merge 3.0-dev branch

microsoft · Jan 27, 2025 · 6d01cab · 6d01cab
2 parents 9d6e639 + 76dcc08
commit 6d01cab
Show file tree

Hide file tree

Showing 73 changed files with 3,528 additions and 174 deletions.
diff --git a/SPECS-SIGNED/mft_kernel-signed/mft_kernel-signed.spec b/SPECS-SIGNED/mft_kernel-signed/mft_kernel-signed.spec
@@ -5,14 +5,12 @@
 
 %global KVERSION %{target_kernel_version_full}
 
-%global _name kernel-mft
-
-Name:		 %{_name}
-Summary:	 %{name} Kernel Module for the %{KVERSION} kernel
-Version:	 4.30.0
-Release:	 1%{?dist}
-License:	 Dual BSD/GPLv2
-Group:		 System Environment/Kernel
+Name:            mft_kernel
+Summary:         %{name} Kernel Module for the %{KVERSION} kernel
+Version:         4.30.0
+Release:         1%{?dist}
+License:         Dual BSD/GPLv2
+Group:           System Environment/Kernel
 
 #
 # To populate these sources:
@@ -31,6 +29,11 @@ ExclusiveArch:  x86_64
 Requires:       kernel = %{target_kernel_version_full}
 Requires:       kmod
 
+# Azure Linux attempts to match the spec file name and the "Name" tag.
+# Upstream's mft_kernel spec set rpm name as kernel-mft. To comply, we
+# set "Name" as mft_kernel but add a "Provides" for kernel-mft.
+Provides:       kernel-mft = %{version}-%{release}
+
 %description
 mft kernel module(s)
 
@@ -58,7 +61,7 @@ rm -rf %{buildroot}
 
 %files
 %defattr(-,root,root,-)
-%license %{_datadir}/licenses/%{name}/COPYING
+%license %{_defaultlicensedir}/%{name}/COPYING
 /lib/modules/%{KVERSION}/updates/
 
 %changelog

diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch
@@ -0,0 +1,64 @@
+From 16acb322637a8ee779fa757345d7aef0ac16e69e Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <[email protected]>
+Date: Thu, 2 Jan 2025 10:22:13 +0000
+Subject: [PATCH] Fix CVE CVE-2024-45338 in
+ application-gateway-kubernetes-ingress
+
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 291c919..d93fe03 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.39.4
+
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
@@ -2,7 +2,7 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.7.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -25,6 +25,7 @@ Source0:        https://github.com/Azure/application-gateway-kubernetes-ingress/
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2022-21698.patch
 Patch1:         CVE-2022-41273.patch
+Patch2:         CVE-2024-45338.patch
 
 BuildRequires:  golang >= 1.13
 
@@ -39,6 +40,7 @@ rm -rf vendor
 tar -xf %{SOURCE1} --no-same-owner
 %patch 0 -p1 -d vendor/github.com/prometheus/client_golang
 %patch 1 -p1 -d vendor/golang.org/x/net
+%patch 2 -p1
 
 %build
 export VERSION=%{version}
@@ -57,6 +59,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 
 %changelog
+* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.7.2-3
+- Add patch for CVE-2024-45338
+
 * Thu Jul 11 2024 Thien Trung Vuong <[email protected]> - 1.7.2-2
 - Add patch for CVE-2022-21698, CVE-2022-41273
 - Move vendored tarball extraction into %prep and %changed from %autosetup to %setup

