULL; + } +- /* return NULL if the object is corrupted */ +- if (object->valuestring == NULL) ++ /* return NULL if the object is corrupted or valuestring is NULL */ ++ if (object->valuestring == NULL || valuestring == NULL) + { + return NULL; + } +-- +2.25.1 + diff --git a/SPECS/apparmor/apparmor.spec b/SPECS/apparmor/apparmor.spec index 0975937612e..c546ed90ecd 100644 --- a/SPECS/apparmor/apparmor.spec +++ b/SPECS/apparmor/apparmor.spec @@ -1,7 +1,7 @@ Summary: AppArmor is an effective and easy-to-use Linux application security system. Name: apparmor Version: 3.0.4 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner 
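Review bot: The header of the new CVE-2024-31755.patch gives only a commit hash and author, with no upstream project or reference, so a later maintainer cannot tell from the file that it is a backport into what appears to be AppArmor's bundled copy of cJSON at `binutils/cJSON.c`. The CVE-2023-2828 patch added later in this series opens with a `Reference:` line, and this file should carry an equivalent first line, for example `Backport of cJSON commit 7e4d5dabe7a9b754c601f214e65b544e67ba9f59 (presumably upstream cJSON; confirm) to the bundled binutils/cJSON.c`. Separately, the added guard `if (object->valuestring == NULL || valuestring == NULL)` makes `cJSON_SetValuestring` return NULL for a NULL argument, so a caller that ignores the return value would silently keep the old string. The function body continues outside the hunk and no callers are visible here, so it is worth checking them in the AppArmor tree.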
@@ -10,6 +10,7 @@ URL: https://launchpad.net/apparmor Source0: https://launchpad.net/apparmor/3.0/3.0.4/+download/%{name}-%{version}.tar.gz Patch1: apparmor-service-start-fix.patch Patch2: CVE-2023-50471.patch +Patch3: CVE-2024-31755.patch # CVE-2016-1585 has no upstream fix as of 2020/09/28 Patch100: CVE-2016-1585.nopatch BuildRequires: apr @@ -354,6 +355,9 @@ make DESTDIR=%{buildroot} install %exclude %{perl_archlib}/perllocal.pod %changelog +* Thu May 30 2024 Sumedh Sharma - 3.0.4-4 +- Add patch for CVE-2024-31755 + * Wed Dec 27 2023 Dallas Delaney - 3.0.4-3 - Add patch for CVE-2023-50471 and CVE-2023-50472 From 776397772968920feb24dee47de53937d434980c Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 4 Jun 2024 23:28:19 -0700 Subject: [PATCH 21/31] [AUTO-CHERRYPICK] Patch dhcp for CVE-2023-2828 - branch main (#9306) Co-authored-by: Sumynwa --- SPECS/dhcp/CVE-2023-2828.patch | 190 +++++++++++++++++++++++++++++++++ SPECS/dhcp/dhcp.spec | 6 +- 2 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 SPECS/dhcp/CVE-2023-2828.patch diff --git a/SPECS/dhcp/CVE-2023-2828.patch b/SPECS/dhcp/CVE-2023-2828.patch new file mode 100644 index 00000000000..576b74149c8 --- /dev/null +++ b/SPECS/dhcp/CVE-2023-2828.patch 
@@ -0,0 +1,190 @@ +Backported patch upstream to apply to CBL-Mariner. +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a + +From da0eafcdee52147e72d407cc3b9f179378ee1d3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Tue, 30 May 2023 08:46:17 +0200 +Subject: [PATCH] Improve RBT overmem cache cleaning + +When cache memory usage is over the configured cache size (overmem) and +we are cleaning unused entries, it might not be enough to clean just two +entries if the entries to be expired are smaller than the newly added +rdata. This could be abused by an attacker to cause a remote Denial of +Service by possibly running out of the operating system memory. + +Currently, the addrdataset() tries to do a single TTL-based cleaning +considering the serve-stale TTL and then optionally moves to overmem +cleaning if we are in that condition. Then the overmem_purge() tries to +do another single TTL based cleaning from the TTL heap and then continue +with LRU-based cleaning up to 2 entries cleaned. + +Squash the TTL-cleaning mechanism into single call from addrdataset(), +but ignore the serve-stale TTL if we are currently overmem. + +Then instead of having a fixed number of entries to clean, pass the size +of newly added rdatasetheader to the overmem_purge() function and +cleanup at least the size of the newly added data. This prevents the +cache going over the configured memory limit (`max-cache-size`). + +Additionally, refactor the overmem_purge() function to reduce for-loop +nesting for readability. 
+--- + bind_ln/lib/dns/rbtdb.c | 102 ++++++++++++++++++------------ + 1 file changed, 60 insertions(+), 42 deletions(-) + +diff --git a/bind_ln/lib/dns/rbtdb.c b/bind_ln/lib/dns/rbtdb.c +index 3ee1876..68b45d8 100644 +--- a/bind_ln/lib/dns/rbtdb.c ++++ b/bind_ln/lib/dns/rbtdb.c +@@ -815,7 +815,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + bool tree_locked, expire_t reason); + static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked); ++ size_t purgesize, bool tree_locked); + static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, + rdatasetheader_t *newheader); + static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, +@@ -6817,6 +6817,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, + + static dns_dbmethods_t zone_methods; + ++static size_t ++rdataset_size(rdatasetheader_t *header) { ++ if (!NONEXISTENT(header)) { ++ return (dns_rdataslab_size((unsigned char *)header, ++ sizeof(*header))); ++ } ++ ++ return (sizeof(*header)); ++} ++ + static isc_result_t + addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, +@@ -6971,7 +6981,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + + if (cache_is_overmem) +- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); ++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), tree_locked); + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +@@ -6986,10 +6996,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + cleanup_dead_nodes(rbtdb, rbtnode->locknum); + + header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); ++ if 
(header != NULL) { ++ dns_ttl_t rdh_ttl = header->rdh_ttl; + ++ if (rdh_ttl < now - RBTDB_VIRTUAL) { ++ expire_header(rbtdb, header, tree_locked, ++ expire_ttl); ++ } ++ } + /* + * If we've been holding a write lock on the tree just for + * cleaning, we can release it now. However, we still need the +@@ -10494,54 +10508,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); + } + +-/*% +- * Purge some expired and/or stale (i.e. unused for some period) cache entries +- * under an overmem condition. To recover from this condition quickly, up to +- * 2 entries will be purged. This process is triggered while adding a new +- * entry, and we specifically avoid purging entries in the same LRU bucket as +- * the one to which the new entry will belong. Otherwise, we might purge +- * entries of the same name of different RR types while adding RRsets from a +- * single response (consider the case where we're adding A and AAAA glue records +- * of the same NS name). ++static size_t ++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, ++ bool tree_locked) { ++ rdatasetheader_t *header, *header_prev; ++ size_t purged = 0; ++ ++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); ++ header != NULL && purged <= purgesize; header = header_prev) ++ { ++ header_prev = ISC_LIST_PREV(header, link); ++ /* ++ * Unlink the entry at this point to avoid checking it ++ * again even if it's currently used someone else and ++ * cannot be purged at this moment. This entry won't be ++ * referenced any more (so unlinking is safe) since the ++ * TTL was reset to 0. ++ */ ++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); ++ size_t header_size = rdataset_size(header); ++ expire_header(rbtdb, header, tree_locked, expire_lru); ++ purged += header_size; ++ } ++ ++ return (purged); ++} ++ ++ /*% ++ * Purge some stale (i.e. 
unused for some period - LRU based cleaning) cache ++ * entries under the overmem condition. To recover from this condition quickly, ++ * we cleanup entries up to the size of newly added rdata (passed as purgesize). ++ * ++ * This process is triggered while adding a new entry, and we specifically avoid ++ * purging entries in the same LRU bucket as the one to which the new entry will ++ * belong. Otherwise, we might purge entries of the same name of different RR ++ * types while adding RRsets from a single response (consider the case where ++ * we're adding A and AAAA glue records of the same NS name). + */ + static void + overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked) ++ size_t purgesize, bool tree_locked) + { +- rdatasetheader_t *header, *header_prev; + unsigned int locknum; +- int purgecount = 2; ++ size_t purged = 0; + + for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; +- locknum != locknum_start && purgecount > 0; ++ locknum != locknum_start && purged <= purgesize; + locknum = (locknum + 1) % rbtdb->node_lock_count) { + NODE_LOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + +- header = isc_heap_element(rbtdb->heaps[locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) { +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); +- purgecount--; +- } +- +- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); +- header != NULL && purgecount > 0; +- header = header_prev) { +- header_prev = ISC_LIST_PREV(header, link); +- /* +- * Unlink the entry at this point to avoid checking it +- * again even if it's currently used someone else and +- * cannot be purged at this moment. This entry won't be +- * referenced any more (so unlinking is safe) since the +- * TTL was reset to 0. 
+- */ +- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, +- link); +- expire_header(rbtdb, header, tree_locked, +- expire_lru); +- purgecount--; +- } ++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, ++ tree_locked); + + NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); +-- +2.25.1 + diff --git a/SPECS/dhcp/dhcp.spec b/SPECS/dhcp/dhcp.spec index 3349cbffca8..c570b4764b2 100644 --- a/SPECS/dhcp/dhcp.spec +++ b/SPECS/dhcp/dhcp.spec @@ -1,13 +1,14 @@ Summary: Dynamic host configuration protocol Name: dhcp Version: 4.4.3 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 Url: https://www.isc.org/dhcp/ Source0: ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz Patch0: CVE-2022-38177.patch Patch1: CVE-2022-38178.patch Patch2: CVE-2022-2795.patch +Patch3: CVE-2023-2828.patch Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner @@ -178,6 +179,9 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/ %{_mandir}/man8/dhclient.8.gz %changelog +* Wed May 29 2024 Sumedh Sharma - 4.4.3-3 +- Fix CVE-2023-2828 + * Tue Apr 30 2024 Elaine Zhao - 4.4.3-2 - Fix CVE-2022-38177, CVE-2022-38178, CVE-2022-2795 for bundled bind From 4e90dd61c165a167d96987d1eb63c49d6ceae721 Mon Sep 17 00:00:00 2001 
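Review bot: The description carried in CVE-2023-2828.patch says the TTL cleaning in addrdataset() should "ignore the serve-stale TTL if we are currently overmem", but the backported addrdataset() lines do not do that. They only copy `header->rdh_ttl` into a local `rdh_ttl` and compare it with `now - RBTDB_VIRTUAL`, with no serve-stale adjustment or overmem test in that hunk. If this was dropped on purpose because the bind bundled with dhcp lacks serve-stale support, the note at the top of the patch should say so, for example `Backport note: the serve-stale TTL adjustment of the upstream commit is omitted; the bundled bind has no serve-stale TTL.` The local `rdh_ttl` then adds nothing, and the condition can stay `header->rdh_ttl < now - RBTDB_VIRTUAL`. In expire_lru_headers(), `size_t header_size` is declared after the ISC_LIST_UNLINK statement; declaring it beside `purged` at the top would match the declaration style of the code this patch replaces.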
From: Saul Paredes <30801614+Redent0r@users.noreply.github.com> Date: Wed, 5 Jun 2024 12:40:57 -0700 Subject: [PATCH 22/31] kata(-cc): upgrade to LSG release v2405.9.2 (#9261) Co-authored-by: Dallas Delaney Co-authored-by: CBL-Mariner Servicing Account --- .../kernel-mshv-signed.spec | 7 +- SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md | 2 +- SPECS/LICENSES-AND-NOTICES/data/licenses.json | 1 + .../cloud-hypervisor-cvm.signatures.json | 7 + .../cloud-hypervisor-cvm.spec | 216 ++++++++++++++++++ SPECS/cloud-hypervisor-cvm/config.toml | 50 ++++ .../cloud-hypervisor.signatures.json | 10 +- SPECS/cloud-hypervisor/cloud-hypervisor.spec | 7 +- .../kata-containers-cc.signatures.json | 4 +- .../kata-containers-cc.spec | 9 +- .../kata-containers.signatures.json | 4 +- SPECS/kata-containers/kata-containers.spec | 5 +- SPECS/kernel-mshv/config | 39 +++- SPECS/kernel-mshv/kernel-mshv.signatures.json | 12 +- SPECS/kernel-mshv/kernel-mshv.spec | 7 +- SPECS/kernel-uvm/config | 25 +- SPECS/kernel-uvm/kernel-uvm.signatures.json | 10 +- SPECS/kernel-uvm/kernel-uvm.spec | 7 +- cgmanifest.json | 26 ++- 19 files changed, 389 insertions(+), 59 deletions(-) create mode 100644 SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json create mode 100644 SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec create mode 100644 SPECS/cloud-hypervisor-cvm/config.toml diff --git a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec index 39f9ee3628d..f4fe895e41c 100644 --- a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec +++ b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec @@ -6,8 +6,8 @@ %define uname_r %{version}-%{release} Summary: Signed MSHV-enabled Linux Kernel for %{buildarch} systems Name: kernel-mshv-signed-%{buildarch} -Version: 5.15.126.mshv9 -Release: 3%{?dist} +Version: 5.15.157.mshv1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg %exclude /lib/modules/%{uname_r}/build %changelog +* Tue May 14 2024 CBL-Mariner Servicing Account - 5.15.157.mshv1-1 +- Auto-upgrade to 5.15.157.mshv1 + * Mon Apr 01 2024 Cameron Baird - 5.15.126.mshv9-3 - BuildRequires: grub2-rpm-macros to expand mkconfig configuration requirement diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index 40d7da9f037..17e6aeabe5e 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md @@ -9,7 +9,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azl-compliance
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azl-compliance
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cloud-hypervisor-cvm
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd | | Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan | | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad | | NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | knem
libnvidia-container
mlnx-ofa_kernel
mlnx-tools
mlx-bootctl
nvidia-container-runtime
nvidia-container-toolkit
nvidia-docker2
ofed-scripts
perftest | diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json index 3b89138790c..468868ee820 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json +++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json @@ -2165,6 +2165,7 @@ "check-restart", "clamav", "cloud-hypervisor", + "cloud-hypervisor-cvm", "cmake-fedora", "coredns", "csi-driver-lvm", diff --git a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json new file mode 100644 index 00000000000..f04f2f31375 --- /dev/null +++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json @@ -0,0 +1,7 @@ +{ + "Signatures": { + "cloud-hypervisor-cvm-38.0.72-vendor.tar.gz": "6092868ed042c0397e4e96f2572a59d80491662b6c68fd210fe458a8f7d0d429", + "cloud-hypervisor-cvm-38.0.72.tar.gz": "e6d15d99c5d9ec4bede43ef8fac971d2cc0ae49a7eafffc6ca7e5b948ed4282a", + "config.toml": "74c28b7520c157109b8990b325fe8f13504e56561a9bac51499d4c6bf4a66e52" + } +} \ No newline at end of file diff --git a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec new file mode 100644 index 00000000000..bb7fb68dcef --- /dev/null +++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec 
@@ -0,0 +1,216 @@ +%define using_rustup 0 +%define using_musl_libc 0 +%define using_vendored_crates 1 + +Name: cloud-hypervisor-cvm +Summary: Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload. +Version: 38.0.72 +Release: 1%{?dist} +License: ASL 2.0 OR BSD-3-clause +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Applications/System +URL: https://github.com/microsoft/cloud-hypervisor +Source0: https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/msft/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +%if 0%{?using_vendored_crates} +# Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME. +# To update the cache and config.toml run: +# tar -xf %{name}-%{version}.tar.gz +# cd %{name}-%{version} +# cargo vendor > config.toml +# tar -czf %{name}-%{version}-cargo.tar.gz vendor/ +# rename the tarball to %{name}-%{version}-cargo.tar.gz when updating version +Source1: %{name}-%{version}-vendor.tar.gz +Source2: config.toml +%endif + +Conflicts: cloud-hypervisor + +BuildRequires: binutils +BuildRequires: gcc +BuildRequires: git +BuildRequires: glibc-devel +BuildRequires: openssl-devel + +%if ! 
0%{?using_rustup} +BuildRequires: rust >= 1.62.0 +BuildRequires: cargo >= 1.62.0 +%endif + +Requires: bash +Requires: glibc +Requires: libgcc +Requires: libcap + +ExclusiveArch: x86_64 + +%ifarch x86_64 +%define rust_def_target x86_64-unknown-linux-gnu +%define cargo_pkg_feature_opts --no-default-features --features "mshv,kvm,sev_snp,igvm" +%endif +%ifarch aarch64 +%define rust_def_target aarch64-unknown-linux-gnu +%define cargo_pkg_feature_opts --all +%endif + +%if 0%{?using_musl_libc} +%ifarch x86_64 +%define rust_musl_target x86_64-unknown-linux-musl +%endif +%ifarch aarch64 +%define rust_musl_target aarch64-unknown-linux-musl +%endif +%endif + +%if 0%{?using_vendored_crates} +%define cargo_offline --offline +%endif + +%description +Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. The project focuses on exclusively running modern, cloud workloads, on top of a limited set of hardware architectures and platforms. Cloud workloads refers to those that are usually run by customers inside a cloud provider. For our purposes this means modern Linux* distributions with most I/O handled by paravirtualised devices (i.e. virtio), no requirement for legacy devices and recent CPUs and KVM. + +%prep + +%setup -q -n cloud-hypervisor-%{version} +%if 0%{?using_vendored_crates} +tar xf %{SOURCE1} +mkdir -p .cargo +cp %{SOURCE2} .cargo/ +%endif + +%install +install -d %{buildroot}%{_bindir} +install -D -m755 ./target/%{rust_def_target}/release/cloud-hypervisor %{buildroot}%{_bindir} + +%if 0%{?using_musl_libc} +install -d %{buildroot}%{_libdir}/cloud-hypervisor/static +install -D -m755 target/%{rust_musl_target}/release/cloud-hypervisor %{buildroot}%{_libdir}/cloud-hypervisor/static +install -D -m755 target/%{rust_musl_target}/release/ch-remote %{buildroot}%{_libdir}/cloud-hypervisor/static +%endif + + +%build +cargo_version=$(cargo --version) +if [[ $? -ne 0 ]]; then + echo "Cargo not found, please install cargo. 
exiting" + exit 0 +fi + +%if 0%{?using_rustup} +which rustup +if [[ $? -ne 0 ]]; then + echo "Rustup not found please install rustup #curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh" +fi +%endif + +echo ${cargo_version} + +%if 0%{?using_rustup} +rustup target list --installed | grep x86_64-unknown-linux-gnu +if [[ $? -ne 0 ]]; then + echo "Target x86_64-unknown-linux-gnu not found, please install(#rustup target add x86_64-unknown-linux-gnu). exiting" +fi + %if 0%{?using_musl_libc} +rustup target list --installed | grep x86_64-unknown-linux-musl +if [[ $? -ne 0 ]]; then + echo "Target x86_64-unknown-linux-musl not found, please install(#rustup target add x86_64-unknown-linux-musl). exiting" +fi + %endif +%endif + +%if 0%{?using_vendored_crates} +# For vendored build, prepend this so openssl-sys doesn't trigger full OpenSSL build +export OPENSSL_NO_VENDOR=1 +%endif +cargo build --release --target=%{rust_def_target} %{cargo_pkg_feature_opts} %{cargo_offline} +%if 0%{?using_musl_libc} +cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{cargo_offline} +%endif + +%files +%defattr(-,root,root,-) +%caps(cap_net_admin=ep) %{_bindir}/cloud-hypervisor +%if 0%{?using_musl_libc} +%{_libdir}/cloud-hypervisor/static/ch-remote +%caps(cap_net_admim=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor +%endif +%license LICENSE-APACHE +%license LICENSE-BSD-3-Clause + +%changelog +* Wed May 15 2024 Saul Paredes - 38.0.72-1 +- Initial CBL-Mariner import from Azure +- Upgrade to v38.0.72 +- Update install to match cloud-hypervisor install locations +- Add conflicts with cloud-hypervisor +- License verified. 
+ +* Mon Nov 6 2023 Dallas Delaney - 32.0.314-2000 +- Upgrade to v32.0.314 + +* Thu Sep 21 2023 Saul Paredes - 32.0.209-2000 +- Upgrade to v32.0.209 + +* Fri Sep 15 2023 Saul Paredes - 32.0.192-2000 +- Upgrade to v32.0.192 + +* Tue Aug 1 2023 Saul Paredes - 32.0.0-2000 +- Accomodate cloud-hypervisor + +* Fri May 19 2023 Anatol Belski - 32.0.0-1000 +- Upgrade to v32.0 + +* Wed Apr 19 2023 Anatol Belski - 31.1.0-1000 +- Upgrade to v31.1 + +* Thu Apr 06 2023 Anatol Belski - 31.0.0-1000 +- Upgrade to v31.0 + +* Fri Feb 24 2023 Anatol Belski - 30.0.0-1000 +- Upgrade to v30.0 + +* Sun Jan 15 2023 Anatol Belski - 29.0.0-1000 +- Upgrade to v29.0 + +* Thu Dec 15 2022 Anatol Belski - 28.1.0-1000 +- Upgrade to v28.1 + +* Thu Nov 17 2022 Anatol Belski - 28.0.0-1000 +- Upgrade to v28.0 + +* Wed Oct 12 2022 Anatol Belski - 27.0.0-1001 +- Spec refactoring towards pulling an arbitrary revision + +* Wed Oct 05 2022 Anatol Belski - 27.0-1 +- Upgrade to 27.0 + +* Thu Sep 15 2022 Anatol Belski - 26.0-2 +- Unbundle tarballs from git + +* Wed Aug 17 2022 Anatol Belski - 26.0-1 +- Pull release 26.0 for Mariner from upstream + +* Tue May 16 2022 Anatol Belski - 23.1-0 +- Initial import 23.1 for Mariner from upstream + +* Thu Apr 13 2022 Rob Bradford 23.0-0 +- Update to 23.0 + +* Thu Mar 03 2022 Rob Bradford 22.0-0 +- Update to 22.0 + +* Thu Jan 20 2022 Rob Bradford 21.0-0 +- Update to 21.0 + +* Thu Dec 02 2021 Sebastien Boeuf 20.0-0 +- Update to 20.0 + +* Mon Nov 08 2021 Fabiano Fidêncio 19.0-0 +- Update to 19.0 + +* Fri May 28 2021 Muminul Islam 15.0-0 +- Update version to 15.0 + +* Wed Jul 22 2020 Muminul Islam 0.8.0-0 +- Initial version + diff --git a/SPECS/cloud-hypervisor-cvm/config.toml b/SPECS/cloud-hypervisor-cvm/config.toml new file mode 100644 index 00000000000..28e2cc3014f --- /dev/null +++ b/SPECS/cloud-hypervisor-cvm/config.toml 
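Review bot: In %files, the static-binary entry under `%if 0%{?using_musl_libc}` spells the capability `cap_net_admim`. Once that switch is enabled, the package would either fail to build or ship the static binary without the intended file capability. The line should read `%caps(cap_net_admin=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor`. In %build, the missing-cargo branch prints an error and then runs `exit 0`, which reports success for a build that produced nothing; `exit 1` is the right status there. The comment above Source1 still describes a `%%{name}-%%{version}-cargo.tar.gz` archive while Source1 is `%{name}-%{version}-vendor.tar.gz`, so the update instructions should name the vendor tarball.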
@@ -0,0 +1,50 @@ +[source.crates-io] +replace-with = "vendored-sources" + +[source."git+https://github.com/cloud-hypervisor/kvm-bindings?branch=ch-v0.7.0"] +git = "https://github.com/cloud-hypervisor/kvm-bindings" +branch = "ch-v0.7.0" +replace-with = "vendored-sources" + +[source."git+https://github.com/cloud-hypervisor/versionize_derive?branch=ch-0.1.6"] +git = "https://github.com/cloud-hypervisor/versionize_derive" +branch = "ch-0.1.6" +replace-with = "vendored-sources" + +[source."git+https://github.com/firecracker-microvm/micro-http?branch=main"] +git = "https://github.com/firecracker-microvm/micro-http" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/microsoft/igvm?branch=main"] +git = "https://github.com/microsoft/igvm" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/acpi_tables?branch=main"] +git = "https://github.com/rust-vmm/acpi_tables" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/mshv?branch=main"] +git = "https://github.com/rust-vmm/mshv" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/vfio-user?branch=main"] +git = "https://github.com/rust-vmm/vfio-user" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/vfio?branch=main"] +git = "https://github.com/rust-vmm/vfio" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/vm-fdt?branch=main"] +git = "https://github.com/rust-vmm/vm-fdt" +branch = "main" +replace-with = "vendored-sources" + +[source.vendored-sources] +directory = "vendor" diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json index 163a303dec9..c0753fbbf62 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json 
@@ -1,7 +1,7 @@ { - "Signatures": { - "cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915", - "cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419", - "config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458" - } + "Signatures": { + "cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915", + "cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419", + "config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458" + } } \ No newline at end of file diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec index ca9342d2489..891593cf771 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec @@ -5,7 +5,7 @@ Summary: Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. Name: cloud-hypervisor Version: 32.0 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 OR BSD-3-clause Vendor: Microsoft Corporation Distribution: Mariner @@ -28,6 +28,8 @@ Patch2: CVE-2023-50711-vhost.patch Patch3: CVE-2023-50711-versionize.patch %endif +Conflicts: cloud-hypervisor-cvm + BuildRequires: binutils BuildRequires: gcc BuildRequires: git @@ -162,6 +164,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{ %license LICENSE-BSD-3-Clause %changelog +* Mon May 20 2024 Saul Paredes - 32.0-4 +- Add conflicts with cloud-hypervisor-cvm + * Mon Jan 15 2024 Sindhu Karri - 32.0-3 - Patch CVE-2023-50711 in vendor/vmm-sys-util, vendor/vhost, vendor/versionize diff --git a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json index e677273b01a..15284fecffd 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json 
+++ b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "mariner-coco-build-uvm.sh": "4f2be6965d8c4d7919fd201a68160fc8ab02a1be50a336abbfea13f16a6ffb89", - "kata-containers-cc-3.2.0.azl1-cargo.tar.gz": "e9225097732f0e9be4da806dac9189c94b43e76dc54b964d1c07beaf8ea65e36", - "kata-containers-cc-3.2.0.azl1.tar.gz": "1c0461a0bcb6920888955ad54c6542b8adfce939e008e6c89f102cf4baeb74a4" + "kata-containers-cc-3.2.0.azl2.tar.gz": "49265e0ecd21af4ed8f23398d1e46ef9961786cb44f40fe582abff06c1c1a873", + "kata-containers-cc-3.2.0.azl2-cargo.tar.gz": "ddf919a672200f0fb53d1cb6c66d6b1c401cf26368541c750d9a12e62da605a1" } } diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index a00762a7c82..46a3cd913b4 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -12,7 +12,7 @@ %global debug_package %{nil} Name: kata-containers-cc -Version: 3.2.0.azl1 +Version: 3.2.0.azl2 Release: 1%{?dist} Summary: Kata Confidential Containers package developed for Confidential Containers on AKS License: ASL 2.0 @@ -158,10 +158,9 @@ mkdir -p %{buildroot}%{share_kata} mkdir -p %{buildroot}%{coco_path}/libexec mkdir -p %{buildroot}/etc/systemd/system/containerd.service.d/ -# for testing policy/snapshotter without SEV SNP we use CH (with kernel-uvm and initrd) instead of CH-CVM with IGVM # Note: our kata-containers config toml expects cloud-hypervisor and kernel under a certain path/name, so we align this through symlinks here ln -s /usr/bin/cloud-hypervisor %{buildroot}%{coco_bin}/cloud-hypervisor -ln -s /usr/bin/cloud-hypervisor-cvm %{buildroot}%{coco_bin}/cloud-hypervisor-snp +ln -s /usr/bin/cloud-hypervisor %{buildroot}%{coco_bin}/cloud-hypervisor-snp # this is again for testing without SEV SNP ln -s /usr/share/cloud-hypervisor/vmlinux.bin %{buildroot}%{share_kata}/vmlinux.container 
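Review bot: In the kata-containers-cc.spec hunk at -158, `%{coco_bin}/cloud-hypervisor-snp` now links to `/usr/bin/cloud-hypervisor`, the same target as the plain `cloud-hypervisor` link above it, and the comment that explained the difference was deleted, so the remaining `# this is again for testing without SEV SNP` refers to text that is no longer there. Which build serves the SNP path now depends on which package owns `/usr/bin/cloud-hypervisor`. The `Conflicts: cloud-hypervisor-cvm` added to cloud-hypervisor.spec in this same patch suggests both packages install that path, but no `Requires:` is visible in this hunk to pin the confidential build. I would put a comment above the link, `# cloud-hypervisor-snp resolves to whichever package provides /usr/bin/cloud-hypervisor; SEV-SNP guests need the cloud-hypervisor-cvm build (TODO confirm the Requires: that guarantees it)`, and reword the stale one. The surrounding `%install` section starts and ends outside the hunk.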
@@ -289,6 +288,10 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu %changelog +* Wed May 29 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-1 +- Auto-upgrade to 3.2.0.azl2 +- Update cloud-hypervisor-snp symlink to also point to /usr/bin/cloud-hypervisor + * Thu May 02 2024 CBL-Mariner Servicing Account - 3.2.0.azl1-1 - Auto-upgrade to 3.2.0.azl1 - Remove opa diff --git a/SPECS/kata-containers/kata-containers.signatures.json b/SPECS/kata-containers/kata-containers.signatures.json index b621b7c58b4..61927a54ba2 100644 --- a/SPECS/kata-containers/kata-containers.signatures.json +++ b/SPECS/kata-containers/kata-containers.signatures.json @@ -2,7 +2,7 @@ "Signatures": { "50-kata": "fb108c6337b3d3bf80b43ab04f2bf9a3bdecd29075ebd16320aefe8f81c502a7", "mariner-build-uvm.sh": "a0fbee4def82ee492eab64a8b5a948c2fef125fa1ca5686aafa0a80c64144068", - "kata-containers-3.2.0.azl1-cargo.tar.gz": "9fb37f5141d09d359f9ddbd6588ddc0f0a58c20e7d8da3e96037f6549b283015", - "kata-containers-3.2.0.azl1.tar.gz": "140118610896fd3ef6c63649e06a9a4d2380dc1fbf2d82ec676245c06ffb6f36" + "kata-containers-3.2.0.azl2-cargo.tar.gz": "830c90cc6e44f492e6366012f8834ae6fc84bd790edf678c23003368c288b98c", + "kata-containers-3.2.0.azl2.tar.gz": "ab65f23787347fae11cf07e0a380e925e9f7b6f0f862ef6440a683b816206011" } } diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index 4f5408e637a..68369d8e79a 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -38,7 +38,7 @@ Summary: Kata Containers Name: kata-containers -Version: 3.2.0.azl1 +Version: 3.2.0.azl2 Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation 
@@ -215,6 +215,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu %changelog +* Wed May 29 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-1 +- Auto-upgrade to 3.2.0.azl2 + * Thu May 02 2024 CBL-Mariner Servicing Account - 3.2.0.azl1-1 - Auto-upgrade to 3.2.0.azl1 diff --git a/SPECS/kernel-mshv/config b/SPECS/kernel-mshv/config index 05a8d42aa11..03db4e9e2d6 100644 --- a/SPECS/kernel-mshv/config +++ b/SPECS/kernel-mshv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.126.mshv9 Kernel Configuration +# Linux/x86_64 5.15.157.mshv1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y @@ -491,6 +491,8 @@ CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y CONFIG_CPU_SRSO=y # CONFIG_GDS_FORCE_MITIGATION is not set +CONFIG_MITIGATION_RFDS=y +CONFIG_MITIGATION_SPECTRE_BHI=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y @@ -768,6 +770,9 @@ CONFIG_GCC_PLUGINS=y # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set # CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set # CONFIG_GCC_PLUGIN_RANDSTRUCT is not set +CONFIG_FUNCTION_ALIGNMENT_4B=y +CONFIG_FUNCTION_ALIGNMENT_16B=y +CONFIG_FUNCTION_ALIGNMENT=16 # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1161,6 +1166,7 @@ CONFIG_NFT_HASH=m CONFIG_NFT_TPROXY=m # CONFIG_NFT_SYNPROXY is not set # CONFIG_NF_FLOW_TABLE is not set +CONFIG_NF_FLOW_TABLE_PROCFS=y CONFIG_NETFILTER_XTABLES=y # @@ -1458,7 +1464,6 @@ CONFIG_NET_SCHED=y # # Queueing/Scheduling # -CONFIG_NET_SCH_CBQ=m CONFIG_NET_SCH_HTB=m CONFIG_NET_SCH_HFSC=m CONFIG_NET_SCH_PRIO=m @@ -1472,7 +1477,6 @@ CONFIG_NET_SCH_TBF=m CONFIG_NET_SCH_ETF=m # CONFIG_NET_SCH_TAPRIO is not set CONFIG_NET_SCH_GRED=m -CONFIG_NET_SCH_DSMARK=m CONFIG_NET_SCH_NETEM=m CONFIG_NET_SCH_DRR=m CONFIG_NET_SCH_MQPRIO=m 
@@ -1500,8 +1504,6 @@ CONFIG_NET_CLS_FW=m CONFIG_NET_CLS_U32=m CONFIG_CLS_U32_PERF=y CONFIG_CLS_U32_MARK=y -CONFIG_NET_CLS_RSVP=m -CONFIG_NET_CLS_RSVP6=m CONFIG_NET_CLS_FLOW=m CONFIG_NET_CLS_CGROUP=m CONFIG_NET_CLS_BPF=m @@ -3649,7 +3651,6 @@ CONFIG_MFD_INTEL_LPSS_PCI=m # CONFIG_MFD_SM501 is not set # CONFIG_MFD_SKY81452 is not set # CONFIG_MFD_SYSCON is not set -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -5164,18 +5165,28 @@ CONFIG_VIRTIO_PCI_LIB=y CONFIG_VIRTIO_MENU=y CONFIG_VIRTIO_PCI=y CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_VDPA is not set # CONFIG_VIRTIO_PMEM is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_MEM=m # CONFIG_VIRTIO_INPUT is not set CONFIG_VIRTIO_MMIO=y # CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set -# CONFIG_VDPA is not set +CONFIG_VDPA=m +CONFIG_VDPA_SIM=m +CONFIG_VDPA_SIM_NET=m +CONFIG_VDPA_SIM_BLOCK=m +# CONFIG_VDPA_USER is not set +# CONFIG_IFCVF is not set +# CONFIG_MLX5_VDPA_NET is not set +# CONFIG_VP_VDPA is not set CONFIG_VHOST_IOTLB=m +CONFIG_VHOST_RING=m CONFIG_VHOST=m CONFIG_VHOST_MENU=y CONFIG_VHOST_NET=m CONFIG_VHOST_VSOCK=m +CONFIG_VHOST_VDPA=m # CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set # @@ -5185,6 +5196,7 @@ CONFIG_HYPERV=y CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=y CONFIG_HYPERV_BALLOON=y +CONFIG_HYPERV_NONTLFS_HEADERS=y CONFIG_MSHV=y CONFIG_MSHV_ROOT=y # CONFIG_MSHV_VTL is not set @@ -5472,12 +5484,17 @@ CONFIG_IIO_ST_ACCEL_I2C_3AXIS=m # CONFIG_MAX9611 is not set # CONFIG_MCP3422 is not set # CONFIG_NAU7802 is not set -# CONFIG_STX104 is not set # CONFIG_TI_ADC081C is not set # CONFIG_TI_ADS1015 is not set # CONFIG_XILINX_XADC is not set # end of Analog to digital converters +# +# Analog to digital and digital to analog converters +# +# CONFIG_STX104 is not set +# end of Analog to digital and digital to analog converters + # # Analog Front Ends # 
@@ -6071,8 +6088,7 @@ CONFIG_NFS_DEBUG=y CONFIG_NFS_DISABLE_UDP_SUPPORT=y # CONFIG_NFS_V4_2_READ_PLUS is not set CONFIG_NFSD=m -CONFIG_NFSD_V2_ACL=y -CONFIG_NFSD_V3=y +# CONFIG_NFSD_V2 is not set CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V4=y CONFIG_NFSD_PNFS=y @@ -6670,8 +6686,9 @@ CONFIG_DEBUG_INFO=y CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y # CONFIG_DEBUG_INFO_DWARF4 is not set # CONFIG_DEBUG_INFO_DWARF5 is not set -# CONFIG_DEBUG_INFO_BTF is not set +CONFIG_DEBUG_INFO_BTF=y CONFIG_PAHOLE_HAS_SPLIT_BTF=y +CONFIG_DEBUG_INFO_BTF_MODULES=y # CONFIG_GDB_SCRIPTS is not set CONFIG_FRAME_WARN=2048 CONFIG_STRIP_ASM_SYMS=y diff --git a/SPECS/kernel-mshv/kernel-mshv.signatures.json b/SPECS/kernel-mshv/kernel-mshv.signatures.json index deff3dd75d8..ce0523c0b98 100644 --- a/SPECS/kernel-mshv/kernel-mshv.signatures.json +++ b/SPECS/kernel-mshv/kernel-mshv.signatures.json @@ -1,8 +1,8 @@ { - "Signatures": { - "kernel-mshv-5.15.126.mshv9.tar.gz": "3ed864ec26340e02b95696784f870eee53ad1e0ba1f30bd9545704bb45a5a2f2", - "50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369", - "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "b266255bd7dfef022aabb578cf928f3435025562a723a95fab6c2ee62acd00ea" - } + "Signatures": { + "50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369", + "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", + "config": "a83f8b5ccf093bae011d89575b410418e31f8705f6cf9ed291b0cfe1ea5896c9", + "kernel-mshv-5.15.157.mshv1.tar.gz": "8240745a0820ee383ebaf8750877c1189772dc0253cd0658deab199fb2140a4b" + } } diff --git a/SPECS/kernel-mshv/kernel-mshv.spec b/SPECS/kernel-mshv/kernel-mshv.spec index a9b97eaeb9f..e68eaa07960 100644 --- a/SPECS/kernel-mshv/kernel-mshv.spec +++ b/SPECS/kernel-mshv/kernel-mshv.spec 
@@ -10,8 +10,8 @@ Summary: Mariner kernel that has MSHV Host support Name: kernel-mshv -Version: 5.15.126.mshv9 -Release: 3%{?dist} +Version: 5.15.157.mshv1 +Release: 1%{?dist} License: GPLv2 Group: Development/Tools Vendor: Microsoft Corporation @@ -248,6 +248,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg %{_includedir}/perf/perf_dlfilter.h %changelog +* Tue May 14 2024 CBL-Mariner Servicing Account - 5.15.157.mshv1-1 +- Auto-upgrade to 5.15.157.mshv1 + * Mon Apr 01 2024 Cameron Baird - 5.15.126.mshv9-3 - Bump release to match kernel-mshv-signed package diff --git a/SPECS/kernel-uvm/config b/SPECS/kernel-uvm/config index 6f8f3369d08..4aab5a035d8 100644 --- a/SPECS/kernel-uvm/config +++ b/SPECS/kernel-uvm/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.1.0.mshv16 Kernel Configuration +# Linux/x86_64 6.1.58.mshv4 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y @@ -170,7 +170,8 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y CONFIG_CC_HAS_INT128=y CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" -CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_GCC11_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_ARRAY_BOUNDS=y CONFIG_ARCH_SUPPORTS_INT128=y # CONFIG_NUMA_BALANCING is not set CONFIG_CGROUPS=y @@ -440,6 +441,8 @@ CONFIG_RETHUNK=y CONFIG_CPU_UNRET_ENTRY=y CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_SRSO=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y @@ -596,6 +599,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_ARCH_WANTS_NO_INSTR=y 
@@ -870,6 +874,7 @@ CONFIG_SECRETMEM=y # CONFIG_ANON_VMA_NAME is not set # CONFIG_USERFAULTFD is not set # CONFIG_LRU_GEN is not set +CONFIG_LOCK_MM_AND_FIND_VMA=y # # Data Access Monitoring @@ -919,6 +924,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -1268,12 +1274,9 @@ CONFIG_NET_SCH_FQ=y # CONFIG_NET_CLS=y # CONFIG_NET_CLS_BASIC is not set -# CONFIG_NET_CLS_TCINDEX is not set # CONFIG_NET_CLS_ROUTE4 is not set # CONFIG_NET_CLS_FW is not set # CONFIG_NET_CLS_U32 is not set -# CONFIG_NET_CLS_RSVP is not set -# CONFIG_NET_CLS_RSVP6 is not set # CONFIG_NET_CLS_FLOW is not set CONFIG_NET_CLS_CGROUP=y # CONFIG_NET_CLS_BPF is not set @@ -1573,7 +1576,9 @@ CONFIG_VIRTIO_BLK=y # CONFIG_MISC_RTSX_PCI is not set # CONFIG_HABANA_AI is not set # CONFIG_UACCE is not set -# CONFIG_PVPANIC is not set +CONFIG_PVPANIC=y +# CONFIG_PVPANIC_MMIO is not set +CONFIG_PVPANIC_PCI=y # end of Misc devices # @@ -2265,6 +2270,7 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y CONFIG_HYPERV=y CONFIG_HYPERV_TIMER=y # CONFIG_HYPERV_BALLOON is not set +# CONFIG_DXGKRNL is not set # end of Microsoft Hyper-V guest support # CONFIG_GREYBUS is not set @@ -2589,7 +2595,7 @@ CONFIG_CIFS_STATS2=y # CONFIG_CIFS_SWN_UPCALL is not set # CONFIG_CIFS_ROOT is not set # CONFIG_SMB_SERVER is not set -CONFIG_SMBFS_COMMON=y +CONFIG_SMBFS=y # CONFIG_CODA_FS is not set # CONFIG_AFS_FS is not set CONFIG_9P_FS=y @@ -3060,7 +3066,10 @@ CONFIG_OBJTOOL=y # # Generic Kernel Debugging Instruments # -# CONFIG_MAGIC_SYSRQ is not set +CONFIG_MAGIC_SYSRQ=y +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1 +CONFIG_MAGIC_SYSRQ_SERIAL=y +CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" # CONFIG_DEBUG_FS is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set 
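Review bot: `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1` in the hunk at -3060 enables every SysRq function from boot, and `CONFIG_MAGIC_SYSRQ_SERIAL=y` accepts the request as a break on the serial console. For a utility-VM kernel that console is an input controlled from outside the guest. If this kernel also backs the confidential-container guests (an assumption; the patch does not say which images use it), the debug facility sits on the wrong side of the guest's trust boundary. I would ship `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0`, or a narrow bitmask, and let debug images raise `kernel.sysrq` at runtime. The kernel-uvm.spec changelog entry in this patch only says "Auto-upgrade to 6.1.58.mshv4", so it should also gain a line recording that SysRq and pvpanic were switched on and why.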
diff --git a/SPECS/kernel-uvm/kernel-uvm.signatures.json b/SPECS/kernel-uvm/kernel-uvm.signatures.json index f1a56aca498..53a34a7323a 100644 --- a/SPECS/kernel-uvm/kernel-uvm.signatures.json +++ b/SPECS/kernel-uvm/kernel-uvm.signatures.json @@ -1,6 +1,6 @@ { - "Signatures": { - "config": "875ddf9294126989d10aeae4ab0fb31c0e4152d3f15c0a6fe8db29540576bd7c", - "kernel-uvm-6.1.0.mshv16.tar.gz": "f0453c3665387a2a87743782347dbccb6c0a2da1f1e9f35c04acd6ba9a9fd92c" - } -} \ No newline at end of file + "Signatures": { + "config": "f94bc8a7c5e0507b3a19e0771ff0798862bac30aa5ababc0cc05ce60e3fdf9de", + "kernel-uvm-6.1.58.mshv4.tar.gz": "81ac99ab06cf7df0845f0bd596b394658fb3f1801d0ad985f5b64ffa3d90e80a" + } +} diff --git a/SPECS/kernel-uvm/kernel-uvm.spec b/SPECS/kernel-uvm/kernel-uvm.spec index 86df5d251b8..757a5c589e1 100644 --- a/SPECS/kernel-uvm/kernel-uvm.spec +++ b/SPECS/kernel-uvm/kernel-uvm.spec @@ -10,8 +10,8 @@ Summary: Linux Kernel for Kata UVM Name: kernel-uvm -Version: 6.1.0.mshv16 -Release: 2%{?dist} +Version: 6.1.58.mshv4 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -154,6 +154,9 @@ find %{buildroot}/lib/modules -name '*.ko' -exec chmod u+x {} + %{_prefix}/src/linux-headers-%{uname_r} %changelog +* Tue May 14 2024 CBL-Mariner Servicing Account - 6.1.58.mshv4-1 +- Auto-upgrade to 6.1.58.mshv4 + * Wed Mar 27 2024 Archana Choudhary - 6.1.0.mshv16-2 - Enable CIFS modules diff --git a/cgmanifest.json b/cgmanifest.json index 36ca5562015..e5c7f5946cd 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1812,6 +1812,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "cloud-hypervisor-cvm", + "version": "38.0.72", + "downloadUrl": "https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/msft/v38.0.72.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -8061,8 +8071,8 @@ "type": "other", "other": { "name": "kata-containers", - "version": "3.2.0.azl1", - "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl1.tar.gz" + "version": "3.2.0.azl2", + "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl2.tar.gz" } } }, @@ -8071,8 +8081,8 @@ "type": "other", "other": { "name": "kata-containers-cc", - "version": "3.2.0.azl1", - "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl1.tar.gz" + "version": "3.2.0.azl2", + "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.azl2.tar.gz" } } }, @@ -8191,8 +8201,8 @@ "type": "other", "other": { "name": "kernel-mshv", - "version": "5.15.126.mshv9", - "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-mshv-5.15.126.mshv9.tar.gz" + "version": "5.15.157.mshv1", + "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-mshv-5.15.157.mshv1.tar.gz" } } }, @@ -8211,8 +8221,8 @@ "type": "other", "other": { "name": "kernel-uvm", - "version": "6.1.0.mshv16", - "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-uvm-6.1.0.mshv16.tar.gz" + "version": "6.1.58.mshv4", + "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-uvm-6.1.58.mshv4.tar.gz" } } }, From 0d51af78bbe953956ae5501e06b6b9b9154b6562 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 6 Jun 2024 11:28:44 -0700 Subject: [PATCH 23/31] [AUTO-CHERRYPICK] CVE-2022-34169: docbook-style-xsl - upgrade embedded xalan jar from 2.7.2 to 2.7.3 (fasttrrack/2.0) - branch main (#9308) Co-authored-by: bfjelds --- .../docbook-style-xsl.signatures.json | 3 ++- SPECS/docbook-style-xsl/docbook-style-xsl.spec | 16 ++++++++++++++-- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 2 +- 6 files changed, 20 insertions(+), 7 deletions(-) diff --git a/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json b/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json index 222adbd7c19..12f7e862dc2 100644 --- a/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json +++ b/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json @@ -1,5 +1,6 @@ { "Signatures": { - "docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968" + "docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968", + "xalan-j_2_7_3-bin.tar.gz": "c3a36e027f91acbec3f2139343a4798a943f8b2957aab1cfb2eb57f4aeadccbc" } } \ No newline at end of file diff --git a/SPECS/docbook-style-xsl/docbook-style-xsl.spec b/SPECS/docbook-style-xsl/docbook-style-xsl.spec index 3a89b3f20bf..3d8a7709098 100644 --- a/SPECS/docbook-style-xsl/docbook-style-xsl.spec +++ b/SPECS/docbook-style-xsl/docbook-style-xsl.spec 
@@ -1,13 +1,15 @@ Summary: Docbook-xsl-1.79.1 Name: docbook-style-xsl Version: 1.79.1 -Release: 13%{?dist} -License: ASL 2.0 +Release: 14%{?dist} +License: DMIT Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Tools URL: https://www.docbook.org Source0: http://downloads.sourceforge.net/docbook/docbook-xsl-%{version}.tar.bz2 +# CVE-2022-34169: xalan 2.7.2 has security issue that is solved in 2.7.3 +Source1: https://dlcdn.apache.org/xalan/xalan-j/binaries/xalan-j_2_7_3-bin.tar.gz BuildRequires: libxml2 BuildRequires: zip Requires: docbook-dtd-xml @@ -24,6 +26,12 @@ allowing you to utilize transformations already written for that standard. %prep %setup -q -n docbook-xsl-%{version} +# CVE-2022-34169: xalan 2.7.2 has security issue that is solved by 2.7.3, +# so replace the embedded jar files in docbook-xsl release before continuing +mkdir ./CVE-2022-34169 +tar -xf %{SOURCE1} -C ./CVE-2022-34169 +mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/. +rm -rf ./CVE-2022-34169 %build zip -d tools/lib/jython.jar Lib/distutils/command/wininst-6.exe @@ -102,6 +110,10 @@ fi %{_docdir}/* %changelog +* Mon Jun 03 2024 Brian Fjeldstad - 1.79.1-14 +- Fix CVE-2022-34169 by using newer release of xalan +- License should be DMIT. License verified + * Sat May 09 2020 Nick Samson - 1.79.1-10 - Added %%license line automatically diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 7a10f66b261..773b4f1a96b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
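Review bot: The `%prep` addition at -24 never checks that the 2.7.2 jars are gone. `mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/.` replaces the vulnerable code only when each new jar has the same file name as the one it supersedes, and the hunk does not show what tools/lib held beforehand. If the names differ, both versions ship side by side and the package still carries CVE-2022-34169 while the changelog records it as fixed. The glob also overwrites any other same-named jar in tools/lib with whatever the xalan binary tarball bundles, which is a wider change than the comment describes. I would state the assumption in the comment, `# relies on the 2.7.3 jars having the same file names as the bundled 2.7.2 ones, so mv overwrites them`, and add `ls -l ./tools/lib/*.jar` after the move so a leftover shows up in the build log.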
@@ -197,7 +197,7 @@ createrepo_c-0.17.5-1.cm2.aarch64.rpm libxml2-2.10.4-3.cm2.aarch64.rpm libxml2-devel-2.10.4-3.cm2.aarch64.rpm docbook-dtd-xml-4.5-11.cm2.noarch.rpm -docbook-style-xsl-1.79.1-13.cm2.noarch.rpm +docbook-style-xsl-1.79.1-14.cm2.noarch.rpm libsepol-3.2-2.cm2.aarch64.rpm glib-2.71.0-2.cm2.aarch64.rpm libltdl-2.4.6-8.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 18b0d860c1b..d9111b4c210 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -197,7 +197,7 @@ createrepo_c-0.17.5-1.cm2.x86_64.rpm libxml2-2.10.4-3.cm2.x86_64.rpm libxml2-devel-2.10.4-3.cm2.x86_64.rpm docbook-dtd-xml-4.5-11.cm2.noarch.rpm -docbook-style-xsl-1.79.1-13.cm2.noarch.rpm +docbook-style-xsl-1.79.1-14.cm2.noarch.rpm libsepol-3.2-2.cm2.x86_64.rpm glib-2.71.0-2.cm2.x86_64.rpm libltdl-2.4.6-8.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index d73f50d3e6b..be184558ac1 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -56,7 +56,7 @@ debugedit-debuginfo-5.0-2.cm2.aarch64.rpm diffutils-3.8-2.cm2.aarch64.rpm diffutils-debuginfo-3.8-2.cm2.aarch64.rpm docbook-dtd-xml-4.5-11.cm2.noarch.rpm -docbook-style-xsl-1.79.1-13.cm2.noarch.rpm +docbook-style-xsl-1.79.1-14.cm2.noarch.rpm dwz-0.14-2.cm2.aarch64.rpm dwz-debuginfo-0.14-2.cm2.aarch64.rpm e2fsprogs-1.46.5-3.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 803916c07aa..4a3ac265920 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -59,7 +59,7 @@ debugedit-debuginfo-5.0-2.cm2.x86_64.rpm diffutils-3.8-2.cm2.x86_64.rpm diffutils-debuginfo-3.8-2.cm2.x86_64.rpm docbook-dtd-xml-4.5-11.cm2.noarch.rpm -docbook-style-xsl-1.79.1-13.cm2.noarch.rpm +docbook-style-xsl-1.79.1-14.cm2.noarch.rpm dwz-0.14-2.cm2.x86_64.rpm dwz-debuginfo-0.14-2.cm2.x86_64.rpm e2fsprogs-1.46.5-3.cm2.x86_64.rpm From 6b57d92440c7aadf73fa3f9b0e61ef87032da61d Mon Sep 17 00:00:00 2001 From: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com> Date: Fri, 7 Jun 2024 02:09:50 +0530 Subject: [PATCH 24/31] Fix Fluent-bit issues #8198 and #8025 (#9121) Fixes https://microsoft.visualstudio.com/OS/_workitems/edit/50531424 --- SPECS/fluent-bit/fix_issue_8025.patch | 779 ++++++++++++++++++ SPECS/fluent-bit/fluent-bit.spec | 8 +- .../in_emitter_fix_issue_8198.patch | 661 +++++++++++++++ 3 files changed, 1447 insertions(+), 1 deletion(-) create mode 100644 SPECS/fluent-bit/fix_issue_8025.patch create mode 100644 SPECS/fluent-bit/in_emitter_fix_issue_8198.patch diff --git a/SPECS/fluent-bit/fix_issue_8025.patch b/SPECS/fluent-bit/fix_issue_8025.patch new file mode 100644 index 00000000000..d5d97590822 --- /dev/null +++ b/SPECS/fluent-bit/fix_issue_8025.patch 
@@ -0,0 +1,779 @@ +From c60999c186c23cff79dad4dd31c838404ace228e Mon Sep 17 00:00:00 2001 +From: "jinyong.choi" +Date: Wed, 18 Oct 2023 23:58:38 +0900 +Subject: [PATCH 1/2] in_tail: Delete unmanaged inodes from db during startup + (#8025) (1/2) + +To prevent incorrect inode references, +FluentBit automatically removes unmanaged inodes during startup. + +Signed-off-by: jinyong.choi +--- + plugins/in_tail/tail.c | 9 ++ + plugins/in_tail/tail_db.c | 161 +++++++++++++++++++++++++++++++ + plugins/in_tail/tail_db.h | 3 + + plugins/in_tail/tail_sql.h | 22 +++++ + tests/runtime/in_tail.c | 189 +++++++++++++++++++++++++++++++++++++ + 5 files changed, 384 insertions(+) + +diff --git a/plugins/in_tail/tail.c b/plugins/in_tail/tail.c +index 34a0fec3dbd..37b1f4f6c68 100644 +--- a/plugins/in_tail/tail.c ++++ b/plugins/in_tail/tail.c +@@ -372,6 +372,15 @@ static int in_tail_init(struct flb_input_instance *in, + /* Scan path */ + flb_tail_scan(ctx->path_list, ctx); + ++#ifdef FLB_HAVE_SQLDB ++ /* Delete stale files that are not monitored from the database */ ++ ret = flb_tail_db_stale_file_delete(in, config, ctx); ++ if (ret == -1) { ++ flb_tail_config_destroy(ctx); ++ return -1; ++ } ++#endif ++ + /* + * After the first scan (on start time), all new files discovered needs to be + * read from head, so we switch the 'read_from_head' flag to true so any +diff --git a/plugins/in_tail/tail_db.c b/plugins/in_tail/tail_db.c +index 664963b6dba..99242f8a15b 100644 +--- a/plugins/in_tail/tail_db.c ++++ b/plugins/in_tail/tail_db.c +@@ -168,6 +168,42 @@ static int db_file_insert(struct flb_tail_file *file, struct flb_tail_config *ct + return flb_sqldb_last_id(ctx->db); + } + ++static int stmt_add_param_concat(struct flb_tail_config *ctx, ++ flb_sds_t *stmt_sql, uint64_t count) ++{ ++ uint64_t idx; ++ flb_sds_t sds_tmp; ++ ++ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_START_PARAM, ++ SQL_STMT_START_PARAM_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: 
param start"); ++ return -1; ++ } ++ *stmt_sql = sds_tmp; ++ ++ for (idx = 1; idx < count; idx++) { ++ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_ADD_PARAM, ++ SQL_STMT_ADD_PARAM_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: add param"); ++ return -1; ++ } ++ ++ *stmt_sql = sds_tmp; ++ } ++ ++ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_PARAM_END, ++ SQL_STMT_PARAM_END_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: param end"); ++ return -1; ++ } ++ *stmt_sql = sds_tmp; ++ ++ return 0; ++} ++ + int flb_tail_db_file_set(struct flb_tail_file *file, + struct flb_tail_config *ctx) + { +@@ -275,3 +311,128 @@ int flb_tail_db_file_delete(struct flb_tail_file *file, + flb_plg_debug(ctx->ins, "db: file deleted from database: %s", file->name); + return 0; + } ++ ++/* ++ * Delete stale file from database ++ */ ++int flb_tail_db_stale_file_delete(struct flb_input_instance *ins, ++ struct flb_config *config, ++ struct flb_tail_config *ctx) ++{ ++ int ret = -1; ++ size_t sql_size; ++ uint64_t idx; ++ uint64_t file_count = ctx->files_static_count; ++ flb_sds_t stale_delete_sql; ++ flb_sds_t sds_tmp; ++ sqlite3_stmt *stmt_delete_inodes = NULL; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct flb_tail_file *file; ++ ++ if (!ctx->db) { ++ return 0; ++ } ++ ++ /* Create a stmt sql buffer */ ++ sql_size = SQL_DELETE_STALE_FILE_START_LEN; ++ sql_size += SQL_DELETE_STALE_FILE_WHERE_LEN; ++ sql_size += SQL_STMT_START_PARAM_LEN; ++ sql_size += SQL_STMT_PARAM_END_LEN; ++ sql_size += SQL_STMT_END_LEN; ++ if (file_count > 0) { ++ sql_size += (SQL_STMT_ADD_PARAM_LEN * file_count); ++ } ++ ++ stale_delete_sql = flb_sds_create_size(sql_size + 1); ++ if (!stale_delete_sql) { ++ flb_plg_error(ctx->ins, "cannot allocate buffer for stale_delete_sql:" ++ " size: %zu", sql_size); ++ return -1; ++ } ++ ++ /* Create a stmt sql */ ++ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_DELETE_STALE_FILE_START, ++ 
SQL_DELETE_STALE_FILE_START_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: start"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ stale_delete_sql = sds_tmp; ++ ++ if (file_count > 0) { ++ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_DELETE_STALE_FILE_WHERE, ++ SQL_DELETE_STALE_FILE_WHERE_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: where"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ stale_delete_sql = sds_tmp; ++ ++ ret = stmt_add_param_concat(ctx, &stale_delete_sql, file_count); ++ if (ret == -1) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: param"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ } ++ ++ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_STMT_END, SQL_STMT_END_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: end"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ stale_delete_sql = sds_tmp; ++ ++ /* Prepare stmt */ ++ ret = sqlite3_prepare_v2(ctx->db->handler, stale_delete_sql, -1, ++ &stmt_delete_inodes, 0); ++ if (ret != SQLITE_OK) { ++ flb_plg_error(ctx->ins, "error preparing database SQL statement:" ++ " stmt_delete_inodes sql:%s, ret=%d", stale_delete_sql, ++ ret); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ ++ /* Bind parameters */ ++ idx = 1; ++ mk_list_foreach_safe(head, tmp, &ctx->files_static) { ++ file = mk_list_entry(head, struct flb_tail_file, _head); ++ ret = sqlite3_bind_int64(stmt_delete_inodes, idx, file->inode); ++ if (ret != SQLITE_OK) { ++ flb_plg_error(ctx->ins, "error binding to stmt_delete_inodes:" ++ " inode=%lu, ret=%d", file->inode, ret); ++ sqlite3_finalize(stmt_delete_inodes); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ idx++; ++ } ++ ++ /* Run the delete inodes */ ++ ret = sqlite3_step(stmt_delete_inodes); ++ if (ret != SQLITE_DONE) { ++ 
sqlite3_finalize(stmt_delete_inodes); ++ flb_sds_destroy(stale_delete_sql); ++ flb_plg_error(ctx->ins, "cannot execute delete stale inodes: ret=%d", ++ ret); ++ return -1; ++ } ++ ++ ret = sqlite3_changes(ctx->db->handler); ++ flb_plg_info(ctx->ins, "db: delete unmonitored stale inodes from the" ++ " database: count=%d", ret); ++ ++ sqlite3_finalize(stmt_delete_inodes); ++ flb_sds_destroy(stale_delete_sql); ++ ++ return 0; ++} +diff --git a/plugins/in_tail/tail_db.h b/plugins/in_tail/tail_db.h +index 7b5355d229c..b1fde721d29 100644 +--- a/plugins/in_tail/tail_db.h ++++ b/plugins/in_tail/tail_db.h +@@ -40,4 +40,7 @@ int flb_tail_db_file_rotate(const char *new_name, + struct flb_tail_config *ctx); + int flb_tail_db_file_delete(struct flb_tail_file *file, + struct flb_tail_config *ctx); ++int flb_tail_db_stale_file_delete(struct flb_input_instance *ins, ++ struct flb_config *config, ++ struct flb_tail_config *ctx); + #endif +diff --git a/plugins/in_tail/tail_sql.h b/plugins/in_tail/tail_sql.h +index 855933a0149..bf724f318cd 100644 +--- a/plugins/in_tail/tail_sql.h ++++ b/plugins/in_tail/tail_sql.h +@@ -53,6 +53,28 @@ + #define SQL_DELETE_FILE \ + "DELETE FROM in_tail_files WHERE id=@id;" + ++#define SQL_STMT_START_PARAM "(?" ++#define SQL_STMT_START_PARAM_LEN (sizeof(SQL_STMT_START_PARAM) - 1) ++ ++#define SQL_STMT_ADD_PARAM ",?" 
++#define SQL_STMT_ADD_PARAM_LEN (sizeof(SQL_STMT_ADD_PARAM) - 1) ++ ++#define SQL_STMT_PARAM_END ")" ++#define SQL_STMT_PARAM_END_LEN (sizeof(SQL_STMT_PARAM_END) - 1) ++ ++#define SQL_STMT_END ";" ++#define SQL_STMT_END_LEN (sizeof(SQL_STMT_END) - 1) ++ ++#define SQL_DELETE_STALE_FILE_START \ ++ "DELETE FROM in_tail_files " ++#define SQL_DELETE_STALE_FILE_START_LEN \ ++ (sizeof(SQL_DELETE_STALE_FILE_START) - 1) ++ ++#define SQL_DELETE_STALE_FILE_WHERE \ ++ "WHERE inode NOT IN " ++#define SQL_DELETE_STALE_FILE_WHERE_LEN \ ++ (sizeof(SQL_DELETE_STALE_FILE_WHERE) - 1) ++ + #define SQL_PRAGMA_SYNC \ + "PRAGMA synchronous=%i;" + +diff --git a/tests/runtime/in_tail.c b/tests/runtime/in_tail.c +index ee5fba88744..74accb66ed6 100644 +--- a/tests/runtime/in_tail.c ++++ b/tests/runtime/in_tail.c +@@ -1545,6 +1545,194 @@ void flb_test_db() + test_tail_ctx_destroy(ctx); + unlink(db); + } ++ ++void flb_test_db_delete_stale_file() ++{ ++ struct flb_lib_out_cb cb_data; ++ struct test_tail_ctx *ctx; ++ char *org_file[] = {"test_db.log", "test_db_stale.log"}; ++ char *tmp_file[] = {"test_db.log"}; ++ char *path = "test_db.log, test_db_stale.log"; ++ char *move_file[] = {"test_db_stale.log", "test_db_stale_new.log"}; ++ char *new_file[] = {"test_db.log", "test_db_stale_new.log"}; ++ char *new_path = "test_db.log, test_db_stale_new.log"; ++ char *db = "test_db.db"; ++ char *msg_init = "hello world"; ++ char *msg_end = "hello db end"; ++ int i; ++ int ret; ++ int num; ++ int unused; ++ ++ unlink(db); ++ ++ clear_output_num(); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &org_file[0], ++ sizeof(org_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", path, ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ ret = 
flb_output_set(ctx->flb, ctx->o_ffd, ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* Start the engine */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ ret = write_msg(ctx, msg_init, strlen(msg_init)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num > 0)) { ++ TEST_MSG("no output"); ++ } ++ ++ if (ctx->fds != NULL) { ++ for (i=0; ifd_num; i++) { ++ close(ctx->fds[i]); ++ } ++ flb_free(ctx->fds); ++ } ++ flb_stop(ctx->flb); ++ flb_destroy(ctx->flb); ++ flb_free(ctx); ++ ++ /* re-init to use db */ ++ clear_output_num(); ++ ++ /* ++ * Changing the file name from 'test_db_stale.log' to ++ * 'test_db_stale_new.log.' In this scenario, it is assumed that the ++ * file was deleted after the FluentBit was terminated. However, since ++ * the FluentBit was shutdown, the inode remains in the database. ++ * The reason for renaming is to preserve the existing file for later use. ++ */ ++ ret = rename(move_file[0], move_file[1]); ++ TEST_CHECK(ret == 0); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &tmp_file[0], ++ sizeof(tmp_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", path, ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* ++ * Start the engine ++ * FluentBit will delete stale inodes. 
++ */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ if (ctx->fds != NULL) { ++ for (i=0; ifd_num; i++) { ++ close(ctx->fds[i]); ++ } ++ flb_free(ctx->fds); ++ } ++ flb_stop(ctx->flb); ++ flb_destroy(ctx->flb); ++ flb_free(ctx); ++ ++ /* re-init to use db */ ++ clear_output_num(); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &new_file[0], ++ sizeof(new_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", new_path, ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* ++ * Start the engine ++ * 'test_db_stale_new.log.' is a new file. ++ * The inode of 'test_db_stale.log' was deleted previously. ++ * So, it reads from the beginning of the file. ++ */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ ret = write_msg(ctx, msg_end, strlen(msg_end)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num == 3)) { ++ /* 3 = ++ * test_db.log : "hello db end" ++ * test_db_stale.log : "msg_init" + "hello db end" ++ */ ++ TEST_MSG("num error. 
expect=3 got=%d", num); ++ } ++ ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++} + #endif /* FLB_HAVE_SQLDB */ + + /* Test list */ +@@ -1569,6 +1757,7 @@ TEST_LIST = { + + #ifdef FLB_HAVE_SQLDB + {"db", flb_test_db}, ++ {"db_delete_stale_file", flb_test_db_delete_stale_file}, + #endif + + #ifdef in_tail + +From d06114cbb1419ef9e8969b897730de07b64cfe28 Mon Sep 17 00:00:00 2001 +From: "jinyong.choi" +Date: Thu, 19 Oct 2023 00:37:36 +0900 +Subject: [PATCH 2/2] in_tail: Introducing the compare_filename option to + db_file_exists (#8025)(2/2) + +When checking the existence of a file's inode, if the 'compare_filename' +option is enabled, it is modified to compare the filename as well. +If the inode matches but the filename is different, it removes the stale +inode from the database. + +Signed-off-by: jinyong.choi +--- + plugins/in_tail/tail.c | 8 ++ + plugins/in_tail/tail_config.h | 1 + + plugins/in_tail/tail_db.c | 58 ++++++++++++- + tests/runtime/in_tail.c | 148 ++++++++++++++++++++++++++++++++++ + 4 files changed, 213 insertions(+), 2 deletions(-) + +diff --git a/plugins/in_tail/tail.c b/plugins/in_tail/tail.c +index 37b1f4f6c68..52bf2ed6d40 100644 +--- a/plugins/in_tail/tail.c ++++ b/plugins/in_tail/tail.c +@@ -734,6 +734,14 @@ static struct flb_config_map config_map[] = { + "provides higher performance. Note that WAL is not compatible with " + "shared network file systems." + }, ++ { ++ FLB_CONFIG_MAP_BOOL, "db.compare_filename", "false", ++ 0, FLB_TRUE, offsetof(struct flb_tail_config, compare_filename), ++ "This option determines whether to check both the inode and the filename " ++ "when retrieving file information from the db." ++ "'true' verifies both the inode and filename, while 'false' checks only " ++ "the inode (default)." 
++ }, + #endif + + /* Multiline Options */ +diff --git a/plugins/in_tail/tail_config.h b/plugins/in_tail/tail_config.h +index dcfa54e0264..c0263b46503 100644 +--- a/plugins/in_tail/tail_config.h ++++ b/plugins/in_tail/tail_config.h +@@ -107,6 +107,7 @@ struct flb_tail_config { + struct flb_sqldb *db; + int db_sync; + int db_locking; ++ int compare_filename; + flb_sds_t db_journal_mode; + sqlite3_stmt *stmt_get_file; + sqlite3_stmt *stmt_insert_file; +diff --git a/plugins/in_tail/tail_db.c b/plugins/in_tail/tail_db.c +index 99242f8a15b..6f535ea646b 100644 +--- a/plugins/in_tail/tail_db.c ++++ b/plugins/in_tail/tail_db.c +@@ -95,9 +95,38 @@ int flb_tail_db_close(struct flb_sqldb *db) + return 0; + } + ++static int flb_tail_db_file_delete_by_id(struct flb_tail_config *ctx, ++ uint64_t id) ++{ ++ int ret; ++ ++ /* Bind parameters */ ++ ret = sqlite3_bind_int64(ctx->stmt_delete_file, 1, id); ++ if (ret != SQLITE_OK) { ++ flb_plg_error(ctx->ins, "db: error binding id=%"PRIu64", ret=%d", id, ret); ++ return -1; ++ } ++ ++ ret = sqlite3_step(ctx->stmt_delete_file); ++ ++ sqlite3_clear_bindings(ctx->stmt_delete_file); ++ sqlite3_reset(ctx->stmt_delete_file); ++ ++ if (ret != SQLITE_DONE) { ++ flb_plg_error(ctx->ins, "db: error deleting stale entry from database:" ++ " id=%"PRIu64, id); ++ return -1; ++ } ++ ++ flb_plg_info(ctx->ins, "db: stale file deleted from database:" ++ " id=%"PRIu64, id); ++ return 0; ++} ++ + /* +- * Check if an file inode exists in the database. Return FLB_TRUE or +- * FLB_FALSE ++ * Check if an file inode exists in the database. ++ * If the 'compare_filename' option is enabled, ++ * it checks along with the filename. 
Return FLB_TRUE or FLB_FALSE + */ + static int db_file_exists(struct flb_tail_file *file, + struct flb_tail_config *ctx, +@@ -105,6 +134,7 @@ static int db_file_exists(struct flb_tail_file *file, + { + int ret; + int exists = FLB_FALSE; ++ const unsigned char *name; + + /* Bind parameters */ + sqlite3_bind_int64(ctx->stmt_get_file, 1, file->inode); +@@ -116,11 +146,30 @@ static int db_file_exists(struct flb_tail_file *file, + /* id: column 0 */ + *id = sqlite3_column_int64(ctx->stmt_get_file, 0); + ++ /* name: column 1 */ ++ name = sqlite3_column_text(ctx->stmt_get_file, 1); ++ if (ctx->compare_filename && name == NULL) { ++ flb_plg_error(ctx->ins, "db: error getting name: id=%"PRIu64, *id); ++ return -1; ++ } ++ + /* offset: column 2 */ + *offset = sqlite3_column_int64(ctx->stmt_get_file, 2); + + /* inode: column 3 */ + *inode = sqlite3_column_int64(ctx->stmt_get_file, 3); ++ ++ /* Checking if the file's name and inode match exactly */ ++ if (ctx->compare_filename) { ++ if (flb_tail_target_file_name_cmp((char *) name, file) != 0) { ++ exists = FLB_FALSE; ++ flb_plg_debug(ctx->ins, "db: exists stale file from database:" ++ " id=%"PRIu64" inode=%"PRIu64" offset=%"PRIu64 ++ " name=%s file_inode=%"PRIu64" file_name=%s", ++ *id, *inode, *offset, name, file->inode, ++ file->name); ++ } ++ } + } + else if (ret == SQLITE_DONE) { + /* all good */ +@@ -221,6 +270,11 @@ int flb_tail_db_file_set(struct flb_tail_file *file, + } + + if (ret == FLB_FALSE) { ++ /* Delete stale file of same inode */ ++ if (ctx->compare_filename && id > 0) { ++ flb_tail_db_file_delete_by_id(ctx, id); ++ } ++ + /* Get the database ID for this file */ + file->db_id = db_file_insert(file, ctx); + } +diff --git a/tests/runtime/in_tail.c b/tests/runtime/in_tail.c +index 74accb66ed6..90d8832bc79 100644 +--- a/tests/runtime/in_tail.c ++++ b/tests/runtime/in_tail.c +@@ -1733,6 +1733,153 @@ void flb_test_db_delete_stale_file() + test_tail_ctx_destroy(ctx); + unlink(db); + } ++ ++void 
flb_test_db_compare_filename() ++{ ++ struct flb_lib_out_cb cb_data; ++ struct test_tail_ctx *ctx; ++ char *org_file[] = {"test_db.log"}; ++ char *moved_file[] = {"test_db_moved.log"}; ++ char *db = "test_db.db"; ++ char *msg_init = "hello world"; ++ char *msg_moved = "hello world moved"; ++ char *msg_end = "hello db end"; ++ int i; ++ int ret; ++ int num; ++ int unused; ++ ++ unlink(db); ++ ++ clear_output_num(); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &org_file[0], ++ sizeof(org_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", org_file[0], ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ "db.compare_filename", "true", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ ret = flb_output_set(ctx->flb, ctx->o_ffd, ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* Start the engine */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ ret = write_msg(ctx, msg_init, strlen(msg_init)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num > 0)) { ++ TEST_MSG("no output"); ++ } ++ ++ if (ctx->fds != NULL) { ++ for (i=0; ifd_num; i++) { ++ close(ctx->fds[i]); ++ } ++ flb_free(ctx->fds); ++ } ++ flb_stop(ctx->flb); ++ flb_destroy(ctx->flb); ++ flb_free(ctx); ++ ++ /* re-init to use db */ ++ clear_output_num(); ++ ++ /* ++ * Changing the file name from 'test_db.log' to 'test_db_moved.log.' ++ * In this scenario, it is assumed that the FluentBit has been terminated, ++ * and the file has been recreated with the same inode, with offsets equal ++ * to or greater than the previous file. 
++ */ ++ ret = rename(org_file[0], moved_file[0]); ++ TEST_CHECK(ret == 0); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &moved_file[0], ++ sizeof(moved_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", moved_file[0], ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ "db.compare_filename", "true", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* ++ * Start the engine ++ * The file has been newly created, and due to the 'db.compare_filename' ++ * option being set to true, it compares filenames to consider it a new ++ * file even if the inode is the same. If the option is set to false, ++ * it can be assumed to be the same file as before. ++ */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ ret = write_msg(ctx, msg_moved, strlen(msg_moved)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = write_msg(ctx, msg_end, strlen(msg_end)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num == 3)) { ++ /* 3 = msg_init + msg_moved + msg_end */ ++ TEST_MSG("num error. expect=3 got=%d", num); ++ } ++ ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++} + #endif /* FLB_HAVE_SQLDB */ + + /* Test list */ +@@ -1758,6 +1905,7 @@ TEST_LIST = { + #ifdef FLB_HAVE_SQLDB + {"db", flb_test_db}, + {"db_delete_stale_file", flb_test_db_delete_stale_file}, ++ {"db_compare_filename", flb_test_db_compare_filename}, + #endif + + #ifdef in_tail diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index 6c6c5e3daf2..9bf83a66bbb 100644 
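Review bot: In `flb_tail_db_stale_file_delete` the `NOT IN (?,?,…)` list gets one placeholder per entry counted in `ctx->files_static_count`, and SQLite caps the number of host parameters a single statement may carry, so on a host that tails more files than that cap `sqlite3_prepare_v2` fails, the function returns -1, and the new call in `in_tail_init` destroys the context and aborts plugin start-up. A best-effort cleanup should not be able to stop log collection (for a forwarder that carries audit logs that is a loss of telemetry), so I would compare `file_count` with `sqlite3_limit(ctx->db->handler, SQLITE_LIMIT_VARIABLE_NUMBER, -1)` before building the statement and skip the cleanup with a warning, or delete in batches, when it is exceeded; a sketch follows. Separately, the new `return -1` in `db_file_exists` for a NULL name appears to leave before any clear/reset of `stmt_get_file`; the tail of that function is outside the hunk, so please confirm the statement is reset on that path.

```c
    if (!ctx->db) {
        return 0;
    }

    /* One '?' is emitted per monitored file; stay under SQLite's per-statement cap */
    max_params = sqlite3_limit(ctx->db->handler, SQLITE_LIMIT_VARIABLE_NUMBER, -1);
    if (max_params >= 0 && file_count > (uint64_t) max_params) {
        flb_plg_warn(ctx->ins, "db: %"PRIu64" monitored files exceed the SQLite"
                     " parameter limit (%d), skipping stale inode cleanup",
                     file_count, max_params);
        return 0;
    }

    /* … unchanged: statement build, prepare, bind and step … */
```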
--- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -1,13 +1,15 @@ Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX Name: fluent-bit Version: 2.2.3 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner URL: https://fluentbit.io Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: CVE-2024-34250.patch +Patch1: in_emitter_fix_issue_8198.patch +Patch2: fix_issue_8025.patch BuildRequires: bison BuildRequires: cmake BuildRequires: cyrus-sasl-devel @@ -81,6 +83,10 @@ Development files for %{name} %{_libdir}/fluent-bit/*.so %changelog +* Wed Jun 05 2024 Sindhu Karri - 2.2.3-3 +- Apply patch in_emitter_fix_issue_8198.patch to fix #8198 ( Potential log loss during high load at Multiline & Rewrite Tag Filter (in_emitter) ) +- Fix issue #8025 with a patch ( in_tail: missing log for offset processing due to non-existent old inodes in sqlite ) + * Wed May 30 2024 Sindhu Karri - 2.2.3-2 - Fix CVE-2024-34250 with a patch diff --git a/SPECS/fluent-bit/in_emitter_fix_issue_8198.patch b/SPECS/fluent-bit/in_emitter_fix_issue_8198.patch new file mode 100644 index 00000000000..d9861ab126d --- /dev/null +++ b/SPECS/fluent-bit/in_emitter_fix_issue_8198.patch 
@@ -0,0 +1,661 @@ +From feb424367d08666dd9fb0a6405f05c19b6678873 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Fri, 9 Feb 2024 23:46:32 +0100 +Subject: [PATCH 1/6] in_emitter: Fix to prevent single record chunks and do + pause on mem_buf_limit + +The current code creates a situation, where only one record per chunk + is created. In case of a non-existing ring-buffer, the old mechanism is used. + +Also the in_emitter plugin continued to accept records even after the +set emitter_mem_buf_limit was reached. This commit implements a +check if the plugin was paused and returns accordingly. + +Signed-off-by: Richard Treu +--- + plugins/in_emitter/emitter.c | 67 +++++++++++++++++++++++++++++++++--- + 1 file changed, 62 insertions(+), 5 deletions(-) + +diff --git a/plugins/in_emitter/emitter.c b/plugins/in_emitter/emitter.c +index 62886d1346c..532a629b924 100644 +--- a/plugins/in_emitter/emitter.c ++++ b/plugins/in_emitter/emitter.c +@@ -31,6 +31,9 @@ + + #define DEFAULT_EMITTER_RING_BUFFER_FLUSH_FREQUENCY 2000 + ++/* return values */ ++#define FLB_EMITTER_BUSY 3 ++ + struct em_chunk { + flb_sds_t tag; + struct msgpack_sbuffer mp_sbuf; /* msgpack sbuffer */ +@@ -39,6 +42,7 @@ struct em_chunk { + }; + + struct flb_emitter { ++ int coll_fd; /* collector id */ + struct mk_list chunks; /* list of all pending chunks */ + struct flb_input_instance *ins; /* input instance */ + struct flb_ring_buffer *msgs; /* ring buffer for cross-thread messages */ +@@ -97,7 +101,6 @@ int static do_in_emitter_add_record(struct em_chunk *ec, + em_chunk_destroy(ec); + return -1; + } +- /* Release the echunk */ + em_chunk_destroy(ec); + return 0; + } +@@ -118,6 +121,12 @@ int in_emitter_add_record(const char *tag, int tag_len, + ctx = (struct flb_emitter *) in->context; + ec = NULL; + ++ /* Restricted by mem_buf_limit */ ++ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) { ++ flb_plg_debug(ctx->ins, "emitter memory buffer limit reached. 
Not accepting record."); ++ return FLB_EMITTER_BUSY; ++ } ++ + /* Use the ring buffer first if it exists */ + if (ctx->msgs) { + memset(&temporary_chunk, 0, sizeof(struct em_chunk)); +@@ -161,8 +170,7 @@ int in_emitter_add_record(const char *tag, int tag_len, + + /* Append raw msgpack data */ + msgpack_sbuffer_write(&ec->mp_sbuf, buf_data, buf_size); +- +- return do_in_emitter_add_record(ec, in); ++ return 0; + } + + /* +@@ -191,6 +199,34 @@ static int in_emitter_ingest_ring_buffer(struct flb_input_instance *in, + return ret; + } + ++static int cb_queue_chunks(struct flb_input_instance *in, ++ struct flb_config *config, void *data) ++{ ++ int ret; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct em_chunk *echunk; ++ struct flb_emitter *ctx; ++ ++ /* Get context */ ++ ctx = (struct flb_emitter *) data; ++ ++ /* Try to enqueue chunks under our limits */ ++ mk_list_foreach_safe(head, tmp, &ctx->chunks) { ++ echunk = mk_list_entry(head, struct em_chunk, _head); ++ ++ /* Associate this backlog chunk to this instance into the engine */ ++ ret = do_in_emitter_add_record(echunk, in); ++ if (ret == -1) { ++ flb_error("[in_emitter] error registering chunk with tag: %s", ++ echunk->tag); ++ continue; ++ } ++ } ++ ++ return 0; ++} ++ + static int in_emitter_start_ring_buffer(struct flb_input_instance *in, struct flb_emitter *ctx) + { + if (ctx->ring_buffer_size <= 0) { +@@ -257,6 +293,15 @@ static int cb_emitter_init(struct flb_input_instance *in, + return -1; + } + } ++ else{ ++ ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 50000000, config); ++ if (ret < 0) { ++ flb_error("[in_emitter] could not create collector"); ++ flb_free(ctx); ++ return -1; ++ } ++ ctx->coll_fd = ret; ++ } + + /* export plugin context */ + flb_input_set_context(in, ctx); +@@ -264,6 +309,18 @@ static int cb_emitter_init(struct flb_input_instance *in, + return 0; + } + ++static void cb_emitter_pause(void *data, struct flb_config *config) ++{ ++ struct flb_emitter *ctx = data; ++ 
flb_input_collector_pause(ctx->coll_fd, ctx->ins); ++} ++ ++static void cb_emitter_resume(void *data, struct flb_config *config) ++{ ++ struct flb_emitter *ctx = data; ++ flb_input_collector_resume(ctx->coll_fd, ctx->ins); ++} ++ + static int cb_emitter_exit(void *data, struct flb_config *config) + { + struct mk_list *tmp; +@@ -312,8 +369,8 @@ struct flb_input_plugin in_emitter_plugin = { + .cb_ingest = NULL, + .cb_flush_buf = NULL, + .config_map = config_map, +- .cb_pause = NULL, +- .cb_resume = NULL, ++ .cb_pause = cb_emitter_pause, ++ .cb_resume = cb_emitter_resume, + .cb_exit = cb_emitter_exit, + + /* This plugin can only be configured and invoked by the Engine only */ + +From 37826b66b29d1ad867d220313178c3feac9b792a Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Thu, 11 Apr 2024 23:53:10 +0200 +Subject: [PATCH 2/6] filter_multiline: Pause source input plugins on filter + pause This commit will pause the inputs (sending to multiline) to not loose + any in-flight records. + +Signed-off-by: Richard Treu +--- + plugins/filter_multiline/ml.c | 14 ++++++++++++-- + plugins/filter_multiline/ml.h | 4 +++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/plugins/filter_multiline/ml.c b/plugins/filter_multiline/ml.c +index 41b1b8a4d64..ced8ec83739 100644 +--- a/plugins/filter_multiline/ml.c ++++ b/plugins/filter_multiline/ml.c +@@ -176,7 +176,7 @@ static int flush_callback(struct flb_ml_parser *parser, + /* Emit record with original tag */ + flb_plg_trace(ctx->ins, "emitting from %s to %s", stream->input_name, stream->tag); + ret = in_emitter_add_record(stream->tag, flb_sds_len(stream->tag), buf_data, buf_size, +- ctx->ins_emitter); ++ ctx->ins_emitter, ctx->i_ins); + + return ret; + } +@@ -526,7 +526,8 @@ static void partial_timer_cb(struct flb_config *config, void *data) + ret = in_emitter_add_record(packer->tag, flb_sds_len(packer->tag), + packer->log_encoder.output_buffer, + packer->log_encoder.output_length, +- ctx->ins_emitter); ++ 
ctx->ins_emitter, ++ ctx->i_ins); + if (ret < 0) { + /* this shouldn't happen in normal execution */ + flb_plg_warn(ctx->ins, +@@ -741,6 +742,15 @@ static int cb_ml_filter(const void *data, size_t bytes, + return FLB_FILTER_NOTOUCH; + } + ++ if (ctx->i_ins == NULL){ ++ ctx->i_ins = i_ins; ++ } ++ if (ctx->i_ins != i_ins) { ++ flb_plg_trace(ctx->ins, "input instance changed from %s to %s", ++ ctx->i_ins->name, i_ins->name); ++ ctx->i_ins = i_ins; ++ } ++ + /* 'partial_message' mode */ + if (ctx->partial_mode == FLB_TRUE) { + return ml_filter_partial(data, bytes, tag, tag_len, +diff --git a/plugins/filter_multiline/ml.h b/plugins/filter_multiline/ml.h +index 59bf6c7e826..cae8fb64166 100644 +--- a/plugins/filter_multiline/ml.h ++++ b/plugins/filter_multiline/ml.h +@@ -73,6 +73,7 @@ struct ml_ctx { + size_t emitter_mem_buf_limit; /* Emitter buffer limit */ + struct flb_input_instance *ins_emitter; /* emitter input plugin instance */ + struct flb_config *config; /* Fluent Bit context */ ++ struct flb_input_instance *i_ins; /* Fluent Bit input instance (last used)*/ + + #ifdef FLB_HAVE_METRICS + struct cmt_counter *cmt_emitted; +@@ -82,6 +83,7 @@ struct ml_ctx { + /* Register external function to emit records, check 'plugins/in_emitter' */ + int in_emitter_add_record(const char *tag, int tag_len, + const char *buf_data, size_t buf_size, +- struct flb_input_instance *in); ++ struct flb_input_instance *in, ++ struct flb_input_instance *i_ins); + + #endif + +From 2087601806b39719ac64c2862f81e7c5222efd3a Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Thu, 11 Apr 2024 23:55:40 +0200 +Subject: [PATCH 3/6] filter_rewrite_tag: Pause source input plugins on filter + pause This commit will pause the inputs (sending to rewrite_tag) to not loose + any in-flight records. 
+ +Signed-off-by: Richard Treu +--- + plugins/filter_rewrite_tag/rewrite_tag.c | 7 ++++--- + plugins/filter_rewrite_tag/rewrite_tag.h | 3 ++- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/plugins/filter_rewrite_tag/rewrite_tag.c b/plugins/filter_rewrite_tag/rewrite_tag.c +index 01b0f168fe2..c8bfe029350 100644 +--- a/plugins/filter_rewrite_tag/rewrite_tag.c ++++ b/plugins/filter_rewrite_tag/rewrite_tag.c +@@ -355,7 +355,8 @@ static int ingest_inline(struct flb_rewrite_tag *ctx, + */ + static int process_record(const char *tag, int tag_len, msgpack_object map, + const void *buf, size_t buf_size, int *keep, +- struct flb_rewrite_tag *ctx, int *matched) ++ struct flb_rewrite_tag *ctx, int *matched, ++ struct flb_input_instance *i_ins) + { + int ret; + flb_sds_t out_tag; +@@ -404,7 +405,7 @@ static int process_record(const char *tag, int tag_len, msgpack_object map, + if (!ret) { + /* Emit record with new tag */ + ret = in_emitter_add_record(out_tag, flb_sds_len(out_tag), buf, buf_size, +- ctx->ins_emitter); ++ ctx->ins_emitter, i_ins); + } + else { + ret = 0; +@@ -489,7 +490,7 @@ static int cb_rewrite_tag_filter(const void *data, size_t bytes, + * If a record was emitted, the variable 'keep' will define if the record must + * be preserved or not. 
+ */ +- is_emitted = process_record(tag, tag_len, map, (char *) data + pre, off - pre, &keep, ctx, &is_matched); ++ is_emitted = process_record(tag, tag_len, map, (char *) data + pre, off - pre, &keep, ctx, &is_matched, i_ins); + if (is_emitted == FLB_TRUE) { + /* A record with the new tag was emitted */ + emitted_num++; +diff --git a/plugins/filter_rewrite_tag/rewrite_tag.h b/plugins/filter_rewrite_tag/rewrite_tag.h +index 11c0535fde1..d73b49f12eb 100644 +--- a/plugins/filter_rewrite_tag/rewrite_tag.h ++++ b/plugins/filter_rewrite_tag/rewrite_tag.h +@@ -57,7 +57,8 @@ struct flb_rewrite_tag { + /* Register external function to emit records, check 'plugins/in_emitter' */ + int in_emitter_add_record(const char *tag, int tag_len, + const char *buf_data, size_t buf_size, +- struct flb_input_instance *in); ++ struct flb_input_instance *in, ++ struct flb_input_instance *i_ins); + int in_emitter_get_collector_id(struct flb_input_instance *in); + + + +From 64214ada1ded5afc1dae042473b50fa1f8dc9467 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Thu, 11 Apr 2024 23:57:15 +0200 +Subject: [PATCH 4/6] in_emitter: Pause source input plugins on in_emitter + pause This commit will pause all known inputs (sending to multiline) to not + loose any in-flight records. in_emitter will keep track of all sending input + plugins and actively pause/resume them in case in_emitter is paused/resumed. 
+ +Signed-off-by: Richard Treu +--- + plugins/in_emitter/emitter.c | 77 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 73 insertions(+), 4 deletions(-) + +diff --git a/plugins/in_emitter/emitter.c b/plugins/in_emitter/emitter.c +index 532a629b924..8092a7954ee 100644 +--- a/plugins/in_emitter/emitter.c ++++ b/plugins/in_emitter/emitter.c +@@ -32,7 +32,7 @@ + #define DEFAULT_EMITTER_RING_BUFFER_FLUSH_FREQUENCY 2000 + + /* return values */ +-#define FLB_EMITTER_BUSY 3 ++#define FLB_EMITTER_BUSY -2 + + struct em_chunk { + flb_sds_t tag; +@@ -41,12 +41,18 @@ struct em_chunk { + struct mk_list _head; + }; + ++struct input_ref { ++ struct flb_input_instance *i_ins; ++ struct mk_list _head; ++}; ++ + struct flb_emitter { + int coll_fd; /* collector id */ + struct mk_list chunks; /* list of all pending chunks */ + struct flb_input_instance *ins; /* input instance */ + struct flb_ring_buffer *msgs; /* ring buffer for cross-thread messages */ + int ring_buffer_size; /* size of the ring buffer */ ++ struct mk_list i_ins_list; /* instance list of linked/sending inputs */ + }; + + struct em_chunk *em_chunk_create(const char *tag, int tag_len, +@@ -89,6 +95,12 @@ int static do_in_emitter_add_record(struct em_chunk *ec, + struct flb_emitter *ctx = (struct flb_emitter *) in->context; + int ret; + ++ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) { ++ flb_plg_debug(ctx->ins, "_emitter %s paused. 
Not processing records.", ++ ctx->ins->name); ++ return FLB_EMITTER_BUSY; ++ } ++ + /* Associate this backlog chunk to this instance into the engine */ + ret = flb_input_log_append(in, + ec->tag, flb_sds_len(ec->tag), +@@ -111,15 +123,45 @@ int static do_in_emitter_add_record(struct em_chunk *ec, + */ + int in_emitter_add_record(const char *tag, int tag_len, + const char *buf_data, size_t buf_size, +- struct flb_input_instance *in) ++ struct flb_input_instance *in, ++ struct flb_input_instance *i_ins) + { + struct em_chunk temporary_chunk; + struct mk_list *head; ++ struct input_ref *i_ref; ++ bool ref_found; ++ struct mk_list *tmp; ++ + struct em_chunk *ec; + struct flb_emitter *ctx; + + ctx = (struct flb_emitter *) in->context; + ec = NULL; ++ /* Iterate over list of already known (source) inputs */ ++ /* If new, add it to the list to be able to pause it later on */ ++ ref_found = false; ++ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ if(i_ref->i_ins == i_ins){ ++ ref_found = true; ++ break; ++ } ++ } ++ if (!ref_found) { ++ i_ref = flb_malloc(sizeof(struct input_ref)); ++ if (!i_ref) { ++ flb_errno(); ++ return FLB_FILTER_NOTOUCH; ++ } ++ i_ref->i_ins = i_ins; ++ mk_list_add(&i_ref->_head, &ctx->i_ins_list); ++ /* If in_emitter is paused, but new input plugin is not paused, pause it */ ++ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE && ++ flb_input_buf_paused(i_ins) == FLB_FALSE) { ++ flb_input_pause(i_ins); ++ } ++ } ++ + + /* Restricted by mem_buf_limit */ + if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) { +@@ -268,6 +310,8 @@ static int cb_emitter_init(struct flb_input_instance *in, + ctx->ins = in; + mk_list_init(&ctx->chunks); + ++ mk_list_init(&ctx->i_ins_list); ++ + + ret = flb_input_config_map_set(in, (void *) ctx); + if (ret == -1) { +@@ -294,7 +338,7 @@ static int cb_emitter_init(struct flb_input_instance *in, + } + } + else{ +- ret = flb_input_set_collector_time(in, cb_queue_chunks, 
0, 50000000, config); ++ ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 25000000, config); + if (ret < 0) { + flb_error("[in_emitter] could not create collector"); + flb_free(ctx); +@@ -312,13 +356,31 @@ static int cb_emitter_init(struct flb_input_instance *in, + static void cb_emitter_pause(void *data, struct flb_config *config) + { + struct flb_emitter *ctx = data; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct input_ref *i_ref; ++ ++ /* Pause all known senders */ + flb_input_collector_pause(ctx->coll_fd, ctx->ins); ++ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ flb_input_pause(i_ref->i_ins); ++ } + } + + static void cb_emitter_resume(void *data, struct flb_config *config) + { + struct flb_emitter *ctx = data; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct input_ref *i_ref; ++ ++ /* Resume all known senders */ + flb_input_collector_resume(ctx->coll_fd, ctx->ins); ++ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ flb_input_resume(i_ref->i_ins); ++ } + } + + static int cb_emitter_exit(void *data, struct flb_config *config) +@@ -328,9 +390,9 @@ static int cb_emitter_exit(void *data, struct flb_config *config) + struct flb_emitter *ctx = data; + struct em_chunk *echunk; + struct em_chunk ec; ++ struct input_ref *i_ref; + int ret; + +- + mk_list_foreach_safe(head, tmp, &ctx->chunks) { + echunk = mk_list_entry(head, struct em_chunk, _head); + mk_list_del(&echunk->_head); +@@ -346,6 +408,13 @@ static int cb_emitter_exit(void *data, struct flb_config *config) + flb_ring_buffer_destroy(ctx->msgs); + } + ++ mk_list_foreach_safe(head,tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ mk_list_del(&i_ref->_head); ++ flb_free(i_ref); ++ } ++ ++ + flb_free(ctx); + return 0; + } + +From f6137ec60bdffc6f5c80e491b463541702438772 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: 
Fri, 12 Apr 2024 00:00:39 +0200 +Subject: [PATCH 5/6] flb_input: Add missing input resume message This commit + will add a resume message, when a paused input plugin is resumed. + +Signed-off-by: Richard Treu +--- + src/flb_input.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/flb_input.c b/src/flb_input.c +index a990a9d2805..7b614ccdb44 100644 +--- a/src/flb_input.c ++++ b/src/flb_input.c +@@ -1729,6 +1729,7 @@ int flb_input_resume(struct flb_input_instance *ins) + flb_input_thread_instance_resume(ins); + } + else { ++ flb_info("[input] resume %s", flb_input_name(ins)); + ins->p->cb_resume(ins->context, ins->config); + } + } + +From 3162d0c3db2f7df9392c6d880280b923002066b1 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Fri, 12 Apr 2024 00:02:03 +0200 +Subject: [PATCH 6/6] tests: filter_multiline: Add test for in_emitter pause by + using multiline This commit will add a test for pause functionality of + in_emitter. The test uses a small emitter buffer size, so the in_emitter will + definitely be paused. 
+ +Signed-off-by: Richard Treu +--- + tests/runtime/filter_multiline.c | 124 +++++++++++++++++++++++++++++++ + 1 file changed, 124 insertions(+) + +diff --git a/tests/runtime/filter_multiline.c b/tests/runtime/filter_multiline.c +index 18253a5b2c7..ed6ffb6b7cb 100644 +--- a/tests/runtime/filter_multiline.c ++++ b/tests/runtime/filter_multiline.c +@@ -2,6 +2,7 @@ + + #include + #include ++#include + #include "flb_tests_runtime.h" + + struct filter_test { +@@ -120,7 +121,34 @@ static int cb_check_str_list(void *record, size_t size, void *data) + return 0; + } + ++void wait_with_timeout(uint32_t timeout_ms, int *output_num, int expected) ++{ ++ struct flb_time start_time; ++ struct flb_time end_time; ++ struct flb_time diff_time; ++ uint64_t elapsed_time_flb = 0; ++ ++ flb_time_get(&start_time); ++ ++ while (true) { ++ *output_num = get_output_num(); ++ ++ if (*output_num == expected) { ++ break; ++ } ++ ++ flb_time_msleep(100); ++ flb_time_get(&end_time); ++ flb_time_diff(&end_time, &start_time, &diff_time); ++ elapsed_time_flb = flb_time_to_nanosec(&diff_time) / 1000000; + ++ if (elapsed_time_flb > timeout_ms) { ++ flb_warn("[timeout] elapsed_time: %ld", elapsed_time_flb); ++ // Reached timeout. 
++ break; ++ } ++ } ++} + + static struct filter_test *filter_test_create(struct flb_lib_out_cb *data) + { +@@ -682,6 +710,100 @@ static void flb_test_ml_buffered_16_streams() + filter_test_destroy(ctx); + } + ++/* This test will test the pausing of in_emitter */ ++static void flb_test_ml_buffered_16_streams_pausing() ++{ ++ struct flb_lib_out_cb cb_data; ++ struct filter_test *ctx; ++ int i_ffds[16] = {0}; ++ int ffd_num = sizeof(i_ffds)/sizeof(int); ++ int ret; ++ int i; ++ int j; ++ int bytes; ++ int len; ++ char line_buf[2048] = {0}; ++ char tag_buf[32] = {0}; ++ int line_num; ++ int num; ++ ++ char *expected_strs[] = {"Exception in thread main java.lang.IllegalStateException: ..null property\\n at com.example.myproject.Author.getBookIds(xx.java:38)\\n at com.example.myproject.Bootstrap.main(Bootstrap.java:14)\\nCaused by: java.lang.NullPointerException\\n at com.example.myproject.Book.getId(Book.java:22)\\n at com.example.myproject.Author.getBookIds(Author.java:35)\\n ... 1 more"}; ++ ++ struct str_list expected = { ++ .size = sizeof(expected_strs)/sizeof(char*), ++ .lists = &expected_strs[0], ++ .ignore_min_line_num = 64, ++ }; ++ ++ char *ml_logs[] = {"Exception in thread main java.lang.IllegalStateException: ..null property", ++ " at com.example.myproject.Author.getBookIds(xx.java:38)", ++ " at com.example.myproject.Bootstrap.main(Bootstrap.java:14)", ++ "Caused by: java.lang.NullPointerException", ++ " at com.example.myproject.Book.getId(Book.java:22)", ++ " at com.example.myproject.Author.getBookIds(Author.java:35)", ++ " ... 
1 more", ++ "single line"}; ++ ++ cb_data.cb = cb_check_str_list; ++ cb_data.data = (void *)&expected; ++ ++ clear_output_num(); ++ ++ line_num = sizeof(ml_logs)/sizeof(char*); ++ ++ /* Create test context */ ++ ctx = filter_test_create((void *) &cb_data); ++ if (!ctx) { ++ exit(EXIT_FAILURE); ++ } ++ flb_service_set(ctx->flb, ++ "Flush", "0.100000000", ++ "Grace", "2", ++ NULL); ++ ++ i_ffds[0] = ctx->i_ffd; ++ for (i=1; iflb, (char *) "lib", NULL); ++ TEST_CHECK(i_ffds[i] >= 0); ++ sprintf(&tag_buf[0], "test%d", i); ++ flb_input_set(ctx->flb, i_ffds[i], "tag", tag_buf, NULL); ++ } ++ ++ /* Configure filter */ ++ /* Set mem_buf_limit small, so in_emitter will be paused */ ++ ret = flb_filter_set(ctx->flb, ctx->f_ffd, ++ "multiline.key_content", "log", ++ "multiline.parser", "java", ++ "buffer", "on", ++ "debug_flush", "on", ++ "emitter_mem_buf_limit", "1k", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ ++ /* Start the engine */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ for (i=0; iflb, i_ffds[j], &line_buf[0], len); ++ TEST_CHECK(bytes == len); ++ } ++ } ++ wait_with_timeout(20000, &num, ffd_num); ++ ++ if (!TEST_CHECK(num > 0)) { ++ TEST_MSG("output error. got %d expect more than 0 records.", num); ++ /* The internal flb_lib_push cannot be paused, so records may be lost */ ++ /* However, there should be at least some records */ ++ } ++ ++ filter_test_destroy(ctx); ++} ++ + + + +@@ -695,5 +817,7 @@ TEST_LIST = { + + {"flb_test_multiline_partial_message_concat" , flb_test_multiline_partial_message_concat }, + {"flb_test_multiline_partial_message_concat_two_ids" , flb_test_multiline_partial_message_concat_two_ids }, ++ ++ {"ml_buffered_16_streams_pausing" , flb_test_ml_buffered_16_streams_pausing }, + {NULL, NULL} + }; From 7b83725990aee6d4abddcdd3931b45cc5a3997dc Mon Sep 17 00:00:00 2001 
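Review bot: In part 4/6 of this patch, the new source-input tracking in `in_emitter_add_record` returns `FLB_FILTER_NOTOUCH` when `flb_malloc` for the `input_ref` fails, which is a filter result code rather than an emitter error. The visible caller `partial_timer_cb` only treats `ret < 0` as a failure, so if that constant is non-negative (as the filter codes appear to be) the record is dropped under memory pressure without any warning, which is silent log loss in a pipeline that may carry audit data. Returning an error, `flb_errno(); return -1;`, would keep the failure visible to callers. The same block appends to `ctx->i_ins_list` while `cb_emitter_pause` and `cb_emitter_resume` walk it, and the struct comment describes the ring buffer as being for cross-thread messages. No lock is visible in the patch, so confirm that all three run on the same thread and that the borrowed `i_ins` pointers cannot outlive their input instances.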
From: Rachel Menge Date: Fri, 7 Jun 2024 14:34:36 -0700 Subject: [PATCH 25/31] Upgrade kernel to 5.15.158.2 (#9358) 5.15.157.1 introduced a failure with network hairpinning on AKS. Upgrade to 5.15.158.2 which has the commit [dceb683] reverted. --- .../kernel-azure-signed.spec | 5 ++++- .../kernel-hci-signed/kernel-hci-signed.spec | 5 ++++- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS/hyperv-daemons/CVE-2024-35848.nopatch | 3 --- .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- SPECS/kernel-azure/config | 2 +- SPECS/kernel-azure/config_aarch64 | 2 +- .../kernel-azure/kernel-azure.signatures.json | 6 +++--- SPECS/kernel-azure/kernel-azure.spec | 5 ++++- SPECS/kernel-hci/config | 2 +- SPECS/kernel-hci/kernel-hci.signatures.json | 4 ++-- SPECS/kernel-hci/kernel-hci.spec | 5 ++++- .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/CVE-2024-26900.nopatch | 3 --- SPECS/kernel/config | 2 +- SPECS/kernel/config_aarch64 | 2 +- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 5 ++++- cgmanifest.json | 20 +++++++++---------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 4 ++-- 25 files changed, 62 insertions(+), 44 deletions(-) delete mode 100644 SPECS/hyperv-daemons/CVE-2024-35848.nopatch delete mode 100644 SPECS/kernel/CVE-2024-26900.nopatch diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec index b26ee43dca0..361e932e2e8 100644 --- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec +++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec 
@@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for Azure Name: kernel-azure-signed-%{buildarch} -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec index 68ceaec6efb..0019e0b0414 100644 --- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec +++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec @@ -4,7 +4,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for HCI Name: kernel-hci-signed-%{buildarch} -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index a00e8454208..a653691a317 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS/hyperv-daemons/CVE-2024-35848.nopatch b/SPECS/hyperv-daemons/CVE-2024-35848.nopatch deleted file mode 100644 index 2a7d2f2a860..00000000000 --- a/SPECS/hyperv-daemons/CVE-2024-35848.nopatch +++ /dev/null @@ -1,3 +0,0 @@ -CVE-2024-35848 - in version 5.15.159.1 -upstream: f42c97027fb75776e2e9358d16bf4a99aeb04cf2 -stable: 26d32bec4c6d255a03762f33c637bfa3718be15a diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 26b832bb774..3f8befe9742 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index dcfc5f62f60..1631f9e2c40 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation 
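Review bot: The `Version:` change from 5.15.159.1 to 5.15.158.2 in this hunk is a downgrade, and nothing in the commit records that CVE fixes are given up with it. The same commit deletes `CVE-2024-35848.nopatch` (just above) and `CVE-2024-26900.nopatch` (under SPECS/kernel), both of which recorded the fix as arriving "in version 5.15.159.1". Presumably both CVEs are open again on 5.15.158.2 unless the fixes were backported into that tag, yet the added `%changelog` entries say only "Revert to 5.15.158.2". I would extend the entry, e.g. `- Revert to 5.15.158.2; CVE-2024-35848 (fixed in 5.15.159.1) is no longer covered` here and the CVE-2024-26900 equivalent in kernel.spec, so the exposure is tracked until the next upgrade. Because `Release` stays at `1%{?dist}` and no Epoch is visible in the hunk, also confirm that hosts already on 5.15.159.1-1 will actually receive the lower version.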
@@ -219,6 +219,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS/kernel-azure/config b/SPECS/kernel-azure/config index 302e2e28e07..ff6707020a2 100644 --- a/SPECS/kernel-azure/config +++ b/SPECS/kernel-azure/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.159.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-azure/config_aarch64 b/SPECS/kernel-azure/config_aarch64 index 9a88a176c9e..9c2822f6220 100644 --- a/SPECS/kernel-azure/config_aarch64 +++ b/SPECS/kernel-azure/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.159.1 Kernel Configuration +# Linux/arm64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-azure/kernel-azure.signatures.json b/SPECS/kernel-azure/kernel-azure.signatures.json index 4c66263ed65..df2048e9d92 100644 --- a/SPECS/kernel-azure/kernel-azure.signatures.json +++ b/SPECS/kernel-azure/kernel-azure.signatures.json 
@@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "77c866dee4e6ade4d24a525f66c839d6000164cc77022122bf7c799783f569da", - "config_aarch64": "82d3529ac9b6bba268991521d177cfc158f8b5d7dfe22016b5015935fcbb3b82", + "config": "7650bca555140f8b2c2e6b03709da0a8d730993215e9d28751068c799100c7bf", + "config_aarch64": "1c9733a974fa2aa7f38ae3c05887921cb7e94db0f2d5e37f85780da5824dab38", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel-azure/kernel-azure.spec b/SPECS/kernel-azure/kernel-azure.spec index 7e30833cd45..5f18e514b46 100644 --- a/SPECS/kernel-azure/kernel-azure.spec +++ b/SPECS/kernel-azure/kernel-azure.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel-azure -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS/kernel-hci/config b/SPECS/kernel-hci/config index 8d165af96e0..8c432a9df1e 100644 --- a/SPECS/kernel-hci/config +++ b/SPECS/kernel-hci/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.159.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hci/kernel-hci.signatures.json b/SPECS/kernel-hci/kernel-hci.signatures.json index 1fc99cbd62b..6af05f9b10d 100644 --- a/SPECS/kernel-hci/kernel-hci.signatures.json 
+++ b/SPECS/kernel-hci/kernel-hci.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "a87f0f1b7b22e314f5570892020bc99928eb108c86f2612db1a5a30274f4e9c7", - "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" + "config": "c8c6eb36480dc13723e2c29f8df52b2557c88c5fd2c6b28acedd763f90954855", + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel-hci/kernel-hci.spec b/SPECS/kernel-hci/kernel-hci.spec index a56ddfb2772..e0788a07278 100644 --- a/SPECS/kernel-hci/kernel-hci.spec +++ b/SPECS/kernel-hci/kernel-hci.spec @@ -17,7 +17,7 @@ %define config_source %{SOURCE1} Summary: Linux Kernel for HCI Name: kernel-hci -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -547,6 +547,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index e0cc1d2e957..1226bbd6072 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index b73cdb4ecaa..bb81130cdde 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec 
@@ -11,7 +11,7 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -73,6 +73,9 @@ done %endif %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/SPECS/kernel/CVE-2024-26900.nopatch b/SPECS/kernel/CVE-2024-26900.nopatch deleted file mode 100644 index 2f8092715db..00000000000 --- a/SPECS/kernel/CVE-2024-26900.nopatch +++ /dev/null @@ -1,3 +0,0 @@ -CVE-2024-26900 - in version 5.15.159.1 -upstream: 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 -stable: f3a1787dc48213f6caea5ba7d47e0222e7fa34a9 diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 84845cefb45..e9f1648a87d 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.159.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index da1d71a5702..4dd532bba17 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.159.1 Kernel Configuration +# Linux/arm64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 618728097de..f9ae0436f3a 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json 
@@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "06d85c7e3e286274d246f834eaf37258e13b0b391421376fa55f243230d728e9", - "config_aarch64": "9de72286da24a8e90052238d13f24621a48835a1b45a35740887ad27ef749448", + "config": "4c524dadcc8f306d8cd9e34ba5aa03cf1fb6b1f40fca0b811861ac09d916f4a8", + "config_aarch64": "764d801459dd24b7676b30a6fa05c68bf544ff8b577bd8085adbe01d56b8c697", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.159.1.tar.gz": "2936521edcf244601b35cc6bbda543ea39a5b65d938789499d347832a3cdbd0a" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 928f3f3bc0e..84e20b0b7bb 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel -Version: 5.15.159.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -426,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + * Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 - Auto-upgrade to 5.15.159.1 diff --git a/cgmanifest.json b/cgmanifest.json index e5c7f5946cd..bc128179d24 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -6560,8 +6560,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.15.159.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" + "version": "5.15.158.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" } } }, 
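Review bot: The changelog entry added in the `%changelog` hunk of SPECS/kernel/kernel.spec says only `- Revert to 5.15.158.2` and does not record that the revert drops a CVE fix. The same commit deletes SPECS/kernel/CVE-2024-26900.nopatch, which marked that CVE as addressed "in version 5.15.159.1". Unless a backport is added in a part of the commit not shown here, the kernel packages appear to be exposed to CVE-2024-26900 again, with nothing left for scanners or for whoever performs the next upgrade. I would extend the entry to something like `- Revert to 5.15.158.2 (drops the CVE-2024-26900 fix that arrived with 5.15.159.1)` and add the reason for the revert; the identical entries in kernel-azure.spec, kernel-hci.spec and kernel-headers.spec need the same. Separately, `Version:` goes down while `Release: 1%{?dist}` is unchanged in the visible lines, so hosts already on 5.15.159.1-1 will presumably not take this build as an update; confirm that is intended.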
@@ -8151,8 +8151,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.15.159.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" + "version": "5.15.158.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" } } }, @@ -8161,8 +8161,8 @@ "type": "other", "other": { "name": "kernel-azure", - "version": "5.15.159.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" + "version": "5.15.158.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" } } }, @@ -8171,8 +8171,8 @@ "type": "other", "other": { "name": "kernel-hci", - "version": "5.15.159.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" + "version": "5.15.158.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" } } }, @@ -8181,8 +8181,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.15.159.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.159.1.tar.gz" + "version": "5.15.158.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.158.2.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 773b4f1a96b..bc2feecbd8b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.aarch64.rpm -kernel-headers-5.15.159.1-1.cm2.noarch.rpm +kernel-headers-5.15.158.2-1.cm2.noarch.rpm glibc-2.35-7.cm2.aarch64.rpm glibc-devel-2.35-7.cm2.aarch64.rpm glibc-i18n-2.35-7.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index d9111b4c210..0e05ce84966 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-20.cm2.x86_64.rpm -kernel-headers-5.15.159.1-1.cm2.noarch.rpm +kernel-headers-5.15.158.2-1.cm2.noarch.rpm glibc-2.35-7.cm2.x86_64.rpm glibc-devel-2.35-7.cm2.x86_64.rpm glibc-i18n-2.35-7.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index be184558ac1..207ade588d1 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.aarch64.rpm kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm -kernel-headers-5.15.159.1-1.cm2.noarch.rpm +kernel-headers-5.15.158.2-1.cm2.noarch.rpm kmod-29-2.cm2.aarch64.rpm kmod-debuginfo-29-2.cm2.aarch64.rpm kmod-devel-29-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 4a3ac265920..54d771d66eb 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -141,8 +141,8 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.x86_64.rpm kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm -kernel-cross-headers-5.15.159.1-1.cm2.noarch.rpm -kernel-headers-5.15.159.1-1.cm2.noarch.rpm +kernel-cross-headers-5.15.158.2-1.cm2.noarch.rpm +kernel-headers-5.15.158.2-1.cm2.noarch.rpm kmod-29-2.cm2.x86_64.rpm kmod-debuginfo-29-2.cm2.x86_64.rpm kmod-devel-29-2.cm2.x86_64.rpm From 3a89a883d269f6cd68004c3b4827d9eb4f351fe1 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 7 Jun 2024 14:41:53 -0700 Subject: [PATCH 26/31] [AUTO-CHERRYPICK] Upgrade openvswitch to 2.17.9 to fix CVE-2023-5366 and CVE-2023-3966 - branch main (#9301) Co-authored-by: Bala --- SPECS/openvswitch/CVE-2023-1668.patch | 436 ------------------ SPECS/openvswitch/openvswitch.signatures.json | 6 +- SPECS/openvswitch/openvswitch.spec | 9 +- cgmanifest.json | 4 +- 4 files changed, 11 insertions(+), 444 deletions(-) delete mode 100644 SPECS/openvswitch/CVE-2023-1668.patch diff --git a/SPECS/openvswitch/CVE-2023-1668.patch b/SPECS/openvswitch/CVE-2023-1668.patch deleted file mode 100644 index e4c169d591e..00000000000 --- a/SPECS/openvswitch/CVE-2023-1668.patch +++ /dev/null 
@@ -1,436 +0,0 @@ -From 27fb5db7f727ffc056f024f9ba4936facccb5f40 Mon Sep 17 00:00:00 2001 -From: Aaron Conole -Date: Fri, 31 Mar 2023 17:17:27 -0400 -Subject: [PATCH] ofproto-dpif-xlate: Always mask ip proto field. - -The ofproto layer currently treats nw_proto field as overloaded to mean -both that a proper nw layer exists, as well as the value contained in -the header for the nw proto. However, this is incorrect behavior as -relevant standards permit that any value, including '0' should be treated -as a valid value. - -Because of this overload, when the ofproto layer builds action list for -a packet with nw_proto of 0, it won't build the complete action list that -we expect to be built for the packet. That will cause a bad behavior -where all packets passing the datapath will fall into an incomplete -action set. - -The fix here is to unwildcard nw_proto, allowing us to preserve setting -actions for protocols which we know have support for the actions we -program. This means that a traffic which contains nw_proto == 0 cannot -cause connectivity breakage with other traffic on the link. 
- -Reported-by: David Marchand -Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873 -Acked-by: Ilya Maximets -Signed-off-by: Aaron Conole -Signed-off-by: Ilya Maximets ---- - include/openvswitch/meta-flow.h | 4 + - lib/meta-flow.c | 25 +++++ - ofproto/ofproto-dpif-xlate.c | 8 ++ - tests/ofproto-dpif.at | 18 ++-- - tests/ofproto.at | 182 ++++++++++++++++++++++++++++++++ - tests/packet-type-aware.at | 2 +- - 6 files changed, 229 insertions(+), 10 deletions(-) - -diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h -index 045dce8f5..3b0220aaa 100644 ---- a/include/openvswitch/meta-flow.h -+++ b/include/openvswitch/meta-flow.h -@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s); - void field_array_set(enum mf_field_id id, const union mf_value *, - struct field_array *); - -+/* Mask the required l3 prerequisites if a 'set' action occurs. */ -+void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *, -+ struct flow_wildcards *); -+ - #ifdef __cplusplus - } - #endif -diff --git a/lib/meta-flow.c b/lib/meta-flow.c -index c576ae620..474344194 100644 ---- a/lib/meta-flow.c -+++ b/lib/meta-flow.c -@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x) - bitmap_not(x.bm, MFF_N_IDS); - return x; - } -+ -+void -+mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl, -+ struct flow_wildcards *wc) -+{ -+ if (is_ip_any(fl) && -+ ((mf->id == MFF_IPV4_SRC) || -+ (mf->id == MFF_IPV4_DST) || -+ (mf->id == MFF_IPV6_SRC) || -+ (mf->id == MFF_IPV6_DST) || -+ (mf->id == MFF_IPV6_LABEL) || -+ (mf->id == MFF_IP_DSCP) || -+ (mf->id == MFF_IP_ECN) || -+ (mf->id == MFF_IP_TTL))) { -+ WC_MASK_FIELD(wc, nw_proto); -+ } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) && -+ ((mf->id == MFF_ARP_OP) || -+ (mf->id == MFF_ARP_SHA) || -+ (mf->id == MFF_ARP_THA) || -+ (mf->id == MFF_ARP_SPA) || -+ (mf->id == MFF_ARP_TPA))) { -+ /* mask only the lower 8 bits. 
*/ -+ wc->masks.nw_proto = 0xff; -+ } -+} -diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c -index 8a28b29d4..c9bd075a9 100644 ---- a/ofproto/ofproto-dpif-xlate.c -+++ b/ofproto/ofproto-dpif-xlate.c -@@ -5186,6 +5186,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids) - } - - ctx->wc->masks.nw_ttl = 0xff; -+ WC_MASK_FIELD(ctx->wc, nw_proto); - if (flow->nw_ttl > 1) { - flow->nw_ttl--; - return false; -@@ -7094,6 +7095,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - case OFPACT_SET_IPV4_SRC: - if (flow->dl_type == htons(ETH_TYPE_IP)) { - memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src); -+ WC_MASK_FIELD(wc, nw_proto); - flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4; - } - break; -@@ -7101,12 +7103,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - case OFPACT_SET_IPV4_DST: - if (flow->dl_type == htons(ETH_TYPE_IP)) { - memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst); -+ WC_MASK_FIELD(wc, nw_proto); - flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4; - } - break; - - case OFPACT_SET_IP_DSCP: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_tos |= IP_DSCP_MASK; - flow->nw_tos &= ~IP_DSCP_MASK; - flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp; -@@ -7115,6 +7119,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_SET_IP_ECN: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_tos |= IP_ECN_MASK; - flow->nw_tos &= ~IP_ECN_MASK; - flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn; -@@ -7123,6 +7128,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_SET_IP_TTL: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_ttl = 0xff; - flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl; - } -@@ -7190,6 +7196,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - /* Set the field only if the packet actually has it. 
*/ - if (mf_are_prereqs_ok(mf, flow, wc)) { -+ mf_set_mask_l3_prereqs(mf, flow, wc); - mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc); - mf_set_flow_value_masked(mf, set_field->value, - ofpact_set_field_mask(set_field), -@@ -7246,6 +7253,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_DEC_TTL: - wc->masks.nw_ttl = 0xff; -+ WC_MASK_FIELD(wc, nw_proto); - if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) { - return; - } -diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at -index bc981f8fc..71c267b3a 100644 ---- a/tests/ofproto-dpif.at -+++ b/tests/ofproto-dpif.at -@@ -720,7 +720,7 @@ table=2 ip actions=set_field:192.168.3.91->ip_src,output(11) - AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt]) - AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13 - ]) - OVS_VSWITCHD_STOP -@@ -783,7 +783,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds - # Must match on the source address to be able to restore it's value for - # the second bucket - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 - ]) - OVS_VSWITCHD_STOP -@@ -815,7 +815,7 @@ done - AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' | sed 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl - 
flow-dump from the main thread: - recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:hash(sym_l4(0)),recirc(0x1) --recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 -+recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 - ]) - - OVS_VSWITCHD_STOP -@@ -830,7 +830,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds - # Must match on the source address to be able to restore it's value for - # the third bucket - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 - ]) - OVS_VSWITCHD_STOP -@@ -1407,17 +1407,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' -generate], [0], [stdout]) - AT_CHECK([tail -4 stdout], [0], [ - Final flow: ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no --Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no -+Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no - Datapath actions: set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4 - ]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no -+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no - Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4 - ]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no -+ [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no - Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4 - ]) - -@@ -1527,7 +1527,7 @@ AT_CHECK([ovs-vsctl -- \ - --id=@q2 create Queue dscp=2], [0], [ignore]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no -+ [Megaflow: recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no - Datapath actions: dnl - 100,dnl - set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl -@@ -11703,7 +11703,7 @@ ovs-ofctl dump-flows br0 - - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) - AT_CHECK([tail -3 stdout], [0], [dnl --Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no -+Megaflow: recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no - Datapath actions: drop - 
Translation failed (Recursion too deep), packet is dropped. - ]) -diff --git a/tests/ofproto.at b/tests/ofproto.at -index 39c3b0470..32bde5b5a 100644 ---- a/tests/ofproto.at -+++ b/tests/ofproto.at -@@ -6448,3 +6448,185 @@ verify_deleted - - OVS_VSWITCHD_STOP(["/nw_dst,output=2 -+table=0 in_port=1 priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2 -+table=0 in_port=1 priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2 -+table=0 in_port=1 priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl send a proto 0 packet to try and poison the DP flow path -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ -+ '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 -+]) -+ -+dnl Send ICMP for mod nw_src and mod nw_dst -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will dec TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod ECN -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set DST -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set SRC -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), 
packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2 -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -+ -+AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+ -+AT_DATA([flows.txt], [dnl -+table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2 -+table=0 in_port=1 priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2 -+table=0 in_port=1 priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2 -+table=0 in_port=1 priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2 -+table=0 in_port=1 priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2 -+table=0 in_port=1 
priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2 -+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2 -+table=0 in_port=1 priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl send a proto 0 packet to try and poison the DP flow path -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) -+]) -+ -+dnl Send ICMP for mod nw_src and mod nw_dst -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will dec TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod ECN 
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will set LABEL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), packets:0, bytes:0, used:never, 
actions:set(ipv6(dst=2112:db8::2)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2 -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -+ -+AT_SETUP([ofproto - implicit mask of ARP OPer field]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+ -+AT_DATA([flows.txt], [dnl -+table=0 in_port=1 priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2 -+table=0 in_port=1 priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2 -+table=0 in_port=1 priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2 -+table=0 in_port=1 priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2 -+table=0 in_port=1 priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2 -+table=0 in_port=1 priority=1,actions=drop -+]) -+ -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl Send op == 0 packet -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ -+ 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 -+]) -+ -+dnl Send op 2 -> set op -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set SHA -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set THA -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set SIP -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set TIP -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), 
packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at -index 054dcc9cc..38d839e85 100644 ---- a/tests/packet-type-aware.at -+++ b/tests/packet-type-aware.at -@@ -1021,7 +1021,7 @@ AT_CHECK([ - ], [0], [flow-dump from the main thread: - recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys) - tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), packets:3, bytes:264, used:0.0s, actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1) --tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br -+tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br - ]) - - ovs-appctl time/warp 1000 --- -2.25.1 - diff --git a/SPECS/openvswitch/openvswitch.signatures.json b/SPECS/openvswitch/openvswitch.signatures.json index 1b0c6bc4d11..fac94de951b 100644 --- a/SPECS/openvswitch/openvswitch.signatures.json +++ b/SPECS/openvswitch/openvswitch.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "openvswitch-2.17.5.tar.gz": "5a8c9efb3522923746588a7ca510c10bb0ac52b9c89df276ddbc8673116dc106" - } + "Signatures": { + "openvswitch-2.17.9.tar.gz": "e1b3fa472676626853f22d63f959e5ad061e1bf57e1bbd444d0ed88f947ef8b1" + } } \ No newline at end of file 
diff --git a/SPECS/openvswitch/openvswitch.spec b/SPECS/openvswitch/openvswitch.spec index 8c620b8d5bc..8c2736eebb5 100644 --- a/SPECS/openvswitch/openvswitch.spec +++ b/SPECS/openvswitch/openvswitch.spec @@ -7,8 +7,8 @@ Summary: Open vSwitch daemon/database/utilities Name: openvswitch -Version: 2.17.5 -Release: 3%{?dist} +Version: 2.17.9 +Release: 1%{?dist} License: ASL 2.0 AND LGPLv2+ AND SISSL Vendor: Microsoft Corporation Distribution: Mariner @@ -50,7 +50,6 @@ Requires(post): /bin/sed Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -Patch0: CVE-2023-1668.patch %description @@ -374,6 +373,10 @@ fi %{_unitdir}/openvswitch-ipsec.service %changelog +* Fri May 31 2023 Bala - 2.17.9-1 +- Upgrade to 2.17.9 to fix CVE-2023-5366 and CVE-2023-3966 +- Remove patch CVE-2023-1668.patch as the CVE fix is available from 2.17.6 + * Wed Sep 20 2023 Jon Slobodzian - 2.17.5-3 - Recompile with stack-protection fixed gcc version (CVE-2023-4039) diff --git a/cgmanifest.json b/cgmanifest.json index bc128179d24..72396983b78 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -15584,8 +15584,8 @@ "type": "other", "other": { "name": "openvswitch", - "version": "2.17.5", - "downloadUrl": "http://openvswitch.org/releases/openvswitch-2.17.5.tar.gz" + "version": "2.17.9", + "downloadUrl": "http://openvswitch.org/releases/openvswitch-2.17.9.tar.gz" } } }, From e2c8d9e5dad01c0a43e709dce71433956110de76 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 7 Jun 2024 14:54:22 -0700
Subject: [PATCH 27/31] [FASTTRACK-CHERRYPICK] openssl: Fix CVE-2023-50782 affecting python-cryptography - branch main (#9318)
Co-authored-by: J Camposeco <108859819+jcamposeco@users.noreply.github.com>
Co-authored-by: Juan Camposeco
---
 ...enssl-1.1.1-pkcs1-implicit-rejection.patch | 1141 +++++++++++++++++
 SPECS/openssl/openssl.spec | 11 +-
 .../manifests/package/pkggen_core_aarch64.txt | 10 +-
 .../manifests/package/pkggen_core_x86_64.txt | 10 +-
 .../manifests/package/toolchain_aarch64.txt | 12 +-
 .../manifests/package/toolchain_x86_64.txt | 12 +-
 6 files changed, 1171 insertions(+), 25 deletions(-)
 create mode 100644 SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch
diff --git a/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch b/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch
new file mode 100644
index 00000000000..f3c2b9b66f4
--- /dev/null
+++ b/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch
@@ -0,0 +1,1141 @@
+--- openssl-1.1.1k/doc/man3/EVP_PKEY_CTX_ctrl.pod.pkcs1-implicit-rejection 2023-11-17 17:29:02.881552878 +0100
++++ openssl-1.1.1k/doc/man3/EVP_PKEY_CTX_ctrl.pod 2023-11-17 17:29:02.923553658 +0100
+@@ -256,6 +256,15 @@ B