[AUTO-CHERRYPICK] Upgrade mysql to 8.0.40 - branch main (#10809)

CBL-Mariner-Bot · realsdx · web-flow · commit 4dd3ddf0b05c · 2024-10-25T14:40:38.000-04:00
Co-authored-by: Sudipta Pandit &lt;sudpandit@microsoft.com&gt;
diff --git a/SPECS/mysql/CVE-2023-46218.patch b/SPECS/mysql/CVE-2023-46218.patch
diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json
@@ -1,5 +1,5 @@
 {
-  "Signatures": {
-    "mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d"
-  }
-}
+ "Signatures": {
+  "mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9"
+ }
+}
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec
@@ -1,6 +1,6 @@
 Summary:        MySQL.
 Name:           mysql
-Version:        8.0.36
+Version:        8.0.40
 Release:        1%{?dist}
 License:        GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor:         Microsoft Corporation
@@ -9,7 +9,6 @@ Group:          Applications/Databases
 URL:            https://www.mysql.com
 Source0:        https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz
 Patch0:         CVE-2012-5627.nopatch
-Patch1:         CVE-2023-46218.patch
 BuildRequires:  cmake
 BuildRequires:  libtirpc-devel
 BuildRequires:  openssl-devel
@@ -98,6 +97,15 @@ fi
 %{_libdir}/pkgconfig/mysqlclient.pc
 
 %changelog
+* Fri Oct 18 2024 Sudipta Pandit <sudpandit@microsoft.com> - 8.0.40-1
+- Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
+  CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
+  CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237,
+  CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198,
+  CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096,
+  CVE-2024-21171, CVE-2024-21165, CVE-2023-46219
+- Remove patch for CVE-2023-46218 (fixed in 8.0.37)
+
 * Tue Jun 18 2024 Archana Choudhary <archana1@microsoft.com> - 8.0.36-1
 - Upgrade to 8.0.36 to fix 10 CVEs
 
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -13813,8 +13813,8 @@
         "type": "other",
         "other": {
           "name": "mysql",
-          "version": "8.0.36",
-          "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"
+          "version": "8.0.40",
+          "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -13813,8 +13813,8 @@`
`13813`	`13813`	`"type": "other",`
`13814`	`13814`	`"other": {`
`13815`	`13815`	`"name": "mysql",`
`13816`		`- "version": "8.0.36",`
`13817`		`- "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"`
	`13816`	`+ "version": "8.0.40",`
	`13817`	`+ "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"`
`13818`	`13818`	`}`
`13819`	`13819`	`}`
`13820`	`13820`	`},`