Merge branch '3.0-dev' into azure-autosec/rust/3.0/893441

Author: archana25-ms

.pipelines/templates/PackageBuild.yml

@@ -134,10 +134,6 @@ parameters:
     type: string
     default: ""
 
-  - name: pipArtifactFeeds
-    type: string
-    default: ""
-
   - name: publishLogs
     type: boolean
     default: true
@@ -167,12 +163,6 @@ steps:
     parameters:
       buildRepoRoot: ${{ parameters.buildRepoRoot }}
 
-  - ${{ if parameters.pipArtifactFeeds }}:
-      - task: PipAuthenticate@1
-        inputs:
-          artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
-        displayName: "Authenticate to custom pip artifact feeds"
-
   - ${{ if parameters.customToolchainTarballName }}:
       - script: |
           toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"

.pipelines/templates/PackageBuildPRCheck.yml

@@ -136,7 +136,6 @@ stages:
                   maxCPU: "${{ configuration.maxCPUs }}"
                   outputArtifactsFolder: $(ob_outputDirectory)
                   outputRPMsTarballName: $(outputRPMsTarballName)
-                  pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
                   selfRepoName: self
                   testSuiteName: "[${{ configuration.name }}] Package test"
 
@@ -197,7 +196,6 @@ stages:
                   isUseCCache: true
                   maxCPU: "${{ configuration.maxCPUs }}"
                   outputArtifactsFolder: $(ob_outputDirectory)
-                  pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
                   selfRepoName: self
                   srpmPackList: "$(testListFromToolchain)"
                   testRerunList: "$(testListFromToolchain)"

.pipelines/templates/PackageTestResultsAnalysis.yml

@@ -32,9 +32,7 @@ parameters:
     default: "$(Agent.TempDirectory)"
 
 steps:
-    # TODO: the "--index-url" argument must be removed once accessing internal ADO feeds from fork PR checks is supported.
-  - bash: pip3 install --user junit_xml==1.9 --index-url https://pypi.org/simple
-    retryCountOnTaskFailure: 3
+  - bash: sudo tdnf install -y python3-junit-xml
     displayName: "Install Python dependencies"
 
   - task: PythonScript@0

SPECS-EXTENDED/389-ds-base/389-ds-base.spec

@@ -68,7 +68,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (%{variant})
 Name:             389-ds-base
 Version:          3.1.1
-Release:          5%{?dist}
+Release:          6%{?dist}
 License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Vendor:           Microsoft Corporation
@@ -732,6 +732,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 3.1.1-6
+- Bump release to rebuild with rust
+
 * Fri Jun 13 2025 Kavya Sree Kaitepalli <[email protected]> - 3.1.1-5
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/ripgrep/ripgrep.spec

@@ -20,7 +20,7 @@
 
 Name:           ripgrep
 Version:        13.0.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        A search tool that combines ag with grep
 License:        MIT AND Unlicense
 Vendor:         Microsoft Corporation
@@ -104,6 +104,9 @@ install -Dm 644 complete/_rg %{buildroot}%{_datadir}/zsh/site-functions/_rg
 %{_datadir}/zsh
 
 %changelog
+* Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 13.0.0-9
+- Bump release to rebuild with rust
+
 * Fri Jun 13 2025 Kavya Sree Kaitepalli <[email protected]> - 13.0.0-8
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec

@@ -2,7 +2,7 @@
 Summary:        Tool for generating C bindings to Rust code
 Name:           rust-cbindgen
 Version:        0.24.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -96,6 +96,9 @@ RUSTFLAGS=%{rustflags} cargo test --release
 %endif
 
 %changelog
+* Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 0.24.3-5
+- Bump release to rebuild with rust
+
 * Fri Jun 13 2025 Kavya Sree Kaitepalli <[email protected]> - 0.24.3-4
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec

@@ -3,7 +3,7 @@
 Summary: Tardev Snapshotter for containerd
 Name: tardev-snapshotter
 Version: 3.2.0.tardev1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 Vendor: Microsoft Corporation
@@ -67,6 +67,9 @@ fi
 %config(noreplace) %{_unitdir}/%{name}.service
 
