diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch deleted file mode 100644 index d182f16619a..00000000000 --- a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch +++ /dev/null 
@@ -1,364 +0,0 @@ -From 253029f7ffbade99588df59a8b89a35d99197fe0 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Tue, 18 Jan 2022 10:19:28 +0100 -Subject: [PATCH] Port upstream patch - https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 - -Differences: -- Removed tests -- Removed some comments that don't merge -- Line numbers and such - -Based on: - -From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 -From: Kemal Akkoyun -Date: Tue, 18 Jan 2022 10:19:28 +0100 -Subject: [PATCH] promhttp: Check validity of method and code label values - (#962) - -* Check validity of method and code label values - -Signed-off-by: Kemal Akkoyun - -* Use more flexibly functional option pattern for configuration - -Signed-off-by: Kemal Akkoyun - -* Update documentation - -Signed-off-by: Kemal Akkoyun - -* Simplify - -Signed-off-by: Kemal Akkoyun - -* Fix inconsistent method naming - -Signed-off-by: Kemal Akkoyun ---- - prometheus/promhttp/instrument_client.go | 28 ++++++-- - prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ - prometheus/promhttp/option.go | 31 +++++++++ - 3 files changed, 116 insertions(+), 25 deletions(-) - create mode 100644 prometheus/promhttp/option.go - -diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go -index 83c49b6..861b4d2 100644 ---- a/prometheus/promhttp/instrument_client.go -+++ b/prometheus/promhttp/instrument_client.go -@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp - // http.RoundTripper to observe the request result with the provided CounterVec. - // The CounterVec must have zero, one, or two non-const non-curried labels. For - // those, the only allowed label names are "code" and "method". The function --// panics otherwise. Partitioning of the CounterVec happens by HTTP status code -+// panics otherwise. 
For the "method" label a predefined default label value set -+// is used to filter given values. Values besides predefined values will count -+// as `unknown` method.`WithExtraMethods` can be used to add more -+// methods to the set. Partitioning of the CounterVec happens by HTTP status code - // and/or HTTP method if the respective instance label names are present in the - // CounterVec. For unpartitioned counting, use a CounterVec with zero labels. - // -@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp - // is not incremented. - // - // See the example for ExampleInstrumentRoundTripperDuration for example usage. --func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc { -+func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { -+ rtOpts := &option{} -+ for _, o := range opts { -+ o(rtOpts) -+ } -+ - code, method := checkLabels(counter) - - return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { - resp, err := next.RoundTrip(r) - if err == nil { -- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc() -+ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc() - } - return resp, err - }) -@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou - // http.RoundTripper to observe the request duration with the provided - // ObserverVec. The ObserverVec must have zero, one, or two non-const - // non-curried labels. For those, the only allowed label names are "code" and --// "method". The function panics otherwise. The Observe method of the Observer -+// "method". The function panics otherwise. For the "method" label a predefined -+// default label value set is used to filter given values. Values besides -+// predefined values will count as `unknown` method. 
`WithExtraMethods` -+// can be used to add more methods to the set. The Observe method of the Observer - // in the ObserverVec is called with the request duration in - // seconds. Partitioning happens by HTTP status code and/or HTTP method if the - // respective instance label names are present in the ObserverVec. For -@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou - // - // Note that this method is only guaranteed to never observe negative durations - // if used with Go1.9+. --func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc { -+func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { -+ rtOpts := &option{} -+ for _, o := range opts { -+ o(rtOpts) -+ } -+ - code, method := checkLabels(obs) - - return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { - start := time.Now() - resp, err := next.RoundTrip(r) - if err == nil { -- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds()) -+ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds()) - } - return resp, err - }) -diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go -index 9db2438..91802f8 100644 ---- a/prometheus/promhttp/instrument_server.go -+++ b/prometheus/promhttp/instrument_server.go -@@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl - // - // Note that this method is only guaranteed to never observe negative durations - // if used with Go1.9+. 
--func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - if code { -@@ -67,14 +72,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht - d := newDelegator(w, nil) - next.ServeHTTP(d, r) - -- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - now := time.Now() - next.ServeHTTP(w, r) -- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - } - -@@ -91,20 +96,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht - // If the wrapped Handler panics, the Counter is not incremented. - // - // See the example for InstrumentHandlerDuration for example usage. 
--func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(counter) - - if code { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - d := newDelegator(w, nil) - next.ServeHTTP(d, r) -- counter.With(labels(code, method, r.Method, d.Status())).Inc() -+ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc() - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - next.ServeHTTP(w, r) -- counter.With(labels(code, method, r.Method, 0)).Inc() -+ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc() - }) - } - -@@ -126,13 +136,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) - // if used with Go1.9+. - // - // See the example for InstrumentHandlerDuration for example usage. --func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - now := time.Now() - d := newDelegator(w, func(status int) { -- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - next.ServeHTTP(d, r) - }) -@@ -154,7 +169,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha - // If the wrapped Handler panics, no values are reported. 
- // - // See the example for InstrumentHandlerDuration for example usage. --func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - if code { -@@ -162,14 +182,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) - d := newDelegator(w, nil) - next.ServeHTTP(d, r) - size := computeApproximateRequestSize(r) -- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size)) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size)) - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - next.ServeHTTP(w, r) - size := computeApproximateRequestSize(r) -- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size)) -+ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size)) - }) - } - -@@ -189,12 +209,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) - // If the wrapped Handler panics, no values are reported. - // - // See the example for InstrumentHandlerDuration for example usage. 
--func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler { -+func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) -+ - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - d := newDelegator(w, nil) - next.ServeHTTP(d, r) -- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written())) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written())) - }) - } - -@@ -279,7 +305,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { - // unnecessary allocations on each request. - var emptyLabels = prometheus.Labels{} - --func labels(code, method bool, reqMethod string, status int) prometheus.Labels { -+func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { - if !(code || method) { - return emptyLabels - } -@@ -289,7 +315,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels { - labels["code"] = sanitizeCode(status) - } - if method { -- labels["method"] = sanitizeMethod(reqMethod) -+ labels["method"] = sanitizeMethod(reqMethod, extraMethods...) - } - - return labels -@@ -319,7 +345,12 @@ func computeApproximateRequestSize(r *http.Request) int { - return s - } - --func sanitizeMethod(m string) string { -+// If the wrapped http.Handler has a known method, it will be sanitized and returned. -+// Otherwise, "unknown" will be returned. The known method list can be extended -+// as needed by using extraMethods parameter. -+func sanitizeMethod(m string, extraMethods ...string) string { -+ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for -+ // the methods chosen as default. 
- switch m { - case "GET", "get": - return "get" -@@ -337,15 +368,25 @@ func sanitizeMethod(m string) string { - return "options" - case "NOTIFY", "notify": - return "notify" -+ case "TRACE", "trace": -+ return "trace" -+ case "PATCH", "patch": -+ return "patch" - default: -- return strings.ToLower(m) -+ for _, method := range extraMethods { -+ if strings.EqualFold(m, method) { -+ return strings.ToLower(m) -+ } -+ } -+ return "unknown" - } - } - - // If the wrapped http.Handler has not set a status code, i.e. the value is --// currently 0, santizeCode will return 200, for consistency with behavior in -+// currently 0, sanitizeCode will return 200, for consistency with behavior in - // the stdlib. - func sanitizeCode(s int) string { -+ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml - switch s { - case 100: - return "100" -@@ -442,6 +483,9 @@ func sanitizeCode(s int) string { - return "511" - - default: -- return strconv.Itoa(s) -+ if s >= 100 && s <= 599 { -+ return strconv.Itoa(s) -+ } -+ return "unknown" - } - } -diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go -new file mode 100644 -index 0000000..35e41bd ---- /dev/null -+++ b/prometheus/promhttp/option.go -@@ -0,0 +1,31 @@ -+// Copyright 2022 The Prometheus Authors -+// Licensed under the Apache License, Version 2.0 (the "License"); -+// you may not use this file except in compliance with the License. -+// You may obtain a copy of the License at -+// -+// http://www.apache.org/licenses/LICENSE-2.0 -+// -+// Unless required by applicable law or agreed to in writing, software -+// distributed under the License is distributed on an "AS IS" BASIS, -+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+// See the License for the specific language governing permissions and -+// limitations under the License. -+ -+package promhttp -+ -+// Option are used to configure a middleware or round tripper.. 
-+type Option func(*option) -+ -+type option struct { -+ extraMethods []string -+} -+ -+// WithExtraMethods adds additional HTTP methods to the list of allowed methods. -+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list. -+// -+// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage. -+func WithExtraMethods(methods ...string) Option { -+ return func(o *option) { -+ o.extraMethods = methods -+ } -+} --- -2.33.8 - diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch deleted file mode 100644 index 9357743fb59..00000000000 --- a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -diff --git a/http2/hpack/hpack.go b/http2/hpack/hpack.go -index b184a27..7a1d976 100644 ---- a/http2/hpack/hpack.go -+++ b/http2/hpack/hpack.go -@@ -359,6 +359,7 @@ - - var hf HeaderField - wantStr := d.emitEnabled || it.indexed() -+ var undecodedName undecodedString - if nameIdx > 0 { - ihf, ok := d.at(nameIdx) - if !ok { -@@ -366,15 +367,27 @@ - } - hf.Name = ihf.Name - } else { -- hf.Name, buf, err = d.readString(buf, wantStr) -+ undecodedName, buf, err = d.readString(buf) - if err != nil { - return err - } - } -- hf.Value, buf, err = d.readString(buf, wantStr) -+ undecodedValue, buf, err := d.readString(buf) - if err != nil { - return err - } -+ if wantStr { -+ if nameIdx <= 0 { -+ hf.Name, err = d.decodeString(undecodedName) -+ if err != nil { -+ return err -+ } -+ } -+ hf.Value, err = d.decodeString(undecodedValue) -+ if err != nil { -+ return err -+ } -+ } - d.buf = buf - if it.indexed() { - d.dynTab.add(hf) -@@ -459,46 +472,52 @@ - return 0, origP, errNeedMore - } - --// readString decodes an hpack string from p. -+// readString reads an hpack string from p. - // --// wantStr is whether s will be used. If false, decompression and --// []byte->string garbage are skipped if s will be ignored --// anyway. This does mean that huffman decoding errors for non-indexed --// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server --// is returning an error anyway, and because they're not indexed, the error --// won't affect the decoding state. --func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { -+// It returns a reference to the encoded string data to permit deferring decode costs -+// until after the caller verifies all data is present. 
-+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { - if len(p) == 0 { -- return "", p, errNeedMore -+ return u, p, errNeedMore - } - isHuff := p[0]&128 != 0 - strLen, p, err := readVarInt(7, p) - if err != nil { -- return "", p, err -+ return u, p, err - } - if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { -- return "", nil, ErrStringLength -+ // Returning an error here means Huffman decoding errors -+ // for non-indexed strings past the maximum string length -+ // are ignored, but the server is returning an error anyway -+ // and because the string is not indexed the error will not -+ // affect the decoding state. -+ return u, nil, ErrStringLength - } - if uint64(len(p)) < strLen { -- return "", p, errNeedMore -+ return u, p, errNeedMore - } -- if !isHuff { -- if wantStr { -- s = string(p[:strLen]) -- } -- return s, p[strLen:], nil -- } -+ u.isHuff = isHuff -+ u.b = p[:strLen] -+ return u, p[strLen:], nil -+} - -- if wantStr { -- buf := bufPool.Get().(*bytes.Buffer) -- buf.Reset() // don't trust others -- defer bufPool.Put(buf) -- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { -- buf.Reset() -- return "", nil, err -- } -- s = buf.String() -- buf.Reset() // be nice to GC -+type undecodedString struct { -+ isHuff bool -+ b []byte -+} -+ -+func (d *Decoder) decodeString(u undecodedString) (string, error) { -+ if !u.isHuff { -+ return string(u.b), nil - } -- return s, p[strLen:], nil -+ buf := bufPool.Get().(*bytes.Buffer) -+ buf.Reset() // don't trust others -+ var s string -+ err := huffmanDecode(buf, d.maxStrLen, u.b) -+ if err == nil { -+ s = buf.String() -+ } -+ buf.Reset() // be nice to GC -+ bufPool.Put(buf) -+ return s, err - } diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch deleted file mode 100644 index ecfb199d033..00000000000 
--- a/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 16acb322637a8ee779fa757345d7aef0ac16e69e Mon Sep 17 00:00:00 2001 -From: Rohit Rawat -Date: Thu, 2 Jan 2025 10:22:13 +0000 -Subject: [PATCH] Fix CVE CVE-2024-45338 in - application-gateway-kubernetes-ingress - ---- - vendor/golang.org/x/net/html/doctype.go | 2 +- - vendor/golang.org/x/net/html/foreign.go | 3 +-- - vendor/golang.org/x/net/html/parse.go | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/vendor/golang.org/x/net/html/doctype.go -+++ b/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/vendor/golang.org/x/net/html/foreign.go -+++ b/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == "annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 291c919..d93fe03 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { - if p.tok.DataAtom == a.Input { - for _, t := range p.tok.Attr { - if t.Key == "type" { -- if 
strings.ToLower(t.Val) == "hidden" { -+ if strings.EqualFold(t.Val, "hidden") { - // Skip setting framesetOK = false - return true - } -@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { - return inHeadIM(p) - case a.Input: - for _, t := range p.tok.Attr { -- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { -+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { - p.addElement() - p.oe.pop() - return true --- -2.39.4 - diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json index 1492f857abb..0bd7b0b16e8 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "application-gateway-kubernetes-ingress-1.7.2-vendor.tar.gz": "c7ed26c959d032de3be6b14717ea0703b3543df299c77aa1d553f11b13b88a0e", - "application-gateway-kubernetes-ingress-1.7.2.tar.gz": "df1ca6b5a5c328521fea35d4fea5edc48e0214324986f263e2f7d960a8a6acd8" + "application-gateway-kubernetes-ingress-1.7.7-govendor-v1.tar.gz": "75b49d0831e436fdef44c1d69fccd495441ef37e20cac949a31bc4fedea60537", + "application-gateway-kubernetes-ingress-1.7.7.tar.gz": "a5b81630e0be41373d11f53813461dad2f825d1b5a250bb243011a783ba8d4f9" } } diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index 99e94cf9042..6347ae3ab43 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec 
@@ -1,46 +1,30 @@ %global debug_package %{nil} Summary: Application Gateway Ingress Controller Name: application-gateway-kubernetes-ingress -Version: 1.7.2 -Release: 3%{?dist} +Version: 1.7.7 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/Networking URL: https://github.com/Azure/application-gateway-kubernetes-ingress Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Below is a manually created tarball, no download link. -# We're using vendored Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/Azure/%%{name}/archive/refs/tags/%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz -# 2. tar -xf %%{name}-%%{version}.tar.gz -# 3. cd %%{name}-%%{version} -# 4. go mod vendor -# 5. tar --sort=name \ -# --mtime="2021-04-26 00:00Z" \ -# --owner=0 --group=0 --numeric-owner \ -# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-vendor.tar.gz vendor -# -Source1: %{name}-%{version}-vendor.tar.gz -Patch0: CVE-2022-21698.patch -Patch1: CVE-2022-41273.patch -Patch2: CVE-2024-45338.patch - -BuildRequires: golang >= 1.13 +# Leverage the `generate_source_tarball.sh` to create the vendor sources +# NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store. +# After fixing any possible CVE for the vendored source, we must bump v1 -> v2 +Source1: %{name}-%{version}-govendor-v1.tar.gz + +BuildRequires: golang >= 1.23 %description This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster. 
%prep -%autosetup -N +%autosetup rm -rf vendor tar -xf %{SOURCE1} --no-same-owner -%patch 0 -p1 -d vendor/github.com/prometheus/client_golang -%patch 1 -p1 -d vendor/golang.org/x/net -%patch 2 -p1 %build export VERSION=%{version} @@ -59,6 +43,10 @@ cp appgw-ingress %{buildroot}%{_bindir}/ %{_bindir}/appgw-ingress %changelog +* Fri Jan 31 2025 Gary Swalling - 1.7.7-1 +- Upgrade to v1.7.7 with golang.org/x/net v0.33.0 for CVE-2023-39325, CVE-2023-44487 +- Removed patches which are no longer needed + * Tue Dec 31 2024 Rohit Rawat - 1.7.2-3 - Add patch for CVE-2024-45338 @@ -96,7 +84,7 @@ cp appgw-ingress %{buildroot}%{_bindir}/ * Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.4.0-8 - Bump release to rebuild with go 1.19.5 -* Tues Jan 24 2023 Adit Jha - 1.4.0-7 +* Tue Jan 24 2023 Adit Jha - 1.4.0-7 - Bump release to rebuild vendor repoistory which contain patch fix for CVE-2021-4235, CVE-2022-3064 * Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.4.0-6 diff --git a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh index fcab42ea772..6609b85e3d2 100755 --- a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh +++ b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh 
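Review bot: The new changelog entry justifies dropping all three patches by the move to golang.org/x/net v0.33.0, but the removed `Patch0` (CVE-2022-21698) was applied to `vendor/github.com/prometheus/client_golang`, not to x/net, and nothing in this diff shows which client_golang version the 1.7.7 vendor tarball carries. If the bump was verified, record it so the next servicing pass does not have to redo the check, e.g. `- Removed patches for CVE-2022-21698, CVE-2022-41273 and CVE-2024-45338; superseded by the vendored client_golang and x/net versions in the govendor-v1 tarball`, ideally naming the client_golang version. The new `Source1` comment also says the govendor suffix must move from v1 to v2 after any in-place CVE fix, so it would help to note in the changelog that this tarball is the baseline v1 for 1.7.7.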
@@ -7,15 +7,17 @@ set -e PKG_VERSION="" SRC_TARBALL="" +VENDOR_VERSION="1" OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # parameters: # -# --srcTarball : src tarball file -# this file contains the 'initial' source code of the component -# and should be replaced with the new/modified src code -# --outFolder : folder where to copy the new tarball(s) -# --pkgVersion : package version +# --srcTarball : src tarball file +# this file contains the 'initial' source code of the component +# and should be replaced with the new/modified src code +# --outFolder : folder where to copy the new tarball(s) +# --pkgVersion : package version +# --vendorVersion : vendor version # PARAMS="" while (( "$#" )); do @@ -47,6 +49,15 @@ while (( "$#" )); do exit 1 fi ;; + --vendorVersion) + if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + VENDOR_VERSION=$2 + shift 2 + else + echo "Error: Argument for $1 is missing" >&2 + exit 1 + fi + ;; -*|--*=) # unsupported flags echo "Error: Unsupported flag $1" >&2 exit 1 @@ -58,9 +69,10 @@ while (( "$#" )); do esac done -echo "--srcTarball -> $SRC_TARBALL" -echo "--outFolder -> $OUT_FOLDER" -echo "--pkgVersion -> $PKG_VERSION" +echo "--srcTarball -> $SRC_TARBALL" +echo "--outFolder -> $OUT_FOLDER" +echo "--pkgVersion -> $PKG_VERSION" +echo "--vendorVersion -> $VENDOR_VERSION" if [ -z "$PKG_VERSION" ]; then echo "--pkgVersion parameter cannot be empty" @@ -75,10 +87,15 @@ function cleanup { } trap cleanup EXIT +TARBALL_FOLDER="$tmpdir/tarballFolder" +mkdir -p $TARBALL_FOLDER +cp $SRC_TARBALL $tmpdir + pushd $tmpdir > /dev/null -NAME_VER="application-gateway-kubernetes-ingress-$PKG_VERSION" -VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-vendor.tar.gz" +PKG_NAME="application-gateway-kubernetes-ingress" +NAME_VER="$PKG_NAME-$PKG_VERSION" +VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz" echo "Unpacking source tarball..." tar -xf $SRC_TARBALL 
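Review bot: The added `--vendorVersion` branch and the new `cp $SRC_TARBALL $tmpdir` / `mkdir -p $TARBALL_FOLDER` lines leave their expansions unquoted, so under the script's `set -e` a path containing spaces or a glob character fails in a confusing place instead of at argument parsing; the test should read `if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then` and the copy `cp "$SRC_TARBALL" "$tmpdir"`. `VENDOR_VERSION` is also never validated before it is spliced into `govendor-v$VENDOR_VERSION.tar.gz`, so a stray value silently produces a tarball the spec's `Source1` will not match; a one-line check such as `[[ "$VENDOR_VERSION" =~ ^[0-9]+$ ]] || { echo "Error: --vendorVersion must be a positive integer" >&2; exit 1; }` after the option loop would catch that. `TARBALL_FOLDER` is created in the `@@ -75,10` hunk but not used within it; if it is not referenced elsewhere in the script it can be dropped.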
@@ -92,7 +109,7 @@ tar --sort=name \ --mtime="2021-04-26 00:00Z" \ --owner=0 --group=0 --numeric-owner \ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ - -cf "$VENDOR_TARBALL" vendor + -czf "$VENDOR_TARBALL" vendor popd > /dev/null -echo "application-gateway-kubernetes-ingress vendored modules are available at $VENDOR_TARBALL" +echo "$PKG_NAME vendored modules are available at $VENDOR_TARBALL" diff --git a/cgmanifest.json b/cgmanifest.json index fcc4a46f5cd..787ca7df406 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -495,8 +495,8 @@ "type": "other", "other": { "name": "application-gateway-kubernetes-ingress", - "version": "1.7.2", - "downloadUrl": "https://github.com/Azure/application-gateway-kubernetes-ingress/archive/refs/tags/1.7.2.tar.gz" + "version": "1.7.7", + "downloadUrl": "https://github.com/Azure/application-gateway-kubernetes-ingress/archive/refs/tags/1.7.7.tar.gz" } } },
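Review bot: Switching the archive step to `-czf` routes the tar stream through gzip, and gzip writes a timestamp into its own header (current time when reading from a pipe) unless invoked with `-n`, which would make the artifact differ on every run even though `--sort=name`, `--mtime` and `--owner=0 --group=0` were chosen precisely so the tarball hash pinned in `application-gateway-kubernetes-ingress.signatures.json` is reproducible. Using `-I 'gzip -n' -cf "$VENDOR_TARBALL" vendor` in place of `-czf "$VENDOR_TARBALL" vendor` keeps the compression while dropping the header timestamp; worth confirming by running the script twice and comparing the hashes. Also note the old `-cf` wrote an uncompressed tar under a `.tar.gz` name, so the signature for the new tarball must be regenerated from the compressed form, which the signatures hunk appears to do.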