diff --git a/SPECS/kubernetes/CVE-2025-31133.patch b/SPECS/kubernetes/CVE-2025-31133.patch new file mode 100644 index 00000000000..e6c6f9944ed --- /dev/null +++ b/SPECS/kubernetes/CVE-2025-31133.patch @@ -0,0 +1,151 @@ +From ab41549ce869d942c4f03f34454992f198cd7bde Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Mon, 24 Nov 2025 07:13:56 +0000 +Subject: [PATCH] Backport: handle /dev/null checks and mask multiple paths; + adjust stdio and devnull reopening logic + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport from existing Build 989296 of https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f.diff +--- + .../runc/libcontainer/init_linux.go | 11 ++--- + .../runc/libcontainer/rootfs_linux.go | 49 +++++++++++++++---- + .../runc/libcontainer/standard_init_linux.go | 8 +-- + 3 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go +index d9f18139..50c7a129 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go +@@ -432,19 +432,16 @@ func setupUser(config *initConfig) error { + // The ownership needs to match because it is created outside of the container and needs to be + // localized. + func fixStdioPermissions(u *user.ExecUser) error { +- var null unix.Stat_t +- if err := unix.Stat("/dev/null", &null); err != nil { +- return &os.PathError{Op: "stat", Path: "/dev/null", Err: err} +- } + for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} { + var s unix.Stat_t + if err := unix.Fstat(int(file.Fd()), &s); err != nil { + return &os.PathError{Op: "fstat", Path: file.Name(), Err: err} + } + +- // Skip chown if uid is already the one we want or any of the STDIO descriptors +- // were redirected to /dev/null. +- if int(s.Uid) == u.Uid || s.Rdev == null.Rdev { ++ // Skip chown if: ++ // - uid is already the one we want, or ++ // - fd is opened to /dev/null. ++ if int(s.Uid) == u.Uid || isDevNull(&s) { + continue + } + +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +index c701d6a2..abc7c5ea 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +@@ -360,7 +360,7 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error { + // Mask `/sys/fs/cgroup` to ensure it is read-only, even when `/sys` is mounted + // with `rbind,ro` (`runc spec --rootless` produces `rbind,ro` for `/sys`). + err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error { +- return maskPath(procfd, c.label) ++ return maskPaths([]string{procfd}, c.label) + }) + } + return err +@@ -653,27 +653,23 @@ func setupDevSymlinks(rootfs string) error { + // needs to be called after we chroot/pivot into the container's rootfs so that any + // symlinks are resolved locally. + func reOpenDevNull() error { +- var stat, devNullStat unix.Stat_t + file, err := os.OpenFile("/dev/null", os.O_RDWR, 0) + if err != nil { + return err + } + defer file.Close() //nolint: errcheck +- if err := unix.Fstat(int(file.Fd()), &devNullStat); err != nil { +- return &os.PathError{Op: "fstat", Path: file.Name(), Err: err} ++ if err := verifyDevNull(file); err != nil { ++ return fmt.Errorf("can't reopen /dev/null: %w", err) + } + for fd := 0; fd < 3; fd++ { ++ var stat unix.Stat_t + if err := unix.Fstat(fd, &stat); err != nil { + return &os.PathError{Op: "fstat", Path: "fd " + strconv.Itoa(fd), Err: err} + } +- if stat.Rdev == devNullStat.Rdev { ++ if isDevNull(&stat) { + // Close and re-open the fd. + if err := unix.Dup3(int(file.Fd()), fd, 0); err != nil { +- return &os.PathError{ +- Op: "dup3", +- Path: "fd " + strconv.Itoa(int(file.Fd())), +- Err: err, +- } ++ return err + } + } + } +@@ -1063,6 +1059,39 @@ func remountReadonly(m *configs.Mount) error { + // security issues from processes reading information from non-namespace aware + // mounts ( proc/kcore ). + // For files, maskPath bind mounts /dev/null over the top of the specified path. ++ ++func isDevNull(st *unix.Stat_t) bool { ++ return st.Mode&unix.S_IFMT == unix.S_IFCHR && st.Rdev == unix.Mkdev(1, 3) ++} ++ ++func verifyDevNull(f *os.File) error { ++ var st unix.Stat_t ++ if err := unix.Fstat(int(f.Fd()), &st); err != nil { ++ return &os.PathError{Op: "fstat", Path: f.Name(), Err: err} ++ } ++ if !isDevNull(&st) { ++ return errors.New("container's /dev/null is invalid") ++ } ++ return nil ++} ++ ++// maskPaths masks the top of the specified paths inside a container to avoid ++func maskPaths(paths []string, mountLabel string) error { ++ for _, path := range paths { ++ if err := mount("/dev/null", path, "", "", unix.MS_BIND, ""); err != nil && !errors.Is(err, os.ErrNotExist) { ++ if errors.Is(err, unix.ENOTDIR) { ++ if err := mount("tmpfs", path, "", "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel)); err != nil { ++ return err ++ } ++ continue ++ } ++ return err ++ } ++ } ++ return nil ++} ++ ++ + // For directories, maskPath mounts read-only tmpfs over the top of the specified path. + func maskPath(path string, mountLabel string) error { + if err := mount("/dev/null", path, "", "", unix.MS_BIND, ""); err != nil && !errors.Is(err, os.ErrNotExist) { +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go +index d1d94352..da407620 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go +@@ -141,11 +141,11 @@ func (l *linuxStandardInit) Init() error { + return fmt.Errorf("can't make %q read-only: %w", path, err) + } + } +- for _, path := range l.config.Config.MaskPaths { +- if err := maskPath(path, l.config.Config.MountLabel); err != nil { +- return fmt.Errorf("can't mask path %s: %w", path, err) +- } ++ ++ if err := maskPaths(l.config.Config.MaskPaths, l.config.Config.MountLabel); err != nil { ++ return err + } ++ + pdeath, err := system.GetParentDeathSignal() + if err != nil { + return fmt.Errorf("can't get pdeath signal: %w", err) +-- +2.45.4 + diff --git a/SPECS/kubernetes/CVE-2025-52565.patch b/SPECS/kubernetes/CVE-2025-52565.patch new file mode 100644 index 00000000000..b56d6c6b10d --- /dev/null +++ b/SPECS/kubernetes/CVE-2025-52565.patch @@ -0,0 +1,299 @@ +From e04c763ae73afb0761a75db3846677631730ad29 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Mon, 24 Nov 2025 07:27:55 +0000 +Subject: [PATCH] Backport device node creation safety: use openat/mknodat, + inode verification, and AT_EMPTY_PATH wrappers; add GetPtyPeer; adjust + bind-mount device nodes + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport from existing Build 989298 of https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4.diff +--- + .../runc/internal/pathrs/pathrs.go | 41 +++++++++ + .../runc/internal/sys/opath_linux.go | 64 ++++++++++++++ + .../runc/libcontainer/rootfs_linux.go | 83 ++++++++++++++----- + .../runc/libcontainer/system/linux.go | 21 +++++ + 4 files changed, 189 insertions(+), 20 deletions(-) + create mode 100644 vendor/github.com/opencontainers/runc/internal/pathrs/pathrs.go + create mode 100644 vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go + +diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/pathrs.go b/vendor/github.com/opencontainers/runc/internal/pathrs/pathrs.go +new file mode 100644 +index 00000000..3cb5c2e7 +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/pathrs/pathrs.go +@@ -0,0 +1,41 @@ ++package pathrs ++ ++import ( ++ "fmt" ++ "os" ++ "path/filepath" ++ ++ "golang.org/x/sys/unix" ++) ++ ++// ProcThreadSelfOpen opens a path under /proc/thread-self with the given prefix and flags. ++// Returns the opened directory and a closer function. ++func ProcThreadSelfOpen(prefix string, flags int) (*os.File, func(), error) { ++ p := filepath.Join("/proc/thread-self", prefix) ++ fd, err := os.OpenFile(p, flags|unix.O_RDONLY, 0) ++ if err != nil { ++ return nil, nil, fmt.Errorf("open %s: %w", p, err) ++ } ++ return fd, func() {}, nil ++} ++ ++// MkdirAllInRootOpen ensures the given directory exists inside root and returns an open handle to it. ++func MkdirAllInRootOpen(root, dir string, mode os.FileMode) (*os.File, error) { ++ // Basic safety: ensure dir is inside root. ++ absDir := filepath.Clean(dir) ++ absRoot := filepath.Clean(root) ++ if absDir == absRoot { ++ return nil, fmt.Errorf("refusing to open root directory") ++ } ++ if !filepath.IsAbs(absDir) { ++ absDir = filepath.Join(absRoot, absDir) ++ } ++ if err := os.MkdirAll(absDir, mode); err != nil { ++ return nil, err ++ } ++ f, err := os.OpenFile(absDir, unix.O_DIRECTORY|unix.O_RDONLY, 0) ++ if err != nil { ++ return nil, &os.PathError{Op: "open", Path: absDir, Err: err} ++ } ++ return f, nil ++} +diff --git a/vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go b/vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go +new file mode 100644 +index 00000000..61d60346 +--- /dev/null ++++ b/vendor/github.com/opencontainers/runc/internal/sys/opath_linux.go +@@ -0,0 +1,64 @@ ++package sys ++ ++import ( ++ "fmt" ++ "os" ++ "runtime" ++ "strconv" ++ ++ "golang.org/x/sys/unix" ++) ++ ++// FchmodFile is a wrapper around fchmodat2(AT_EMPTY_PATH) with fallbacks for ++// older kernels. This is distinct from [File.Chmod] and [unix.Fchmod] in that ++// it works on O_PATH file descriptors. ++func FchmodFile(f *os.File, mode uint32) error { ++ err := unix.Fchmodat(int(f.Fd()), "", mode, unix.AT_EMPTY_PATH) ++ // If fchmodat2(2) is not available at all, golang.org/x/unix (probably ++ // in order to mirror glibc) returns EOPNOTSUPP rather than EINVAL ++ // (what the kernel actually returns for invalid flags, which is being ++ // emulated) or ENOSYS (which is what glibc actually sees). ++ if err != unix.EINVAL && err != unix.EOPNOTSUPP { //nolint:errorlint // unix errors are bare ++ // err == nil is implicitly handled ++ return os.NewSyscallError("fchmodat2 AT_EMPTY_PATH", err) ++ } ++ ++ // AT_EMPTY_PATH support was added to fchmodat2 in Linux 6.6 ++ // (5daeb41a6fc9d0d81cb2291884b7410e062d8fa1). The alternative for ++ // older kernels is to go through /proc. ++ fdDir, err2 := os.OpenFile("/proc/self/fd", unix.O_DIRECTORY|unix.O_RDONLY, 0) ++ if err2 != nil { ++ return fmt.Errorf("fchmodat2 AT_EMPTY_PATH fallback: %w", err2) ++ } ++ defer fdDir.Close() ++ ++ err = unix.Fchmodat(int(fdDir.Fd()), strconv.Itoa(int(f.Fd())), mode, 0) ++ if err != nil { ++ err = fmt.Errorf("fchmodat /proc/self/fd/%d: %w", f.Fd(), err) ++ } ++ runtime.KeepAlive(f) ++ return err ++} ++ ++// FchownFile is a wrapper around fchownat(AT_EMPTY_PATH). This is distinct ++// from [File.Chown] and [unix.Fchown] in that it works on O_PATH file ++// descriptors. ++func FchownFile(f *os.File, uid, gid int) error { ++ err := unix.Fchownat(int(f.Fd()), "", uid, gid, unix.AT_EMPTY_PATH) ++ runtime.KeepAlive(f) ++ return os.NewSyscallError("fchownat AT_EMPTY_PATH", err) ++} ++ ++// VerifyInode runs stat and statfs on the provided file descriptor and then ++// passes the results to the provided verification function. ++func VerifyInode(f *os.File, verify func(stat *unix.Stat_t, fs *unix.Statfs_t) error) error { ++ var st unix.Stat_t ++ if err := unix.Fstat(int(f.Fd()), &st); err != nil { ++ return fmt.Errorf("fstat on %s failed: %w", f.Name(), err) ++ } ++ var sfs unix.Statfs_t ++ if err := unix.Fstatfs(int(f.Fd()), &sfs); err != nil { ++ return fmt.Errorf("fstatfs on %s failed: %w", f.Name(), err) ++ } ++ return verify(&st, &sfs) ++} +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +index abc7c5ea..2087a972 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +@@ -12,6 +12,9 @@ import ( + "strings" + "time" + ++ "runtime" ++ "github.com/opencontainers/runc/internal/sys" ++ "github.com/opencontainers/runc/internal/pathrs" + securejoin "github.com/cyphar/filepath-securejoin" + "github.com/moby/sys/mountinfo" + "github.com/mrunalp/fileutils" +@@ -698,17 +701,18 @@ func createDevices(config *configs.Config) error { + return nil + } + +-func bindMountDeviceNode(rootfs, dest string, node *devices.Device) error { +- f, err := os.Create(dest) +- if err != nil && !os.IsExist(err) { +- return err +- } +- if f != nil { +- _ = f.Close() ++func bindMountDeviceNode(destDir *os.File, destName string, node *devices.Device) error { ++ dstFile, err := utils.Openat(destDir, destName, unix.O_CREAT|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0o000) ++ if err != nil { ++ return fmt.Errorf("create device inode %s: %w", node.Path, err) + } +- return utils.WithProcfd(rootfs, dest, func(procfd string) error { +- return mount(node.Path, dest, procfd, "bind", unix.MS_BIND, "") +- }) ++ defer dstFile.Close() ++ ++ dstFd, closer := utils.ProcThreadSelfFd(dstFile.Fd()) ++ defer closer() ++ ++ dstPath := filepath.Join(destDir.Name(), destName) ++ return mount(node.Path, dstPath, dstFd, "bind", unix.MS_BIND, "") + } + + // Creates the device node in the rootfs of the container. +@@ -717,28 +721,33 @@ func createDeviceNode(rootfs string, node *devices.Device, bind bool) error { + // The node only exists for cgroup reasons, ignore it here. + return nil + } +- dest, err := securejoin.SecureJoin(rootfs, node.Path) ++ destPath, err := securejoin.SecureJoin(rootfs, node.Path) + if err != nil { + return err + } +- if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil { +- return err ++ if destPath == rootfs { ++ return fmt.Errorf("%w: mknod over rootfs", errRootfsToFile) ++ } ++ destDirPath, destName := filepath.Split(destPath) ++ destDir, err := pathrs.MkdirAllInRootOpen(rootfs, destDirPath, 0o755) ++ if err != nil { ++ return fmt.Errorf("mkdir parent of device inode %q: %w", node.Path, err) + } + if bind { +- return bindMountDeviceNode(rootfs, dest, node) ++ return bindMountDeviceNode(destDir, destName, node) + } +- if err := mknodDevice(dest, node); err != nil { ++ if err := mknodDevice(destDir, destName, node); err != nil { + if errors.Is(err, os.ErrExist) { + return nil + } else if errors.Is(err, os.ErrPermission) { +- return bindMountDeviceNode(rootfs, dest, node) ++ return bindMountDeviceNode(destDir, destName, node) + } + return err + } + return nil + } + +-func mknodDevice(dest string, node *devices.Device) error { ++func mknodDevice(destDir *os.File, destName string, node *devices.Device) error { + fileMode := node.FileMode + switch node.Type { + case devices.BlockDevice: +@@ -754,10 +763,44 @@ func mknodDevice(dest string, node *devices.Device) error { + if err != nil { + return err + } +- if err := unix.Mknod(dest, uint32(fileMode), int(dev)); err != nil { +- return &os.PathError{Op: "mknod", Path: dest, Err: err} ++ if err := unix.Mknodat(int(destDir.Fd()), destName, uint32(fileMode), int(dev)); err != nil { ++ return &os.PathError{Op: "mknodat", Path: filepath.Join(destDir.Name(), destName), Err: err} ++ } ++ ++ // Get a handle and verify that it matches the expected inode type and ++ // major:minor before we operate on it. ++ devFile, err := utils.Openat(destDir, destName, unix.O_NOFOLLOW|unix.O_PATH, 0) ++ if err != nil { ++ return fmt.Errorf("open new %c device inode %s: %w", node.Type, node.Path, err) + } +- return os.Chown(dest, int(node.Uid), int(node.Gid)) ++ defer devFile.Close() ++ ++ if err := sys.VerifyInode(devFile, func(stat *unix.Stat_t, _ *unix.Statfs_t) error { ++ if stat.Mode&unix.S_IFMT != uint32(fileMode)&unix.S_IFMT { ++ return fmt.Errorf("new %c device inode %s has incorrect ftype: %#x doesn't match expected %#v", ++ node.Type, node.Path, ++ stat.Mode&unix.S_IFMT, fileMode&unix.S_IFMT) ++ } ++ if stat.Rdev != dev { ++ return fmt.Errorf("new %c device inode %s has incorrect major:minor: %d:%d doesn't match expected %d:%d", ++ node.Type, node.Path, ++ unix.Major(stat.Rdev), unix.Minor(stat.Rdev), ++ unix.Major(dev), unix.Minor(dev)) ++ } ++ return nil ++ }); err != nil { ++ return err ++ } ++ ++ // Ensure permission bits (can be different because of umask). ++ if err := sys.FchmodFile(devFile, uint32(fileMode)); err != nil { ++ return fmt.Errorf("update new %c device inode %s file mode: %w", node.Type, node.Path, err) ++ } ++ if err := sys.FchownFile(devFile, int(node.Uid), int(node.Gid)); err != nil { ++ return fmt.Errorf("update new %c device inode %s owner: %w", node.Type, node.Path, err) ++ } ++ runtime.KeepAlive(devFile) ++ return nil + } + + // Get