[AUTO-CHERRYPICK] Upgrade mysql to 8.0.40 - branch main (#10809)

Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>

SPECS/mysql/CVE-2023-46218.patch

@@ -1,50 +0,0 @@
-From f35969c8cacf16cac88f79cbb0ab0ffd6e5e037f Mon Sep 17 00:00:00 2001
-From: Suresh Thelkar <sthelkar@microsoft.com>
-Date: Wed, 20 Dec 2023 12:51:01 +0530
-Subject: [PATCH] Patch for CVE-2023-46218
-
-Upstream patch details are given below
-https://github.com/curl/curl/commit/2b0994c29a721c91c57
----
- extra/curl/curl-8.4.0/lib/cookie.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/extra/curl/curl-8.4.0/lib/cookie.c b/extra/curl/curl-8.4.0/lib/cookie.c
-index af01203a..57b2ad9a 100644
---- a/extra/curl/curl-8.4.0/lib/cookie.c
-+++ b/extra/curl/curl-8.4.0/lib/cookie.c
-@@ -1029,15 +1029,23 @@ Curl_cookie_add(struct Curl_easy *data,
-    * dereference it.
-    */
-   if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
--    const psl_ctx_t *psl = Curl_psl_use(data);
--    int acceptable;
--
--    if(psl) {
--      acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
--      Curl_psl_release(data);
-+    bool acceptable = FALSE;
-+    char lcase[256];
-+    char lcookie[256];
-+    size_t dlen = strlen(domain);
-+    size_t clen = strlen(co->domain);
-+    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
-+      const psl_ctx_t *psl = Curl_psl_use(data);
-+      if(psl) {
-+        /* the PSL check requires lowercase domain name and pattern */
-+        Curl_strntolower(lcase, domain, dlen + 1);
-+        Curl_strntolower(lcookie, co->domain, clen + 1);
-+        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
-+        Curl_psl_release(data);
-+      }
-+      else
-+        acceptable = !bad_domain(domain, strlen(domain));
-     }
--    else
--      acceptable = !bad_domain(domain, strlen(domain));
- 
-     if(!acceptable) {
-       infof(data, "cookie '%s' dropped, domain '%s' must not "
--- 
-2.38.1
-

SPECS/mysql/mysql.signatures.json

@@ -1,5 +1,5 @@
 {
-  "Signatures": {
-    "mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d"
-  }
-}
+ "Signatures": {
+  "mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9"
+ }
+}

SPECS/mysql/mysql.spec

@@ -1,6 +1,6 @@
 Summary:        MySQL.
 Name:           mysql
-Version:        8.0.36
+Version:        8.0.40
 Release:        1%{?dist}
 License:        GPLv2 with exceptions AND LGPLv2 AND BSD
 Vendor:         Microsoft Corporation
@@ -9,7 +9,6 @@ Group:          Applications/Databases
 URL:            https://www.mysql.com
 Source0:        https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz
 Patch0:         CVE-2012-5627.nopatch
-Patch1:         CVE-2023-46218.patch
 BuildRequires:  cmake
 BuildRequires:  libtirpc-devel
 BuildRequires:  openssl-devel
@@ -98,6 +97,15 @@ fi
 %{_libdir}/pkgconfig/mysqlclient.pc
 
 %changelog
+* Fri Oct 18 2024 Sudipta Pandit <sudpandit@microsoft.com> - 8.0.40-1
+- Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
+  CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
+  CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237,
+  CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198,
+  CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096,
+  CVE-2024-21171, CVE-2024-21165, CVE-2023-46219
+- Remove patch for CVE-2023-46218 (fixed in 8.0.37)
+
 * Tue Jun 18 2024 Archana Choudhary <archana1@microsoft.com> - 8.0.36-1
 - Upgrade to 8.0.36 to fix 10 CVEs
 

cgmanifest.json

@@ -13813,8 +13813,8 @@
         "type": "other",
         "other": {
           "name": "mysql",
-          "version": "8.0.36",
-          "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"
+          "version": "8.0.40",
+          "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"
         }
       }
     },