From c063dbd02374ea1446f147ad47f703a3206078ac Mon Sep 17 00:00:00 2001 
From: Rohit Rawat Date: Fri, 3 Jan 2025 13:13:59 +0000 Subject: [PATCH 1/7] Fix CVE-2024-45338 in multiple packages --- .../CVE-2024-45338.patch | 64 +++++++++++++++++++ ...pplication-gateway-kubernetes-ingress.spec | 7 +- SPECS/cert-manager/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/cert-manager/cert-manager.spec | 7 +- SPECS/cf-cli/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/cf-cli/cf-cli.spec | 10 +-- SPECS/cni-plugins/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/cni/CVE-2024-45338.patch | 40 ++++++++++++ .../CVE-2024-45338.patch | 63 ++++++++++++++++++ .../containerized-data-importer.spec | 6 +- SPECS/cri-tools/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/cri-tools/cri-tools.spec | 6 +- SPECS/docker-buildx/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/docker-buildx/docker-buildx.spec | 6 +- SPECS/docker-compose/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/docker-compose/docker-compose.spec | 6 +- SPECS/gh/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/gh/gh.spec | 11 +++- SPECS/helm/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/helm/helm.spec | 11 +++- SPECS/ig/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/ig/ig.spec | 9 ++- SPECS/influxdb/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/influxdb/influxdb.spec | 6 +- .../CVE-2024-45338.patch | 63 ++++++++++++++++++ .../kube-vip-cloud-provider.spec | 6 +- SPECS/kubernetes/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/kubernetes/kubernetes.spec | 6 +- SPECS/kubevirt/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/kubevirt/kubevirt.spec | 6 +- SPECS/multus/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/multus/multus.spec | 6 +- SPECS/packer/CVE-2024-45338.patch | 63 ++++++++++++++++++ SPECS/packer/packer.spec | 6 +- SPECS/prometheus-adapter/CVE-2024-45338.patch | 63 ++++++++++++++++++ .../prometheus-adapter.spec | 6 +- .../CVE-2024-45338.patch | 63 ++++++++++++++++++ .../sriov-network-device-plugin.spec | 9 ++- SPECS/telegraf/CVE-2024-45338.patch | 
63 ++++++++++++++++++ SPECS/telegraf/telegraf.spec | 6 +- 40 files changed, 1409 insertions(+), 28 deletions(-) create mode 100644 SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch create mode 100644 SPECS/cert-manager/CVE-2024-45338.patch create mode 100644 SPECS/cf-cli/CVE-2024-45338.patch create mode 100644 SPECS/cni-plugins/CVE-2024-45338.patch create mode 100644 SPECS/cni/CVE-2024-45338.patch create mode 100644 SPECS/containerized-data-importer/CVE-2024-45338.patch create mode 100644 SPECS/cri-tools/CVE-2024-45338.patch create mode 100644 SPECS/docker-buildx/CVE-2024-45338.patch create mode 100644 SPECS/docker-compose/CVE-2024-45338.patch create mode 100644 SPECS/gh/CVE-2024-45338.patch create mode 100644 SPECS/helm/CVE-2024-45338.patch create mode 100644 SPECS/ig/CVE-2024-45338.patch create mode 100644 SPECS/influxdb/CVE-2024-45338.patch create mode 100644 SPECS/kube-vip-cloud-provider/CVE-2024-45338.patch create mode 100644 SPECS/kubernetes/CVE-2024-45338.patch create mode 100644 SPECS/kubevirt/CVE-2024-45338.patch create mode 100644 SPECS/multus/CVE-2024-45338.patch create mode 100644 SPECS/packer/CVE-2024-45338.patch create mode 100644 SPECS/prometheus-adapter/CVE-2024-45338.patch create mode 100644 SPECS/sriov-network-device-plugin/CVE-2024-45338.patch create mode 100644 SPECS/telegraf/CVE-2024-45338.patch diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch new file mode 100644 index 00000000000..ecfb199d033 --- /dev/null +++ b/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch 
@@ -0,0 +1,64 @@ +From 16acb322637a8ee779fa757345d7aef0ac16e69e Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in + application-gateway-kubernetes-ingress + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 291c919..d93fe03 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if 
strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index 26746953b43..99e94cf9042 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec @@ -2,7 +2,7 @@ Summary: Application Gateway Ingress Controller Name: application-gateway-kubernetes-ingress Version: 1.7.2 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -25,6 +25,7 @@ Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/ Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2022-21698.patch Patch1: CVE-2022-41273.patch +Patch2: CVE-2024-45338.patch BuildRequires: golang >= 1.13 @@ -39,6 +40,7 @@ rm -rf vendor tar -xf %{SOURCE1} --no-same-owner %patch 0 -p1 -d vendor/github.com/prometheus/client_golang %patch 1 -p1 -d vendor/golang.org/x/net +%patch 2 -p1 %build export VERSION=%{version} @@ -57,6 +59,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/ %{_bindir}/appgw-ingress %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.7.2-3 +- Add patch for CVE-2024-45338 + * Thu Jul 11 2024 Thien Trung Vuong - 1.7.2-2 - Add patch for CVE-2022-21698, CVE-2022-41273 - Move vendored tarball extraction into %prep and %changed from %autosetup to %setup 
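Review bot: The embedded patch header (the `Subject: [PATCH] Fix CVE CVE-2024-45338 in application-gateway-kubernetes-ingress` block) names the CVE but not the upstream golang.org/x/net change it backports, so a later reader cannot compare the `strings.EqualFold` edits with their origin. I would add a header line such as `Upstream-reference: UPSTREAM_COMMIT_URL` (placeholder, to be filled in by the author); the same applies to every other `CVE-2024-45338.patch` added in this commit. Also, `parse.go` here is `index 291c919..d93fe03`, while the other copies visible on this page show `46a89ed..5b8374b`. The vendored x/net revisions therefore differ between packages, and each patch needs its own apply-and-build check rather than being treated as one verified diff.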
diff --git a/SPECS/cert-manager/CVE-2024-45338.patch b/SPECS/cert-manager/CVE-2024-45338.patch new file mode 100644 index 00000000000..ead0b397891 --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From bda2595d9dbcd7805b5b78466753b9d1849945d2 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in cert-manager + +--- + cmd/ctl/vendor/golang.org/x/net/html/doctype.go | 2 +- + cmd/ctl/vendor/golang.org/x/net/html/foreign.go | 3 +-- + cmd/ctl/vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go ++++ b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go ++++ b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/cmd/ctl/vendor/golang.org/x/net/html/parse.go b/cmd/ctl/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/cmd/ctl/vendor/golang.org/x/net/html/parse.go ++++ b/cmd/ctl/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == 
a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 777e932403a..a3e6172367f 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.12.13 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version # 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz # 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version} Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -58,6 +59,7 @@ Webhook component providing API validation, mutation and conversion functionalit %prep %setup -q -a 1 +%autopatch -p1 %build @@ -103,6 +105,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.12.13-2 +- Add patch for CVE-2024-45338 + * Mon Sep 16 2024 Jiri Appl - 1.12.13-1 - Upgrade to 1.12.13 which carries helm 3.14.2 to fix CVE-2024-26147 and CVE-2024-25620 
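Review bot: This patch touches only `cmd/ctl/vendor/golang.org/x/net/html/`, while the spec it is wired into also ships other components (the `Requires: %{name}-acmesolver`, `Requires: %{name}-cainjector` and `install -D -m0755 bin/webhook` context lines). If those components are built from their own vendor trees in the `Source1` tarball, any copy of `x/net/html` there keeps the `strings.ToLower` comparisons and the CVE stays open for those binaries. Please confirm by listing every `vendor/golang.org/x/net/html/parse.go` present after `%setup -q -a 1`, and extend the patch to each copy found. If `cmd/ctl` really is the only copy, a header line in the patch such as `only cmd/ctl vendors x/net/html` would save the next reviewer the same check.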
diff --git a/SPECS/cf-cli/CVE-2024-45338.patch b/SPECS/cf-cli/CVE-2024-45338.patch new file mode 100644 index 00000000000..1c967eac508 --- /dev/null +++ b/SPECS/cf-cli/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From 0d84094c36cc3a80da129773b966a3d5be4032ac Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in cf-cli + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/cf-cli/cf-cli.spec b/SPECS/cf-cli/cf-cli.spec index 81c451c70ae..e4a0ee2cc34 100644 --- a/SPECS/cf-cli/cf-cli.spec +++ b/SPECS/cf-cli/cf-cli.spec @@ -5,7 +5,7 @@ Summary: The official command line client for Cloud Foundry. Name: cf-cli # Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA Version: 8.7.3 -Release: 4%{?dist} +Release: 5%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -34,6 +34,7 @@ Source1: cli-%{version}-vendor.tar.gz Patch0: CVE-2023-39325.patch Patch1: CVE-2024-24786.patch Patch2: CVE-2024-45337.patch +Patch3: CVE-2024-45338.patch BuildRequires: golang >= 1.18.3 %global debug_package %{nil} @@ -45,9 +46,7 @@ The official command line client for Cloud Foundry. %prep %setup -q -n cli-%{version} tar --no-same-owner -xf %{SOURCE1} -%patch 0 -p1 -%patch 1 -p1 -%patch 2 -p1 +%autopatch -p1 %build export GOPATH=%{our_gopath} @@ -69,6 +68,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf %{_bindir}/cf %changelog +* Tue Dec 31 2024 Rohit Rawat - 8.7.3-5 +- Add patch for CVE-2024-45338 + * Fri Dec 20 2024 Aurelien Bombo - 8.7.3-4 - Add patch for CVE-2024-45337 diff --git a/SPECS/cni-plugins/CVE-2024-45338.patch b/SPECS/cni-plugins/CVE-2024-45338.patch new file mode 100644 index 00000000000..4c13a54847a --- /dev/null +++ b/SPECS/cni-plugins/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@
+From 0292de27f5b71bcf2f161e9db8638359adf91233 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Thu, 2 Jan 2025 10:22:13 +0000
+Subject: [PATCH] Fix CVE CVE-2024-45338 in cni-plugins
+
+---
+ plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go | 2 +-
+ plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go | 3 +--
+ plugins-1.4.0/vendor/golang.org/x/net/html/parse.go | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go b/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go
++++ b/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ }
+ }
+ if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ quirks = true
+ }
+ }
+diff --git a/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go b/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go
++++ b/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ if n.Data == "annotation-xml" {
+ for _, a := range n.Attr {
+ if a.Key == "encoding" {
+- val := strings.ToLower(a.Val)
+- if val == "text/html" || val == "application/xhtml+xml" {
++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ return true
+ }
+ }
+diff --git a/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go b/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go
+index 46a89ed..5b8374b 100644
+--- a/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go
++++ b/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ if p.tok.DataAtom == a.Input {
+ for _, t := range p.tok.Attr {
+ if t.Key == "type" {
+- if strings.ToLower(t.Val) == "hidden" {
++ if strings.EqualFold(t.Val, "hidden") {
+ // Skip setting framesetOK = false
+ return true
+ }
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ return inHeadIM(p)
+ case a.Input:
+ for _, t := range p.tok.Attr {
+- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ p.addElement()
+ p.oe.pop()
+ return true
+--
+2.39.4
+
diff --git a/SPECS/cni/CVE-2024-45338.patch b/SPECS/cni/CVE-2024-45338.patch
new file mode 100644
index 00000000000..d709cd0dbfe
--- /dev/null
+++ b/SPECS/cni/CVE-2024-45338.patch
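Review bot: Every path in the cni-plugins patch carries a `plugins-1.4.0/` prefix, so with `-p1` it applies only from the directory above the unpacked source, and it stops applying as soon as the package version changes. The commit's diffstat also lists no `.spec` change under `SPECS/cni-plugins` (nor under `SPECS/cni`), so within this commit nothing declares the file as a `PatchN:` entry or bumps `Release`. If a later patch in this 7-part series does not wire it in, the fix is never built into the package. I would regenerate the patch relative to the source root (`a/vendor/golang.org/x/net/html/...`) like the other packages, and add the spec change in the same commit that adds the patch file.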
@@ -0,0 +1,40 @@
+From 1b55265630116c30921241ac52dea71ac3d849fb Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Thu, 2 Jan 2025 10:22:13 +0000
+Subject: [PATCH] Fix CVE CVE-2024-45338 in cni
+
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ }
+ }
+ if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ quirks = true
+ }
+ }
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ if n.Data == "annotation-xml" {
+ for _, a := range n.Attr {
+ if a.Key == "encoding" {
+- val := strings.ToLower(a.Val)
+- if val == "text/html" || val == "application/xhtml+xml" {
++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ return true
+ }
+ }
+--
+2.39.4
+
diff --git a/SPECS/containerized-data-importer/CVE-2024-45338.patch b/SPECS/containerized-data-importer/CVE-2024-45338.patch
new file mode 100644
index 00000000000..b1a7b333044
--- /dev/null
+++ b/SPECS/containerized-data-importer/CVE-2024-45338.patch
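Review bot: The cni copy of the patch changes only `doctype.go` and `foreign.go`, whereas every other `CVE-2024-45338.patch` on this page also replaces the two `strings.ToLower(t.Val) == "hidden"` comparisons in `parse.go` (`inBodyIM` and `inTableIM`). Either the x/net revision vendored by cni has no such comparisons, or the hunks were dropped because they did not apply; the page does not say which. Please state the reason in the patch header, for example `parse.go in the vendored revision has no strings.ToLower comparison on attribute values`, or add the missing hunks if the vendored file does contain them. Otherwise the package would carry the CVE label in its changelog with only part of the fix.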
@@ -0,0 +1,63 @@ +From 0c0cb82a7671b2aa12c5136ab9368245e3803985 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in containerized-data-importer + +--- + .../vendor/golang.org/x/net/html/doctype.go | 2 +- + .../vendor/golang.org/x/net/html/foreign.go | 3 +-- + .../vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if 
strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index fbc47de7800..e82fa5123d2 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.57.0 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -28,6 +28,7 @@ Source0: https://github.com/kubevirt/containerized-data-importer/archive/ Patch0: CVE-2024-3727.patch Patch1: CVE-2022-2879.patch Patch2: CVE-2024-24786.patch +Patch3: CVE-2024-45338.patch BuildRequires: golang BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -222,6 +223,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.57.0-7 +- Add patch for CVE-2024-45338 + * Mon Nov 25 2024 Bala - 1.57.0-6 - Fix CVE-2024-24786 diff --git a/SPECS/cri-tools/CVE-2024-45338.patch b/SPECS/cri-tools/CVE-2024-45338.patch new file mode 100644 index 00000000000..7be58a8f1b8 --- /dev/null +++ b/SPECS/cri-tools/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From 4c3991b57230d0c6ccfe44df44b9e735c2807f2a Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in cri-tools + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/cri-tools/cri-tools.spec b/SPECS/cri-tools/cri-tools.spec index 7597357fbef..8c62c818c29 100644 --- a/SPECS/cri-tools/cri-tools.spec +++ b/SPECS/cri-tools/cri-tools.spec @@ -7,13 +7,14 @@ Summary: CRI tools Name: cri-tools Version: 1.30.1 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Tools URL: https://github.com/kubernetes-sigs/cri-tools Source0: https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: glib-devel BuildRequires: glibc-devel BuildRequires: golang @@ -44,6 +45,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest" %{_bindir}/critest %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.30.1-2 +- Add patch for CVE-2024-45338 + * Fri Jul 12 2024 CBL-Mariner Servicing Account - 1.30.1-1 - Auto-upgrade to 1.30.1 - Fix CVE-2023-45288, CVE-2024-21626 and CVE-2024-24786 diff --git a/SPECS/docker-buildx/CVE-2024-45338.patch b/SPECS/docker-buildx/CVE-2024-45338.patch new file mode 100644 index 00000000000..37f51dc52c2 --- /dev/null +++ b/SPECS/docker-buildx/CVE-2024-45338.patch 
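Review bot: `Patch0: CVE-2024-45338.patch` is the first patch cri-tools.spec declares, and neither hunk touches `%prep`, so whether it is applied depends on a macro outside the shown hunks. If `%prep` uses plain `%setup`, the patch is listed but never applied, and the package ships the old `strings.ToLower` code under a bumped `Release` and a changelog entry that claims the fix. Please confirm `%prep` uses `%autosetup -p1`, or add `%autopatch -p1` after `%setup` as the cert-manager and cf-cli specs in this commit do. The same question applies to docker-compose.spec, which also gains its first `Patch0:` here without a visible `%prep` change.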
@@ -0,0 +1,63 @@ +From ce79afcc8f1a672e3f64d1ff7b5b707db79600d5 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in docker-buildx + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec index 104ef7d328e..45df38c91ad 100644 --- a/SPECS/docker-buildx/docker-buildx.spec +++ b/SPECS/docker-buildx/docker-buildx.spec @@ -4,7 +4,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi Name: docker-buildx # update "commit_hash" above when upgrading version Version: 0.14.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Group: Tools/Container Vendor: Microsoft Corporation @@ -12,6 +12,7 @@ Distribution: Azure Linux URL: https://www.github.com/docker/buildx Source0: https://github.com/docker/buildx/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: CVE-2024-45337.patch +Patch1: CVE-2024-45338.patch BuildRequires: bash BuildRequires: golang @@ -45,6 +46,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil %{_libexecdir}/docker/cli-plugins/docker-buildx %changelog +* Tue Dec 31 2024 Rohit Rawat - 0.14.0-3 +- Add patch for CVE-2024-45338 + * Fri Dec 20 2024 Aurelien Bombo - 0.14.0-2 - Add patch for CVE-2024-45337 diff --git a/SPECS/docker-compose/CVE-2024-45338.patch b/SPECS/docker-compose/CVE-2024-45338.patch new file mode 100644 index 00000000000..fd085545da8 --- /dev/null +++ b/SPECS/docker-compose/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From c21b7e1c46951fdca284e42ec86d34342183fc94 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in docker-compose + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/docker-compose/docker-compose.spec b/SPECS/docker-compose/docker-compose.spec index 6301797a965..e6e6de40784 100644 --- a/SPECS/docker-compose/docker-compose.spec +++ b/SPECS/docker-compose/docker-compose.spec @@ -1,7 +1,7 @@ Summary: Define and run multi-container applications with Docker Name: docker-compose Version: 2.27.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ Source0: https://github.com/docker/compose/archive/refs/tags/v%{version}. # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store. # After fixing any possible CVE for the vendored source, we must bump v1 -> v2 Source1: %{name}-%{version}-govendor-v1.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang Requires: docker-cli Obsoletes: moby-compose < %{version}-%{release} @@ -44,6 +45,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl %{_libexecdir}/docker/cli-plugins/docker-compose %changelog +* Tue Dec 31 2024 Rohit Rawat - 2.27.0-2 +- Add patch for CVE-2024-45338 + * Thu May 02 2024 CBL-Mariner Servicing Account - 2.27.0-1 - Auto-upgrade to 2.27.0 - address CVE-2024-23653 diff --git a/SPECS/gh/CVE-2024-45338.patch b/SPECS/gh/CVE-2024-45338.patch new file mode 100644 index 00000000000..7dc58f35e99 --- /dev/null +++ b/SPECS/gh/CVE-2024-45338.patch 
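Review bot: `Patch0: CVE-2024-45338.patch` in docker-compose.spec modifies files under vendor/, which appear to come from Source1 (the govendor tarball), yet none of the docker-compose.spec hunks touch %prep. The %prep section is outside the hunks, so this is something to confirm rather than a known failure: if patches are applied before Source1 is unpacked, the patch has nothing to apply to. gh.spec, helm.spec and ig.spec in this same commit switch to `%autosetup -N`, extraction, then `%autopatch -p1` for exactly that ordering. The existing NOTE above Source1 also says vendored CVE fixes go through a govendor v1 -> v2 bump, so a comment next to Patch0 such as `# vendored x/net fix carried as a patch instead of a govendor-v2 tarball` would explain the deviation.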
@@ -0,0 +1,63 @@ +From a61bc7a45809410b36644afd5a29c14f138a1485 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in gh + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index 94177c846f3..7998e980055 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -1,7 +1,7 @@ Summary: GitHub official command line tool Name: gh Version: 2.62.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -15,6 +15,7 @@ Source1: %{name}-%{version}-vendor.tar.gz Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch Patch1: CVE-2024-54132.patch +Patch2: CVE-2024-45338.patch BuildRequires: golang < 1.23 BuildRequires: git @@ -26,10 +27,11 @@ Requires: git GitHub official command line tool. %prep -%autosetup -p1 -n cli-%{version} +%autosetup -N -n cli-%{version} +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} # No mod download use vednor cache locally export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external" @@ -58,6 +60,9 @@ make test %{_datadir}/zsh/site-functions/_gh %changelog +* Tue Dec 31 2024 Rohit Rawat - 2.62.0-3 +- Add patch for CVE-2024-45338 + * Fri Dec 13 2024 Sandeep Karambelkar - 2.62.0-2 - Patch CVE-2024-54132 diff --git a/SPECS/helm/CVE-2024-45338.patch b/SPECS/helm/CVE-2024-45338.patch new file mode 100644 index 00000000000..4c956abd518 --- /dev/null +++ b/SPECS/helm/CVE-2024-45338.patch 
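Review bot: The new %prep ordering in gh.spec is load-bearing but carries no comment. `%autosetup -N` skips patching so that the vendor tarball is unpacked before `%autopatch -p1` runs, and a later cleanup back to plain `%autosetup -p1` would make the vendor/ patch fail to apply. A one-line comment above the tar line would protect it, e.g. `# unpack vendored modules first: CVE-2024-45338.patch modifies files under vendor/`. The same comment fits the equivalent %prep changes in helm.spec and ig.spec.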
@@ -0,0 +1,63 @@ +From 4443cda74f412666ff93708059e2f856330a65b1 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in helm + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec index 964f084345c..9c31d5446dd 100644 --- a/SPECS/helm/helm.spec +++ b/SPECS/helm/helm.spec @@ -2,7 +2,7 @@ Name: helm Version: 3.15.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Kubernetes Package Manager Group: Applications/Networking License: Apache 2.0 @@ -24,16 +24,18 @@ Source0: https://github.com/helm/helm/archive/refs/tags/v%{version}.tar.gz # -cf %%{name}-%%{version}-vendor.tar.gz vendor # Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang %description Helm is a tool that streamlines installing and managing Kubernetes applications. Think of it like apt/yum/homebrew for Kubernetes. %prep -%autosetup -p1 +%autosetup -N +tar -xf %{SOURCE1} --no-same-owner +%autopatch -p1 %build -tar -xf %{SOURCE1} --no-same-owner export VERSION=%{version} for cmd in cmd/* ; do go build -tags '' -ldflags '-w -s -X helm.sh/helm/v3/internal/version.version=v%{version} -X helm.sh/helm/v3/internal/version.metadata= -X helm.sh/helm/v3/internal/version.gitCommit= -X helm.sh/helm/v3/internal/version.gitTreeState=clean ' \ @@ -53,6 +55,9 @@ install -m 755 ./helm %{buildroot}%{_bindir} go test -v ./cmd/helm %changelog +* Tue Dec 31 2024 Rohit Rawat - 3.15.2-2 +- Add patch for CVE-2024-45338 + * Wed Jul 10 2024 Sumedh Sharma - 3.15.2-1 - Bump package version to address CVE-2023-45288 & CVE-2023-44487 - Remove patches fixed in sources diff --git a/SPECS/ig/CVE-2024-45338.patch b/SPECS/ig/CVE-2024-45338.patch new file mode 100644 index 00000000000..16c45e19f71 --- /dev/null 
+++ b/SPECS/ig/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From b19ec2e436cdacc39d10fbc8d74e8b44eb18082a Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in ig + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/ig/ig.spec b/SPECS/ig/ig.spec index 936193ec7bb..53ef0198d66 100644 --- a/SPECS/ig/ig.spec +++ b/SPECS/ig/ig.spec @@ -1,7 +1,7 @@ Summary: The eBPF tool and systems inspection framework for Kubernetes, containers and Linux hosts. Name: ig Version: 0.32.0 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache 2.0 and GPL 2.0 for eBPF code Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,6 +9,7 @@ Group: Tools/Container URL: https://github.com/inspektor-gadget/inspektor-gadget Source0: https://github.com/inspektor-gadget/inspektor-gadget/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-govendor-v1.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang < 1.23 @@ -18,8 +19,9 @@ Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kube This package contains ig, the local CLI flavor of Inspektor Gadget. %prep -%autosetup -n inspektor-gadget-%{version} +%autosetup -N -n inspektor-gadget-%{version} %setup -q -n inspektor-gadget-%{version} -T -D -a 1 +%autopatch -p1 %build CGO_ENABLED=0 go build \ @@ -64,6 +66,9 @@ fi %{_bindir}/ig %changelog +* Tue Dec 31 2024 Rohit Rawat - 0.32.0-3 +- Add patch for CVE-2024-45338 + * Tue Oct 15 2024 Muhammad Falak - 0.32.0-2 - Pin golang version to <= 1.22 diff --git a/SPECS/influxdb/CVE-2024-45338.patch b/SPECS/influxdb/CVE-2024-45338.patch new file mode 100644 index 00000000000..705661e43ef --- /dev/null +++ b/SPECS/influxdb/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From e90e8414742ccdfcb3271f23732428d8feb8b10d Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in influxdb + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec index be889511b1d..ea04223c1a1 100644 --- a/SPECS/influxdb/influxdb.spec +++ b/SPECS/influxdb/influxdb.spec @@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.7.3 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -60,6 +60,7 @@ Patch1: CVE-2019-0205.patch Patch2: CVE-2024-6104.patch Patch3: CVE-2023-45288.patch Patch4: CVE-2024-24786.patch +Patch5: CVE-2024-45338.patch BuildRequires: clang BuildRequires: golang BuildRequires: kernel-headers @@ -149,6 +150,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +* Tue Dec 31 2024 Rohit Rawat - 2.7.3-8 +- Add patch for CVE-2024-45338 + - Mon Nov 25 2024 Bala - 2.7.3-7 - Fix CVE-2024-24786 diff --git a/SPECS/kube-vip-cloud-provider/CVE-2024-45338.patch b/SPECS/kube-vip-cloud-provider/CVE-2024-45338.patch new file mode 100644 index 00000000000..99b39a302aa --- /dev/null +++ b/SPECS/kube-vip-cloud-provider/CVE-2024-45338.patch 
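Review bot: In influxdb.spec the changelog entry directly below the added 2.7.3-8 block appears to start with `- Mon Nov 25 2024` rather than `* Mon Nov 25 2024`; whitespace on this page is collapsed, so check the file itself. If it really is a dash, the 2.7.3-7 entry has no header, and rpm would read that line and `- Fix CVE-2024-24786` as further bullets of the new 2.7.3-8 entry. That misattributes the earlier fix in `rpm -q --changelog` output, which matters when the changelog is used to audit which release carries which CVE fix. Since this commit edits the adjacent lines, change the leading `-` of that header line to `*` here.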
@@ -0,0 +1,63 @@ +From 9274c51605988b6e2747466d5d0e3f9053eeb781 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in kube-vip-cloud-provider + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { 
++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec index f0a5e64c442..ce2cb9544e2 100644 --- a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec +++ b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec @@ -1,7 +1,7 @@ Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups Name: kube-vip-cloud-provider Version: 0.0.10 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: https://github.com/kube-vip/kube-vip-cloud-provider Group: Applications/Text @@ -20,6 +20,7 @@ Source0: https://github.com/kube-vip/%{name}/archive/refs/tags/v%{version Source1: %{name}-%{version}-vendor.tar.gz Patch1: CVE-2023-47108.patch +Patch2: CVE-2024-45338.patch BuildRequires: golang >= 1.22 @@ -40,6 +41,9 @@ install kube-vip-cloud-provider %{buildroot}%{_bindir}/kube-vip-cloud-provider %{_bindir}/kube-vip-cloud-provider %changelog +* Tue Dec 31 2024 Rohit Rawat - 0.0.10-3 +- Add patch for CVE-2024-45338 + * Tue Sep 03 2024 Pawel Winogrodzki - 0.0.10-2 - Release bump to fix package information. diff --git a/SPECS/kubernetes/CVE-2024-45338.patch b/SPECS/kubernetes/CVE-2024-45338.patch new file mode 100644 index 00000000000..88242685780 --- /dev/null +++ b/SPECS/kubernetes/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From 52a84b5210dad5dffe4b80c8c30fb0280eda2b20 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in kubernetes + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a9..bca3ae9a 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9dc..e8515d8e 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89eda..5b8374bf 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 26a094aa632..1f2255ff009 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.30.3 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -19,6 +19,7 @@ URL: https://kubernetes.io/ Source0: https://dl.k8s.io/v%{version}/kubernetes-src.tar.gz#/%{name}-v%{version}.tar.gz Source1: kubelet.service Patch0: CVE-2024-28180.patch +Patch1: CVE-2024-45338.patch BuildRequires: flex-devel BuildRequires: glibc-static >= 2.38-8%{?dist} BuildRequires: golang @@ -271,6 +272,9 @@ fi %{_exec_prefix}/local/bin/pause %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.30.3-2 +- Add patch for CVE-2024-45338 + * Wed Dec 11 2024 CBL-Mariner Servicing Account - 1.30.3-1 - Auto-upgrade to 1.30.3 - Fix CVE-2024-10220 diff --git a/SPECS/kubevirt/CVE-2024-45338.patch b/SPECS/kubevirt/CVE-2024-45338.patch new file mode 100644 index 00000000000..28f41552da0 --- /dev/null +++ b/SPECS/kubevirt/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From aceb2accc5ecef6515d89802b235232a9b01628d Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in kubevirt + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index 485280f1c6a..aac863332b2 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -20,7 +20,7 @@ Summary: Container native virtualization Name: kubevirt Version: 1.2.0 -Release: 11%{?dist} +Release: 12%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -34,6 +34,7 @@ Patch0: Cleanup-housekeeping-cgroup-on-vm-del.patch Patch1: CVE-2023-48795.patch Patch2: CVE-2024-24786.patch Patch3: CVE-2024-45337.patch +Patch4: CVE-2024-45338.patch %global debug_package %{nil} BuildRequires: swtpm-tools BuildRequires: glibc-devel @@ -274,6 +275,9 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt %{_bindir}/virt-tests %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.2.0-12 +- Add patch for CVE-2024-45338 + * Fri Dec 20 2024 Aurelien Bombo - 1.2.0-11 - Add patch for CVE-2024-45337 diff --git a/SPECS/multus/CVE-2024-45338.patch b/SPECS/multus/CVE-2024-45338.patch new file mode 100644 index 00000000000..368833dbca3 --- /dev/null +++ b/SPECS/multus/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From 8525179eff5cd787a9dd5efc1cc6b84646c2d072 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in multus + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/multus/multus.spec b/SPECS/multus/multus.spec index ef01cbc9ef7..1b342f12b01 100644 --- a/SPECS/multus/multus.spec +++ b/SPECS/multus/multus.spec @@ -19,7 +19,7 @@ Summary: CNI plugin providing multiple interfaces in containers Name: multus Version: 4.0.2 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -30,6 +30,7 @@ Source0: https://github.com/k8snetworkplumbingwg/multus-cni/archive/refs/ Patch0: CVE-2023-3978.patch Patch1: CVE-2023-44487.patch Patch2: CVE-2023-45288.patch +Patch3: CVE-2024-45338.patch BuildRequires: golang BuildRequires: golang-packaging @@ -72,6 +73,9 @@ install -D -m0644 deployments/multus-daemonset-crio.yml %{buildroot}%{_datadir}/ %{_datarootdir}/k8s-yaml/multus/multus.yaml %changelog +* Tue Dec 31 2024 Rohit Rawat - 4.0.2-4 +- Add patch for CVE-2024-45338 + * Fri Nov 22 2024 Xiaohong Deng - 4.0.2-3 - Add patches to resolve CVE-2023-39325, CVE-2023-44487 and CVE-2023-45288. - CVE-2023-39325 is a subset of CVE-2023-44487 and the patches are combined. diff --git a/SPECS/packer/CVE-2024-45338.patch b/SPECS/packer/CVE-2024-45338.patch new file mode 100644 index 00000000000..5167b1dcd1b --- /dev/null +++ b/SPECS/packer/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From 62e2433333db7c766a437a77c92379fed0e1c82a Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in packer + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index e818b1c155f..ec89b05bb5b 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -4,7 +4,7 @@ Summary: Tool for creating identical machine images for multiple platforms from a single source configuration. Name: packer Version: 1.9.5 -Release: 4%{?dist} +Release: 5%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -37,6 +37,7 @@ Patch2: CVE-2023-49569.patch Patch3: CVE-2024-6104.patch Patch4: CVE-2024-24786.patch Patch5: CVE-2024-45337.patch +Patch6: CVE-2024-45338.patch BuildRequires: golang >= 1.17.1 BuildRequires: kernel-headers BuildRequires: glibc-devel @@ -70,6 +71,9 @@ go test -mod=vendor %{_bindir}/packer %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.9.5-5 +- Add patch for CVE-2024-45338 + * Fri Dec 20 2024 Aurelien Bombo - 1.9.5-4 - Add patch for CVE-2024-45337 diff --git a/SPECS/prometheus-adapter/CVE-2024-45338.patch b/SPECS/prometheus-adapter/CVE-2024-45338.patch new file mode 100644 index 00000000000..6cc6480cfe7 --- /dev/null +++ b/SPECS/prometheus-adapter/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From c0257297bbeee9a17ba588f7db88aeb7b9ec5b68 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in prometheus-adapter + +--- + .../vendor/golang.org/x/net/html/doctype.go | 2 +- + .../vendor/golang.org/x/net/html/foreign.go | 3 +-- + .../vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == 
"hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/prometheus-adapter/prometheus-adapter.spec b/SPECS/prometheus-adapter/prometheus-adapter.spec index e93e3c989e9..fcc3cb87fa1 100644 --- a/SPECS/prometheus-adapter/prometheus-adapter.spec +++ b/SPECS/prometheus-adapter/prometheus-adapter.spec @@ -1,12 +1,13 @@ Summary: Kubernetes Custom, Resource, and External Metric APIs implemented to work with Prometheus. Name: prometheus-adapter Version: 0.12.0 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/kubernetes-sigs/prometheus-adapter Source0: https://github.com/kubernetes-sigs/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang %description @@ -41,6 +42,9 @@ make test %doc README.md RELEASE.md %changelog +* Tue Dec 31 2024 Rohit Rawat - 0.12.0-2 +- Patch CVE-2024-45338 + * Fri Jul 12 2024 CBL-Mariner Servicing Account - 0.12.0-1 - Auto-upgrade to 0.12.0 - Fix CVE-2023-39325, CVE-2023-3978, CVE-2023-45142, CVE-2023-45288, and CVE-2024-24786 diff --git a/SPECS/sriov-network-device-plugin/CVE-2024-45338.patch b/SPECS/sriov-network-device-plugin/CVE-2024-45338.patch new file mode 100644 index 00000000000..826ea3904df --- /dev/null +++ b/SPECS/sriov-network-device-plugin/CVE-2024-45338.patch 
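Review bot: `Patch0: CVE-2024-45338.patch` is the first patch this spec declares, and none of the prometheus-adapter.spec hunks touches `%prep`, so whether the patch is ever applied depends on lines outside the diff. If `%prep` still uses plain `%setup`, the package would ship with a changelog claiming the fix while the vendored `golang.org/x/net/html` stays unpatched; in that case it should become `%autosetup -p1`. The spec also lists only `Source0`, and the patch's diffstat shows `.../vendor/...` paths while its `diff --git` headers use `a/vendor/...`, which suggests the headers were edited by hand. It is worth confirming from a build log that all three files are actually patched at `-p1`.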
@@ -0,0 +1,63 @@ +From fac891dc1fe53f118a2669795aaf5db15b4f1558 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:13 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in sriov-network-device-plugin + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == 
"hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec b/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec index 373690e5a78..d350a1f1d72 100644 --- a/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec +++ b/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec @@ -1,13 +1,14 @@ Summary: Plugin for discovering and advertising networking resources Name: sriov-network-device-plugin Version: 3.7.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/k8snetworkplumbingwg/sriov-network-device-plugin Source0: https://github.com/k8snetworkplumbingwg/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang Requires: gawk Requires: hwdata @@ -17,8 +18,9 @@ sriov-network-device-plugin is Kubernetes device plugin for discovering and adve resources in the form of SR-IOV virtual functions and PCI physical functions %prep -%autosetup -p1 +%autosetup -N tar -xf %{SOURCE1} +%autopatch -p1 %build go build -mod vendor -o ./build/sriovdp ./cmd/sriovdp/ @@ -36,6 +38,9 @@ install -D -m0755 images/ddptool-1.0.1.12.tar.gz %{buildroot}%{_datadir}/%{name} %{_datadir}/%{name}/ddptool-1.0.1.12.tar.gz %changelog +* Tue Dec 31 2024 Rohit Rawat - 3.7.0-2 +- Patch CVE-2024-45338 + * Thu Jun 06 2024 CBL-Mariner Servicing Account - 3.7.0-1 - Auto-upgrade to 3.7.0 - address CVE-2022-1996 
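Review bot: The new `%prep` in sriov-network-device-plugin.spec spells out `%autosetup -N`, `tar -xf %{SOURCE1}`, `%autopatch -p1` where a single `%autosetup -p1 -a 1` should give the same unpack-then-patch sequence; commits 3/7 and 6/7 of this series settle on that one-line form for cert-manager and gh. The bare `tar -xf` also omits the `--no-same-owner` that gh.spec's earlier three-step form passed, so in a root build the vendor tree may keep the archive's ownership. The ordering itself is right: the vendor tarball has to be unpacked before a patch to `vendor/golang.org/x/net/html` can apply.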
diff --git a/SPECS/telegraf/CVE-2024-45338.patch b/SPECS/telegraf/CVE-2024-45338.patch new file mode 100644 index 00000000000..6954b931e7d --- /dev/null +++ b/SPECS/telegraf/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From edbbeae3da83ff913d62080e63ce055621ab1e4f Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in telegraf + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a9..bca3ae9a 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9dc..e8515d8e 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89eda..5b8374bf 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index f222039a727..5d9db93c6f7 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.31.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}. Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2024-37298.patch Patch1: CVE-2024-45337.patch +Patch2: CVE-2024-45338.patch BuildRequires: golang BuildRequires: systemd-devel Requires: logrotate @@ -78,6 +79,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Tue Dec 31 2024 Rohit Rawat - 1.31.0-4 +- Patch CVE-2024-45338 + * Wed Dec 18 2024 Aurelien Bombo - 1.31.0-3 - Patch CVE-2024-45337 From bc40d0c71519bb78ea02a1338cc5ba17e4de4af3 Mon Sep 17 00:00:00 2001 From: Rohit Rawat Date: Fri, 3 Jan 2025 13:34:55 +0000 Subject: [PATCH 2/7] delete disputed patches --- SPECS/cni-plugins/CVE-2024-45338.patch | 63 -------------------------- SPECS/cni/CVE-2024-45338.patch | 40 ---------------- 2 files changed, 103 deletions(-) delete mode 100644 SPECS/cni-plugins/CVE-2024-45338.patch delete mode 100644 SPECS/cni/CVE-2024-45338.patch diff --git a/SPECS/cni-plugins/CVE-2024-45338.patch b/SPECS/cni-plugins/CVE-2024-45338.patch deleted file mode 100644 index 4c13a54847a..00000000000 --- a/SPECS/cni-plugins/CVE-2024-45338.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 0292de27f5b71bcf2f161e9db8638359adf91233 Mon Sep 17 00:00:00 2001 -From: Rohit Rawat -Date: Thu, 2 Jan 2025 10:22:13 +0000 -Subject: [PATCH] Fix CVE CVE-2024-45338 in cni-plugins - ---- - plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go | 2 +- - plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go | 3 +-- - plugins-1.4.0/vendor/golang.org/x/net/html/parse.go | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go b/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go -+++ b/plugins-1.4.0/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go b/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go -+++ b/plugins-1.4.0/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == "annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } -diff --git a/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go b/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go -index 46a89ed..5b8374b 100644 ---- a/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go -+++ 
b/plugins-1.4.0/vendor/golang.org/x/net/html/parse.go -@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { - if p.tok.DataAtom == a.Input { - for _, t := range p.tok.Attr { - if t.Key == "type" { -- if strings.ToLower(t.Val) == "hidden" { -+ if strings.EqualFold(t.Val, "hidden") { - // Skip setting framesetOK = false - return true - } -@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { - return inHeadIM(p) - case a.Input: - for _, t := range p.tok.Attr { -- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { -+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { - p.addElement() - p.oe.pop() - return true --- -2.39.4 - diff --git a/SPECS/cni/CVE-2024-45338.patch b/SPECS/cni/CVE-2024-45338.patch deleted file mode 100644 index d709cd0dbfe..00000000000 --- a/SPECS/cni/CVE-2024-45338.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 1b55265630116c30921241ac52dea71ac3d849fb Mon Sep 17 00:00:00 2001 -From: Rohit Rawat -Date: Thu, 2 Jan 2025 10:22:13 +0000 -Subject: [PATCH] Fix CVE CVE-2024-45338 in cni - ---- - vendor/golang.org/x/net/html/doctype.go | 2 +- - vendor/golang.org/x/net/html/foreign.go | 3 +-- - 2 files changed, 2 insertions(+), 3 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/vendor/golang.org/x/net/html/doctype.go -+++ b/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/vendor/golang.org/x/net/html/foreign.go -+++ b/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == "annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } --- -2.39.4 - From d577e15e04517a8a510c517b5759e175ae185750 Mon Sep 17 00:00:00 2001 From: Rohit Rawat Date: Wed, 8 Jan 2025 07:13:05 +0000 Subject: [PATCH 3/7] cert-manager: optimize patch command --- SPECS/cert-manager/cert-manager.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index a3e6172367f..8714aafdbf0 100644 --- a/SPECS/cert-manager/cert-manager.spec 
+++ b/SPECS/cert-manager/cert-manager.spec @@ -58,8 +58,7 @@ Summary: cert-manager's webhook binary Webhook component providing API validation, mutation and conversion functionality for cert-manager. %prep -%setup -q -a 1 -%autopatch -p1 +%autosetup -p1 -q -a 1 %build From d5821e90c6dec8644c697b187da066d3ceaa00bf Mon Sep 17 00:00:00 2001 From: Rohit Rawat Date: Wed, 8 Jan 2025 07:33:27 +0000 Subject: [PATCH 4/7] Add Keda patch --- SPECS/keda/CVE-2024-45338.patch | 63 +++++++++++++++++++++++++++++++++ SPECS/keda/keda.spec | 6 +++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 SPECS/keda/CVE-2024-45338.patch diff --git a/SPECS/keda/CVE-2024-45338.patch b/SPECS/keda/CVE-2024-45338.patch new file mode 100644 index 00000000000..7dc58f35e99 --- /dev/null +++ b/SPECS/keda/CVE-2024-45338.patch 
@@ -0,0 +1,63 @@ +From a61bc7a45809410b36644afd5a29c14f138a1485 Mon Sep 17 00:00:00 2001 +From: Rohit Rawat +Date: Thu, 2 Jan 2025 10:22:12 +0000 +Subject: [PATCH] Fix CVE CVE-2024-45338 in gh + +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if 
strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.39.4 + diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec index bd64f4b864f..4fb93aaf24a 100644 --- a/SPECS/keda/keda.spec +++ b/SPECS/keda/keda.spec @@ -1,7 +1,7 @@ Summary: Kubernetes-based Event Driven Autoscaling Name: keda Version: 2.14.1 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -23,6 +23,7 @@ Source0: %{name}-%{version}.tar.gz # Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2024-6104.patch +Patch1: CVE-2024-45338.patch BuildRequires: golang >= 1.15 %description @@ -60,6 +61,9 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir} %{_bindir}/%{name}-admission-webhooks %changelog +* Wed Jan 08 2025 - 2.14.1-2 +- Add patch for CVE-2024-45338 + * Fri Sep 27 2024 Archana Choudhary - 2.14.1-1 - Upgrade to 2.14.1 - Fix CVE-2024-35255 in github.com/Azure/azure-sdk-for-go/sdk/azidentity From 93657822d478298663feed4093d531d80fad4b36 Mon Sep 17 00:00:00 2001 From: Rohit Rawat Date: Wed, 8 Jan 2025 07:36:23 +0000 Subject: [PATCH 5/7] cert-manager remove unsupported quiet option --- SPECS/cert-manager/cert-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 8714aafdbf0..f4f1815c373 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -58,7 +58,7 @@ Summary: cert-manager's webhook binary Webhook component providing API validation, mutation and conversion functionality for cert-manager. %prep -%autosetup -p1 -q -a 1 +%autosetup -p1 -a 1 %build 
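Review bot: The patch added under SPECS/keda carries the header `Subject: [PATCH] Fix CVE CVE-2024-45338 in gh`, so it appears to be the gh patch copied unchanged rather than one generated against keda's vendored tree. The subject should name the package it ships with, `Subject: [PATCH] Fix CVE CVE-2024-45338 in keda`, and the build log should be checked to confirm that the hunks at lines 87, 40, 1031 and 1459 apply to keda's `golang.org/x/net/html` cleanly, since a copied patch can apply with offset or fuzz when the vendored version differs. The accompanying keda.spec changelog entry `* Wed Jan 08 2025 - 2.14.1-2` also has no author name as shown here, unlike the other entries in the series.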
From aea7290facafa3e19df158d33820eb3d7095b4ab Mon Sep 17 00:00:00 2001 From: Rohit Rawat Date: Thu, 9 Jan 2025 07:23:56 +0000 Subject: [PATCH 6/7] gh: optimize prep section code --- SPECS/gh/gh.spec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index 7998e980055..a9be1d5f93f 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -27,9 +27,7 @@ Requires: git GitHub official command line tool. %prep -%autosetup -N -n cli-%{version} -tar --no-same-owner -xf %{SOURCE1} -%autopatch -p1 +%autosetup -p1 -n cli-%{version} -a1 %build export GOPATH=%{our_gopath} From 579b2ee53fa1f0b2b6fb6ef9e0c86c1f4ed995fe Mon Sep 17 00:00:00 2001 From: Rohit Rawat Date: Fri, 17 Jan 2025 18:09:17 +0000 Subject: [PATCH 7/7] revert packer changes which are already fixed --- SPECS/packer/CVE-2024-45338.patch | 63 ------------------------------- SPECS/packer/packer.spec | 6 +-- 2 files changed, 1 insertion(+), 68 deletions(-) delete mode 100644 SPECS/packer/CVE-2024-45338.patch diff --git a/SPECS/packer/CVE-2024-45338.patch b/SPECS/packer/CVE-2024-45338.patch deleted file mode 100644 index 5167b1dcd1b..00000000000 --- a/SPECS/packer/CVE-2024-45338.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 62e2433333db7c766a437a77c92379fed0e1c82a Mon Sep 17 00:00:00 2001 -From: Rohit Rawat -Date: Thu, 2 Jan 2025 10:22:12 +0000 -Subject: [PATCH] Fix CVE CVE-2024-45338 in packer - ---- - vendor/golang.org/x/net/html/doctype.go | 2 +- - vendor/golang.org/x/net/html/foreign.go | 3 +-- - vendor/golang.org/x/net/html/parse.go | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/vendor/golang.org/x/net/html/doctype.go -+++ b/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/vendor/golang.org/x/net/html/foreign.go -+++ b/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == "annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 46a89ed..5b8374b 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { - if p.tok.DataAtom == a.Input { - for _, t := range p.tok.Attr { - if t.Key == "type" { -- if strings.ToLower(t.Val) == "hidden" { -+ if 
strings.EqualFold(t.Val, "hidden") { - // Skip setting framesetOK = false - return true - } -@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { - return inHeadIM(p) - case a.Input: - for _, t := range p.tok.Attr { -- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { -+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { - p.addElement() - p.oe.pop() - return true --- -2.39.4 - diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index 99bce979599..5223e14d85e 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -4,7 +4,7 @@ Summary: Tool for creating identical machine images for multiple platforms from a single source configuration. Name: packer Version: 1.9.5 -Release: 6%{?dist} +Release: 5%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -35,7 +35,6 @@ Patch0: CVE-2022-3064.patch Patch1: CVE-2024-6104.patch Patch2: CVE-2024-24786.patch Patch3: CVE-2025-21613.patch -Patch4: CVE-2024-45338.patch BuildRequires: golang >= 1.21 BuildRequires: kernel-headers BuildRequires: glibc-devel @@ -69,9 +68,6 @@ go test -mod=vendor %{_bindir}/packer %changelog -* Tue Dec 31 2024 Rohit Rawat - 1.9.5-6 -- Add patch for CVE-2024-45338 - * Thu Jan 09 2025 Sudipta Pandit - 1.9.5-5 - Add patch for CVE-2025-21613 and CVE-2025-21614 - Remove patch for CVE-2023-45288, CVE-2023-49569, CVE-2024-45337