Merge for Mariner 2.0 January 2024 Update 2 (#7289)

.github/workflows/go-test-coverage.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
 
     - name: Set up Go 1.x
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: '${{ env.EXPECTED_GO_VERSION }}'
       id: go

.github/workflows/quickstart_1.0.yml

@@ -21,7 +21,7 @@ jobs:
         ref: '1.0-stable'
 
     - name: Set up Go 1.19
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: 1.19
       id: go
@@ -49,7 +49,7 @@ jobs:
         ref: '1.0-stable'
 
     - name: Set up Go 1.19
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: 1.19
       id: go
@@ -76,7 +76,7 @@ jobs:
         ref: '1.0-stable'
 
     - name: Set up Go 1.19
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: 1.19
       id: go

.github/workflows/quickstart_2.0.yml

@@ -21,7 +21,7 @@ jobs:
         ref: '2.0-stable'
 
     - name: Set up Go 1.20
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: 1.20
       id: go
@@ -50,7 +50,7 @@ jobs:
         ref: '2.0-stable'
 
     - name: Set up Go 1.20
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: 1.20
       id: go
@@ -78,7 +78,7 @@ jobs:
         ref: '2.0-stable'
 
     - name: Set up Go 1.20
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: 1.20
       id: go

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.139.1
+Version:        5.15.145.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Jan 16 2024 Gary Swalling <[email protected]> - 5.15.145.2-1
+- Update to 5.15.145.2
+
 * Tue Dec 05 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.139.1-1
 - Auto-upgrade to 5.15.139.1
 

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.139.1
+Version:        5.15.145.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Jan 16 2024 Gary Swalling <[email protected]> - 5.15.145.2-1
+- Update to 5.15.145.2
+
 * Tue Dec 05 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.139.1-1
 - Auto-upgrade to 5.15.139.1
 

SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for MOS systems
 Name:           kernel-mos-signed-%{buildarch}
-Version:        5.15.139.1
+Version:        5.15.145.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Jan 16 2024 Gary Swalling <[email protected]> - 5.15.145.2-1
+- Update to 5.15.145.2
+
 * Mon Dec 11 2023 Rachel Menge <[email protected]> - 5.15.139.1-1
 - Update to 5.15.139.1
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.139.1
+Version:        5.15.145.2
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Jan 16 2024 Gary Swalling <[email protected]> - 5.15.145.2-1
+- Update to 5.15.145.2
+
 * Tue Dec 05 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.139.1-1
 - Auto-upgrade to 5.15.139.1
 

