This commit is contained in:
Jon Slobodzian 2025-01-24 18:30:13 -05:00
Родитель c927bffd5c ba4b6bfc60
Коммит 48c646119a
85 изменённых файлов: 3042 добавлений и 19892 удалений

29
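--- a/.CodeQL.yml
+++ b/.CodeQL.yml
@@ -0,0 +1,29 @@
+path_classifiers:
+library:
+# Treat source files for all compiled languages in the specs directories
+# as 3rd party library sources because they are not owned by us.
+#
+# Extensions from https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/.
+- "SPECS*/**/*.c"
+- "SPECS*/**/*.c++"
+- "SPECS*/**/*.cc"
+- "SPECS*/**/*.cpp"
+- "SPECS*/**/*.cs"
+- "SPECS*/**/*.cshtml"
+- "SPECS*/**/*.csproj"
+- "SPECS*/**/*.cts"
+- "SPECS*/**/*.cxx"
+- "SPECS*/**/*.go"
+- "SPECS*/**/*.h"
+- "SPECS*/**/*.h++"
+- "SPECS*/**/*.hh"
+- "SPECS*/**/*.hpp"
+- "SPECS*/**/*.hxx"
+- "SPECS*/**/*.java"
+- "SPECS*/**/*.kt"
+- "SPECS*/**/*.mts"
+- "SPECS*/**/*.sln"
+- "SPECS*/**/*.swift"
+- "SPECS*/**/*.ts"
+- "SPECS*/**/*.tsx"
+- "SPECS*/**/*.xaml"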
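Review bot: Every pattern starts with the open-ended prefix `SPECS*/`, so any top-level directory whose name begins with SPECS is classified as library code, including one added later that holds first-party sources. If only the existing spec trees are meant, naming them explicitly would keep a new directory from silently dropping out of first-party analysis. The header comment explains why these files are not owned here but not what the classification does to their findings; a line such as `# Findings in library paths are not triaged as first-party alerts; issues in packaged sources are tracked per package.` would help, if that matches the actual process.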

4
.github/workflows/check-entangled-specs.yml поставляемый

@ -25,10 +25,10 @@ jobs:
uses: actions/checkout@v4
# For consistency, we use the same major/minor version of Python that CBL-Mariner ships
- name: Setup Python 3.7
- name: Setup Python 3.9
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.9
- name: Get Python dependencies
run: python3 -m pip install -r toolkit/scripts/requirements.txt

4
.github/workflows/lint-specs.yml поставляемый

@ -62,10 +62,10 @@ jobs:
path: 'spec-cleaner'
# For consistency, we use the same major/minor version of Python that CBL-Mariner ships
- name: Setup Python 3.7
- name: Setup Python 3.9
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.9
# We take our version of the linting tool from the master branch to ensure rules
# are consistent across all branches


@ -80,9 +80,11 @@ extends:
# GCC fails to build as a regular package.
ignoredSpecs: ["gcc"]
- script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz"
name: "ToolchainArtifactName"
displayName: "Set variable for published artifact name"
displayName: "Set variables for published toolchain tarball"
# 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
# then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
@ -104,24 +106,38 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
outputRPMsTarballName: "rpms.tar.gz"
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)
- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isCheckBuild: true
isQuickRebuildPackages: true
isUseCCache: true
maxCPU: "${{ configuration.maxCPUs }}"
outputArtifactsFolder: $(ob_outputDirectory)
outputRPMsTarballName: $(outputRPMsTarballName)
pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
selfRepoName: self
testSuiteName: "[${{ configuration.name }}] Package test"
- script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)"
name: "RPMsArtifactName"
displayName: "Set variable for published artifact name"
@ -142,15 +158,25 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)
- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isAllowToolchainRebuilds: true
isCheckBuild: true
isQuickRebuildPackages: true
@ -179,8 +205,18 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download RPMs tarball"
inputs:
artifact: $(rpmsArtifactName)
patterns: "**/$(rpmsTarballName)"
targetPath: $(inputArtifactsLocation)
- template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
parameters:
inputArtifactName: $(rpmsArtifactName)
inputArtifactsFolder: $(inputArtifactsLocation)
inputRPMsTarballName: $(rpmsTarballName)
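Review bot: `inputArtifactsLocation: $(Agent.TempDirectory)` makes the agent's general temp directory the download target in all three jobs, and the template sections further down default `inputArtifactsFolder` to the same directory and locate tarballs there with `find … -name`. Any other file under that directory with a matching name would be picked up as a build input, and the sources-extraction script in the SodiffCheck template section unpacks every match rather than a single one. A dedicated subdirectory narrows the search to what the download step put there, e.g. `inputArtifactsLocation: $(Agent.TempDirectory)/input-artifacts` (directory name constructed for illustration). Separately, the RPMs job's step keeps `displayName: "Set variable for published artifact name"` although it now sets two variables.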


@ -14,13 +14,9 @@ parameters:
type: number
default: 12
- name: customToolchainArtifactName
type: string
default: ""
- name: customToolchainTarballName
type: string
default: "toolchain_built_rpms_all.tar.gz"
default: ""
- name: extraPackageRepos
type: string
@ -30,12 +26,16 @@ parameters:
type: boolean
default: true
- name: inputCacheArtifacts
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"
- name: inputCacheRPMsTarballs
type: object
default: []
# Sample:
# - name: build-artifacts
# rpmsTarball: cache.tar.gz
# - cache.tar.gz
# - cache2.tar.gz
- name: isAllowToolchainRebuilds
type: string
@ -160,15 +160,9 @@ steps:
artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
displayName: "Authenticate to custom pip artifact feeds"
- ${{ if parameters.customToolchainArtifactName }}:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: "${{ parameters.customToolchainArtifactName }}"
patterns: "**/${{ parameters.customToolchainTarballName }}"
- ${{ if parameters.customToolchainTarballName }}:
- script: |
toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
if [[ ! -f "$toolchain_archive" ]]; then
echo "ERROR: toolchain archive not found!" >&2
exit 1
@ -178,17 +172,11 @@ steps:
sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
displayName: "Populate toolchain"
- ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}:
- task: DownloadPipelineArtifact@2
displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}"
inputs:
artifact: "${{ inputCacheArtifact.name }}"
patterns: "**/${{ inputCacheArtifact.rpmsTarball }}"
- ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}:
- script: |
rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)"
rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)"
if [[ ! -f "$rpms_archive" ]]; then
echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2
echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2
exit 1
fi
@ -200,7 +188,7 @@ steps:
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
fi
if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then
toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
fi
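Review bot: The new `find` lines splice `${{ parameters.inputArtifactsFolder }}` and `${{ inputCacheRPMsTarball }}` straight into the bash text, so the values are expanded before the shell parses the script; a value containing a double quote, `$(` or a backtick would change the command instead of being treated as a file name. Passing them through the step's `env:` mapping keeps them as data, for example `env: { CACHE_TARBALL: "${{ inputCacheRPMsTarball }}" }` with `-name "$CACHE_TARBALL"` in the script, and likewise for the folder and the toolchain tarball name in the "Populate toolchain" step. `-print -quit` also takes whichever match `find` visits first, so two tarballs with the same name under the folder are resolved arbitrarily; failing when more than one match exists would make that visible. The script bodies continue outside the hunks shown.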


@ -6,8 +6,9 @@ parameters:
type: string
default: "$(Build.SourcesDirectory)"
- name: inputArtifactName
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"
- name: inputRPMsTarballName
type: string
@ -26,19 +27,11 @@ parameters:
default: "$(Agent.TempDirectory)/SourcesWorkspace"
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download sources for signing"
inputs:
artifact: ${{ parameters.inputArtifactName }}
patterns: |
**/${{ parameters.inputRPMsTarballName }}
targetPath: "$(Agent.TempDirectory)"
- script: |
set -e
mkdir -p "${{ parameters.sourcesWorkspace }}"
find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
displayName: "Extract sources tarball"
- script: |


@ -1,5 +0,0 @@
{
"Signatures": {
"fdk-aac-free-2.0.0.tar.gz": "5c4a27656463e22861e4e917796d586687abff418d5b5928724a728f10f39cd7"
}
}


@ -1,113 +0,0 @@
Vendor: Microsoft Corporation
Distribution: Mariner
Name: fdk-aac-free
Version: 2.0.0
Release: 4%{?dist}
Summary: Third-Party Modified Version of the Fraunhofer FDK AAC Codec Library for Android
License: FDK-AAC
URL: https://cgit.freedesktop.org/~wtay/fdk-aac/log/?h=fedora
Source0: https://people.freedesktop.org/~wtay/fdk-aac-free-%{version}.tar.gz
BuildRequires: gcc gcc-c++
BuildRequires: automake libtool
%description
The Third-Party Modified Version of the Fraunhofer FDK AAC Codec Library
for Android is software that implements part of the MPEG Advanced Audio Coding
("AAC") encoding and decoding scheme for digital audio.
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
%autosetup
autoreconf -vif
%build
%configure \
--disable-silent-rules \
--disable-static
%make_build
%install
%make_install INSTALL="install -p"
find %{buildroot} -name '*.la' -print -delete
%ldconfig_scriptlets
%files
%doc ChangeLog README.fedora
%license NOTICE
%{_libdir}/*.so.*
%files devel
%doc documentation/*.pdf
%dir %{_includedir}/fdk-aac
%{_includedir}/fdk-aac/*.h
%{_libdir}/*.so
%{_libdir}/pkgconfig/fdk-aac.pc
%changelog
* Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.0.0-4
- Initial CBL-Mariner import from Fedora 32 (license: MIT).
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jun 25 2019 Wim Taymans <wtaymans@redhat.com> - 2.0.0-1
- Update to 2.0.0
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Sep 25 2018 Wim Taymans <wtaymans@redhat.com> - 0.1.6-1
- Update to 0.1.6
- Fix url
* Tue Sep 25 2018 Wim Taymans <wtaymans@redhat.com> - 0.1.5-5
- Use %ldconfig_scriptlets
- Remove Group
* Thu Nov 02 2017 Wim Taymans <wtaymans@redhat.com> - 0.1.5-4
- Fix BuildRequires, fix libtool cleanup
* Tue Oct 10 2017 Wim Taymans <wtaymans@redhat.com> - 0.1.5-3
- Build against stripped fdk-aac library
* Thu Aug 31 2017 RPM Fusion Release Engineering <kwizart@rpmfusion.org> - 0.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Mar 20 2017 Leigh Scott <leigh123linux@googlemail.com> - 0.1.5-1
- Update to 1.5
* Wed Sep 07 2016 Nicolas Chauvet <kwizart@gmail.com> - 0.1.5-0.1.gita0bd8aa
- Update to github snapshot
- Spec file clean-up
* Fri Nov 06 2015 Nicolas Chauvet <kwizart@gmail.com> - 0.1.4-1
- Update to 1.4
* Sun Jan 26 2014 Nicolas Chauvet <kwizart@gmail.com> - 0.1.3-1
- Update to 1.3.0
* Thu Aug 15 2013 Nicolas Chauvet <kwizart@gmail.com> - 0.1.2-1
- Update to 0.1.2
* Thu Mar 28 2013 Nicolas Chauvet <kwizart@gmail.com> - 0.1.1-1
- Initial spec


@ -1,5 +1,5 @@
{
"Signatures": {
"gcr-3.36.0.tar.xz": "aaf9bed017a2263c6145c89a1a84178f9f40f238426463e4ae486694ef5f6601"
"gcr-3.38.1.tar.xz": "17fcaf9c4a93a65fb1c72b82643bb102c13344084687d5886ea66313868d9ec9"
}
}


@ -1,3 +1,5 @@
%define majmin %(echo %{version} | cut -d. -f1-2)
Vendor: Microsoft Corporation
Distribution: Mariner
%ifarch %{valgrind_arches}
@ -5,13 +7,13 @@ Distribution: Mariner
%endif
Name: gcr
Version: 3.36.0
Release: 3%{?dist}
Version: 3.38.1
Release: 1%{?dist}
Summary: A library for bits of crypto UI and parsing
License: GPLv2
URL: https://wiki.gnome.org/Projects/CryptoGlue
Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz
Source0: https://download.gnome.org/sources/%{name}/%{majmin}/%{name}-%{version}.tar.xz
BuildRequires: gettext
BuildRequires: gtk-doc
@ -113,6 +115,9 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/gcr-viewer.desktop
%{_libdir}/libgcr-base-3.so.*
%changelog
* Mon Dec 30 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.38.1-1
- Bump to 3.38.1 to fix missing OID header bug (GCR issue #48).
* Mon Mar 21 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.36.0-3
- Adding BR on "python3-pygments".
- License verified.


@ -3,7 +3,7 @@
Summary: GStreamer streaming media framework base plugins
Name: gstreamer1-plugins-base
Version: 1.20.0
Release: 2%{?dist}
Release: 3%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@ -26,7 +26,6 @@ BuildRequires: libXv-devel
BuildRequires: orc-devel >= 0.4.18
BuildRequires: pango-devel
BuildRequires: pkgconfig
BuildRequires: opus-devel
BuildRequires: gdk-pixbuf2-devel
BuildRequires: gtk3-devel
BuildRequires: libjpeg-turbo-devel
@ -93,7 +92,8 @@ for developing applications that use %{name}.
-D orc=enabled \
-D tremor=disabled \
-D tests=disabled \
-D examples=disabled
-D examples=disabled \
-D opus=disabled
%meson_build
%install
@ -222,7 +222,6 @@ rm %{_libexecdir}/gstreamer-%{majorminor}/gst-plugin-scanner
%{_libdir}/gstreamer-%{majorminor}/libgstopengl.so
%{_libdir}/gstreamer-%{majorminor}/libgstlibvisual.so
%{_libdir}/gstreamer-%{majorminor}/libgstogg.so
%{_libdir}/gstreamer-%{majorminor}/libgstopus.so
%{_libdir}/gstreamer-%{majorminor}/libgstpango.so
%{_libdir}/gstreamer-%{majorminor}/libgsttheora.so
%{_libdir}/gstreamer-%{majorminor}/libgstvorbis.so
@ -416,6 +415,9 @@ rm %{_libexecdir}/gstreamer-%{majorminor}/gst-plugin-scanner
%{_libdir}/pkgconfig/*.pc
%changelog
* Wed Jan 22 2025 Andrew Phelps <anphel@microsoft.com> - 1.20.4-3
- Remove dependency on opus
* Wed Nov 23 2022 Sumedh Sharma <sumsharma@microsoft.com> - 1.20.4-2
- Initial CBL-Mariner import from Fedora 37 (license: MIT)
- License verified
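Review bot: The added changelog entry is stamped `1.20.4-3`, but the `Version:` tag visible in the first hunk is `1.20.0` and the new `Release:` is `3%{?dist}`, so the entry does not match the package's version-release. It should read `* Wed Jan 22 2025 Andrew Phelps <anphel@microsoft.com> - 1.20.0-3`. The preceding `1.20.4-2` entry has the same mismatch and predates this change, so it may be worth correcting in the same edit.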


@ -1,7 +0,0 @@
{
"Signatures": {
"opus-1.3.1.tar.gz": "65b58e1e25b2a114157014736a3d9dfeaad8d41be1c8179866f144a2fb44ff9d",
"rfc6716.txt": "41caac5240a4a22661efd0031d5b7aee48f3c0bde3b2cdcee8165932e485f98c",
"rfc8251.txt": "86abdb8c0fa1b0b6e1b9c1f324163ca152a8d2d9debd10461da3d56438489ecd"
}
}


@ -1,224 +0,0 @@
Vendor: Microsoft Corporation
Distribution: Mariner
#global candidate rc2
Name: opus
Version: 1.3.1
Release: 4%{?dist}
Summary: An audio codec for use in low-delay speech and audio communication
License: BSD
URL: https://www.opus-codec.org/
Source0: http://downloads.xiph.org/releases/%{name}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz
# This is the final IETF Working Group RFC
Source1: http://tools.ietf.org/rfc/rfc6716.txt
Source2: http://tools.ietf.org/rfc/rfc8251.txt
BuildRequires: gcc
BuildRequires: doxygen
%description
The Opus codec is designed for interactive speech and audio transmission over
the Internet. It is designed by the IETF Codec Working Group and incorporates
technology from Skype's SILK codec and Xiph.Org's CELT codec.
%package devel
Summary: Development package for opus
Requires: libogg-devel
Requires: opus = %{version}-%{release}
%description devel
Files for development with opus.
%prep
%setup -q %{?candidate:-n %{name}-%{version}-%{candidate}}
cp %{SOURCE1} .
cp %{SOURCE2} .
%build
%configure --enable-custom-modes --disable-static \
--enable-hardening --enable-ambisonics
%make_build
%install
%make_install
# Remove libtool archives
find %{buildroot} -type f -name "*.la" -delete
rm -rf %{buildroot}%{_datadir}/doc/opus/html
%check
make check %{?_smp_mflags} V=1
%ldconfig_scriptlets
%files
%license COPYING
%{_libdir}/libopus.so.*
%files devel
%doc README doc/html rfc6716.txt rfc8251.txt
%{_includedir}/opus
%{_libdir}/libopus.so
%{_libdir}/pkgconfig/opus.pc
%{_datadir}/aclocal/opus.m4
%{_datadir}/man/man3/opus_*.3.gz
%changelog
* Thu Oct 14 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.3.1-4
- Initial CBL-Mariner import from Fedora 32 (license: MIT).
- Converting the 'Release' tag to the '[number].[distribution]' format.
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Apr 14 2019 Peter Robinson <pbrobinson@fedoraproject.org> 1.3.1-1
- Update to 1.3.1
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Oct 18 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.3-1
- Update to 1.3
* Wed Sep 19 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.3-0.7.rc2
- Update to 1.3 rc2
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-0.6.rc
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Sat Jun 2 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.3-0.5.rc
- Update to 1.3 rc
* Fri Mar 9 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.3-0.4.beta
- Add gcc BR
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-0.3.beta
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3-0.2.beta
- Switch to %%ldconfig_scriptlets
* Fri Dec 22 2017 Peter Robinson <pbrobinson@fedoraproject.org> 1.3-0.1.beta
- Update to 1.3 beta
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Jun 28 2017 Peter Robinson <pbrobinson@fedoraproject.org> 1.2.1-1
- Update to 1.2.1
* Tue Jun 20 2017 Peter Robinson <pbrobinson@fedoraproject.org> 1.2-1
- Update to 1.2
* Fri Jun 9 2017 Peter Robinson <pbrobinson@fedoraproject.org> 1.2-0.4
- Update to 1.2.0 RC1
* Wed May 24 2017 Peter Robinson <pbrobinson@fedoraproject.org> 1.2-0.3
- Update to 1.2.0 Beta
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2-0.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 4 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.2-0.1
- Update to 1.2.0 Alpha
* Mon Jul 18 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.3-1
- Update 1.1.3 GA
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 12 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.2-1
- Update 1.1.2 GA
* Thu Nov 26 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-1
- Update 1.1.1 GA
* Wed Oct 28 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-0.4.rc
- Update to 1.1.1 RC (further ARM optimisations)
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.1-0.3.beta
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Feb 3 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-0.2.beta
- Use %%license
* Wed Oct 15 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-0.1.beta
- Update to 1.1.1 beta (SSE, ARM, MIPS optimisations)
* Sun Oct 5 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.1-5
- Install html docs in devel package
* Fri Oct 3 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.1-4
- Build developer docs
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Dec 6 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.1-1
- 1.1 release
* Tue Dec 3 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.1-0.3rc3
- Update to 1.1-rc3
* Thu Nov 28 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.1-0.2rc2
- Update to 1.1-rc2
* Tue Nov 26 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.1-0.1rc
- Update to 1.1-rc
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Sun Jul 14 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.3-1
- 1.0.3 release
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jan 10 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2-2
- Enable extra custom modes API
* Thu Dec 6 2012 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2-1
- Official 1.0.2 release
* Wed Sep 12 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 1.0.1-1
- Official 1.0.1 release now rfc6716 is stable
* Tue Sep 4 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 1.0.1rc3-0.1
- Update to 1.0.1rc3
* Thu Aug 9 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 1.0.0rc1-0.1
- Update to 1.0.0rc1
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sun May 27 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.9.14-1
- Update to 0.9.14
* Sat May 12 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.9.10-2
- Add make check - fixes RHBZ # 821128
* Fri Apr 27 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.9.10-1
- Update to 0.9.10
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Nov 8 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.9.8-1
- Update to 0.9.8
* Mon Oct 10 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.9.6-1
- Initial packaging

Разница между файлами не показана из-за своего большого размера Загрузить разницу


@ -1,675 +0,0 @@
Internet Engineering Task Force (IETF) JM. Valin
Request for Comments: 8251 Mozilla Corporation
Updates: 6716 K. Vos
Category: Standards Track vocTone
ISSN: 2070-1721 October 2017
Updates to the Opus Audio Codec
Abstract
This document addresses minor issues that were found in the
specification of the Opus audio codec in RFC 6716. It updates the
normative decoder implementation included in Appendix A of RFC 6716.
The changes fix real and potential security-related issues, as well
as minor quality-related issues.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8251.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Valin & Vos Standards Track [Page 1]
RFC 8251 Opus Update October 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Stereo State Reset in SILK . . . . . . . . . . . . . . . . . 3
4. Parsing of the Opus Packet Padding . . . . . . . . . . . . . 4
5. Resampler Buffer . . . . . . . . . . . . . . . . . . . . . . 4
6. Integer Wrap-Around in Inverse Gain Computation . . . . . . . 6
7. Integer Wrap-Around in LSF Decoding . . . . . . . . . . . . . 7
8. Cap on Band Energy . . . . . . . . . . . . . . . . . . . . . 7
9. Hybrid Folding . . . . . . . . . . . . . . . . . . . . . . . 8
10. Downmix to Mono . . . . . . . . . . . . . . . . . . . . . . . 9
11. New Test Vectors . . . . . . . . . . . . . . . . . . . . . . 9
12. Security Considerations . . . . . . . . . . . . . . . . . . . 11
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
14. Normative References . . . . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
This document addresses minor issues that were discovered in the
reference implementation of the Opus codec. Unlike most IETF
specifications, RFC 6716 [RFC6716] defines Opus in terms of a
normative reference decoder implementation rather than from the
associated text description. Appendix A of that RFC includes the
reference decoder implementation, which is why only issues affecting
the decoder are listed here. An up-to-date implementation of the
Opus encoder can be found at <https://opus-codec.org/>.
Some of the changes in this document update normative behavior in a
way that requires new test vectors. Only the C implementation is
affected, not the English text of the specification. This
specification remains fully compatible with RFC 6716 [RFC6716].
Note: Due to RFC formatting conventions, lines exceeding the column
width in the patch are split using a backslash character. The
backslashes at the end of a line and the white space at the beginning
of the following line are not part of the patch. Referenced line
numbers are approximations. A properly formatted patch including all
changes is available at <https://www.ietf.org/proceedings/98/slides/
materials-98-codec-opus-update-00.patch> and has a SHA-1 hash of
029e3aa88fc342c91e67a21e7bfbc9458661cd5f.
Valin & Vos Standards Track [Page 2]
RFC 8251 Opus Update October 2017
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Stereo State Reset in SILK
The reference implementation does not reinitialize the stereo state
during a mode switch. The old stereo memory can produce a brief
impulse (i.e., single sample) in the decoded audio. This can be
fixed by changing silk/dec_API.c around line 72:
<CODE BEGINS>
for( n = 0; n < DECODER_NUM_CHANNELS; n++ ) {
ret = silk_init_decoder( &channel_state[ n ] );
}
+ silk_memset(&((silk_decoder *)decState)->sStereo, 0,
+ sizeof(((silk_decoder *)decState)->sStereo));
+ /* Not strictly needed, but it's cleaner that way */
+ ((silk_decoder *)decState)->prev_decode_only_middle = 0;
return ret;
}
<CODE ENDS>
This change affects the normative output of the decoder, but the
amount of change is within the tolerance and is too small to make the
test vector check fail.
Valin & Vos Standards Track [Page 3]
RFC 8251 Opus Update October 2017
4. Parsing of the Opus Packet Padding
It was discovered that some invalid packets of a very large size
could trigger an out-of-bounds read in the Opus packet parsing code
responsible for padding. This is due to an integer overflow if the
signaled padding exceeds 2^31-1 bytes (the actual packet may be
smaller). The code can be fixed by decrementing the (signed) len
value, instead of incrementing a separate padding counter. This is
done by applying the following changes around line 596 of
src/opus_decoder.c:
<CODE BEGINS>
/* Padding flag is bit 6 */
if (ch&0x40)
{
- int padding=0;
int p;
do {
if (len<=0)
return OPUS_INVALID_PACKET;
p = *data++;
len--;
- padding += p==255 ? 254: p;
+ len -= p==255 ? 254: p;
} while (p==255);
- len -= padding;
}
<CODE ENDS>
This packet-parsing issue is limited to reading memory up to about 60
KB beyond the compressed buffer. This can only be triggered by a
compressed packet more than about 16 MB long, so it's not a problem
for RTP. In theory, it could crash a file decoder (e.g., Opus in
Ogg) if the memory just after the incoming packet is out of range,
but our attempts to trigger such a crash in a production application
built using an affected version of the Opus decoder failed.
5. Resampler Buffer
The SILK resampler had the following issues:
1. The calls to memcpy() were using sizeof(opus_int32), but the type
of the local buffer was opus_int16.
Valin & Vos Standards Track [Page 4]
RFC 8251 Opus Update October 2017
2. Because the size was wrong, this potentially allowed the source
and destination regions of the memcpy() to overlap on the copy
from "buf" to "buf". We believe that nSamplesIn (number of input
samples) is at least fs_in_khZ (sampling rate in kHz), which is
at least 8. Since RESAMPLER_ORDER_FIR_12 is only 8, that should
not be a problem once the type size is fixed.
3. The size of the buffer used RESAMPLER_MAX_BATCH_SIZE_IN, but the
data stored in it was actually twice the input batch size
(nSamplesIn<<1).
The code can be fixed by applying the following changes around line
78 of silk/resampler_private_IIR_FIR.c:
<CODE BEGINS>
)
{
silk_resampler_state_struct *S = \
(silk_resampler_state_struct *)SS;
opus_int32 nSamplesIn;
opus_int32 max_index_Q16, index_increment_Q16;
- opus_int16 buf[ RESAMPLER_MAX_BATCH_SIZE_IN + \
RESAMPLER_ORDER_FIR_12 ];
+ opus_int16 buf[ 2*RESAMPLER_MAX_BATCH_SIZE_IN + \
RESAMPLER_ORDER_FIR_12 ];
/* Copy buffered samples to start of buffer */
- silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \
* sizeof( opus_int32 ) );
+ silk_memcpy( buf, S->sFIR, RESAMPLER_ORDER_FIR_12 \
* sizeof( opus_int16 ) );
/* Iterate over blocks of frameSizeIn input samples */
index_increment_Q16 = S->invRatio_Q16;
while( 1 ) {
nSamplesIn = silk_min( inLen, S->batchSize );
/* Upsample 2x */
silk_resampler_private_up2_HQ( S->sIIR, &buf[ \
RESAMPLER_ORDER_FIR_12 ], in, nSamplesIn );
max_index_Q16 = silk_LSHIFT32( nSamplesIn, 16 + 1 \
); /* + 1 because 2x upsampling */
out = silk_resampler_private_IIR_FIR_INTERPOL( out, \
buf, max_index_Q16, index_increment_Q16 );
in += nSamplesIn;
inLen -= nSamplesIn;
Valin & Vos Standards Track [Page 5]
RFC 8251 Opus Update October 2017
if( inLen > 0 ) {
/* More iterations to do; copy last part of \
filtered signal to beginning of buffer */
- silk_memcpy( buf, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) );
+ silk_memmove( buf, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) );
} else {
break;
}
}
/* Copy last part of filtered signal to the state for \
the next call */
- silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int32 ) );
+ silk_memcpy( S->sFIR, &buf[ nSamplesIn << 1 ], \
RESAMPLER_ORDER_FIR_12 * sizeof( opus_int16 ) );
}
<CODE ENDS>
6. Integer Wrap-Around in Inverse Gain Computation
It was discovered through decoder fuzzing that some bitstreams could
produce integer values exceeding 32 bits in
LPC_inverse_pred_gain_QA(), causing a wrap-around. The C standard
considers this behavior as undefined. The following patch around
line 87 of silk/LPC_inv_pred_gain.c detects values that do not fit in
a 32-bit integer and considers the corresponding filters unstable:
<CODE BEGINS>
/* Update AR coefficient */
for( n = 0; n < k; n++ ) {
- tmp_QA = Aold_QA[ n ] - MUL32_FRAC_Q( \
Aold_QA[ k - n - 1 ], rc_Q31, 31 );
- Anew_QA[ n ] = MUL32_FRAC_Q( tmp_QA, rc_mult2 , mult2Q );
+ opus_int64 tmp64;
+ tmp_QA = silk_SUB_SAT32( Aold_QA[ n ], MUL32_FRAC_Q( \
Aold_QA[ k - n - 1 ], rc_Q31, 31 ) );
+ tmp64 = silk_RSHIFT_ROUND64( silk_SMULL( tmp_QA, \
rc_mult2 ), mult2Q);
+ if( tmp64 > silk_int32_MAX || tmp64 < silk_int32_MIN ) {
+ return 0;
+ }
+ Anew_QA[ n ] = ( opus_int32 )tmp64;
}
<CODE ENDS>
Valin & Vos Standards Track [Page 6]
RFC 8251 Opus Update October 2017
7. Integer Wrap-Around in LSF Decoding
It was discovered -- also from decoder fuzzing -- that an integer
wrap-around could occur when decoding bitstreams with extremely large
values for the high Line Spectral Frequency (LSF) parameters. The
end result of the wrap-around is an illegal read access on the stack,
which the authors do not believe is exploitable but should
nonetheless be fixed. The following patch around line 137 of silk/
NLSF_stabilize.c prevents the problem:
<CODE BEGINS>
/* Keep delta_min distance between the NLSFs */
for( i = 1; i < L; i++ )
- NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \
NLSF_Q15[i-1] + NDeltaMin_Q15[i] );
+ NLSF_Q15[i] = silk_max_int( NLSF_Q15[i], \
silk_ADD_SAT16( NLSF_Q15[i-1], NDeltaMin_Q15[i] ) );
/* Last NLSF should be no higher than 1 - NDeltaMin[L] */
<CODE ENDS>
8. Cap on Band Energy
On extreme bitstreams, it is possible for log-domain band energy
levels to exceed the maximum single-precision floating point value
once converted to a linear scale. This would later cause the decoded
values to be NaN (not a number), possibly causing problems in the
software using the PCM values. This can be avoided with the
following patch around line 552 of celt/quant_bands.c:
<CODE BEGINS>
{
opus_val16 lg = ADD16(oldEBands[i+c*m->nbEBands],
SHL16((opus_val16)eMeans[i],6));
+ lg = MIN32(QCONST32(32.f, 16), lg);
eBands[i+c*m->nbEBands] = PSHR32(celt_exp2(lg),4);
}
for (;i<m->nbEBands;i++)
<CODE ENDS>
Valin & Vos Standards Track [Page 7]
RFC 8251 Opus Update October 2017
9. Hybrid Folding
When encoding in hybrid mode at low bitrate, we sometimes only have
enough bits to code a single Constrained-Energy Lapped Transform
(CELT) band (8 - 9.6 kHz). When that happens, the second band (CELT
band 18, from 9.6 - 12 kHz) cannot use folding because it is wider
than the amount already coded and falls back to white noise. Because
it can also happen on transients (e.g., stops), it can cause audible
pre-echo.
To address the issue, we change the folding behavior so that it is
never forced to fall back to Linear Congruential Generator (LCG) due
to the first band not containing enough coefficients to fold onto the
second band. This is achieved by simply repeating part of the first
band in the folding of the second band. This changes the code in
celt/bands.c around line 1237:
<CODE BEGINS>
b = 0;
}
- if (resynth && M*eBands[i]-N >= M*eBands[start] && \
(update_lowband || lowband_offset==0))
+ if (resynth && (M*eBands[i]-N >= M*eBands[start] || \
i==start+1) && (update_lowband || lowband_offset==0))
lowband_offset = i;
+ if (i == start+1)
+ {
+ int n1, n2;
+ int offset;
+ n1 = M*(eBands[start+1]-eBands[start]);
+ n2 = M*(eBands[start+2]-eBands[start+1]);
+ offset = M*eBands[start];
+ /* Duplicate enough of the first band folding data to \
be able to fold the second band.
+ Copies no data for CELT-only mode. */
+ OPUS_COPY(&norm[offset+n1], &norm[offset+2*n1 - n2], n2-n1);
+ if (C==2)
+ OPUS_COPY(&norm2[offset+n1], &norm2[offset+2*n1 - n2], \
n2-n1);
+ }
+
tf_change = tf_res[i];
if (i>=m->effEBands)
{
<CODE ENDS>
Valin & Vos Standards Track [Page 8]
RFC 8251 Opus Update October 2017
as well as around line 1260:
<CODE BEGINS>
fold_start = lowband_offset;
while(M*eBands[--fold_start] > effective_lowband);
fold_end = lowband_offset-1;
- while(M*eBands[++fold_end] < effective_lowband+N);
+ while(++fold_end < i && M*eBands[fold_end] < \
effective_lowband+N);
x_cm = y_cm = 0;
fold_i = fold_start; do {
x_cm |= collapse_masks[fold_i*C+0];
<CODE ENDS>
The fix does not impact compatibility, because the improvement does
not depend on the encoder doing anything special. There is also no
reasonable way for an encoder to use the original behavior to improve
quality over the proposed change.
10. Downmix to Mono
The last issue is not strictly a bug, but it is an issue that has
been reported when downmixing an Opus decoded stream to mono, whether
this is done inside the decoder or as a post-processing step on the
stereo decoder output. Opus intensity stereo allows optionally
coding the two channels 180 degrees out of phase on a per-band basis.
This provides better stereo quality than forcing the two channels to
be in phase, but when the output is downmixed to mono, the energy in
the affected bands is canceled, sometimes resulting in audible
artifacts.
As a work-around for this issue, the decoder MAY choose not to apply
the 180-degree phase shift. This can be useful when downmixing to
mono inside or outside of the decoder (e.g., requested explicitly
from an API).
11. New Test Vectors
Changes in Sections 9 and 10 have sufficient impact on the test
vectors to make them fail. For this reason, this document also
updates the Opus test vectors. The new test vectors now include two
decoded outputs for the same bitstream. The outputs with suffix 'm'
do not apply the CELT 180-degree phase shift as allowed in
Section 10, while the outputs without the suffix do. An
implementation is compliant as long as it passes either set of
vectors.
Valin & Vos Standards Track [Page 9]
RFC 8251 Opus Update October 2017
Any Opus implementation that passes either the original test vectors
from RFC 6716 [RFC6716] or one of the new sets of test vectors is
compliant with the Opus specification. However, newer
implementations SHOULD be based on the new test vectors rather than
the old ones.
The new test vectors are located at
<https://www.ietf.org/proceedings/98/slides/materials-98-codec-opus-
newvectors-00.tar.gz>. The SHA-1 hashes of the test vectors are:
e49b2862ceec7324790ed8019eb9744596d5be01 testvector01.bit
b809795ae1bcd606049d76de4ad24236257135e0 testvector02.bit
e0c4ecaeab44d35a2f5b6575cd996848e5ee2acc testvector03.bit
a0f870cbe14ebb71fa9066ef3ee96e59c9a75187 testvector04.bit
9b3d92b48b965dfe9edf7b8a85edd4309f8cf7c8 testvector05.bit
28e66769ab17e17f72875283c14b19690cbc4e57 testvector06.bit
bacf467be3215fc7ec288f29e2477de1192947a6 testvector07.bit
ddbe08b688bbf934071f3893cd0030ce48dba12f testvector08.bit
3932d9d61944dab1201645b8eeaad595d5705ecb testvector09.bit
521eb2a1e0cc9c31b8b740673307c2d3b10c1900 testvector10.bit
6bc8f3146fcb96450c901b16c3d464ccdf4d5d96 testvector11.bit
338c3f1b4b97226bc60bc41038becbc6de06b28f testvector12.bit
f5ef93884da6a814d311027918e9afc6f2e5c2c8 testvector01.dec
48ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02.dec
d15567e919db2d0e818727092c0af8dd9df23c95 testvector03.dec
1249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04.dec
b85675d81deef84a112c466cdff3b7aaa1d2fc76 testvector05.dec
55f0b191e90bfa6f98b50d01a64b44255cb4813e testvector06.dec
61e8b357ab090b1801eeb578a28a6ae935e25b7b testvector07.dec
a58539ee5321453b2ddf4c0f2500e856b3966862 testvector08.dec
bb96aad2cde188555862b7bbb3af6133851ef8f4 testvector09.dec
1b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10.dec
b1fff72b74666e3027801b29dbc48b31f80dee0d testvector11.dec
98e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12.dec
1e7d984ea3fbb16ba998aea761f4893fbdb30157 testvector01m.dec
48ac1ff1995250a756e1e17bd32acefa8cd2b820 testvector02m.dec
d15567e919db2d0e818727092c0af8dd9df23c95 testvector03m.dec
1249dd28f5bd1e39a66fd6d99449dca7a8316342 testvector04m.dec
d70b0bad431e7d463bc3da49bd2d49f1c6d0a530 testvector05m.dec
6ac1648c3174c95fada565161a6c78bdbe59c77d testvector06m.dec
fc5e2f709693738324fb4c8bdc0dad6dda04e713 testvector07m.dec
aad2ba397bf1b6a18e8e09b50e4b19627d479f00 testvector08m.dec
6feb7a7b9d7cdc1383baf8d5739e2a514bd0ba08 testvector09m.dec
1b6cdf0413ac9965b16184b1bea129b5c0b2a37a testvector10m.dec
fd3d3a7b0dfbdab98d37ed9aa04b659b9fefbd18 testvector11m.dec
98e09bbafed329e341c3b4052e9c4ba5fc83f9b1 testvector12m.dec
Note that the decoder input bitstream files (.bit) are unchanged.
Valin & Vos Standards Track [Page 10]
RFC 8251 Opus Update October 2017
12. Security Considerations
This document fixes two security issues reported on Opus that affect
the reference implementation in RFC 6716 [RFC6716]: CVE-2013-0899
<https://nvd.nist.gov/vuln/detail/CVE-2013-0899> and CVE-2017-0381
<https://nvd.nist.gov/vuln/detail/CVE-2017-0381>. CVE-2013-0899
theoretically could have caused an information leak. The leaked
information would have gone through the decoder process before being
accessible to the attacker. The update in Section 4 fixes this.
CVE-2017-0381 could have resulted in a 16-bit out-of-bounds read from
a fixed location. The update in Section 7 fixes this. Beyond the
two fixed Common Vulnerabilities and Exposures (CVEs), this document
adds no new security considerations beyond those in RFC 6716
[RFC6716].
13. IANA Considerations
This document does not require any IANA actions.
14. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC6716] Valin, JM., Vos, K., and T. Terriberry, "Definition of the
Opus Audio Codec", RFC 6716, DOI 10.17487/RFC6716,
September 2012, <https://www.rfc-editor.org/info/rfc6716>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Acknowledgements
We would like to thank Juri Aedla for reporting the issue with the
parsing of the Opus padding. Thanks to Felicia Lim for reporting the
LSF integer overflow issue. Also, thanks to Tina le Grand, Jonathan
Lennox, and Mark Harris for their feedback on this document.
Valin & Vos Standards Track [Page 11]
RFC 8251 Opus Update October 2017
Authors' Addresses
Jean-Marc Valin
Mozilla Corporation
331 E. Evelyn Avenue
Mountain View, CA 94041
United States of America
Phone: +1 650 903-0800
Email: jmvalin@jmvalin.ca
Koen Vos
vocTone
Email: koenvos74@gmail.com
Valin & Vos Standards Track [Page 12]


@ -1,5 +0,0 @@
{
"Signatures": {
"opusfile-0.12.tar.gz": "118d8601c12dd6a44f52423e68ca9083cc9f2bfe72da7a8c1acb22a80ae3550b"
}
}


@ -1,146 +0,0 @@
Vendor: Microsoft Corporation
Distribution: Mariner
Name: opusfile
Version: 0.12
Release: 2%{?dist}
Summary: A high-level API for decoding and seeking within .opus files
License: BSD
URL: https://www.opus-codec.org/
Source0: https://downloads.xiph.org/releases/opus/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: libogg-devel
BuildRequires: openssl-devel
BuildRequires: opus-devel
%description
libopusfile provides a high-level API for decoding and seeking
within .opus files. It includes:
* Support for all files with at least one Opus stream (including
multichannel files or Ogg files where Opus is muxed with something else).
* Full support, including seeking, for chained files.
* A simple stereo downmixing API (allowing chained files to be
decoded with a single output format, even if the channel count changes).
* Support for reading from a file, memory buffer, or over HTTP(S)
(including seeking).
* Support for both random access and streaming data sources.
%package devel
Summary: Development package for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description devel
Files for development with %{name}.
%prep
%setup -q
%build
%configure --disable-static
%make_build
%install
%make_install
#Remove libtool archives.
find %{buildroot} -type f -name "*.la" -delete
%ldconfig_scriptlets
%files
%license COPYING
%doc AUTHORS
%{_libdir}/libopusfile.so.*
%{_libdir}/libopusurl.so.*
%files devel
%doc %{_docdir}/%{name}
%{_includedir}/opus/opus*
%{_libdir}/pkgconfig/opusfile.pc
%{_libdir}/pkgconfig/opusurl.pc
%{_libdir}/libopusfile.so
%{_libdir}/libopusurl.so
%changelog
* Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.12-2
- Initial CBL-Mariner import from Fedora 32 (license: MIT).
* Sun Jun 28 2020 David King <amigadave@amigadave.com> - 0.12-1
- Update to 0.12
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Sep 19 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.11
- Update to 0.11
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Mar 9 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.10-3
- Add gcc BR, spec cleanups
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Nov 23 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.10-1
- Update to 0.10
* Thu Aug 3 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.9-1
- Update to 0.9
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Oct 5 2016 Peter Robinson <pbrobinson@fedoraproject.org> 0.8-1
- Update to 0.8
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jan 6 2016 Peter Robinson <pbrobinson@fedoraproject.org> 0.7-1
- Update to 0.7
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Jun 13 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.6-1
- Update to 0.6
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Jan 12 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.5-1
- Update to 0.5
* Tue Aug 20 2013 Peter Robinson <pbrobinson@fedoraproject.org> 0.4-1
- Update to 0.4
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Nov 14 2012 Peter Robinson <pbrobinson@fedoraproject.org> 0.2-1
- Update to 0.2
* Sun Nov 4 2012 Peter Robinson <pbrobinson@fedoraproject.org> 0.1-1
- Initial package


@ -6,7 +6,7 @@ Name: sox
# This workaround will go away with rebase to 14.4.3
# it affects Source, %%prep and Version
Version: 14.4.2.0
Release: 33%{?dist}
Release: 34%{?dist}
License: GPLv2+ and LGPLv2+ and MIT
# Modified source tarball with libgsm license, without unlicensed liblpc10:
# _Source: http://downloads.sourceforge.net/%%{name}/%%{name}-%%{version}.tar.gz
@ -75,7 +75,7 @@ BuildRequires: libvorbis-devel
BuildRequires: alsa-lib-devel, libtool-ltdl-devel, libsamplerate-devel
BuildRequires: gsm-devel, wavpack-devel, ladspa-devel, libpng-devel
BuildRequires: flac-devel, libao-devel, libsndfile-devel, libid3tag-devel
BuildRequires: pulseaudio-libs-devel, opusfile-devel
BuildRequires: pulseaudio-libs-devel
BuildRequires: libtool, libmad-devel, lame-devel, twolame-devel
%description
@ -112,6 +112,7 @@ autoreconf -vfi
%build
CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64"
%configure --without-lpc10 \
--without-opus \
--with-gsm \
--includedir=%{_includedir}/sox \
--disable-static \
@ -150,6 +151,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/sox/*.a
%changelog
* Wed Jan 22 2025 Andrew Phelps <anphel@microsoft.com> - 14.4.2.0-34
- Remove dependency on opusfile
* Mon Mar 06 2023 Muhammad Falak R Wani <mwani@microsoft.com> - 14.4.2.0-33
- Initial CBL-Mariner import from Fedora 36 (license: MIT).
- License Verified
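Review bot: The new `--without-opus` switch in the `%configure` call has no comment explaining it, while the neighbouring `--without-lpc10` is at least covered by the Source comment about the unlicensed liblpc10. I would add a line above `%configure`, for example `# Opus support disabled: opusfile is no longer packaged in this distribution`, so that a later rebase does not quietly re-enable the decoder. Passing the switch explicitly is the right approach, since the `opusfile-devel` BuildRequires is dropped in the same change and the configure script (not shown here) would presumably fall back to auto-detection otherwise.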

2
SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md сгенерированный

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -219,7 +219,6 @@
"fakechroot",
"fakeroot",
"fapolicyd",
"fdk-aac-free",
"fdupes",
"fence-virt",
"fetchmail",
@ -1056,8 +1055,6 @@
"openssl-pkcs11",
"openwsman",
"optipng",
"opus",
"opusfile",
"orangefs",
"ORBit2",
"orc",


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 74774c4..d6aa84d 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 2cd12fc..851dc42 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1007,7 +1007,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1435,7 +1435,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -2,7 +2,7 @@
Summary: Application Gateway Ingress Controller
Name: application-gateway-kubernetes-ingress
Version: 1.4.0
Release: 23%{?dist}
Release: 24%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -30,6 +30,7 @@ Patch0: CVE-2022-21698.patch
Patch1: CVE-2023-44487.patch
Patch2: CVE-2021-44716.patch
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-45338.patch
BuildRequires: golang
%if %{with_check}
@ -68,6 +69,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
%{_bindir}/appgw-ingress
%changelog
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.4.0-24
- Add patch for CVE-2024-45338.
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.4.0-23
- Bump release to rebuild with go 1.22.7
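Review bot: `Patch4: CVE-2024-45338.patch` is declared, but no hunk in this file touches `%prep`, so the patch reaches the build only if `%prep` applies patches generically (`%autosetup -p1` or `%autopatch -p1`) rather than through numbered `%patch` lines. `%prep` lies outside the visible hunks, so this needs confirming. A declared-but-unapplied patch would leave the vendored `golang.org/x/net/html` code unfixed while the changelog and the patch file name report the CVE as addressed. The same check applies to `Patch10` in the cert-manager spec and `Patch5` in the cf-cli spec further down.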


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: Automatically provision and manage TLS certificates in Kubernetes
Name: cert-manager
Version: 1.11.2
Release: 16%{?dist}
Release: 17%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -29,6 +29,7 @@ Patch6: CVE-2024-24786.patch
Patch7: CVE-2024-28180.patch
Patch8: CVE-2023-2253.patch
Patch9: CVE-2024-45337.patch
Patch10: CVE-2024-45338.patch
BuildRequires: golang
Requires: %{name}-acmesolver
Requires: %{name}-cainjector
@ -121,6 +122,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
%{_bindir}/webhook
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.11.2-17
- Add patch for CVE-2024-45338
* Tue Dec 17 2024 Andrew Phelps <anphel@microsoft.com> - 1.11.2-16
- Add patch for CVE-2024-45337


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: The official command line client for Cloud Foundry.
Name: cf-cli
Version: 8.4.0
Release: 22%{?dist}
Release: 23%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -34,6 +34,7 @@ Patch2: CVE-2021-43565.patch
# git checkout 434eadcdbc3b0256971992e8c70027278364c72c && git format-patch -1 HEAD
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-24786.patch
Patch5: CVE-2024-45338.patch
BuildRequires: golang
%global debug_package %{nil}
@ -68,6 +69,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
%{_bindir}/cf
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 8.4.0-23
- Add patch for CVE-2024-45338
* Wed Dec 04 2024 bhapathak <bhapathak@microsoft.com> - 8.4.0-22
- Patch CVE-2024-24786
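Review bot: `Patch5: CVE-2024-45338.patch` carries no provenance comment, whereas the line above `Patch3` records the upstream commit and the `git format-patch` command used to produce it. I would add the same kind of line above `Patch5`, for example `# Backport of https://go-review.googlesource.com/c/net/+/637536, paths rewritten to vendor/`, with the URL taken from the patch header. That lets a later reviewer compare the vendored backport against upstream without opening the patch file.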


@ -0,0 +1,331 @@
From 277c4661bd10b7f513c18f84b64431dad20c2722 Mon Sep 17 00:00:00 2001
From: Henry Beberman <henry.beberman@microsoft.com>
Date: Wed, 15 Jan 2025 01:03:08 +0000
Subject: [PATCH] Backport updated netrc parsing
Backport fix for CVE-2024-11053 from upstream commit to vendored libcurl 7.77.0
From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 15 Nov 2024 11:06:36 +0100
Subject: [PATCH] netrc: address several netrc parser flaws
- make sure that a match that returns a username also returns a
password, that should be blank if no password is found
- fix handling of multiple logins for same host where the password/login
order might be reversed.
- reject credentials provided in the .netrc if they contain ASCII control
codes - if the used protocol does not support such (like HTTP and WS do)
diff --git a/Utilities/cmcurl/lib/netrc.c b/Utilities/cmcurl/lib/netrc.c
index 13610bb..2c93c6e 100644
--- a/Utilities/cmcurl/lib/netrc.c
+++ b/Utilities/cmcurl/lib/netrc.c
@@ -42,9 +42,19 @@
enum host_lookup_state {
NOTHING,
HOSTFOUND, /* the 'machine' keyword was found */
- HOSTVALID /* this is "our" machine! */
+ HOSTVALID, /* this is "our" machine! */
+ MACDEF
};
+enum found_state {
+ NONE,
+ LOGIN,
+ PASSWORD
+};
+
+#define FOUND_LOGIN 1
+#define FOUND_PASSWORD 2
+
#define NETRC_FILE_MISSING 1
#define NETRC_FAILED -1
#define NETRC_SUCCESS 0
@@ -62,16 +72,14 @@ static int parsenetrc(const char *host,
FILE *file;
int retcode = NETRC_FILE_MISSING;
char *login = *loginp;
- char *password = *passwordp;
- bool specific_login = (login && *login != 0);
- bool login_alloc = FALSE;
- bool password_alloc = FALSE;
+ char *password = NULL;
+ bool specific_login = !!login; /* points to something */
enum host_lookup_state state = NOTHING;
-
- char state_login = 0; /* Found a login keyword */
- char state_password = 0; /* Found a password keyword */
- int state_our_login = FALSE; /* With specific_login, found *our* login
- name */
+ enum found_state keyword = NONE;
+ unsigned char found = 0; /* login + password found bits, as they can come in
+ any order */
+ bool our_login = FALSE; /* found our login name */
+ bool done = FALSE;
DEBUGASSERT(netrcfile);
@@ -90,110 +98,129 @@ static int parsenetrc(const char *host,
continue;
while(tok) {
- if((login && *login) && (password && *password)) {
- done = TRUE;
- break;
- }
-
switch(state) {
- case NOTHING:
- if(strcasecompare("machine", tok)) {
- /* the next tok is the machine name, this is in itself the
- delimiter that starts the stuff entered for this machine,
- after this we need to search for 'login' and
- 'password'. */
- state = HOSTFOUND;
- }
- else if(strcasecompare("default", tok)) {
- state = HOSTVALID;
- retcode = NETRC_SUCCESS; /* we did find our host */
- }
- break;
- case HOSTFOUND:
- if(strcasecompare(host, tok)) {
- /* and yes, this is our host! */
- state = HOSTVALID;
- retcode = NETRC_SUCCESS; /* we did find our host */
- }
- else
- /* not our host */
- state = NOTHING;
- break;
- case HOSTVALID:
- /* we are now parsing sub-keywords concerning "our" host */
- if(state_login) {
- if(specific_login) {
- state_our_login = strcasecompare(login, tok);
+ case NOTHING:
+ if(strcasecompare("macdef", tok))
+ /* Define a macro. A macro is defined with the specified name; its
+ contents begin with the next .netrc line and continue until a
+ null line (consecutive new-line characters) is encountered. */
+ state = MACDEF;
+ else if(strcasecompare("machine", tok)) {
+ /* the next tok is the machine name, this is in itself the delimiter
+ that starts the stuff entered for this machine, after this we
+ need to search for 'login' and 'password'. */
+ state = HOSTFOUND;
+ keyword = NONE;
+ found = 0;
+ our_login = FALSE;
+ Curl_safefree(password);
+ if(!specific_login)
+ Curl_safefree(login);
}
- else if(!login || strcmp(login, tok)) {
- if(login_alloc) {
+ else if(strcasecompare("default", tok)) {
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ }
+ break;
+ case MACDEF:
+ if(!*tok)
+ state = NOTHING;
+ break;
+ case HOSTFOUND:
+ if(strcasecompare(host, tok)) {
+ /* and yes, this is our host! */
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ }
+ else
+ /* not our host */
+ state = NOTHING;
+ break;
+ case HOSTVALID:
+ /* we are now parsing sub-keywords concerning "our" host */
+ if(keyword == LOGIN) {
+ if(specific_login)
+ our_login = !Curl_timestrcmp(login, tok);
+ else {
+ our_login = TRUE;
free(login);
- login_alloc = FALSE;
- }
- login = strdup(tok);
- if(!login) {
- retcode = NETRC_FAILED; /* allocation failed */
- goto out;
+ login = strdup(tok);
+ if(!login) {
+ retcode = NETRC_FAILED; /* allocation failed */
+ goto out;
+ }
}
- login_alloc = TRUE;
+ found |= FOUND_LOGIN;
+ keyword = NONE;
}
- state_login = 0;
- }
- else if(state_password) {
- if((state_our_login || !specific_login)
- && (!password || strcmp(password, tok))) {
- if(password_alloc) {
- free(password);
- password_alloc = FALSE;
- }
+ else if(keyword == PASSWORD) {
+ free(password);
password = strdup(tok);
if(!password) {
retcode = NETRC_FAILED; /* allocation failed */
goto out;
}
- password_alloc = TRUE;
+ if(!specific_login || our_login)
+ found |= FOUND_PASSWORD;
+ keyword = NONE;
+ }
+ else if(strcasecompare("login", tok))
+ keyword = LOGIN;
+ else if(strcasecompare("password", tok))
+ keyword = PASSWORD;
+ else if(strcasecompare("machine", tok)) {
+ /* a new machine here */
+ if(found & FOUND_PASSWORD) {
+ done = TRUE;
+ break;
+ }
+ state = HOSTFOUND;
+ keyword = NONE;
+ found = 0;
+ Curl_safefree(password);
+ if(!specific_login)
+ Curl_safefree(login);
+ }
+ else if(strcasecompare("default", tok)) {
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ Curl_safefree(password);
+ if(!specific_login)
+ Curl_safefree(login);
+ }
+ if((found == (FOUND_PASSWORD|FOUND_LOGIN)) && our_login) {
+ done = TRUE;
+ break;
}
- state_password = 0;
- }
- else if(strcasecompare("login", tok))
- state_login = 1;
- else if(strcasecompare("password", tok))
- state_password = 1;
- else if(strcasecompare("machine", tok)) {
- /* ok, there's machine here go => */
- state = HOSTFOUND;
- state_our_login = FALSE;
- }
- break;
- } /* switch (state) */
+ break;
+ } /* switch (state) */
tok = strtok_r(NULL, " \t\n", &tok_buf);
} /* while(tok) */
} /* while fgets() */
out:
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
+ }
if(!retcode) {
/* success */
- *login_changed = FALSE;
- *password_changed = FALSE;
- if(login_alloc) {
- if(*loginp)
- free(*loginp);
+ if(!specific_login)
*loginp = login;
- *login_changed = TRUE;
- }
- if(password_alloc) {
- if(*passwordp)
- free(*passwordp);
- *passwordp = password;
- *password_changed = TRUE;
- }
+ *passwordp = password;
}
else {
- if(login_alloc)
+ if(!specific_login)
free(login);
- if(password_alloc)
- free(password);
+ free(password);
}
fclose(file);
}
diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
index 1ee38af..28ab55a 100644
--- a/Utilities/cmcurl/lib/url.c
+++ b/Utilities/cmcurl/lib/url.c
@@ -2890,23 +2890,25 @@ static CURLcode override_login(struct Curl_easy *data,
bool netrc_passwd_changed = FALSE;
int ret;
- ret = Curl_parsenetrc(conn->host.name,
- userp, passwdp,
- &netrc_user_changed, &netrc_passwd_changed,
- data->set.str[STRING_NETRC_FILE]);
- if(ret > 0) {
- infof(data, "Couldn't find host %s in the %s file; using defaults\n",
- conn->host.name, data->set.str[STRING_NETRC_FILE]);
- }
- else if(ret < 0) {
- return CURLE_OUT_OF_MEMORY;
- }
- else {
- /* set bits.netrc TRUE to remember that we got the name from a .netrc
- file, so that it is safe to use even if we followed a Location: to a
- different host or similar. */
- conn->bits.netrc = TRUE;
- conn->bits.user_passwd = TRUE; /* enable user+password */
+ if(!*passwdp) {
+ ret = Curl_parsenetrc(conn->host.name,
+ userp, passwdp,
+ &netrc_user_changed, &netrc_passwd_changed,
+ data->set.str[STRING_NETRC_FILE]);
+ if(ret > 0) {
+ infof(data, "Couldn't find host %s in the %s file; using defaults\n",
+ conn->host.name, data->set.str[STRING_NETRC_FILE]);
+ }
+ else if(ret < 0) {
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+ /* set bits.netrc TRUE to remember that we got the name from a .netrc
+ file, so that it is safe to use even if we followed a Location: to a
+ different host or similar. */
+ conn->bits.netrc = TRUE;
+ conn->bits.user_passwd = TRUE; /* enable user+password */
+ }
}
}
--
2.45.2
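Review bot: In the netrc.c hunk, the blank-password fallback under `out:` sets `retcode = 1; /* out of memory */`, but 1 is the value of `NETRC_FILE_MISSING`, and the url.c hunk treats `ret > 0` as "couldn't find host, using defaults" and only `ret < 0` as `CURLE_OUT_OF_MEMORY`. A failed `strdup("")` would therefore be reported as a missing entry, and the transfer would presumably go on without credentials instead of failing. `retcode = NETRC_FAILED; /* out of memory */` would match the other allocation-failure paths in the same function. Separately, the quoted upstream description lists rejecting .netrc credentials that contain ASCII control codes, yet no visible hunk adds such a check, so it is worth confirming whether the 7.77.0 backport omits it on purpose and saying so in the patch header. Both parsenetrc and override_login start and end outside the hunks shown.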


@ -2,7 +2,7 @@
Summary: Cmake
Name: cmake
Version: 3.21.4
Release: 14%{?dist}
Release: 15%{?dist}
License: BSD AND LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@ -32,6 +32,7 @@ Patch17: CVE-2023-46218.patch
Patch18: CVE-2024-2398.patch
Patch19: CVE-2024-28182.patch
Patch20: CVE-2024-7264.patch
Patch21: CVE-2024-11053.patch
BuildRequires: bzip2
BuildRequires: bzip2-devel
BuildRequires: curl
@ -97,6 +98,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
%{_prefix}/doc/%{name}-*/*
%changelog
* Tue Jan 14 2025 Henry Beberman <henry.beberman@microsoft.com> - 3.21.4-15
- Patch vendored curl for CVE-2024-11053
* Thu Nov 21 2024 Vince Perri <viperri@microsoft.com> - 3.21.4-14
- Patch CVE-2024-2398 and CVE-2024-7264 (bundled curl)
- Patch CVE-2024-28182 (bundled nghttp2)


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: Container Network Interface (CNI) plugins
Name: cni-plugins
Version: 1.3.0
Release: 6%{?dist}
Release: 7%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -11,6 +11,7 @@ URL: https://github.com/containernetworking/plugins
#Source0: https://github.com/containernetworking/plugins/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
Patch0: CVE-2023-3978.patch
Patch1: CVE-2024-45338.patch
%define _default_cni_plugins_dir /opt/cni/bin
BuildRequires: golang
Provides: kubernetes-cni
@ -40,6 +41,9 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
%{_default_cni_plugins_dir}/*
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.0-7
- Add patch for CVE-2024-45338.
* Thu Oct 10 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.0-6
- Add patch to resolve CVE-2023-3978.


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -18,7 +18,7 @@
Summary: Container native virtualization
Name: containerized-data-importer
Version: 1.55.0
Release: 21%{?dist}
Release: 22%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -38,6 +38,7 @@ Patch1: CVE-2024-3727.patch
Patch2: CVE-2022-41717.patch
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-28180.patch
Patch5: CVE-2024-45338.patch
%description
Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes
@ -205,6 +206,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
%{_datadir}/cdi/manifests
%changelog
* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.55.0-22
- Add patch for CVE-2024-45338
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.55.0-21
- Bump release to rebuild with go 1.22.7


@ -360,15 +360,3 @@ index 3e7577d..ea7b635 100644
@test "ctr device add" {
# In an user namespace we can only bind mount devices from the host, not mknod
# https://github.com/opencontainers/runc/blob/master/libcontainer/rootfs_linux.go#L480-L481
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6f8a08b..1899c90 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1517,6 +1517,7 @@ k8s.io/kubernetes/pkg/kubelet/cri/streaming
k8s.io/kubernetes/pkg/kubelet/cri/streaming/portforward
k8s.io/kubernetes/pkg/kubelet/cri/streaming/remotecommand
k8s.io/kubernetes/pkg/kubelet/types
+k8s.io/kubernetes/pkg/kubelet/util/ioutils
k8s.io/kubernetes/pkg/proxy
k8s.io/kubernetes/pkg/proxy/config
k8s.io/kubernetes/pkg/proxy/healthcheck


@ -0,0 +1,46 @@
From 41dca27cb53bca3c9255287f53e241b9d3bfd7de Mon Sep 17 00:00:00 2001
From: Peter Hunt~ <pehunt@redhat.com>
Date: Wed, 14 Dec 2022 18:15:50 -0500
Subject: [PATCH] server: fail if HOME variable has a newline
to prevent CVE-2022-4318
Signed-off-by: Peter Hunt~ <pehunt@redhat.com>
---
server/container_create.go | 3 +++
test/ctr.bats | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/server/container_create.go b/server/container_create.go
index fb835b0..d07e2f1 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -196,6 +196,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
for _, env := range specgen.Config.Process.Env {
if strings.HasPrefix(env, "HOME=") {
homedir = strings.TrimPrefix(env, "HOME=")
+ if idx := strings.Index(homedir, `\n`); idx > -1 {
+ return fmt.Errorf("invalid HOME environment; newline not allowed")
+ }
break
}
}
diff --git a/test/ctr.bats b/test/ctr.bats
index 67f941f..9c48149 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
@@ -938,3 +938,11 @@ function check_oci_annotation() {
pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
! crictl create "$pod_id" "$TESTDIR/config" "$TESTDATA"/sandbox_config.json
}
+
+@test "ctr HOME env newline invalid" {
+ start_crio
+ jq ' .envs = [{"key": "HOME=", "value": "/root:/sbin/nologin\\ntest::0:0::/:/bin/bash"}]' \
+ "$TESTDATA"/container_config.json > "$newconfig"
+
+ ! crictl run "$newconfig" "$TESTDATA"/sandbox_config.json
+}
--
2.25.1
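Review bot: In the container_create.go hunk, the new guard passes a back-quoted (raw) string literal to `strings.Index`, and Go does not interpret escapes in raw strings, so it searches for the two characters backslash and `n` rather than for a line-feed byte. A HOME value containing an actual newline character would not be rejected by this check as written. The added bats test appears to feed a literal backslash-n as well (`\\n` inside the jq string), so it does not exercise that case. Consider `if strings.Contains(homedir, "\n") || strings.Contains(homedir, "\\n") {`, which keeps the existing match and adds the line-feed byte. setupContainerUser starts and ends outside the hunk, so how homedir is used afterwards is not visible here.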


@ -1,3 +1,139 @@
From 6eabd7e1834e47b20f55cbe9d473fc607c693358 Mon Sep 17 00:00:00 2001
From: Alexey Ivanov <SaveTheRbtz@GMail.com>
Date: Tue, 11 Apr 2023 11:34:42 -0700
Subject: [PATCH] server: use least-requests loadbalancer for workers (#6004)
---
vendor/google.golang.org/grpc/server.go | 52 +++++++++++--------------
1 file changed, 22 insertions(+), 30 deletions(-)
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 0251f48..7a9b98d 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -43,7 +43,6 @@ import (
"google.golang.org/grpc/internal"
"google.golang.org/grpc/internal/binarylog"
"google.golang.org/grpc/internal/channelz"
- "google.golang.org/grpc/internal/grpcrand"
"google.golang.org/grpc/internal/grpcsync"
"google.golang.org/grpc/internal/transport"
"google.golang.org/grpc/keepalive"
@@ -137,7 +136,7 @@ type Server struct {
channelzID int64 // channelz unique identification number
czData *channelzData
- serverWorkerChannels []chan *serverWorkerData
+ serverWorkerChannel chan *serverWorkerData
}
type serverOptions struct {
@@ -520,40 +519,38 @@ func NumStreamWorkers(numServerWorkers uint32) ServerOption {
const serverWorkerResetThreshold = 1 << 16
// serverWorkers blocks on a *transport.Stream channel forever and waits for
-// data to be fed by serveStreams. This allows different requests to be
+// data to be fed by serveStreams. This allows multiple requests to be
// processed by the same goroutine, removing the need for expensive stack
// re-allocations (see the runtime.morestack problem [1]).
//
// [1] https://github.com/golang/go/issues/18138
-func (s *Server) serverWorker(ch chan *serverWorkerData) {
- // To make sure all server workers don't reset at the same time, choose a
- // random number of iterations before resetting.
- threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold)
- for completed := 0; completed < threshold; completed++ {
- data, ok := <-ch
+func (s *Server) serverWorker() {
+ for completed := 0; completed < serverWorkerResetThreshold; completed++ {
+ data, ok := <-s.serverWorkerChannel
if !ok {
return
}
- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
- data.wg.Done()
+ s.handleSingleStream(data)
}
- go s.serverWorker(ch)
+ go s.serverWorker()
}
-// initServerWorkers creates worker goroutines and channels to process incoming
+func (s *Server) handleSingleStream(data *serverWorkerData) {
+ defer data.wg.Done()
+ s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
+}
+
+// initServerWorkers creates worker goroutines and a channel to process incoming
// connections to reduce the time spent overall on runtime.morestack.
func (s *Server) initServerWorkers() {
- s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers)
+ s.serverWorkerChannel = make(chan *serverWorkerData)
for i := uint32(0); i < s.opts.numServerWorkers; i++ {
- s.serverWorkerChannels[i] = make(chan *serverWorkerData)
- go s.serverWorker(s.serverWorkerChannels[i])
+ go s.serverWorker()
}
}
func (s *Server) stopServerWorkers() {
- for i := uint32(0); i < s.opts.numServerWorkers; i++ {
- close(s.serverWorkerChannels[i])
- }
+ close(s.serverWorkerChannel)
}
// NewServer creates a gRPC server which has no service registered and has not
@@ -921,26 +918,21 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
defer st.Close()
var wg sync.WaitGroup
- var roundRobinCounter uint32
st.HandleStreams(func(stream *transport.Stream) {
wg.Add(1)
if s.opts.numServerWorkers > 0 {
data := &serverWorkerData{st: st, wg: &wg, stream: stream}
select {
- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data:
+ case s.serverWorkerChannel <- data:
+ return
default:
// If all stream workers are busy, fallback to the default code path.
- go func() {
- s.handleStream(st, stream, s.traceInfo(st, stream))
- wg.Done()
- }()
}
- } else {
- go func() {
- defer wg.Done()
- s.handleStream(st, stream, s.traceInfo(st, stream))
- }()
}
+ go func() {
+ defer wg.Done()
+ s.handleStream(st, stream, s.traceInfo(st, stream))
+ }()
}, func(ctx context.Context, method string) context.Context {
if !EnableTracing {
return ctx
--
2.25.1
From 5efd7bd73e11fea58d1c7f1c110902e78a286299 Mon Sep 17 00:00:00 2001
From: Doug Fawley <dfawley@google.com>
Date: Tue, 10 Oct 2023 14:05:12 -0700
Subject: [PATCH] server: prohibit more than MaxConcurrentStreams handlers from
running at once (#6703) (#6708)
---
.../grpc/internal/transport/http2_server.go | 11 +-
vendor/google.golang.org/grpc/server.go | 71 +++++++----
.../google.golang.org/grpc/server_ext_test.go | 110 ++++++++++++++++++
.../apimachinery/pkg/util/runtime/runtime.go | 15 ++-
4 files changed, 172 insertions(+), 35 deletions(-)
create mode 100644 vendor/google.golang.org/grpc/server_ext_test.go
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index e3799d5..586c85f 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@ -30,10 +166,32 @@ index e3799d5..586c85f 100644
fc: &trInFlow{limit: uint32(icwz)},
state: reachable,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 0251f48..2277846 100644
index 7a9b98d..81cf25e 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -168,6 +168,7 @@ type serverOptions struct {
@@ -106,12 +106,6 @@ type serviceInfo struct {
mdata interface{}
}
-type serverWorkerData struct {
- st transport.ServerTransport
- wg *sync.WaitGroup
- stream *transport.Stream
-}
-
// Server is a gRPC server to serve RPC requests.
type Server struct {
opts serverOptions
@@ -136,7 +130,7 @@ type Server struct {
channelzID int64 // channelz unique identification number
czData *channelzData
- serverWorkerChannel chan *serverWorkerData
+ serverWorkerChannel chan func()
}
type serverOptions struct {
@@ -167,6 +161,7 @@ type serverOptions struct {
}
var defaultServerOptions = serverOptions{
@ -41,7 +199,7 @@ index 0251f48..2277846 100644
maxReceiveMessageSize: defaultServerMaxReceiveMessageSize,
maxSendMessageSize: defaultServerMaxSendMessageSize,
connectionTimeout: 120 * time.Second,
@@ -361,6 +362,9 @@ func MaxSendMsgSize(m int) ServerOption {
@@ -360,6 +355,9 @@ func MaxSendMsgSize(m int) ServerOption {
// MaxConcurrentStreams returns a ServerOption that will apply a limit on the number
// of concurrent streams to each ServerTransport.
func MaxConcurrentStreams(n uint32) ServerOption {
@ -51,69 +209,82 @@ index 0251f48..2277846 100644
return newFuncServerOption(func(o *serverOptions) {
o.maxConcurrentStreams = n
})
@@ -918,35 +922,29 @@ func (s *Server) newHTTP2Transport(c net.Conn, authInfo credentials.AuthInfo) tr
@@ -526,24 +524,19 @@ const serverWorkerResetThreshold = 1 << 16
// [1] https://github.com/golang/go/issues/18138
func (s *Server) serverWorker() {
for completed := 0; completed < serverWorkerResetThreshold; completed++ {
- data, ok := <-s.serverWorkerChannel
+ f, ok := <-s.serverWorkerChannel
if !ok {
return
}
- s.handleSingleStream(data)
+ f()
}
go s.serverWorker()
}
func (s *Server) serveStreams(st transport.ServerTransport) {
- defer st.Close()
+ defer st.Close(errors.New("finished serving streams for the server transport"))
-func (s *Server) handleSingleStream(data *serverWorkerData) {
- defer data.wg.Done()
- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
-}
-
// initServerWorkers creates worker goroutines and a channel to process incoming
// connections to reduce the time spent overall on runtime.morestack.
func (s *Server) initServerWorkers() {
- s.serverWorkerChannel = make(chan *serverWorkerData)
+ s.serverWorkerChannel = make(chan func())
for i := uint32(0); i < s.opts.numServerWorkers; i++ {
go s.serverWorker()
}
@@ -918,21 +911,27 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
defer st.Close()
var wg sync.WaitGroup
- var roundRobinCounter uint32
+ streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams)
st.HandleStreams(func(stream *transport.Stream) {
wg.Add(1)
+
+
+ streamQuota.acquire()
+ f := func() {
+ defer streamQuota.release()
+ defer wg.Done()
+ s.handleStream(st, stream)
+ s.handleStream(st, stream, s.traceInfo(st, stream))
+ }
+
if s.opts.numServerWorkers > 0 {
- data := &serverWorkerData{st: st, wg: &wg, stream: stream}
select {
- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data:
- case s.serverWorkerChannel <- data:
+ case s.serverWorkerChannel <- f:
+ return
return
default:
// If all stream workers are busy, fallback to the default code path.
- go func() {
- s.handleStream(st, stream, s.traceInfo(st, stream))
- wg.Done()
- }()
}
- } else {
- go func() {
- defer wg.Done()
- s.handleStream(st, stream, s.traceInfo(st, stream))
- }()
- }
- }, func(ctx context.Context, method string) context.Context {
- if !EnableTracing {
- return ctx
}
- tr := trace.New("grpc.Recv."+methodFamily(method), method)
- return trace.NewContext(ctx, tr)
- go func() {
- defer wg.Done()
- s.handleStream(st, stream, s.traceInfo(st, stream))
- }()
+ go f()
})
}, func(ctx context.Context, method string) context.Context {
if !EnableTracing {
return ctx
@@ -943,6 +942,36 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
wg.Wait()
}
@@ -1875,3 +1873,34 @@ type channelzServer struct {
func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric {
return c.s.channelzMetric()
}
+
+// atomicSemaphore implements a blocking, counting semaphore. acquire should be
+// called synchronously; release may be called asynchronously.
+type atomicSemaphore struct {
+ n atomic.Int64
+ n int64
+ wait chan struct{}
+}
+
+func (q *atomicSemaphore) acquire() {
+ if q.n.Add(-1) < 0 {
+ if atomic.AddInt64(&q.n, -1) < 0 {
+ // We ran out of quota. Block until a release happens.
+ <-q.wait
+ }
@ -124,23 +295,25 @@ index 0251f48..2277846 100644
+ // concurrent calls to acquire, but also note that with synchronous calls to
+ // acquire, as our system does, n will never be less than -1. There are
+ // fairness issues (queuing) to consider if this was to be generalized.
+ if q.n.Add(1) <= 0 {
+ if atomic.AddInt64(&q.n, 1) <= 0 {
+ // An acquire was waiting on us. Unblock it.
+ q.wait <- struct{}{}
+ }
+}
+
+func newHandlerQuota(n uint32) *atomicSemaphore {
+ a := &atomicSemaphore{wait: make(chan struct{}, 1)}
+ a.n.Store(int64(n))
+ return a
+ return &atomicSemaphore{n: int64(n), wait: make(chan struct{}, 1)}
+}
+
var _ http.Handler = (*Server)(nil)
// ServeHTTP implements the Go standard library's http.Handler
diff --git a/vendor/google.golang.org/grpc/server_ext_test.go b/vendor/google.golang.org/grpc/server_ext_test.go
new file mode 100644
index 0000000..df79755
index 0000000..dab7a80
--- /dev/null
+++ b/vendor/google.golang.org/grpc/server_ext_test.go
@@ -0,0 +1,99 @@
@@ -0,0 +1,110 @@
+/*
+ *
+ * Copyright 2023 gRPC authors.
@ -169,11 +342,22 @@ index 0000000..df79755
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/internal/grpcsync"
+ "google.golang.org/grpc/internal/grpctest"
+ "google.golang.org/grpc/internal/stubserver"
+
+ testgrpc "google.golang.org/grpc/interop/grpc_testing"
+)
+
+const defaultTestTimeout = 10 * time.Second
+
+type s struct {
+ grpctest.Tester
+}
+
+func Test(t *testing.T) {
+ grpctest.RunSubTests(t, s{})
+}
+
+// TestServer_MaxHandlers ensures that no more than MaxConcurrentStreams server
+// handlers are active at one time.
+func (s) TestServer_MaxHandlers(t *testing.T) {
@ -268,3 +452,6 @@ index 035c528..c3241ea 100644
}
// GetCaller returns the caller of the function that calls it.
--
2.25.1


@ -1,48 +1,43 @@
From 8e1cd2f56d518f8d6292b8bb39f0d0932e4b6c2a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Tue, 26 Dec 2023 23:53:07 +1100
Subject: [PATCH 1/5] init: verify after chdir that cwd is inside the container
If a file descriptor of a directory in the host's mount namespace is
leaked to runc init, a malicious config.json could use /proc/self/fd/...
as a working directory to allow for host filesystem access after the
container runs. This can also be exploited by a container process if it
knows that an administrator will use "runc exec --cwd" and the target
--cwd (the attacker can change that cwd to be a symlink pointing to
/proc/self/fd/... and wait for the process to exec and then snoop on
/proc/$pid/cwd to get access to the host). The former issue can lead to
a critical vulnerability in Docker and Kubernetes, while the latter is a
container breakout.
We can (ab)use the fact that getcwd(2) on Linux detects this exact case,
and getcwd(3) and Go's Getwd() return an error as a result. Thus, if we
just do os.Getwd() after chdir we can easily detect this case and error
out.
In runc 1.1, a /sys/fs/cgroup handle happens to be leaked to "runc
init", making this exploitable. On runc main it just so happens that the
leaked /sys/fs/cgroup gets clobbered and thus this is only consistently
exploitable for runc 1.1.
Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[refactored the implementation and added more comments]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Adapted for Azure Linux
.../libcontainer/cgroups/fscommon/open.go | 13 ++--
.../runc/libcontainer/utils/utils_unix.go | 74 ++++++++++++++++---
2 files changed, 72 insertions(+), 15 deletions(-)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
index 5f6ab9f..53f5f2d 100644
index 5f6ab9f..886741c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
@@ -89,14 +89,13 @@ func prepareOpenat2() error {
@@ -4,6 +4,7 @@ import (
"bytes"
"os"
"strings"
+ "strconv"
"sync"
"github.com/pkg/errors"
@@ -68,16 +69,16 @@ var (
// TestMode is set to true by unit tests that need "fake" cgroupfs.
TestMode bool
- cgroupFd int = -1
- prepOnce sync.Once
- prepErr error
- resolveFlags uint64
+ cgroupRootHandle *os.File
+ prepOnce sync.Once
+ prepErr error
+ resolveFlags uint64
)
func prepareOpenat2() error {
prepOnce.Do(func() {
fd, err := unix.Openat2(-1, cgroupfsDir, &unix.OpenHow{
- Flags: unix.O_DIRECTORY | unix.O_PATH,
+ Flags: unix.O_DIRECTORY | unix.O_PATH | unix.O_CLOEXEC,
})
if err != nil {
prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err}
@@ -88,15 +89,16 @@ func prepareOpenat2() error {
}
return
}
+ file := os.NewFile(uintptr(fd), cgroupfsDir)
+
var st unix.Statfs_t
- if err = unix.Fstatfs(fd, &st); err != nil {
+ if err := unix.Fstatfs(int(file.Fd()), &st); err != nil {
@ -57,7 +52,7 @@ index 5f6ab9f..53f5f2d 100644
resolveFlags = unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS
if st.Type == unix.CGROUP2_SUPER_MAGIC {
// cgroupv2 has a single mountpoint and no "cpu,cpuacct" symlinks
@@ -125,7 +124,7 @@ func openFile(dir, file string, flags int) (*os.File, error) {
@@ -125,7 +127,7 @@ func openFile(dir, file string, flags int) (*os.File, error) {
}
relname := reldir + "/" + file
@ -66,5 +61,119 @@ index 5f6ab9f..53f5f2d 100644
&unix.OpenHow{
Resolve: resolveFlags,
Flags: uint64(flags) | unix.O_CLOEXEC,
--
2.25.1
@@ -133,6 +135,23 @@ func openFile(dir, file string, flags int) (*os.File, error) {
})
if err != nil {
return nil, &os.PathError{Op: "openat2", Path: dir + "/" + file, Err: err}
+ err = &os.PathError{Op: "openat2", Path: dir + "/" + file, Err: err}
+ // Check if cgroupRootHandle is still opened to cgroupfsDir
+ // (happens when this package is incorrectly used
+ // across the chroot/pivot_root/mntns boundary, or
+ // when /sys/fs/cgroup is remounted).
+ //
+ // TODO: if such usage will ever be common, amend this
+ // to reopen cgroupRootHandle and retry openat2.
+ fdStr := strconv.Itoa(int(cgroupRootHandle.Fd()))
+ fdDest, _ := os.Readlink("/proc/self/fd/" + fdStr)
+ if fdDest != cgroupfsDir {
+ // Wrap the error so it is clear that cgroupRootHandle
+ // is opened to an unexpected/wrong directory.
+ err = errors.Errorf("cgroupRootHandle %d unexpectedly opened to %s != %s: %w",
+ cgroupRootHandle.Fd(), fdDest, cgroupfsDir, err)
+ }
+ return nil, err
}
return os.NewFile(uintptr(fd), cgroupfsPrefix+relname), nil
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
index 1576f2d..4d01531 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
@@ -6,6 +6,7 @@ import (
"fmt"
"os"
"strconv"
+ _ "unsafe" // for go:linkname
"golang.org/x/sys/unix"
)
@@ -22,9 +23,11 @@ func EnsureProcHandle(fh *os.File) error {
return nil
}
-// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
-// the process (except for those below the given fd value).
-func CloseExecFrom(minFd int) error {
+type fdFunc func(fd int)
+
+// fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
+// the current process.
+func fdRangeFrom(minFd int, fn fdFunc) error {
fdDir, err := os.Open("/proc/self/fd")
if err != nil {
return err
@@ -49,15 +52,59 @@ func CloseExecFrom(minFd int) error {
if fd < minFd {
continue
}
- // Intentionally ignore errors from unix.CloseOnExec -- the cases where
- // this might fail are basically file descriptors that have already
- // been closed (including and especially the one that was created when
- // ioutil.ReadDir did the "opendir" syscall).
- unix.CloseOnExec(fd)
+ // Ignore the file descriptor we used for readdir, as it will be closed
+ // when we return.
+ if uintptr(fd) == fdDir.Fd() {
+ continue
+ }
+ // Run the closure.
+ fn(fd)
}
return nil
}
+// CloseExecFrom sets the O_CLOEXEC flag on all file descriptors greater or
+// equal to minFd in the current process.
+func CloseExecFrom(minFd int) error {
+ return fdRangeFrom(minFd, unix.CloseOnExec)
+}
+
+//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor
+// In order to make sure we do not close the internal epoll descriptors the Go
+// runtime uses, we need to ensure that we skip descriptors that match
+// "internal/poll".IsPollDescriptor. Yes, this is a Go runtime internal thing,
+// unfortunately there's no other way to be sure we're only keeping the file
+// descriptors the Go runtime needs. Hopefully nothing blows up doing this...
+func runtime_IsPollDescriptor(fd uintptr) bool //nolint:revive
+
+// UnsafeCloseFrom closes all file descriptors greater or equal to minFd in the
+// current process, except for those critical to Go's runtime (such as the
+// netpoll management descriptors).
+//
+// NOTE: That this function is incredibly dangerous to use in most Go code, as
+// closing file descriptors from underneath *os.File handles can lead to very
+// bad behaviour (the closed file descriptor can be re-used and then any
+// *os.File operations would apply to the wrong file). This function is only
+// intended to be called from the last stage of runc init.
+func UnsafeCloseFrom(minFd int) error {
+ // We must not close some file descriptors.
+ return fdRangeFrom(minFd, func(fd int) {
+ if runtime_IsPollDescriptor(uintptr(fd)) {
+ // These are the Go runtimes internal netpoll file descriptors.
+ // These file descriptors are operated on deep in the Go scheduler,
+ // and closing those files from underneath Go can result in panics.
+ // There is no issue with keeping them because they are not
+ // executable and are not useful to an attacker anyway. Also we
+ // don't have any choice.
+ return
+ }
+ // There's nothing we can do about errors from close(2), and the
+ // only likely error to be seen is EBADF which indicates the fd was
+ // already closed (in which case, we got what we wanted).
+ _ = unix.Close(fd)
+ })
+}
+
// NewSockPair returns a new unix socket pair
func NewSockPair(name string) (parent *os.File, child *os.File, err error) {
fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
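Review bot: In the added openFile error path, `errors.Errorf("cgroupRootHandle %d unexpectedly opened to %s != %s: %w", ...)` is called on what the import hunk shows to be `github.com/pkg/errors`, whose `Errorf` formats with `fmt.Sprintf` and does not understand `%w`. The underlying openat2 error would then be rendered as a `%!w(...)` artifact in the message and would not be attached as the cause. `errors.Wrapf(err, "cgroupRootHandle %d unexpectedly opened to %s != %s", cgroupRootHandle.Fd(), fdDest, cgroupfsDir)` keeps the cause without a new import. The same pattern appears in CVE-2024-9341.patch as `errors.Errorf("resolve %s in the container: %w", srcBackendDir, err)`, where `errors.Wrapf(err, "resolve %s in the container", srcBackendDir)` would do. Both function bodies continue outside the hunks, so this assumes `errors` is not aliased to something else further up.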


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -0,0 +1,42 @@
From 5a550b6fe26068dd1d5d2616c8595edf10b41e28 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Fri, 27 Sep 2024 14:01:56 +0200
Subject: [PATCH] pkg/subscriptions: use securejoin for the container path
If we join a path from the container image we must always use securejoin
to prevent us from following a symlink onto the host.
Fixes CVE-2024-9341
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
.../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
index 4b7253b..81f72f6 100644
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@@ -9,6 +9,7 @@ import (
"github.com/containers/common/pkg/umask"
"github.com/containers/storage/pkg/idtools"
+ securejoin "github.com/cyphar/filepath-securejoin"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -337,7 +338,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPo
srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
destDir := "/etc/crypto-policies/back-ends"
- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+ if err != nil {
+ return errors.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+ }
if _, err := os.Stat(srcOnHost); err != nil {
if os.IsNotExist(err) {
return nil
--
2.25.1


@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
# Define macros for further referenced sources
Name: cri-o
Version: 1.22.3
Release: 8%{?dist}
Release: 9%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -68,6 +68,9 @@ Patch12: CVE-2024-3727.patch
Patch13: CVE-2021-43565.patch
Patch14: CVE-2024-6104.patch
Patch15: CVE-2022-32149.patch
Patch16: CVE-2022-4318.patch
Patch17: CVE-2024-9341.patch
Patch18: CVE-2024-45338.patch
BuildRequires: btrfs-progs-devel
BuildRequires: device-mapper-devel
BuildRequires: fdupes
@ -115,8 +118,8 @@ This package provides the CRI-O container runtime configuration for kubeadm
%prep
%setup -q
%autopatch -p1
tar -xf %{SOURCE1} --no-same-owner
%autopatch -p1
%build
@ -220,6 +223,11 @@ mkdir -p /opt/cni/bin
%{_fillupdir}/sysconfig.kubelet
%changelog
* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.22.3-9
- Apply patch after extracting the vendor sources.
- Fix patches with compilation errors.
- Add patches for CVE-2022-4318, CVE-2024-9341 & CVE-2024-45338.
* Thu Sep 12 2024 Sindhu Karri <lakarri@microsoft.com> - 1.22.3-8
- Patch CVE-2022-32149
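Review bot: The %prep reordering that moves `%autopatch -p1` below `tar -xf %{SOURCE1} --no-same-owner` carries no comment saying why the order matters, so a later cleanup could move it back. The patches in this package edit files under vendor/, so applying them before the vendor tarball is unpacked presumably either fails or is overwritten by the extraction, leaving a CVE fix out of the build. A one-line comment above the tar line would pin this: `# Unpack vendored sources first; the CVE patches modify vendor/ and must apply on top of them.`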


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -7,7 +7,7 @@
Summary: CRI tools
Name: cri-tools
Version: 1.29.0
Release: 5%{?dist}
Release: 6%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -17,6 +17,7 @@ Source0: https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}
Patch0: CVE-2024-21626.patch
Patch1: CVE-2023-45288.patch
Patch2: CVE-2024-24786.patch
Patch3: CVE-2024-45338.patch
BuildRequires: glib-devel
BuildRequires: glibc-devel
BuildRequires: golang
@ -47,6 +48,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest"
%{_bindir}/critest
%changelog
* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.29.0-6
- Add patch for CVE-2024-45338
* Wed Dec 04 2024 Suresh Thelkar <sthelkar@microsoft.com> - 1.29.0-5
- Patch CVE-2024-24786


@ -1,7 +1,7 @@
Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
Name: fluent-bit
Version: 2.2.3
Release: 6%{?dist}
Release: 7%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -64,7 +64,6 @@ Development files for %{name}
-DFLB_DEBUG=Off \
-DFLB_TLS=On \
-DFLB_JEMALLOC=On \
-DFLB_LUAJIT=Off \
%cmake_build
@ -72,7 +71,7 @@ Development files for %{name}
%cmake_install
%check
%ctest --exclude-regex "flb-rt-in_podman_metrics|flb-rt-filter_lua|.*\\.sh"
%ctest --exclude-regex "flb-rt-in_podman_metrics|.*\\.sh"
%files
%license LICENSE
@ -81,12 +80,19 @@ Development files for %{name}
%{_unitdir}/fluent-bit.service
%{_bindir}/*
%{_prefix}%{_sysconfdir}/fluent-bit/*
%exclude %{_bindir}/luajit
%exclude %{_libdir}/libluajit.a
%files devel
%{_includedir}/*
%{_libdir}/fluent-bit/*.so
%changelog
* Fri Jan 10 2025 Kshitiz Godara <kgodara@microsoft.com> - 2.2.3-7
- Enable luajit support
- Exclude luajit binary from final package to remove conflict with luajit package
- Exclude luajit static library from package as not needed
* Tue Dec 10 2024 Sudipta Pandit <sudpandit@microsoft.com> - 2.2.3-6
- Backport fix for CVE-2024-27532
@ -132,7 +138,7 @@ Development files for %{name}
- Upgrade version to 1.9.6
- Add build time dependency libyaml-devel
* Thu Feb 19 2022 Sriram Nambakam <snambakam@microsoft.com> - 1.8.12-2
* Sat Feb 19 2022 Sriram Nambakam <snambakam@microsoft.com> - 1.8.12-2
- Compile with -DFLB_JEMALLOC=on.
* Tue Feb 01 2022 Cameron Baird <cameronbaird@microsoft.com> - 1.8.12-1
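Review bot: With `-DFLB_LUAJIT=Off` dropped from the cmake flags, the package appears to build and link fluent-bit's bundled LuaJIT, yet nothing visible in the spec records that bundled copy. The new `%exclude` lines for `%{_bindir}/luajit` and `%{_libdir}/libluajit.a` point the same way. Fixes shipped in the distribution's luajit package will not reach this binary, so vulnerability tracking needs a marker. Consider adding `Provides: bundled(luajit)` to the preamble, with the bundled version taken from the fluent-bit source tree. The preamble is only partly visible in these hunks, so an existing declaration cannot be ruled out.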


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: GitHub official command line tool
Name: gh
Version: 2.13.0
Release: 23%{?dist}
Release: 24%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -32,6 +32,7 @@ Patch0: fix-relative-time-search-tests.patch
Patch1: CVE-2021-43565.patch
Patch2: CVE-2022-32149.patch
Patch3: CVE-2024-54132.patch
Patch4: CVE-2024-45338.patch
BuildRequires: golang
BuildRequires: git
@ -44,11 +45,8 @@ GitHub official command line tool.
%prep
%setup -q -n cli-%{version}
%patch0 -p1
tar --no-same-owner -xf %{SOURCE1}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%autopatch -p1
%build
export GOPATH=%{our_gopath}
@ -79,6 +77,9 @@ make test
%{_datadir}/zsh/site-functions/_gh
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 2.13.0-24
- Add patch for CVE-2024-45338.
* Fri Dec 13 2024 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.13.0-23
- Patch CVE-2024-54132


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -2,7 +2,7 @@
Name: helm
Version: 3.14.2
Release: 4%{?dist}
Release: 5%{?dist}
Summary: The Kubernetes Package Manager
Group: Applications/Networking
License: Apache 2.0
@ -26,6 +26,7 @@ Source0: %{name}-%{version}.tar.gz
#
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2023-45288.patch
Patch1: CVE-2024-45338.patch
BuildRequires: golang
%description
@ -55,6 +56,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
go test -v ./cmd/helm
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 3.14.2-5
- Add patch for CVE-2024-45338
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.14.2-4
- Bump release to rebuild with go 1.22.7


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -18,7 +18,7 @@
Summary: Scalable datastore for metrics, events, and real-time analytics
Name: influxdb
Version: 2.6.1
Release: 18%{?dist}
Release: 19%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -58,6 +58,7 @@ Source6: influxdb-user.conf
Patch0: CVE-2024-6104.patch
Patch1: CVE-2022-32149.patch
Patch2: CVE-2024-24786.patch
Patch3: CVE-2024-45338.patch
BuildRequires: clang
BuildRequires: golang <= 1.18.8
BuildRequires: kernel-headers
@ -147,6 +148,9 @@ go test ./...
%{_tmpfilesdir}/influxdb.conf
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 2.6.1-19
- Add patch for CVE-2024-45338
* Mon Dec 09 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.6.1-18
- Patch for CVE-2024-24786


@ -0,0 +1,79 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: Kubernetes-based Event Driven Autoscaling
Name: keda
Version: 2.4.0
Release: 24%{?dist}
Release: 25%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -33,7 +33,7 @@ Patch1: CVE-2023-44487.patch
Patch2: CVE-2021-44716.patch
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-6104.patch
Patch5: CVE-2024-45338.patch
BuildRequires: golang
@ -69,6 +69,9 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
%{_bindir}/%{name}-adapter
%changelog
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 2.4.0-25
- Add patch for CVE-2024-45338.
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.4.0-24
- Bump release to rebuild with go 1.22.7


@ -0,0 +1,53 @@
From 6622b002f70a153100d1c286fbcea721160da192 Mon Sep 17 00:00:00 2001
From: Imre Rad <imrer@google.com>
Date: Thu, 25 Apr 2024 14:21:51 +0000
Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
More details on Hackerone #2266560
---
pkg/volume/git_repo/git_repo.go | 6 ++++++
pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
index 995018d900727..b3827b92ad0f0 100644
--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
return err
}
+ if (src.Revision != "") && (src.Directory != "") {
+ cleanedDir := filepath.Clean(src.Directory)
+ if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
+ return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
+ }
+ }
return nil
}
diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
index 5b1461be892a1..650f765cc4884 100644
--- a/pkg/volume/git_repo/git_repo_test.go
+++ b/pkg/volume/git_repo/git_repo_test.go
@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
},
isExpectedFailure: true,
},
+ {
+ name: "invalid-revision-directory-combo",
+ vol: &v1.Volume{
+ Name: "vol1",
+ VolumeSource: v1.VolumeSource{
+ GitRepo: &v1.GitRepoVolumeSource{
+ Repository: gitURL,
+ Revision: "main",
+ Directory: "foo/bar",
+ },
+ },
+ },
+ isExpectedFailure: true,
+ },
}
for _, scenario := range scenarios {
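Review bot: The only scenario added to TestPlugin uses `Directory: "foo/bar"`, so the backslash half of the new condition in validateVolume (`strings.Contains(cleanedDir, "\\")`) and the `src.Revision != ""` gate are not pinned by any test. A second scenario with `Directory: "foo\\bar"`, and one with a nested Directory and an empty Revision whose expected result is stated explicitly, would keep a later rebase of this backport from silently loosening the check. The guard also has no comment explaining why nested directories are rejected only when a Revision is set; the patch header just points to an external report, so a one-line why-comment above the `if` would help. Both validateVolume and TestPlugin start outside the hunks shown.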


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a9..bca3ae9a 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9dc..e8515d8e 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89eda..5b8374bf 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -10,7 +10,7 @@
Summary: Microsoft Kubernetes
Name: kubernetes
Version: 1.28.4
Release: 12%{?dist}
Release: 14%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -24,6 +24,8 @@ Patch2: CVE-2023-5408.patch
Patch3: CVE-2023-45288.patch
Patch4: CVE-2024-28180.patch
Patch5: CVE-2024-24786.patch
Patch6: CVE-2024-45338.patch
Patch7: CVE-2024-10220.patch
BuildRequires: flex-devel
BuildRequires: glibc-static >= 2.35-7%{?dist}
BuildRequires: golang
@ -270,6 +272,12 @@ fi
%{_exec_prefix}/local/bin/pause
%changelog
* Tue Jan 07 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.28.4-14
- Add patch for CVE-2024-10220
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.28.4-13
- Add patch for CVE-2024-45338
* Mon Oct 14 2024 Henry Li <lihl@microsoft.com> - 1.28.4-12
- Add patch to resolve CVE-2024-24786


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -19,7 +19,7 @@
Summary: Container native virtualization
Name: kubevirt
Version: 0.59.0
Release: 22%{?dist}
Release: 23%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -39,6 +39,7 @@ Patch06: CVE-2024-24786.patch
Patch07: CVE-2023-45288.patch
Patch08: CVE-2022-32149.patch
Patch09: CVE-2023-26484.patch
Patch10: CVE-2024-45338.patch
%global debug_package %{nil}
BuildRequires: glibc-devel
BuildRequires: glibc-static >= 2.35-7%{?dist}
@ -218,6 +219,9 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v
%{_bindir}/virt-tests
%changelog
* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 0.59.0-23
- Add patch to fix CVE-2024-45338
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.59.0-22
- Bump release to rebuild with go 1.22.7


@ -2,7 +2,7 @@
"Signatures": {
"go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
"go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
"go1.22.8-20241001.6.src.tar.gz": "549a43643849c73ffd8579d63e2e3488428f0a4c436169abe02be01a3dbd41c8",
"go1.23.3-20241202.3.src.tar.gz": "7ac83f3918439205861a8ca9e10360e7a0867d9ba8327f283b411e1de077d0e2",
"go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
}
}


@ -1,7 +1,8 @@
%global goroot %{_libdir}/golang
%global gopath %{_datadir}/gocode
%global ms_go_filename go1.22.8-20241001.6.src.tar.gz
%global ms_go_revision 1
%global ms_go_filename go1.23.3-20241202.3.src.tar.gz
%global ms_go_revision 2
%global go_priority %(echo %{version}.%{ms_go_revision} | tr -d .)
%ifarch aarch64
%global gohostarch arm64
%else
@ -14,7 +15,7 @@
%define __find_requires %{nil}
Summary: Go
Name: msft-golang
Version: 1.22.8
Version: 1.23.3
Release: 1%{?dist}
License: BSD
Vendor: Microsoft Corporation
@ -153,6 +154,12 @@ fi
%{_bindir}/*
%changelog
* Wed Jan 15 2025 Muhammad Falak <mwani@microsoft.com> - 1.23.3-1
- Bump version to 1.23.3
* Mon Jan 06 2025 Riken Maharjan <rmaharjan@microsoft.com> - 1.22.10-1
- Bump version to 1.22.10-1
* Thu Oct 24 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.22.8-1
- Auto-upgrade to 1.22.8 - To fix CVE-2022-41717
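Review bot: The `go_priority` macro in the first hunk is built by deleting the dots from `%{version}.%{ms_go_revision}`, which stops ordering versions correctly once any component reaches two digits. For this release it yields 12332 (1.23.3, revision 2), whereas the 1.22.10 build listed in the changelog would have yielded 122101 with a revision of 1. If the value is used as an alternatives priority (its use is outside the visible hunks), an older toolchain could outrank the newer one on a system that has both installed. Zero-padding each component keeps the number monotonic, for example `%global go_priority %(echo %{version}.%{ms_go_revision} | awk -F. '{printf "%%d%%02d%%02d%%02d", $1, $2, $3, $4}')`.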


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -19,7 +19,7 @@
Summary: CNI plugin providing multiple interfaces in containers
Name: multus
Version: 4.0.2
Release: 6%{?dist}
Release: 7%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -29,6 +29,7 @@ Source0: https://github.com/k8snetworkplumbingwg/multus-cni/archive/refs/
%define commit efdc0a5c7d1ea4bb236d638403420448b48782b3
Patch0: CVE-2023-45288.patch
Patch1: CVE-2023-3978.patch
Patch2: CVE-2024-45338.patch
BuildRequires: golang
BuildRequires: golang-packaging
@ -74,6 +75,9 @@ install -D -m0644 deployments/multus-daemonset.yml %{buildroot}%{_datadir}/k8s-y
%{_datarootdir}/k8s-yaml/multus/multus.yaml
%changelog
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 4.0.2-7
- Add patch for CVE-2024-45338.
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 4.0.2-6
- Bump release to rebuild with go 1.22.7


@ -1,86 +0,0 @@
From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 10 Jan 2024 13:41:39 -0800
Subject: [PATCH] http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process
all HEADERS and CONTINUATION frames on a connection.
When a request's headers exceed MaxHeaderBytes, we don't
allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of data, all associated
with a request which is going to be rejected.
Set a limit on the amount of excess header frames we
will process before closing a connection.
Thanks to Bartek Nowotarski for reporting this issue.
Fixes CVE-2023-45288
Fixes golang/go#65051
Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index c1f6b90..175c154 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
if size > remainSize {
hdec.SetEmitEnabled(false)
mh.Truncated = true
+ remainSize = 0
return
}
remainSize -= size
@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
var hc headersOrContinuation = hf
for {
frag := hc.HeaderBlockFragment()
+
+ // Avoid parsing large amounts of headers that we will then discard.
+ // If the sender exceeds the max header list size by too much,
+ // skip parsing the fragment and close the connection.
+ //
+ // "Too much" is either any CONTINUATION frame after we've already
+ // exceeded the max header list size (in which case remainSize is 0),
+ // or a frame whose encoded size is more than twice the remaining
+ // header list bytes we're willing to accept.
+ if int64(len(frag)) > int64(2*remainSize) {
+ if VerboseLogs {
+ log.Printf("http2: header list too large")
+ }
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
+ // but the struture of the server's frame writer makes this difficult.
+ return nil, ConnectionError(ErrCodeProtocol)
+ }
+
+ // Also close the connection after any CONTINUATION frame following an
+ // invalid header, since we stop tracking the size of the headers after
+ // an invalid one.
+ if invalid != nil {
+ if VerboseLogs {
+ log.Printf("http2: invalid header: %v", invalid)
+ }
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
+ // but the struture of the server's frame writer makes this difficult.
+ return nil, ConnectionError(ErrCodeProtocol)
+ }
+
if _, err := hdec.Write(frag); err != nil {
return nil, ConnectionError(ErrCodeCompression)
}
--
2.44.0


@ -1,15 +1,15 @@
From 8dbf1953b608a8931f0b77b2c285a5344dcf1aef Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki <pawelwi@microsoft.com>
Date: Wed, 3 Jul 2024 09:36:37 -0700
Subject: [PATCH] Updated 'go-git' to version 5.12.0.
From 67ac38d1f4733b423aaa462f2d6a9d5a8e2b42ee Mon Sep 17 00:00:00 2001
From: Sudipta Pandit <sudpandit@microsoft.com>
Date: Thu, 9 Jan 2025 16:33:00 +0530
Subject: [PATCH] Update go-git to v5.13.0 to fix CVE-2025-21613
---
go.mod | 43 +++++++++---------
go.sum | 136 +++++++++++++++++++++++++++++++--------------------------
2 files changed, 98 insertions(+), 81 deletions(-)
go.mod | 47 ++++++++++---------
go.sum | 144 ++++++++++++++++++++++++++++++++-------------------------
2 files changed, 106 insertions(+), 85 deletions(-)
diff --git a/go.mod b/go.mod
index 21cfd2a..0b45f62 100644
index 21cfd2a..dfb67e3 100644
--- a/go.mod
+++ b/go.mod
@@ -6,12 +6,12 @@ require (
@ -17,7 +17,7 @@ index 21cfd2a..0b45f62 100644
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
github.com/dsnet/compress v0.0.1
- github.com/go-git/go-git/v5 v5.4.2
+ github.com/go-git/go-git/v5 v5.12.0
+ github.com/go-git/go-git/v5 v5.13.0
github.com/go-openapi/runtime v0.25.0
github.com/gobwas/glob v0.2.3
github.com/gofrs/flock v0.8.1 // indirect
@ -32,26 +32,27 @@ index 21cfd2a..0b45f62 100644
github.com/pkg/sftp v1.13.2 // indirect
github.com/posener/complete v1.2.3
- github.com/stretchr/testify v1.8.2
+ github.com/stretchr/testify v1.9.0
+ github.com/stretchr/testify v1.10.0
github.com/ulikunitz/xz v0.5.10
github.com/zclconf/go-cty v1.10.0
github.com/zclconf/go-cty-yaml v1.0.1
- golang.org/x/crypto v0.14.0 // indirect
- golang.org/x/mod v0.8.0
- golang.org/x/net v0.17.0
+ golang.org/x/crypto v0.21.0 // indirect
+ golang.org/x/mod v0.12.0
+ golang.org/x/net v0.22.0
+ golang.org/x/crypto v0.31.0 // indirect
+ golang.org/x/mod v0.17.0
+ golang.org/x/net v0.33.0
golang.org/x/oauth2 v0.11.0
golang.org/x/sync v0.3.0
- golang.org/x/sync v0.3.0
- golang.org/x/sys v0.13.0 // indirect
- golang.org/x/term v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
- golang.org/x/tools v0.6.0
+ golang.org/x/sys v0.18.0 // indirect
+ golang.org/x/term v0.18.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
+ golang.org/x/tools v0.13.0
+ golang.org/x/sync v0.10.0
+ golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/term v0.27.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
+ golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
google.golang.org/api v0.128.0 // indirect
google.golang.org/grpc v1.59.0
)
@ -71,7 +72,7 @@ index 21cfd2a..0b45f62 100644
- github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
- github.com/acomagu/bufpipe v1.0.3 // indirect
+ github.com/Microsoft/go-winio v0.6.1 // indirect
+ github.com/ProtonMail/go-crypto v1.0.0 // indirect
+ github.com/ProtonMail/go-crypto v1.1.3 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/apparentlymart/go-cidr v1.0.1 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
@ -80,7 +81,7 @@ index 21cfd2a..0b45f62 100644
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
github.com/chzyer/test v1.0.0 // indirect
+ github.com/cloudflare/circl v1.3.7 // indirect
+ github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+ github.com/cyphar/filepath-securejoin v0.2.5 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/digitalocean/go-libvirt v0.0.0-20201209184759-e2a69bcd5bd1 // indirect
github.com/digitalocean/go-qemu v0.0.0-20210326154740-ac9e0b687001 // indirect
@ -92,7 +93,7 @@ index 21cfd2a..0b45f62 100644
- github.com/go-git/gcfg v1.5.0 // indirect
- github.com/go-git/go-billy/v5 v5.3.1 // indirect
+ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+ github.com/go-git/go-billy/v5 v5.5.0 // indirect
+ github.com/go-git/go-billy/v5 v5.6.0 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
@ -123,7 +124,7 @@ index 21cfd2a..0b45f62 100644
- github.com/sergi/go-diff v1.1.0 // indirect
+ github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/shoenig/go-m1cpu v0.1.5 // indirect
+ github.com/skeema/knownhosts v1.2.2 // indirect
+ github.com/skeema/knownhosts v1.3.0 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/tklauser/go-sysconf v0.3.11 // indirect
github.com/tklauser/numcpus v0.6.0 // indirect
@ -134,8 +135,14 @@ index 21cfd2a..0b45f62 100644
github.com/yusufpapurcu/wmi v1.2.2 // indirect
go.mongodb.org/mongo-driver v1.11.0 // indirect
go.opencensus.io v0.24.0 // indirect
@@ -216,4 +219,4 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
)
-go 1.20
+go 1.21
diff --git a/go.sum b/go.sum
index 78887ed..d8adb07 100644
index 78887ed..f4571c9 100644
--- a/go.sum
+++ b/go.sum
@@ -11,6 +11,8 @@ cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4=
@ -147,7 +154,7 @@ index 78887ed..d8adb07 100644
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
github.com/Azure/azure-sdk-for-go v51.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v64.0.0+incompatible h1:WAA77WBDWYtNfCC95V70VvkdzHe+wM/r2MQ9mG7fnQs=
@@ -70,25 +72,22 @@ github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3Q
@@ -70,36 +72,38 @@ github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3Q
github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60=
github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
@ -161,8 +168,8 @@ index 78887ed..d8adb07 100644
github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8=
-github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 h1:YoJbenK9C67SkzkDfmQuVln04ygHj3vjZfd9FL+GmQQ=
-github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
+github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
+github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
+github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
@ -176,57 +183,66 @@ index 78887ed..d8adb07 100644
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
github.com/antchfx/xpath v1.1.11 h1:WOFtK8TVAjLm3lbgqeP0arlHpvCEeTANeWZ/csPpJkQ=
+github.com/antchfx/xpath v1.1.11/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
github.com/antchfx/xquery v0.0.0-20180515051857-ad5b8c7a47b0 h1:JaCC8jz0zdMLk2m+qCCVLLLM/PL93p84w4pK3aJWj60=
+github.com/antchfx/xquery v0.0.0-20180515051857-ad5b8c7a47b0/go.mod h1:LzD22aAzDP8/dyiCKFp31He4m2GPjl0AFyzDtZzUu9M=
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -110,7 +109,6 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
@@ -131,6 +129,7 @@ github.com/biogo/hts v1.4.3 h1:vir2yUTiRkPvtp6ZTpzh9lWTKQJZXJKZ563rpAQAsRM=
github.com/biogo/hts v1.4.3/go.mod h1:eW40HJ1l2ExK9C+yvvoRSftInqWsf3ue+zAEjzCGWjA=
github.com/bmatcuk/doublestar v1.1.5 h1:2bNwBOmhyFEFcoB3tGvTD5xanq+4kyOZlB8wFYbMjkk=
github.com/bmatcuk/doublestar v1.1.5/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
@@ -147,6 +146,9 @@ github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38
github.com/apparentlymart/go-cidr v1.0.1 h1:NmIwLZ/KdsjIUlhf+/Np40atNXm/+lZ5txfTJ/SpF+U=
github.com/apparentlymart/go-cidr v1.0.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3 h1:ZSTrOEhiM5J5RFxEaFvMZVEAM1KvT1YzbEOwB2EAGjA=
+github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM=
github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/approvals/go-approval-tests v0.0.0-20210131072903-38d0b0ec12b1 h1:uroQ0JaeVom9Ffv9xFtc7DcqrpGmyQeZCRzHD9FqPBg=
+github.com/approvals/go-approval-tests v0.0.0-20210131072903-38d0b0ec12b1/go.mod h1:PJOqSY8IofNv3heAD6k8E7EfFS6okiSS9bSAasaAUME=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs=
@@ -147,6 +151,8 @@ github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38
github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
@@ -165,6 +167,8 @@ github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDG
@@ -165,6 +171,8 @@ github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDG
github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
+github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -188,8 +192,9 @@ github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:Htrtb
@@ -177,6 +185,7 @@ github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQ
github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
+github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v1.4.2-0.20200319182547-c7ad2b866182/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
@@ -188,8 +197,11 @@ github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:Htrtb
github.com/dylanmei/iso8601 v0.1.0 h1:812NGQDBcqquTfH5Yeo7lwR0nzx/cKdsmf3qMjPURUI=
github.com/dylanmei/iso8601 v0.1.0/go.mod h1:w9KhXSgIyROl1DefbMYIE7UVSIvELTbMrCfx+QkYnoQ=
github.com/dylanmei/winrmtest v0.0.0-20170819153634-c2fbb09e6c08 h1:0bp6/GrNOrTDtSXe9YYGCwf8jp5Fb/b+4a6MTRm4qzY=
-github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
-github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/dylanmei/winrmtest v0.0.0-20170819153634-c2fbb09e6c08/go.mod h1:VBVDFSBXCIW8JaHQpI8lldSKfYaLMzP9oyq6IJ4fhzY=
+github.com/elazarl/goproxy v1.2.1 h1:njjgvO6cRG9rIqN2ebkqy6cQz2Njkx7Fsfv/zIZqgug=
+github.com/elazarl/goproxy v1.2.1/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -202,24 +207,20 @@ github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL
@@ -202,24 +214,22 @@ github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL
github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc=
github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
@ -238,7 +254,8 @@ index 78887ed..d8adb07 100644
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
-github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
-github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E=
@ -251,15 +268,24 @@ index 78887ed..d8adb07 100644
-github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-billy/v5 v5.6.0 h1:w2hPNtoehvJIxR00Vb4xX94qHQi/ApZfX+nBE2Cjio8=
+github.com/go-git/go-billy/v5 v5.6.0/go.mod h1:sFDq7xD3fn3E0GOwUSZqHo9lrkmx8xJhA0ZrfvjBRGM=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
+github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.13.0 h1:vLn5wlGIh/X78El6r3Jr+30W16Blk0CTcxTYcYPWi5E=
+github.com/go-git/go-git/v5 v5.13.0/go.mod h1:Wjo7/JyVKtQgUNdXYXIepzWfJQkUEIGvkvVkiXRR/zw=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -353,8 +354,9 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
@@ -273,6 +283,7 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me
github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
+github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg=
@@ -353,8 +364,9 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@ -270,7 +296,23 @@ index 78887ed..d8adb07 100644
github.com/google/go-github/v33 v33.0.1-0.20210113204525-9318e629ec69 h1:zL0/Ug5CMhV0XRb3A6vnK1SQ9kJM3VIyRxPQ5t9w8Bg=
github.com/google/go-github/v33 v33.0.1-0.20210113204525-9318e629ec69/go.mod h1:GMdDnVZY/2TsWgp/lkYnpSAh6TrzhANBBwm6k6TTEXg=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -504,7 +506,6 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
@@ -362,6 +374,7 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
+github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
@@ -417,6 +430,7 @@ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI=
+github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
@@ -504,7 +518,6 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jehiah/go-strftime v0.0.0-20171201141054-1d33003b3869 h1:IPJ3dvxmJ4uczJe5YQdrYB16oTJlGSC/OyZDqUk9xX4=
github.com/jehiah/go-strftime v0.0.0-20171201141054-1d33003b3869/go.mod h1:cJ6Cj7dQo+O6GJNiMx+Pa94qKj+TG8ONdKHgMNIyyag=
@ -278,7 +320,7 @@ index 78887ed..d8adb07 100644
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
@@ -519,8 +520,8 @@ github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
@@ -519,8 +532,8 @@ github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
@ -289,17 +331,18 @@ index 78887ed..d8adb07 100644
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -538,8 +539,7 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
@@ -538,8 +551,8 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -560,9 +560,6 @@ github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 h1:2ZKn+w/BJeL
@@ -560,9 +573,6 @@ github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 h1:2ZKn+w/BJeL
github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786/go.mod h1:kCEbxUJlNDEBNbdQMkPSp6yaKcRXVI6f4ddk8Riv4bc=
github.com/masterzen/winrm v0.0.0-20210623064412-3b76017826b0 h1:KqYuDbSr8I2X8H65InN8SafDEa0UaLRy6WEmxDqd0F0=
github.com/masterzen/winrm v0.0.0-20210623064412-3b76017826b0/go.mod h1:l31LCh9VvG43RJ83A5JLkFPjuz48cZAxBSLQLaIn1p8=
@ -309,15 +352,16 @@ index 78887ed..d8adb07 100644
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -637,6 +634,7 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn
@@ -637,6 +647,8 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -658,6 +656,8 @@ github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9F
@@ -658,6 +670,8 @@ github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9F
github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pierrec/lz4/v4 v4.1.18 h1:xaKrnTkyoqfh1YItXl56+6KJNVYWlEEPuAQW9xsplYQ=
github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
@ -326,17 +370,19 @@ index 78887ed..d8adb07 100644
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -694,7 +694,7 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
@@ -694,16 +708,18 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
@@ -702,8 +702,8 @@ github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIH
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
@ -346,38 +392,39 @@ index 78887ed..d8adb07 100644
github.com/shirou/gopsutil/v3 v3.23.4 h1:hZwmDxZs7Ewt75DV81r4pFMqbq+di2cbt9FsQBqLD2o=
github.com/shirou/gopsutil/v3 v3.23.4/go.mod h1:ZcGxyfzAMRevhUR2+cfhXDH6gQdFYE/t8j1nsU4mPI8=
github.com/shoenig/go-m1cpu v0.1.5 h1:LF57Z/Fpb/WdGLjt2HZilNnmZOxg/q2bSKTQhgbrLrQ=
@@ -715,6 +715,9 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
@@ -715,6 +731,9 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
+github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
+github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
@@ -724,8 +727,8 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
@@ -724,8 +743,9 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -735,8 +738,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
@@ -735,8 +755,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
@@ -756,8 +760,8 @@ github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+
@@ -756,8 +777,8 @@ github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+
github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
github.com/vmware/govmomi v0.29.0 h1:SHJQ7DUc4fltFZv16znJNGHR1/XhiDK5iKxm2OqwkuU=
github.com/vmware/govmomi v0.29.0/go.mod h1:F7adsVewLNHsW/IIm7ziFURaXDaHEwcc+ym4r3INMdY=
@ -388,7 +435,15 @@ index 78887ed..d8adb07 100644
github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
@@ -793,7 +797,6 @@ go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -786,6 +807,7 @@ go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
go.opentelemetry.io/otel v1.11.1 h1:4WLLAmcfkmDk2ukNXJyq3/kiz/3UzCaYq6PskJsaou4=
go.opentelemetry.io/otel v1.11.1/go.mod h1:1nNhXBbWSD0nsL38H6btgnFN2k4i0sNLHNNMZMSbUGE=
go.opentelemetry.io/otel/sdk v1.11.1 h1:F7KmQgoHljhUuJyA+9BiU+EkJfyX5nVVF4wyzWZpKxs=
+go.opentelemetry.io/otel/sdk v1.11.1/go.mod h1:/l3FE4SupHJ12TduVjUkZtlfFqDCQJlOlithYrdktys=
go.opentelemetry.io/otel/trace v1.11.1 h1:ofxdnzsNrGBYXbP7t7zpUK281+go5rF7dvdIZXF8gdQ=
go.opentelemetry.io/otel/trace v1.11.1/go.mod h1:f/Q9G7vzk5u91PhbmKbg1Qn0rzH1LJ4vbPHFGkTPtOk=
go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
@@ -793,7 +815,6 @@ go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@ -396,7 +451,7 @@ index 78887ed..d8adb07 100644
golang.org/x/crypto v0.0.0-20190222235706-ffb98f73852f/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@@ -809,13 +812,14 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
@@ -809,17 +830,18 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@ -407,25 +462,29 @@ index 78887ed..d8adb07 100644
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4=
@@ -834,8 +838,9 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -834,8 +856,8 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -861,14 +866,16 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
@@ -861,14 +883,13 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@ -437,23 +496,23 @@ index 78887ed..d8adb07 100644
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
@@ -883,6 +890,7 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
@@ -883,8 +904,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -900,7 +908,6 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -900,7 +921,6 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -461,7 +520,7 @@ index 78887ed..d8adb07 100644
golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -912,34 +919,38 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7w
@@ -912,34 +932,32 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -487,60 +546,43 @@ index 78887ed..d8adb07 100644
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -947,8 +958,11 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -947,8 +965,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
@@ -973,8 +987,9 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
@@ -973,8 +991,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.0.0-20200711155855-7342f9734a7d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1035,7 +1050,6 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
--
2.34.1


@ -0,0 +1 @@
# fixed by CVE-2025-21613.patch file


@ -1,6 +1,6 @@
{
"Signatures": {
"packer-1.9.5-vendor.tar.gz": "356f442fec9bd414cc9fdf82ed829f92551509bfea11e7f4c79c6dd0e9a66a87",
"packer-1.9.5-vendor-v2.tar.gz": "4b77d1bba3adb00a8a410b8a507df96f66e2b36a016d49300b08f77c8d3f7245",
"packer-1.9.5.tar.gz": "a6da3e455578f5373c5e333023a7be483e9c22f4235ccd599fe39d42df55f870"
}
}


@ -5,7 +5,7 @@ Summary: Tool for creating identical machine images for multiple platform
Name: packer
Epoch: 1
Version: 1.9.5
Release: 5%{?dist}
Release: 7%{?dist}
License: MPLv2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -18,7 +18,7 @@ Source0: https://github.com/hashicorp/packer/archive/refs/tags/v%{version
# 1. wget https://github.com/hashicorp/packer/archive/v%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
# 2. tar -xf %%{name}-%%{version}.tar.gz
# 3. cd %%{name}-%%{version}
# 4. Apply all patches affecting "go.mod" and "go.sum" files. Example: CVE-2023-49569.patch.
# 4. Apply all patches affecting "go.mod" and "go.sum" files. Example: CVE-2025-21613.patch.
# 5. go mod vendor
# 6. tar --sort=name \
# --mtime="2021-04-26 00:00Z" \
@ -31,13 +31,11 @@ Source0: https://github.com/hashicorp/packer/archive/refs/tags/v%{version
# - The additional options enable generation of a tarball with the same hash every time regardless of the environment.
# See: https://reproducible-builds.org/docs/archives/
# - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2023-45288.patch
Patch1: CVE-2022-3064.patch
Patch2: CVE-2023-49569.patch
Patch3: CVE-2024-6104.patch
Patch4: CVE-2024-24786.patch
Patch5: CVE-2024-45337.patch
Source1: %{name}-%{version}-vendor-v2.tar.gz
Patch0: CVE-2022-3064.patch
Patch1: CVE-2024-6104.patch
Patch2: CVE-2024-24786.patch
Patch3: CVE-2025-21613.patch
BuildRequires: golang
BuildRequires: kernel-headers
BuildRequires: glibc-devel
@ -71,6 +69,13 @@ go test -mod=vendor
%{_bindir}/packer
%changelog
* Mon Jan 13 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.9.5-7
- Add patch for CVE-2025-21613 and CVE-2025-21614
- Remove patch for CVE-2023-45288, CVE-2023-49569, CVE-2024-45337, CVE-2024-45338
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.9.5-6
- Add patch for CVE-2024-45338.
* Tue Dec 17 2024 Andrew Phelps <anphel@microsoft.com> - 1.9.5-5
- Add patch for CVE-2024-45337
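Review bot: The 1.9.5-7 changelog entry lists CVE-2023-45288, CVE-2023-49569, CVE-2024-45337 and CVE-2024-45338 as removed patches without saying what covers them now. Presumably the dependency bumps in CVE-2025-21613.patch and the regenerated `%{name}-%{version}-vendor-v2.tar.gz` do, but the spec does not record that, so a later reader or a scanner keyed on patch names cannot tell the fixes are still present. I would extend the line to something like `- Remove patches for CVE-2023-45288, CVE-2023-49569, CVE-2024-45337, CVE-2024-45338 (fixed by the module versions in the vendor-v2 tarball)`, after checking the vendored module versions against each advisory.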


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1
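Review bot: `strings.EqualFold` is not an exact replacement for the old `strings.ToLower(x) == literal` test, because it applies Unicode simple case folding. In the parseDoctype hunk the DTD literal contains an `s`, so a system identifier written with U+017F (long s) in its place now compares equal where it did not before. The `hidden`, `text/html` and `application/xhtml+xml` literals have no letter with a non-ASCII fold partner, as far as I can tell, so those comparisons are unaffected. The effect looks limited to quirks-mode selection, but a short comment such as `// EqualFold folds Unicode case; accepted here, only affects quirks detection` would record that it is deliberate. The same patch is added again for other packages later in this commit, so this applies there too; the enclosing functions start and end outside the hunks.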


@ -1,7 +1,7 @@
Summary: Kubernetes Custom, Resource, and External Metric APIs implemented to work with Prometheus.
Name: prometheus-adapter
Version: 0.10.0
Release: 15%{?dist}
Release: 16%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -9,6 +9,7 @@ URL: https://github.com/kubernetes-sigs/prometheus-adapter
Source0: https://github.com/kubernetes-sigs/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: CVE-2024-24786.patch
Patch1: CVE-2022-32149.patch
Patch2: CVE-2024-45338.patch
BuildRequires: golang
%description
@ -43,6 +44,9 @@ make test
%doc README.md RELEASE.md
%changelog
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 0.10.0-16
- Add patch for CVE-2024-45338.
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.10.0-15
- Bump release to rebuild with go 1.22.7


@ -0,0 +1,32 @@
From 739028358bdb8ecbff4dd7c13c316d934ec5cbbd Mon Sep 17 00:00:00 2001
From: Kanishk-Bansal <kbkanishk975@gmail.com>
Date: Thu, 2 Jan 2025 10:07:33 +0000
Subject: [PATCH] Fix CVE-2024-56201
---
src/jinja2/compiler.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/jinja2/compiler.py b/src/jinja2/compiler.py
index 52fd5b8..0314f67 100644
--- a/src/jinja2/compiler.py
+++ b/src/jinja2/compiler.py
@@ -1122,9 +1122,14 @@ class CodeGenerator(NodeVisitor):
)
self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
self.indent()
+ # The position will contain the template name, and will be formatted
+ # into a string that will be compiled into an f-string. Curly braces
+ # in the name must be replaced with escapes so that they will not be
+ # executed as part of the f-string.
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
message = (
"the template {included_template.__name__!r}"
- f" (imported on {self.position(node)})"
+ f" (imported on {position})"
f" does not export the requested name {name!r}"
)
self.writeline(
--
2.45.2


@ -0,0 +1,142 @@
From c81e4a5da52f6782157d608356c9a82eaf908a89 Mon Sep 17 00:00:00 2001
From: Kanishk-Bansal <kbkanishk975@gmail.com>
Date: Thu, 2 Jan 2025 11:09:30 +0000
Subject: [PATCH] Fix CVE-2024-56326
---
src/jinja2/sandbox.py | 77 ++++++++++++++++++++++---------------------
1 file changed, 40 insertions(+), 37 deletions(-)
diff --git a/src/jinja2/sandbox.py b/src/jinja2/sandbox.py
index 4294884..96519a2 100644
--- a/src/jinja2/sandbox.py
+++ b/src/jinja2/sandbox.py
@@ -7,6 +7,7 @@ import typing as t
from _string import formatter_field_name_split # type: ignore
from collections import abc
from collections import deque
+from functools import update_wrapper
from string import Formatter
from markupsafe import EscapeFormatter
@@ -80,19 +81,6 @@ _mutable_spec: t.Tuple[t.Tuple[t.Type, t.FrozenSet[str]], ...] = (
)
-def inspect_format_method(callable: t.Callable) -> t.Optional[str]:
- if not isinstance(
- callable, (types.MethodType, types.BuiltinMethodType)
- ) or callable.__name__ not in ("format", "format_map"):
- return None
-
- obj = callable.__self__
-
- if isinstance(obj, str):
- return obj
-
- return None
-
def safe_range(*args: int) -> range:
"""A range that can't generate ranges with a length of more than
@@ -313,6 +301,9 @@ class SandboxedEnvironment(Environment):
except AttributeError:
pass
else:
+ fmt = self.wrap_str_format(value)
+ if fmt is not None:
+ return fmt
if self.is_safe_attribute(obj, argument, value):
return value
return self.unsafe_undefined(obj, argument)
@@ -330,6 +321,9 @@ class SandboxedEnvironment(Environment):
except (TypeError, LookupError):
pass
else:
+ fmt = self.wrap_str_format(value)
+ if fmt is not None:
+ return fmt
if self.is_safe_attribute(obj, attribute, value):
return value
return self.unsafe_undefined(obj, attribute)
@@ -345,34 +339,46 @@ class SandboxedEnvironment(Environment):
exc=SecurityError,
)
- def format_string(
- self,
- s: str,
- args: t.Tuple[t.Any, ...],
- kwargs: t.Dict[str, t.Any],
- format_func: t.Optional[t.Callable] = None,
- ) -> str:
- """If a format call is detected, then this is routed through this
- method so that our safety sandbox can be used for it.
+ def wrap_str_format(self, value: t.Any) -> t.Optional[t.Callable[..., str]]:
+ """If the given value is a ``str.format`` or ``str.format_map`` method,
+ return a new function than handles sandboxing. This is done at access
+ rather than in :meth:`call`, so that calls made without ``call`` are
+ also sandboxed.
"""
+ if not isinstance(
+ value, (types.MethodType, types.BuiltinMethodType)
+ ) or value.__name__ not in ("format", "format_map"):
+ return None
+ f_self: t.Any = value.__self__
+ if not isinstance(f_self, str):
+ return None
+ str_type: t.Type[str] = type(f_self)
+ is_format_map = value.__name__ == "format_map"
formatter: SandboxedFormatter
- if isinstance(s, Markup):
- formatter = SandboxedEscapeFormatter(self, escape=s.escape)
+
+ if isinstance(f_self, Markup):
+ formatter = SandboxedEscapeFormatter(self, escape=f_self.escape)
else:
formatter = SandboxedFormatter(self)
- if format_func is not None and format_func.__name__ == "format_map":
- if len(args) != 1 or kwargs:
- raise TypeError(
- "format_map() takes exactly one argument"
- f" {len(args) + (kwargs is not None)} given"
- )
+ vformat = formatter.vformat
+
+ def wrapper(*args: t.Any, **kwargs: t.Any) -> str:
+ if is_format_map:
+ if kwargs:
+ raise TypeError("format_map() takes no keyword arguments")
+
+ if len(args) != 1:
+ raise TypeError(
+ f"format_map() takes exactly one argument ({len(args)} given)"
+ )
+
+ kwargs = args[0]
+ args = ()
- kwargs = args[0]
- args = ()
+ return str_type(vformat(f_self, args, kwargs))
- rv = formatter.vformat(s, args, kwargs)
- return type(s)(rv)
+ return update_wrapper(wrapper, value)
def call(
__self, # noqa: B902
@@ -382,9 +388,6 @@ class SandboxedEnvironment(Environment):
**kwargs: t.Any,
) -> t.Any:
"""Call an object from sandboxed code."""
- fmt = inspect_format_method(__obj)
- if fmt is not None:
- return __self.format_string(fmt, args, kwargs, __obj)
# the double prefixes are to avoid double keyword argument
# errors when proxying the call.
--
2.45.2
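Review bot: This backport deletes the module-level `inspect_format_method` and the method `SandboxedEnvironment.format_string`, so code that imports the former, or overrides or calls the latter, breaks after what the spec presents as a security-only release bump. Moving the check to attribute access through `wrap_str_format` is the actual fix and should stay; whether anything in the distribution depends on the removed names is not visible here. I would either state the removal in the package changelog or keep thin compatibility definitions that delegate to the new wrapper. Separately, the new docstring reads `return a new function than handles sandboxing`, where `than` should be `that`.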


@ -1,7 +1,7 @@
Summary: A fast and easy to use template engine written in pure Python
Name: python-jinja2
Version: 3.0.3
Release: 4%{?dist}
Release: 5%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
@ -10,6 +10,8 @@ URL: https://jinja.pocoo.org/
Source0: https://files.pythonhosted.org/packages/91/a5/429efc6246119e1e3fbf562c00187d04e83e54619249eb732bb423efa6c6/Jinja2-%{version}.tar.gz
Patch0: CVE-2024-22195.patch
Patch1: CVE-2024-34064.patch
Patch2: CVE-2024-56201.patch
Patch3: CVE-2024-56326.patch
BuildArch: noarch
%description
@ -55,6 +57,9 @@ tox -e py%{python3_version_nodots}
%{python3_sitelib}/Jinja2-%{version}-py%{python3_version}.egg-info
%changelog
* Thu Jan 2 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.0.3-5
- Address CVE-2024-56201, CVE-2024-56326.patch with an upstream patch.
* Wed May 22 2024 Sudipta Pandit <sudpandit@microsoft.com> - 3.0.3-4
- Backport CVE-2024-34064 from upstream (based on previous backport of CVE-2024-22195)


@ -1,5 +1,5 @@
{
"Signatures": {
"rsync-3.2.5.tar.gz": "2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba"
"rsync-3.4.1.tar.gz": "2924bcb3a1ed8b551fc101f740b9f0fe0a202b115027647cf69850d65fd88c52"
}
}


@ -1,6 +1,6 @@
Summary: Fast incremental file transfer.
Name: rsync
Version: 3.2.5
Version: 3.4.1
Release: 1%{?dist}
License: GPLv3+
Vendor: Microsoft Corporation
@ -60,6 +60,9 @@ EOF
%{_sysconfdir}/rsyncd.conf
%changelog
* Wed Jan 15 2025 Henry Beberman <henry.beberman@microsoft.com> - 3.4.1-1
- Upgrade to version 3.4.1 to fix CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
* Tue Aug 16 2022 Muhammad Falak <mwani@microsoft.com> - 3.2.5-1
- Bump version to address CVE-2022-29154


@ -0,0 +1,37 @@
From be474a81dc2d9010ac16f9690f97cf7ff68b36d7 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani <falakreyaz@gmail.com>
Date: Sun, 29 Dec 2024 17:47:45 +0530
Subject: [PATCH] CVE-2024-54661: Arbitrary file overwrite in readline.sh
Link: https://repo.or.cz/socat.git/commit/4ee1f31cf80019c5907876576d6dfd49368d660f
Author: Gerhard Rieger <gerhard@dest-unreach.org>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
readline.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/readline.sh b/readline.sh
index b6f8438..1045303 100755
--- a/readline.sh
+++ b/readline.sh
@@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
else
HISTOPT=
fi
-mkdir -p /tmp/$USER || exit 1
#
#
-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
+if test -w .; then
+ STDERR=./socat-readline.${1##*/}.log
+ rm -f $STDERR
+else
+ STDERR=/dev/null
+fi
+
+exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
--
2.40.1
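Review bot: `$STDERR` is expanded unquoted in both `rm -f $STDERR` and `2>$STDERR`, and its value is built from `${1##*/}`, so a first argument containing whitespace or glob characters is split or expanded before `rm` and the redirection see it. Quote both uses: `rm -f "$STDERR"` and `2>"$STDERR"`. The log name is also still predictable and is created by a plain redirection after the `rm`, so the remove-then-create sequence is not atomic when other users can write to the working directory. Enabling noclobber (`set -C`) before the `exec`, or falling back to `/dev/null` in that case, would narrow that gap. Whether `$1` still holds the program name at this point depends on option parsing outside the hunk.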


@ -1,19 +1,20 @@
Summary: Multipurpose relay (SOcket CAT)
Name: socat
Version: 1.7.4.3
Release: 1%{?dist}
Release: 2%{?dist}
License: GPL2
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/Internet
URL: http://www.dest-unreach.org/socat
Source0: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
Patch0: CVE-2024-54661.patch
%description
Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.
%prep
%setup -q
%autosetup -p1
%build
./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}
@ -36,6 +37,9 @@ make %{?_smp_mflags} test
%{_mandir}/man1/*
%changelog
* Sun Dec 29 2024 Muhammad Falak <mwani@microsoft.com> - 1.7.4.3-2
- Patch CVE-2024-54661
* Mon Jan 24 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 1.7.4.3-1
- Update to version 1.7.4.3.


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: Plugin for discovering and advertising networking resources
Name: sriov-network-device-plugin
Version: 3.6.2
Release: 6%{?dist}
Release: 7%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -9,6 +9,7 @@ URL: https://github.com/k8snetworkplumbingwg/sriov-network-device-plu
Source0: https://github.com/k8snetworkplumbingwg/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: CVE-2023-45288.patch
Patch1: CVE-2024-24786.patch
Patch2: CVE-2024-45338.patch
BuildRequires: golang
Requires: gawk
Requires: hwdata
@ -36,6 +37,9 @@ install -D -m0755 images/ddptool-1.0.1.12.tar.gz %{buildroot}%{_datadir}/%{name}
%{_datadir}/%{name}/ddptool-1.0.1.12.tar.gz
%changelog
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 3.6.2-7
- Add patch for CVE-2024-45338.
* Thu Nov 11 2024 Vince Perri <viperri@microsoft.com> - 3.6.2-6
- Patch CVE-2024-24786 (vendored google.golang.org/protobuf)


@ -1,5 +1,3 @@
https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch
From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Tue, 3 Dec 2024 09:03:03 -0800
@ -32,10 +30,11 @@ Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++----
vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index c0d1c29e6f..5b5ccd96f4 100644
index c2dfe326..39dcc095 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
@ -75,3 +74,6 @@ index c0d1c29e6f..5b5ccd96f4 100644
}
// ServerConn is an authenticated SSH connection, as seen from the
--
2.25.1


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a9..bca3ae9a 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9dc..e8515d8e 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89eda..5b8374bf 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -1,7 +1,7 @@
Summary: agent for collecting, processing, aggregating, and writing metrics.
Name: telegraf
Version: 1.29.4
Release: 9%{?dist}
Release: 10%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -17,6 +17,8 @@ Patch3: CVE-2024-35255.patch
Patch4: CVE-2024-37298.patch
Patch5: CVE-2024-24786.patch
Patch6: CVE-2024-28180.patch
Patch7: CVE-2024-45337.patch
Patch8: CVE-2024-45338.patch
BuildRequires: golang
BuildRequires: iana-etc
BuildRequires: systemd-devel
@ -87,6 +89,9 @@ fi
%dir %{_sysconfdir}/%{name}/telegraf.d
%changelog
* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.29.4-10
- Add patch for CVE-2024-45337 & CVE-2024-45338.
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.29.4-9
- Bump release to rebuild with go 1.22.7
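Review bot: Patch7 and Patch8 are declared in the second hunk, but no hunk in this spec touches %prep, so they only take effect if %prep (outside the hunks shown) already applies every declared patch, for example through `%autosetup -p1` or `%autopatch -p1`. A spec that applies patches one by one would also need `%patch7 -p1` and `%patch8 -p1`. Because the CVE-2024-45338 patch edits files under `vendor/`, it must also run after the vendor tree has been unpacked. The same check applies to Patch7 in the terraform spec and to Patch0 in the vitess spec further down, where it is presumably the first patch that spec declares and its vendor tree comes from Source1.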


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1
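Review bot: This backport changes only the vendored sources (the diffstat lists doctype.go, foreign.go and parse.go), so the x/net module version recorded for the build, in go.mod, vendor/modules.txt and the build info embedded in the binary, presumably still names the unpatched release. Version-based scanners will then keep reporting CVE-2024-45338 against the package even though the code path is fixed. I would record the backport where triage will find it, for example a spec comment next to the Patch line such as `# CVE-2024-45338: backport of golang.org/x/net commit 8e66b04771e3 into vendor/; module version unchanged`. The same applies to the identical copies of this patch elsewhere on the page.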


@ -1,7 +1,7 @@
Summary: Infrastructure as code deployment management tool
Name: terraform
Version: 1.3.2
Release: 20%{?dist}
Release: 21%{?dist}
License: MPLv2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -34,6 +34,7 @@ Patch3: CVE-2024-6104.patch
Patch4: CVE-2022-32149.patch
Patch5: CVE-2023-4782.patch
Patch6: CVE-2024-24786.patch
Patch7: CVE-2024-45338.patch
%global debug_package %{nil}
%define our_gopath %{_topdir}/.gopath
@ -67,6 +68,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
%{_bindir}/terraform
%changelog
* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-21
- Add patch for CVE-2024-45338
* Wed Dec 04 2024 bhapathak <bhapathak@microsoft.com> - 1.3.2-20
- Patch CVE-2024-24786


@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.
Thanks to Guido Vranken for reporting this issue.
Fixes golang/go#70906
Fixes CVE-2024-45338
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1


@ -3,7 +3,7 @@
Name: vitess
Version: 17.0.7
Release: 2%{?dist}
Release: 3%{?dist}
Summary: Database clustering system for horizontal scaling of MySQL
# Upstream license specification: MIT and Apache-2.0
License: MIT and ASL 2.0
@ -26,6 +26,7 @@ Source0: %{name}-%{version}.tar.gz
# -cf %%{name}-%%{version}-vendor.tar.gz vendor
#
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2024-45338.patch
BuildRequires: golang
%description
@ -103,6 +104,9 @@ go check -t go/cmd \
%{_bindir}/*
%changelog
* Thu Jan 02 2025 Sumedh Sharma <sumsharma@microsoft.com> - 17.0.7-3
- Add patch for CVE-2024-45338.
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 17.0.7-2
- Bump release to rebuild with go 1.22.7


@ -3503,16 +3503,6 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "fdk-aac-free",
"version": "2.0.0",
"downloadUrl": "https://people.freedesktop.org/~wtay/fdk-aac-free-2.0.0.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -4100,8 +4090,8 @@
"type": "other",
"other": {
"name": "gcr",
"version": "3.36.0",
"downloadUrl": "https://download.gnome.org/sources/gcr/3.36/gcr-3.36.0.tar.xz"
"version": "3.38.1",
"downloadUrl": "https://download.gnome.org/sources/gcr/3.38/gcr-3.38.1.tar.xz"
}
}
},
@ -13673,8 +13663,8 @@
"type": "other",
"other": {
"name": "msft-golang",
"version": "1.22.8",
"downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.8-1/go1.22.8-20241001.6.src.tar.gz"
"version": "1.23.3",
"downloadUrl": "https://github.com/microsoft/go/releases/download/v1.23.3-2/go1.23.3-20241202.3.src.tar.gz"
}
}
},
@ -15599,26 +15589,6 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "opus",
"version": "1.3.1",
"downloadUrl": "http://downloads.xiph.org/releases/opus/opus-1.3.1.tar.gz"
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "opusfile",
"version": "0.12",
"downloadUrl": "https://downloads.xiph.org/releases/opus/opusfile-0.12.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -25845,8 +25815,8 @@
"type": "other",
"other": {
"name": "rsync",
"version": "3.2.5",
"downloadUrl": "https://download.samba.org/pub/rsync/src/rsync-3.2.5.tar.gz"
"version": "3.4.1",
"downloadUrl": "https://download.samba.org/pub/rsync/src/rsync-3.4.1.tar.gz"
}
}
},


@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
chkconfig-1.20-4.cm2.aarch64.rpm
chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
chkconfig-lang-1.20-4.cm2.aarch64.rpm
cmake-3.21.4-14.cm2.aarch64.rpm
cmake-debuginfo-3.21.4-14.cm2.aarch64.rpm
cmake-3.21.4-15.cm2.aarch64.rpm
cmake-debuginfo-3.21.4-15.cm2.aarch64.rpm
coreutils-8.32-7.cm2.aarch64.rpm
coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
coreutils-lang-8.32-7.cm2.aarch64.rpm
@ -518,7 +518,7 @@ python3-Cython-0.29.33-2.cm2.aarch64.rpm
python3-debuginfo-3.9.19-8.cm2.aarch64.rpm
python3-devel-3.9.19-8.cm2.aarch64.rpm
python3-gpg-1.16.0-2.cm2.aarch64.rpm
python3-jinja2-3.0.3-4.cm2.noarch.rpm
python3-jinja2-3.0.3-5.cm2.noarch.rpm
python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
python3-libs-3.9.19-8.cm2.aarch64.rpm
python3-libxml2-2.10.4-4.cm2.aarch64.rpm


@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
chkconfig-1.20-4.cm2.x86_64.rpm
chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
chkconfig-lang-1.20-4.cm2.x86_64.rpm
cmake-3.21.4-14.cm2.x86_64.rpm
cmake-debuginfo-3.21.4-14.cm2.x86_64.rpm
cmake-3.21.4-15.cm2.x86_64.rpm
cmake-debuginfo-3.21.4-15.cm2.x86_64.rpm
coreutils-8.32-7.cm2.x86_64.rpm
coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
coreutils-lang-8.32-7.cm2.x86_64.rpm
@ -524,7 +524,7 @@ python3-Cython-0.29.33-2.cm2.x86_64.rpm
python3-debuginfo-3.9.19-8.cm2.x86_64.rpm
python3-devel-3.9.19-8.cm2.x86_64.rpm
python3-gpg-1.16.0-2.cm2.x86_64.rpm
python3-jinja2-3.0.3-4.cm2.noarch.rpm
python3-jinja2-3.0.3-5.cm2.noarch.rpm
python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
python3-libs-3.9.19-8.cm2.x86_64.rpm
python3-libxml2-2.10.4-4.cm2.x86_64.rpm