 %changelog
+* Mon Jul 21 2025 Jyoti Kanase <[email protected]> - 3.2.0.tardev1-3
+- Bump release to rebuild with rust
+
 * Fri Jun 13 2025 Kavya Sree Kaitepalli <[email protected]> - 3.2.0.tardev1-2
 - Bump release to rebuild with rust
 

SPECS/apache-commons-lang3/CVE-2025-48924.patch

@@ -0,0 +1,100 @@
+From b424803abdb2bec818e4fbcb251ce031c22aca53 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <[email protected]>
+Date: Sat, 21 Sep 2024 17:23:08 -0400
+Subject: [PATCH] Rewrite ClassUtils.getClass() without recursion to avoid
+ StackOverflowError on very long inputs.
+
+- This was found fuzz testing Apache Commons Text which relies on
+ClassUtils.
+- OssFuzz Issue 42522972:
+apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security
+exception in org.apache.commons.lang3.ClassUtils.getClass
+
+Upstream Patch Reference: https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53.patch
+---
+ src/changes/changes.xml                       |  1 +
+ .../org/apache/commons/lang3/ClassUtils.java  | 46 +++++++++----------
+ 2 files changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/src/changes/changes.xml b/src/changes/changes.xml
+index 5731324..dd2577b 100644
+--- a/src/changes/changes.xml
++++ b/src/changes/changes.xml
+@@ -47,6 +47,7 @@ The <action> type attribute can be add,update,fix,remove.
+ 
+   <release version="3.8.1" date="2018-09-19" description="This release is a bugfix for Restoring Bundle-SymbolicName in the MANIFEST.mf file.">
+     <action issue="LANG-1419" type="fix" dev="chtompki">Restore BundleSymbolicName for OSGi</action>
++    <action                   type="fix" dev="ggregory" due-to="OSS-Fuzz, Gary Gregory">Rewrite ClassUtils.getClass(...) without recursion to avoid StackOverflowError on very long inputs. OSS-Fuzz Issue 42522972: apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in org.apache.commons.lang3.ClassUtils.getClass.</action>
+   </release>
+ 
+   <release version="3.8" date="2018-08-15" description="New features and bug fixes. Requires Java 7, supports Java 8, 9, 10.">
+diff --git a/src/main/java/org/apache/commons/lang3/ClassUtils.java b/src/main/java/org/apache/commons/lang3/ClassUtils.java
+index be9f0dd..a9ec195 100644
+--- a/src/main/java/org/apache/commons/lang3/ClassUtils.java
++++ b/src/main/java/org/apache/commons/lang3/ClassUtils.java
+@@ -985,30 +985,27 @@ public class ClassUtils {
+      */
+     public static Class<?> getClass(
+             final ClassLoader classLoader, final String className, final boolean initialize) throws ClassNotFoundException {
+-        try {
+-            Class<?> clazz;
+-            if (namePrimitiveMap.containsKey(className)) {
+-                clazz = namePrimitiveMap.get(className);
+-            } else {
+-                clazz = Class.forName(toCanonicalName(className), initialize, classLoader);
+-            }
+-            return clazz;
+-        } catch (final ClassNotFoundException ex) {
+-            // allow path separators (.) as inner class name separators
+-            final int lastDotIndex = className.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
+-
+-            if (lastDotIndex != -1) {
+-                try {
+-                    return getClass(classLoader, className.substring(0, lastDotIndex) +
+-                            INNER_CLASS_SEPARATOR_CHAR + className.substring(lastDotIndex + 1),
+-                            initialize);
+-                } catch (final ClassNotFoundException ex2) { // NOPMD
+-                    // ignore exception
++        // This method was re-written to avoid recursion and stack overflows found by fuzz testing.
++        String next = className;
++        int lastDotIndex = -1;
++        do {
++            try {
++                Class<?> clazz;
++                if (namePrimitiveMap.containsKey(next)) {
++                    clazz = namePrimitiveMap.get(next);
++                } else {
++                    clazz = Class.forName(toCanonicalName(next), initialize, classLoader);
++                }
++                return clazz;
++            } catch (final ClassNotFoundException ex) {
++                lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
++                if (lastDotIndex != -1) {
++                    next = next.substring(0, lastDotIndex) +
++                            INNER_CLASS_SEPARATOR_CHAR + next.substring(lastDotIndex + 1);
+                 }
+             }
+-
+-            throw ex;
+-        }
++        } while (lastDotIndex != -1);
++        throw new ClassNotFoundException(next);
+     }
+ 
+     /**
+@@ -1124,9 +1121,10 @@ public class ClassUtils {
+     private static String toCanonicalName(String className) {
+         className = StringUtils.deleteWhitespace(className);
+         Validate.notNull(className, "className must not be null.");
+-        if (className.endsWith("[]")) {
++        final String arrayMarker = "[]";
++        if (className.endsWith(arrayMarker)) {
+             final StringBuilder classNameBuffer = new StringBuilder();
+-            while (className.endsWith("[]")) {
++            while (className.endsWith(arrayMarker)) {
+                 className = className.substring(0, className.length() - 2);
+                 classNameBuffer.append("[");
+             }
+-- 
+2.34.1
+