the parent mount point of directory passed in as argument. Also return +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go +index e1d6eb18..98ee1c6d 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go +@@ -102,3 +102,24 @@ func GetSubreaper() (int, error) { + + return int(i), nil + } ++ ++ ++// GetPtyPeer is a wrapper for ioctl(TIOCGPTPEER). ++func GetPtyPeer(ptyFd uintptr, unsafePeerPath string, flags int) (*os.File, error) { ++ // Make sure O_NOCTTY is always set -- otherwise runc might accidentally ++ // gain it as a controlling terminal. O_CLOEXEC also needs to be set to ++ // make sure we don't leak the handle either. ++ flags |= unix.O_NOCTTY | unix.O_CLOEXEC ++ ++ // There is no nice wrapper for this kind of ioctl in unix. ++ peerFd, _, errno := unix.Syscall( ++ unix.SYS_IOCTL, ++ ptyFd, ++ uintptr(unix.TIOCGPTPEER), ++ uintptr(flags), ++ ) ++ if errno != 0 { ++ return nil, os.NewSyscallError("ioctl TIOCGPTPEER", errno) ++ } ++ return os.NewFile(peerFd, unsafePeerPath), nil ++} +-- +2.45.4 + diff --git a/SPECS/kubernetes/CVE-2025-52881.patch b/SPECS/kubernetes/CVE-2025-52881.patch new file mode 100644 index 00000000000..c745ed4f827 --- /dev/null +++ b/SPECS/kubernetes/CVE-2025-52881.patch @@ -0,0 +1,65 @@ +From f73db30d56017725441a6d3488ae1e9133795187 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Mon, 24 Nov 2025 08:10:08 +0000 +Subject: [PATCH] vendor(runc): drop EnsureProcHandle checks in apparmor and + utils; remove EnsureProcHandle function per upstream patch + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28.diff +--- + .../runc/libcontainer/apparmor/apparmor_linux.go | 4 +--- + .../runc/libcontainer/utils/utils_unix.go | 16 ---------------- + 2 files changed, 1 insertion(+), 19 deletions(-) + +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go +index 8b1483c7..09e5a2d8 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go +@@ -40,9 +40,7 @@ func setProcAttr(attr, value string) error { + } + defer f.Close() + +- if err := utils.EnsureProcHandle(f); err != nil { +- return err +- } ++ + + _, err = f.WriteString(value) + return err +diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go +index bf3237a2..ec0c1f87 100644 +--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go ++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go +@@ -12,18 +12,6 @@ import ( + "golang.org/x/sys/unix" + ) + +-// EnsureProcHandle returns whether or not the given file handle is on procfs. +-func EnsureProcHandle(fh *os.File) error { +- var buf unix.Statfs_t +- if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil { +- return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err) +- } +- if buf.Type != unix.PROC_SUPER_MAGIC { +- return fmt.Errorf("%s is not on procfs", fh.Name()) +- } +- return nil +-} +- + type fdFunc func(fd int) + + // fdRangeFrom calls the passed fdFunc for each file descriptor that is open in +@@ -35,10 +23,6 @@ func fdRangeFrom(minFd int, fn fdFunc) error { + } + defer fdDir.Close() + +- if err := EnsureProcHandle(fdDir); err != nil { +- return err +- } +- + fdList, err := fdDir.Readdirnames(-1) + if err != nil { + return err +-- +2.45.4 + diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 83b68ae22a5..81c21873d7a 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.30.10 -Release: 14%{?dist} +Release: 15%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -27,6 +27,9 @@ Patch5: CVE-2024-51744.patch Patch6: CVE-2025-30204.patch Patch7: CVE-2025-22872.patch Patch8: CVE-2025-4563.patch +Patch9: CVE-2025-31133.patch +Patch10: CVE-2025-52565.patch +Patch11: CVE-2025-52881.patch BuildRequires: flex-devel BuildRequires: glibc-static >= 2.38-15%{?dist} BuildRequires: golang < 1.25 @@ -278,6 +281,9 @@ fi %{_exec_prefix}/local/bin/pause %changelog +* Mon Nov 24 2025 Azure Linux Security Servicing Account - 1.30.10-15 +- Patch for CVE-2025-52881, CVE-2025-52565, CVE-2025-31133 + * Thu Oct 23 2025 Kanishk Bansal - 1.30.10-14 - Bump to rebuild with updated glibc