Merge branch '2.0' into fasttrack/2.0

Author: jslobodzian

SPECS-EXTENDED/apache-commons-io/apache-commons-io-build.xml

@@ -10,7 +10,7 @@
 
   <property name="project.groupId" value="commons-io"/>
   <property name="project.artifactId" value="commons-io"/>
-  <property name="project.version" value="2.8.0"/>
+  <property name="project.version" value="2.14.0"/>
   <property name="project.name" value="Apache Commons IO"/>
   <property name="project.description" value="The Apache Commons IO library 
 contains utility classes, stream implementations, file filters, 

SPECS-EXTENDED/apache-commons-io/apache-commons-io.signatures.json

@@ -1,7 +1,7 @@
 {
  "Signatures": {
-  "apache-commons-io-build.xml": "3661f04824b5f93033dfc9f993a97f1435ff467f7e3cf5e2846f2d63a690ad3b",
-  "commons-io-2.8.0-src.tar.gz": "1e44c2b038bf825526305f0320b2e24dce039f399968326aab30c475ab765612",
-  "commons-io-2.8.0-src.tar.gz.asc": "5df617e9034a4e31cf7671af111edae1537dd14dc8d5e2fa4392a038f912df61"
+  "apache-commons-io-build.xml": "d7daa228b59ff41d5917745a77732bd31dc38dc1cea4edf1f65879c8ab82c4a2",
+  "commons-io-2.14.0-src.tar.gz": "306d53e907f491b9ac6b0e74e6ad9d8cbc0cf1b024cfb21df59a0c486fd181bc",
+  "commons-io-2.14.0-src.tar.gz.asc": "e46f87969e7accfa80aa194207c47d213730bc2427fb8ce7affbbfef5c3d1ec5"
  }
 }

SPECS-EXTENDED/apache-commons-io/apache-commons-io.spec

@@ -22,8 +22,8 @@ Distribution:   Mariner
 %define short_name      commons-%{base_name}
 %bcond_with tests
 Name:           apache-%{short_name}
-Version:        2.8.0
-Release:        2%{?dist}
+Version:        2.14.0
+Release:        1%{?dist}
 Summary:        Utilities to assist with developing IO functionality
 License:        Apache-2.0
 Group:          Development/Libraries/Java
@@ -93,6 +93,10 @@ cp -pr target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}
 %doc %{_javadocdir}/%{name}
 
 %changelog
+* Mon Oct 7 2024 Bhagyashri Pathak <[email protected]> - 2.14.0-1
+- Upgrade to 2.14.0 to fix the CVE-2024-47554.
+- License verified
+
 * Thu Oct 14 2021 Pawel Winogrodzki <[email protected]> - 2.8.0-2
 - Converting the 'Release' tag to the '[number].[distribution]' format.
 

SPECS-EXTENDED/apache-commons-io/commons-io-2.14.0-src.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEELbTx7w+nYezE6pNchv3H4qESYssFAmURZkQACgkQhv3H4qES
+YssmAAf+Opr906UCvufO2/ncd3Q2RuJDC24WoUlK8t18yNLTXcG1ZhxtqHn0ms/l
+D59OwQQaerBr2f/Y4dB1WLTg/XIrgtbmjImKk0iOXwVirb5etdXdnLUXf3oRvJG+
+C98BB26kY4QPYmRzQMFdf6AVRMZvva51c+u7zrKDOC0/VlxYPY8UlYQfCJ6Uyxqu
+TMUwQ1/cfSr65DIQui/X/RM09tGcyItb2wScZlGSq7FqtYNUj6GYAEZqhPeG74pq
+5xC19viyCGnTLO8LRaqmzmqidMPcYc95GqO9BiQDcI393qZJsq9GSxMwvIPcVJNp
+l6oNdUcPRxIf0yFJm47dmFtEeM4KXg==
+=+Thz
+-----END PGP SIGNATURE-----

SPECS-EXTENDED/apache-commons-io/commons-io-2.8.0-src.tar.gz.asc

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        5.15.167.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Oct 23 2024 Rachel Menge <[email protected]> - 5.15.167.1-2
+- Bump release to match kernel
+
 * Wed Sep 18 2024 CBL-Mariner Servicing Account <[email protected]> - 5.15.167.1-1
 - Auto-upgrade to 5.15.167.1
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "apr-1.7.2.tar.gz": "3d8999b216f7b6235343a4e3d456ce9379aa9a380ffb308512f133f0c5eb2db9"
+  "apr-1.7.5.tar.gz": "3375fa365d67bcf945e52b52cba07abea57ef530f40b281ffbe977a9251361db"
  }
 }

