From 078f94479a894310a703f5098330913ff678f687 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 8 Aug 2025 10:17:15 +0000
Subject: [PATCH 1/2] Patch rust for CVE-2024-11738
---
 SPECS/rust/CVE-2024-11738.patch | 35 +++++++++++++++++++++++++++++++++
 SPECS/rust/rust.spec | 6 +++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/rust/CVE-2024-11738.patch
diff --git a/SPECS/rust/CVE-2024-11738.patch b/SPECS/rust/CVE-2024-11738.patch
new file mode 100644
index 00000000000..22836637803
--- /dev/null
+++ b/SPECS/rust/CVE-2024-11738.patch
@@ -0,0 +1,35 @@
+From 874dd834f5444394deda1f7fcc19cc09afebf6bd Mon Sep 17 00:00:00 2001
+From: Kevin Wang
+Date: Fri, 22 Nov 2024 20:48:01 +0800
+Subject: [PATCH] Record and restore the processed cursor in
+ first_handshake_message
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/rustls/rustls/pull/2231.patch
+---
+ vendor/rustls-0.23.13/src/conn.rs | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/vendor/rustls-0.23.13/src/conn.rs b/vendor/rustls-0.23.13/src/conn.rs
+index 60b597ba5..d45d71fd0 100644
+--- a/vendor/rustls-0.23.13/src/conn.rs
++++ b/vendor/rustls-0.23.13/src/conn.rs
+@@ -655,6 +655,7 @@ impl ConnectionCommon {
+ /// `process_handshake_messages()` path, specialized for the first handshake message.
+ pub(crate) fn first_handshake_message(&mut self) -> Result>, Error> {
+ let mut buffer_progress = BufferProgress::default();
++ buffer_progress.add_processed(self.deframer_buffer.processed);
+
+ let res = self
+ .core
+@@ -665,6 +666,7 @@ impl ConnectionCommon {
+ )
+ .map(|opt| opt.map(|pm| Message::try_from(pm).map(|m| m.into_owned())));
+
++ self.deframer_buffer.processed = buffer_progress.processed();
+ match res? {
+ Some(Ok(msg)) => {
+ self.deframer_buffer
+--
+2.45.4
+
diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec
index cc99939b2c1..24c552d9d82 100644
--- a/SPECS/rust/rust.spec
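Review bot: The embedded `CVE-2024-11738.patch` changes `vendor/rustls-0.23.13/src/conn.rs`, yet its diffstat shows one file changed, so the crate's `.cargo-checksum.json` still describes the unpatched source; unless `rust.spec` already regenerates or relaxes vendored checksums in `%prep` (outside this hunk), cargo will refuse the modified crate at build time. Only this one vendored rustls version is touched and no regression test comes with the backport, so it is worth confirming against the upstream reference that the two added lines are the whole fix and that no other rustls copy in the source tree needs it. The intent of the change is stated only in the subject line; a header note in the patch file such as `# Applies to vendored rustls 0.23.13 only; drop when the vendored crate carries the upstream fix` would tell the next maintainer when it can go. `first_handshake_message` continues past the end of the second inner hunk.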
+++ b/SPECS/rust/rust.spec
@@ -9,7 +9,7 @@
 Summary: Rust Programming Language
 Name: rust
 Version: 1.86.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -42,6 +42,7 @@ Source5: https://static.rust-lang.org/dist/%{release_date}/cargo-%{stage0
 Source6: https://static.rust-lang.org/dist/%{release_date}/rustc-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz
 Source7: https://static.rust-lang.org/dist/%{release_date}/rust-std-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz
 Patch0: CVE-2025-4574.patch
+Patch1: CVE-2024-11738.patch
 BuildRequires: binutils
 BuildRequires: cmake
 # make sure rust relies on curl from CBL-Mariner (instead of using its vendored flavor)
@@ -179,6 +180,9 @@ rm %{buildroot}%{_docdir}/docs/html/.lock
 %{_mandir}/man1/*
 %changelog
+* Fri Aug 08 2025 Azure Linux Security Servicing Account - 1.86.0-4
+- Patch for CVE-2024-11738
+
 * Fri Jun 13 2025 Kavya Sree Kaitepalli - 1.86.0-3
 - Patch CVE-2025-4574
From 571938d2cefea83b31546bf949404ad0e3995712 Mon Sep 17 00:00:00 2001
From: archana25-ms
Date: Tue, 12 Aug 2025 09:11:03 +0000
Subject: [PATCH 2/2] Bump up release numbers for dependent packages
---
 SPECS-EXTENDED/389-ds-base/389-ds-base.spec | 5 ++++-
 SPECS-EXTENDED/ripgrep/ripgrep.spec | 5 ++++-
 SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec | 5 ++++-
 SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec | 5 ++++-
 SPECS/clamav/clamav.spec | 5 ++++-
 SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec | 5 ++++-
 SPECS/flux/flux.spec | 5 ++++-
 SPECS/influxdb/influxdb.spec | 5 ++++-
 SPECS/kata-containers-cc/kata-containers-cc.spec | 5 ++++-
 SPECS/kata-containers/kata-containers.spec | 5 ++++-
 SPECS/librsvg2/librsvg2.spec | 5 ++++-
 SPECS/mesa/mesa.spec | 5 ++++-
 SPECS/netavark/netavark.spec | 5 ++++-
 SPECS/rpm-ostree/rpm-ostree.spec | 5 ++++-
 SPECS/virtiofsd/virtiofsd.spec | 5 ++++-
 15 files changed, 60 insertions(+), 15 deletions(-)
diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec
index 40201181fd6..c99c47c9c16 100644
--- a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec
+++ b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec
@@ -68,7 +68,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (%{variant})
 Name: 389-ds-base
 Version: 3.1.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL: https://www.port389.org
 Vendor: Microsoft Corporation
@@ -732,6 +732,9 @@ exit 0
 %endif
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 3.1.1-7
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 3.1.1-6
 - Bump release to rebuild with rust
diff --git a/SPECS-EXTENDED/ripgrep/ripgrep.spec b/SPECS-EXTENDED/ripgrep/ripgrep.spec
index 333711ff21b..a8b89109322 100644
--- a/SPECS-EXTENDED/ripgrep/ripgrep.spec
+++ b/SPECS-EXTENDED/ripgrep/ripgrep.spec
@@ -20,7 +20,7 @@
 Name: ripgrep
 Version: 13.0.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: A search tool that combines ag with grep
 License: MIT AND Unlicense
 Vendor: Microsoft Corporation
@@ -104,6 +104,9 @@ install -Dm 644 complete/_rg %{buildroot}%{_datadir}/zsh/site-functions/_rg
 %{_datadir}/zsh
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 13.0.0-10
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 13.0.0-9
 - Bump release to rebuild with rust
diff --git a/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec b/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec
index 8641aac2b2a..6cff14e2945 100644
--- a/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec
+++ b/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec
@@ -2,7 +2,7 @@
 Summary: Tool for generating C bindings to Rust code
 Name: rust-cbindgen
 Version: 0.24.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -96,6 +96,9 @@ RUSTFLAGS=%{rustflags} cargo test --release
 %endif
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 0.24.3-6
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 0.24.3-5
 - Bump release to rebuild with rust
diff --git a/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec
index 06d21213428..f31d6280f25 100644
--- a/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec
+++ b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec
@@ -3,7 +3,7 @@
 Summary: Tardev Snapshotter for containerd
 Name: tardev-snapshotter
 Version: 3.2.0.tardev1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 Vendor: Microsoft Corporation
@@ -67,6 +67,9 @@ fi
 %config(noreplace) %{_unitdir}/%{name}.service
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 3.2.0.tardev1-4
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 3.2.0.tardev1-3
 - Bump release to rebuild with rust
diff --git a/SPECS/clamav/clamav.spec b/SPECS/clamav/clamav.spec
index 9b36c72f4cd..67ae044b146 100644
--- a/SPECS/clamav/clamav.spec
+++ b/SPECS/clamav/clamav.spec
@@ -1,7 +1,7 @@
 Summary: Open source antivirus engine
 Name: clamav
 Version: 1.0.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0 AND BSD AND bzip2-1.0.4 AND GPLv2 AND LGPLv2+ AND MIT AND Public Domain AND UnRar
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -136,6 +136,9 @@ fi
 %dir %attr(-,clamav,clamav) %{_sharedstatedir}/clamav
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 1.0.9-3
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 1.0.9-2
 - Bump release to rebuild with rust
diff --git a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec
index 50bb34e5add..91282fb0063 100644
--- a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec
+++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec
@@ -5,7 +5,7 @@
 Name: cloud-hypervisor-cvm
 Summary: Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload.
 Version: 41.0.79
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0 OR BSD-3-clause
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -136,6 +136,9 @@ cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{c
 %license LICENSES/CC-BY-4.0.txt
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 41.0.79-4
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 41.0.79-3
 - Bump release to rebuild with rust
diff --git a/SPECS/flux/flux.spec b/SPECS/flux/flux.spec
index 7d165c8eb2d..e15f724c49d 100644
--- a/SPECS/flux/flux.spec
+++ b/SPECS/flux/flux.spec
@@ -22,7 +22,7 @@
 Summary: Influx data language
 Name: flux
 Version: 0.194.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -146,6 +146,9 @@ RUSTFLAGS=%{rustflags} cargo test --release
 %{_includedir}/influxdata/flux.h
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 0.194.5-7
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 0.194.5-6
 - Bump release to rebuild with rust
diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec
index f4754745812..6a91886e021 100644
--- a/SPECS/influxdb/influxdb.spec
+++ b/SPECS/influxdb/influxdb.spec
@@ -18,7 +18,7 @@
 Summary: Scalable datastore for metrics, events, and real-time analytics
 Name: influxdb
 Version: 2.7.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -156,6 +156,9 @@ go test ./...
 %{_tmpfilesdir}/influxdb.conf
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 2.7.5-9
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 2.7.5-8
 - Bump release to rebuild with rust
diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec
index c1004c6c4f4..7e6b4788527 100644
--- a/SPECS/kata-containers-cc/kata-containers-cc.spec
+++ b/SPECS/kata-containers-cc/kata-containers-cc.spec
@@ -3,7 +3,7 @@
 Name: kata-containers-cc
 Version: 3.15.0.aks0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Kata Confidential Containers package developed for Confidential Containers on AKS
 License: ASL 2.0
 URL: https://github.com/microsoft/kata-containers
@@ -150,6 +150,9 @@ fi
 %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 3.15.0-aks0-5
+- Bump release to rebuild with rust
+
 * Tue Jul 22 2025 Jyoti Kanase - 3.15.0.aks0-4
 - Bump release to rebuild with rust
diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec
index 397e5cc36cd..b58b5e226e0 100644
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@@ -2,7 +2,7 @@
 Name: kata-containers
 Version: 3.18.0.kata0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Kata Containers package developed for Pod Sandboxing on AKS
 License: ASL 2.0
 URL: https://github.com/microsoft/kata-containers
@@ -115,6 +115,9 @@ popd
 %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 3.18.0.kata0-4
+- Bump release to rebuild with rust
+
 * Tue Jul 22 2025 Jyoti Kanase - 3.18.0.kata0-3
 - Bump release to rebuild with rust
diff --git a/SPECS/librsvg2/librsvg2.spec b/SPECS/librsvg2/librsvg2.spec
index 0cda5e56acc..226bea0b4c6 100644
--- a/SPECS/librsvg2/librsvg2.spec
+++ b/SPECS/librsvg2/librsvg2.spec
@@ -8,7 +8,7 @@
 Summary: An SVG library based on cairo
 Name: librsvg2
 Version: 2.58.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -125,6 +125,9 @@ rm -vrf %{buildroot}%{_docdir}
 %{_bindir}/rsvg-convert
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 2.58.1-5
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 2.58.1-4
 - Bump release to rebuild with rust
diff --git a/SPECS/mesa/mesa.spec b/SPECS/mesa/mesa.spec
index 40bba3ea97b..7bd00d3e43a 100644
--- a/SPECS/mesa/mesa.spec
+++ b/SPECS/mesa/mesa.spec
@@ -67,7 +67,7 @@
 Name: mesa
 Summary: Mesa graphics libraries
 Version: 24.0.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -741,6 +741,9 @@ popd
 %endif
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 24.0.1-5
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 24.0.1-4
 - Bump release to rebuild with rust
diff --git a/SPECS/netavark/netavark.spec b/SPECS/netavark/netavark.spec
index bd59c25d56f..61c9b844f8c 100644
--- a/SPECS/netavark/netavark.spec
+++ b/SPECS/netavark/netavark.spec
@@ -11,7 +11,7 @@
 Name: netavark
 Version: 1.10.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: OCI network stack
 License: ASL 2.0 and BSD and MIT
 Vendor: Microsoft Corporation
@@ -225,6 +225,9 @@ popd
 %{_unitdir}/%{name}-firewalld-reload.service
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 1.10.3-5
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 1.10.3-4
 - Bump release to rebuild with rust
diff --git a/SPECS/rpm-ostree/rpm-ostree.spec b/SPECS/rpm-ostree/rpm-ostree.spec
index b855705c861..a2dd1d41885 100644
--- a/SPECS/rpm-ostree/rpm-ostree.spec
+++ b/SPECS/rpm-ostree/rpm-ostree.spec
@@ -1,7 +1,7 @@
 Summary: Commit RPMs to an OSTree repository
 Name: rpm-ostree
 Version: 2024.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -178,6 +178,9 @@ make check
 %{_datadir}/gir-1.0/*-1.0.gir
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 2024.4-6
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 2024.4-5
 - Bump release to rebuild with rust
diff --git a/SPECS/virtiofsd/virtiofsd.spec b/SPECS/virtiofsd/virtiofsd.spec
index 274b72d1fc0..e6bdcc1ec2e 100644
--- a/SPECS/virtiofsd/virtiofsd.spec
+++ b/SPECS/virtiofsd/virtiofsd.spec
@@ -22,7 +22,7 @@ Name: virtiofsd
 # Version to be kept in sync with the `asset.virtiofsd.version` field from
 # https://github.com/microsoft/kata-containers/blob/msft-main/versions.yaml
 Version: 1.8.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: vhost-user virtio-fs device backend written in Rust
 Group: Development/Libraries/Rust
 License: Apache-2.0
@@ -75,6 +75,9 @@ cargo test --release
 %{_datadir}/qemu/vhost-user/50-qemu-virtiofsd.json
 %changelog
+* Tue Aug 12 2025 Archana Shettigar - 1.8.0-6
+- Bump release to rebuild with rust
+
 * Mon Jul 21 2025 Jyoti Kanase - 1.8.0-5
 - Bump release to rebuild with rust