SPECS/fluent-bit/CVE-2023-52284.patch

@@ -0,0 +1,154 @@
+diff --git a/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_loader.c
+index a3c4f42..eb7bf58 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_loader.c
++++ b/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_loader.c
+@@ -5475,6 +5475,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
+     return true;
+ }
+
++#if WASM_ENABLE_FAST_INTERP == 0
+ static bool
+ wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
+                                uint8 type_push, uint8 type_pop, char *error_buf,
+@@ -5489,6 +5490,7 @@ wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
+         return false;
+     return true;
+ }
++#endif
+
+ static bool
+ wasm_loader_push_frame_csp(WASMLoaderContext *ctx, uint8 label_type,
+@@ -6165,27 +6167,6 @@ wasm_loader_pop_frame_offset(WASMLoaderContext *ctx, uint8 type,
+     return true;
+ }
+
+-static bool
+-wasm_loader_push_pop_frame_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
+-                                  uint8 type_push, uint8 type_pop,
+-                                  bool disable_emit, int16 operand_offset,
+-                                  char *error_buf, uint32 error_buf_size)
+-{
+-    uint8 i;
+-
+-    for (i = 0; i < pop_cnt; i++) {
+-        if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
+-                                          error_buf_size))
+-            return false;
+-    }
+-    if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
+-                                       operand_offset, error_buf,
+-                                       error_buf_size))
+-        return false;
+-
+-    return true;
+-}
+-
+ static bool
+ wasm_loader_push_frame_ref_offset(WASMLoaderContext *ctx, uint8 type,
+                                   bool disable_emit, int16 operand_offset,
+@@ -6219,12 +6200,24 @@ wasm_loader_push_pop_frame_ref_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
+                                       bool disable_emit, int16 operand_offset,
+                                       char *error_buf, uint32 error_buf_size)
+ {
+-    if (!wasm_loader_push_pop_frame_offset(ctx, pop_cnt, type_push, type_pop,
+-                                           disable_emit, operand_offset,
+-                                           error_buf, error_buf_size))
++    uint8 i;
++
++    for (i = 0; i < pop_cnt; i++) {
++        if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
++                                          error_buf_size))
++            return false;
++
++        if (!wasm_loader_pop_frame_ref(ctx, type_pop, error_buf,
++                                       error_buf_size))
++            return false;
++    }
++
++    if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
++                                       operand_offset, error_buf,
++                                       error_buf_size))
+         return false;
+-    if (!wasm_loader_push_pop_frame_ref(ctx, pop_cnt, type_push, type_pop,
+-                                        error_buf, error_buf_size))
++        
++    if (!wasm_loader_push_frame_ref(ctx, type_push, error_buf, error_buf_size))
+         return false;
+
+     return true;
+diff --git a/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_mini_loader.c
+index aa5e18f..83be375 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_mini_loader.c
++++ b/lib/wasm-micro-runtime-WAMR-1.2.2/core/iwasm/interpreter/wasm_mini_loader.c
+@@ -3936,6 +3936,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
+     return true;
+ }
+
++#if WASM_ENABLE_FAST_INTERP == 0
+ static bool
+ wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
+                                uint8 type_push, uint8 type_pop, char *error_buf,
+@@ -3950,6 +3951,7 @@ wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
+         return false;
+     return true;
+ }
++#endif
+
+ static bool
+ wasm_loader_push_frame_csp(WASMLoaderContext *ctx, uint8 label_type,
+@@ -4607,25 +4609,6 @@ wasm_loader_pop_frame_offset(WASMLoaderContext *ctx, uint8 type,
+     return true;
+ }
+
+-static bool
+-wasm_loader_push_pop_frame_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
+-                                  uint8 type_push, uint8 type_pop,
+-                                  bool disable_emit, int16 operand_offset,
+-                                  char *error_buf, uint32 error_buf_size)
+-{
+-    for (int i = 0; i < pop_cnt; i++) {
+-        if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
+-                                          error_buf_size))
+-            return false;
+-    }
+-    if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
+-                                       operand_offset, error_buf,
+-                                       error_buf_size))
+-        return false;
+-
+-    return true;
+-}
+-
+ static bool
+ wasm_loader_push_frame_ref_offset(WASMLoaderContext *ctx, uint8 type,
+                                   bool disable_emit, int16 operand_offset,
+@@ -4659,12 +4642,24 @@ wasm_loader_push_pop_frame_ref_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
+                                       bool disable_emit, int16 operand_offset,
+                                       char *error_buf, uint32 error_buf_size)
+ {
+-    if (!wasm_loader_push_pop_frame_offset(ctx, pop_cnt, type_push, type_pop,
+-                                           disable_emit, operand_offset,
+-                                           error_buf, error_buf_size))
++    uint8 i;
++
++    for (i = 0; i < pop_cnt; i++) {
++        if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
++                                          error_buf_size))
++            return false;
++
++        if (!wasm_loader_pop_frame_ref(ctx, type_pop, error_buf,
++                                       error_buf_size))
++            return false;
++    }
++
++    if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
++                                       operand_offset, error_buf,
++                                       error_buf_size))
+         return false;
+-    if (!wasm_loader_push_pop_frame_ref(ctx, pop_cnt, type_push, type_pop,
+-                                        error_buf, error_buf_size))
++        
++    if (!wasm_loader_push_frame_ref(ctx, type_push, error_buf, error_buf_size))
+         return false;
+
+     return true;

SPECS/fluent-bit/fluent-bit.spec

@@ -1,13 +1,14 @@
 Summary:        Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name:           fluent-bit
 Version:        2.1.10
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://fluentbit.io
 Source0:        https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         CVE-2023-48105.patch
+Patch1:         CVE-2023-52284.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
@@ -38,7 +39,7 @@ Requires:       %{name} = %{version}
 Development files for %{name}
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 
@@ -81,6 +82,10 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Wed Jan 10 2024 Henry Li <[email protected]> - 2.1.10-3
+- Address CVE-2023-52284
+- Change to autosetup
+
 * Wed Dec 06 2023 Chris Gunn <[email protected]> - 2.1.10-2
 - CVE-2023-48105
 

SPECS/hyperv-daemons/hyperv-daemons.signatures.json

@@ -7,6 +7,6 @@
     "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-5.15.139.1.tar.gz": "7dc657637a9ef4d2491eeae364e6ab0132ea4db3b1a9db7c2601eaf009200459"
+    "kernel-5.15.145.2.tar.gz": "5f09cdfe9d04b035d98d5aa5b22dd03e3cd6350ace51dab5c3ceea9283da7b0a"
   }
 }

SPECS/hyperv-daemons/hyperv-daemons.spec

@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.15.139.1
+Version:        5.15.145.2
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -219,6 +219,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Tue Jan 16 2024 Gary Swalling <[email protected]> - 5.15.145.2-1
+- Update to 5.15.145.2
+
 * Tue Dec 05 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.139.1-1
 - Auto-upgrade to 5.15.139.1
 

SPECS/kernel-azure/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.139.1 Kernel Configuration
+# Linux/x86_64 5.15.145.2 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y

SPECS/kernel-azure/config_aarch64

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.139.1 Kernel Configuration
+# Linux/arm64 5.15.145.2 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@@ -3385,7 +3385,6 @@ CONFIG_DWMAC_ROCKCHIP=m
 CONFIG_DWMAC_SUN8I=m
 CONFIG_DWMAC_IMX8=m
 # CONFIG_DWMAC_INTEL_PLAT is not set
-# CONFIG_DWMAC_LOONGSON is not set
 # CONFIG_STMMAC_PCI is not set
 CONFIG_NET_VENDOR_SUN=y
 CONFIG_HAPPYMEAL=m