SPECS/apr/apr.signatures.json

@@ -1,14 +1,15 @@
 %define         aprver  1
 Summary:        The Apache Portable Runtime
 Name:           apr
-Version:        1.7.2
-Release:        2%{?dist}
+Version:        1.7.5
+Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Libraries
 URL:            https://apr.apache.org/
 Source0:        https://dlcdn.apache.org/%{name}/%{name}-%{version}.tar.gz
+Patch0:         skip-known-test-failure.patch
 %if %{with_check}
 # test_serv_by_name test requires /etc/services file from iana-etc package
 BuildRequires:  iana-etc
@@ -25,7 +26,7 @@ Requires:       %{name} = %{version}-%{release}
 It contains the libraries and header files to create applications
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 ./configure --prefix=%{_prefix} \
@@ -64,6 +65,10 @@ make -j1 check
 %{_libdir}/pkgconfig
 
 %changelog
+* Wed Oct 16 2024 Muhammad Falak <[email protected]> - 1.7.5-1
+- Upgrade version to address CVE-2023-49582
+- Enable ptests
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 1.7.2-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 

SPECS/apr/apr.spec

@@ -0,0 +1,31 @@
+From d4aa66b790e48f4745bcc6623b286577f2e0aef0 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <[email protected]>
+Date: Wed, 16 Oct 2024 19:47:33 +0530
+Subject: [PATCH] test: skip known test failure
+
+Signed-off-by: Muhammad Falak R Wani <[email protected]>
+---
+ test/Makefile.in | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/test/Makefile.in b/test/Makefile.in
+index e3b71e0..b609c74 100644
+--- a/test/Makefile.in
++++ b/test/Makefile.in
+@@ -172,6 +172,13 @@ check: $(TESTALL_COMPONENTS) $(STDTEST_PORTABLE) $(STDTEST_NONPORTABLE)
+ 					progfailed="$$progfailed '$$prog mode $$mode'"; \
+ 				fi; \
+ 			done; \
++		elif test "$$prog" = 'testall'; then \
++			./$$prog -v -x testsock; \
++			status=$$?; \
++			if test $$status != 0; then \
++				teststatus=$$status; \
++				progfailed="$$progfailed $$prog"; \
++			fi; \
+ 	        else \
+ 			./$$prog -v; \
+ 			status=$$?; \
+-- 
+2.40.1
+

SPECS/apr/skip-known-test-failure.patch

@@ -0,0 +1,78 @@
+From 8ffa475fbdb33da97e8bf79cc5791ee8751fca5e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Thu, 06 Jul 2023 10:25:47 -0700
+Subject: [PATCH] html: only render content literally in the HTML namespace
+
+Per the WHATWG HTML specification, section 13.3, only append the literal
+content of a text node if we are in the HTML namespace.
+
+Thanks to Mohammad Thoriq Aziz for reporting this issue.
+
+Fixes golang/go#61615
+Fixes CVE-2023-3978
+
+Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
+Reviewed-by: Tatiana Bradley <[email protected]>
+Run-TryBot: Roland Shoemaker <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+TryBot-Result: Security TryBots <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
+Reviewed-by: Roland Shoemaker <[email protected]>
+TryBot-Result: Gopher Robot <[email protected]>
+Run-TryBot: Damien Neil <[email protected]>
+---
+
+diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
+index 8b28031..e8c1233 100644
+--- a/vendor/golang.org/x/net/html/render.go
++++ b/vendor/golang.org/x/net/html/render.go
+@@ -194,9 +194,8 @@
+ 		}
+ 	}
+ 
+-	// Render any child nodes.
+-	switch n.Data {
+-	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++	// Render any child nodes
++	if childTextNodesAreLiteral(n) {
+ 		for c := n.FirstChild; c != nil; c = c.NextSibling {
+ 			if c.Type == TextNode {
+ 				if _, err := w.WriteString(c.Data); err != nil {
+@@ -213,7 +212,7 @@
+ 			// last element in the file, with no closing tag.
+ 			return plaintextAbort
+ 		}
+-	default:
++	} else {
+ 		for c := n.FirstChild; c != nil; c = c.NextSibling {
+ 			if err := render1(w, c); err != nil {
+ 				return err
+@@ -231,6 +230,27 @@
+ 	return w.WriteByte('>')
+ }
+ 
++func childTextNodesAreLiteral(n *Node) bool {
++	// Per WHATWG HTML 13.3, if the parent of the current node is a style,
++	// script, xmp, iframe, noembed, noframes, or plaintext element, and the
++	// current node is a text node, append the value of the node's data
++	// literally. The specification is not explicit about it, but we only
++	// enforce this if we are in the HTML namespace (i.e. when the namespace is
++	// "").
++	// NOTE: we also always include noscript elements, although the
++	// specification states that they should only be rendered as such if
++	// scripting is enabled for the node (which is not something we track).
++	if n.Namespace != "" {
++		return false
++	}
++	switch n.Data {
++	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++		return true
++	default:
++		return false
++	}
++}
++
+ // writeQuoted writes s to w surrounded by quotes. Normally it will use double
+ // quotes, but if s contains a double quote, it will use single quotes.
+ // It is used for writing the identifiers in a doctype declaration.