diff --git a/SPECS/cert-manager/CVE-2024-45338.patch b/SPECS/cert-manager/CVE-2024-45338.patch
@@ -0,0 +1,63 @@
+From bda2595d9dbcd7805b5b78466753b9d1849945d2 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <[email protected]>
+Date: Thu, 2 Jan 2025 10:22:12 +0000
+Subject: [PATCH] Fix CVE CVE-2024-45338 in cert-manager
+
+---
+ cmd/ctl/vendor/golang.org/x/net/html/doctype.go | 2 +-
+ cmd/ctl/vendor/golang.org/x/net/html/foreign.go | 3 +--
+ cmd/ctl/vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
++++ b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
++++ b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/cmd/ctl/vendor/golang.org/x/net/html/parse.go b/cmd/ctl/vendor/golang.org/x/net/html/parse.go
+index 46a89ed..5b8374b 100644
+--- a/cmd/ctl/vendor/golang.org/x/net/html/parse.go
++++ b/cmd/ctl/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.39.4
+
diff --git a/SPECS/cert-manager/cert-manager.signatures.json b/SPECS/cert-manager/cert-manager.signatures.json
@@ -1,6 +1,6 @@
 {
- "Signatures": {
-  "cert-manager-1.12.13-vendor.tar.gz": "18894907e56205351f148a1aae828db6752d1189557d618720d782295abe4f84",
-  "cert-manager-1.12.13.tar.gz": "1bd650f7d066f98e2566397787caf938737c64ef4ab41284246acaffcdac7eb1"
- }
-}
+  "Signatures": {
+    "cert-manager-1.12.15.tar.gz": "2c556e4c47753a5cd48510297bc5cab2b0943b7de1b3898df598a0ee969c8e72",
+    "cert-manager-1.12.15-vendor.tar.gz": "20afae660bffb8a636185aa920c1ada8bd345bae773ebe9e277b490ddc1bad49"
+  }
+}
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
@@ -1,7 +1,7 @@
 Summary:        Automatically provision and manage TLS certificates in Kubernetes
 Name:           cert-manager
-Version:        1.12.13
-Release:        2%{?dist}
+Version:        1.12.15
+Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,6 +14,7 @@ Source0:        https://github.com/jetstack/%{name}/archive/refs/tags/v%{version
 # 2. <repo-root>/SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version}
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2024-45337.patch
+Patch1:         CVE-2024-45338.patch
 BuildRequires:  golang
 Requires:       %{name}-acmesolver
 Requires:       %{name}-cainjector
@@ -104,6 +105,12 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
+* Mon Jan 20 2025 CBL-Mariner Servicing Account <[email protected]> - 1.12.15-1
+- Auto-upgrade to 1.12.15 - none
+
+* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.12.13-3
+- Add patch for CVE-2024-45338
+
 * Wed Jan 08 2025 Muhammad Falak <[email protected]> - 1.12.13-2
 - Patch CVE-2024-45337
 

diff --git a/SPECS/cf-cli/CVE-2024-45338.patch b/SPECS/cf-cli/CVE-2024-45338.patch
@@ -0,0 +1,63 @@
+From 0d84094c36cc3a80da129773b966a3d5be4032ac Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <[email protected]>
+Date: Thu, 2 Jan 2025 10:22:13 +0000
+Subject: [PATCH] Fix CVE CVE-2024-45338 in cf-cli
+
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 46a89ed..5b8374b 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.39.4
+
diff --git a/SPECS/cf-cli/cf-cli.spec b/SPECS/cf-cli/cf-cli.spec
@@ -5,7 +5,7 @@ Summary:        The official command line client for Cloud Foundry.
 Name:           cf-cli
 # Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA
 Version:        8.7.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -34,6 +34,7 @@ Source1:        cli-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-39325.patch
 Patch1:         CVE-2024-24786.patch
 Patch2:         CVE-2024-45337.patch
+Patch3:         CVE-2024-45338.patch
 
 BuildRequires:  golang >= 1.18.3
 %global debug_package %{nil}
@@ -45,9 +46,7 @@ The official command line client for Cloud Foundry.
 %prep
 %setup -q -n cli-%{version}
 tar --no-same-owner -xf %{SOURCE1}
-%patch 0 -p1
-%patch 1 -p1
-%patch 2 -p1
+%autopatch -p1
 
 %build
 export GOPATH=%{our_gopath}
@@ -69,6 +68,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf
 
 %changelog
+* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 8.7.3-5
+- Add patch for CVE-2024-45338
+
 * Fri Dec 20 2024 Aurelien Bombo <[email protected]> - 8.7.3-4
 - Add patch for CVE-2024-45337