SPECS/apache-commons-lang3/apache-commons-lang3.spec

@@ -18,7 +18,7 @@
 Summary:        Apache Commons Lang Package
 Name:           apache-%{short_name}
 Version:        3.8.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -27,6 +27,7 @@ URL:            https://commons.apache.org/proper/commons-lang
 Source0:        https://archive.apache.org/dist/commons/lang/source/%{short_name}-%{version}-src.tar.gz
 Source1:        build.xml
 Source2:        default.properties
+Patch0:         CVE-2025-48924.patch
 BuildRequires:  ant
 BuildRequires:  ant-junit
 BuildRequires:  fdupes
@@ -57,9 +58,8 @@ Group:          Documentation/HTML
 Javadoc for %{name}.
 
 %prep
-%setup -q -n %{short_name}-%{version}-src
-cp %{SOURCE1} .
-cp %{SOURCE2} .
+%autosetup -n %{short_name}-%{version}-src -p1
+cp %{SOURCE1} %{SOURCE2} .
 sed -i 's/\r//' *.txt
 
 %pom_remove_parent .
@@ -98,6 +98,9 @@ cp -pr target/apidocs/* %{buildroot}%{_javadocdir}/%{name}/
 %{_javadocdir}/%{name}
 
 %changelog
+* Wed Jul 16 2025 Aninda Pradhan <[email protected]> - 3.8.1-6
+- Addressed CVE-2025-48924
+
 * Fri Mar 17 2023 Mykhailo Bykhovtsev <[email protected]> - 3.8.1-5
 - Moved from extended to core
 - License verified

SPECS/ceph/CVE-2024-48916.patch

@@ -0,0 +1,31 @@
+From be105ab62fd4c93be9f9e5896e28c702534b0c56 Mon Sep 17 00:00:00 2001
+From: Pritha Srivastava <[email protected]>
+Date: Tue, 5 Nov 2024 12:03:00 +0530
+Subject: [PATCH] rgw/sts: fix to disallow unsupported JWT algorithms while
+ authenticating AssumeRoleWithWebIdentity using JWT obtained from an external
+ IDP.
+
+fixes: https://tracker.ceph.com/issues/68836
+
+Signed-off-by: Pritha Srivastava <[email protected]>
+---
+ src/rgw/rgw_rest_sts.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
+index 09f77f61d..23328236a 100644
+--- a/src/rgw/rgw_rest_sts.cc
++++ b/src/rgw/rgw_rest_sts.cc
+@@ -444,6 +444,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
+                               .allow_algorithm(jwt::algorithm::ps512{cert});
+ 
+                 verifier.verify(decoded);
++              } else {
++                ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
++                throw -EINVAL;
+               }
+             } catch (std::runtime_error& e) {
+               ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;
+-- 
+2.45.4
+