Merge branch 'main' into 2.0
This commit is contained in:
Коммит
bec03956ca
|
@ -2,7 +2,7 @@
|
|||
"Signatures": {
|
||||
"go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
|
||||
"go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
|
||||
"go1.22.7-20240905.3.src.tar.gz": "4c2601d9fe6b4692b6bb4487751dec149c30bd76ad9383331a84971a66bdd0bc",
|
||||
"go1.22.8-20241001.6.src.tar.gz": "549a43643849c73ffd8579d63e2e3488428f0a4c436169abe02be01a3dbd41c8",
|
||||
"go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
%global goroot %{_libdir}/golang
|
||||
%global gopath %{_datadir}/gocode
|
||||
%global ms_go_filename go1.22.7-20240905.3.src.tar.gz
|
||||
%global ms_go_filename go1.22.8-20241001.6.src.tar.gz
|
||||
%global ms_go_revision 1
|
||||
%ifarch aarch64
|
||||
%global gohostarch arm64
|
||||
|
@ -14,7 +14,7 @@
|
|||
%define __find_requires %{nil}
|
||||
Summary: Go
|
||||
Name: msft-golang
|
||||
Version: 1.22.7
|
||||
Version: 1.22.8
|
||||
Release: 1%{?dist}
|
||||
License: BSD
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -153,6 +153,9 @@ fi
|
|||
%{_bindir}/*
|
||||
|
||||
%changelog
|
||||
* Thu Oct 24 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.22.8-1
|
||||
- Auto-upgrade to 1.22.8 - To fix CVE-2022-41717
|
||||
|
||||
* Mon Sep 09 2024 Henry Beberman <henry.beberman@microsoft.com> - 1.22.7-1
|
||||
- Bump version to 1.22.7 to address CVE-2024-34158, CVE-2024-34156, CVE-2024-34155
|
||||
|
||||
|
|
|
@ -1,50 +0,0 @@
|
|||
From f35969c8cacf16cac88f79cbb0ab0ffd6e5e037f Mon Sep 17 00:00:00 2001
|
||||
From: Suresh Thelkar <sthelkar@microsoft.com>
|
||||
Date: Wed, 20 Dec 2023 12:51:01 +0530
|
||||
Subject: [PATCH] Patch for CVE-2023-46218
|
||||
|
||||
Upstream patch details are given below
|
||||
https://github.com/curl/curl/commit/2b0994c29a721c91c57
|
||||
---
|
||||
extra/curl/curl-8.4.0/lib/cookie.c | 24 ++++++++++++++++--------
|
||||
1 file changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/extra/curl/curl-8.4.0/lib/cookie.c b/extra/curl/curl-8.4.0/lib/cookie.c
|
||||
index af01203a..57b2ad9a 100644
|
||||
--- a/extra/curl/curl-8.4.0/lib/cookie.c
|
||||
+++ b/extra/curl/curl-8.4.0/lib/cookie.c
|
||||
@@ -1029,15 +1029,23 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||
* dereference it.
|
||||
*/
|
||||
if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
|
||||
- const psl_ctx_t *psl = Curl_psl_use(data);
|
||||
- int acceptable;
|
||||
-
|
||||
- if(psl) {
|
||||
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
|
||||
- Curl_psl_release(data);
|
||||
+ bool acceptable = FALSE;
|
||||
+ char lcase[256];
|
||||
+ char lcookie[256];
|
||||
+ size_t dlen = strlen(domain);
|
||||
+ size_t clen = strlen(co->domain);
|
||||
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
|
||||
+ const psl_ctx_t *psl = Curl_psl_use(data);
|
||||
+ if(psl) {
|
||||
+ /* the PSL check requires lowercase domain name and pattern */
|
||||
+ Curl_strntolower(lcase, domain, dlen + 1);
|
||||
+ Curl_strntolower(lcookie, co->domain, clen + 1);
|
||||
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
|
||||
+ Curl_psl_release(data);
|
||||
+ }
|
||||
+ else
|
||||
+ acceptable = !bad_domain(domain, strlen(domain));
|
||||
}
|
||||
- else
|
||||
- acceptable = !bad_domain(domain, strlen(domain));
|
||||
|
||||
if(!acceptable) {
|
||||
infof(data, "cookie '%s' dropped, domain '%s' must not "
|
||||
--
|
||||
2.38.1
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d"
|
||||
}
|
||||
}
|
||||
"Signatures": {
|
||||
"mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9"
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
Summary: MySQL.
|
||||
Name: mysql
|
||||
Version: 8.0.36
|
||||
Version: 8.0.40
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2 with exceptions AND LGPLv2 AND BSD
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -9,7 +9,6 @@ Group: Applications/Databases
|
|||
URL: https://www.mysql.com
|
||||
Source0: https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz
|
||||
Patch0: CVE-2012-5627.nopatch
|
||||
Patch1: CVE-2023-46218.patch
|
||||
BuildRequires: cmake
|
||||
BuildRequires: libtirpc-devel
|
||||
BuildRequires: openssl-devel
|
||||
|
@ -98,6 +97,15 @@ fi
|
|||
%{_libdir}/pkgconfig/mysqlclient.pc
|
||||
|
||||
%changelog
|
||||
* Fri Oct 18 2024 Sudipta Pandit <sudpandit@microsoft.com> - 8.0.40-1
|
||||
- Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130,
|
||||
CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134,
|
||||
CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237,
|
||||
CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198,
|
||||
CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096,
|
||||
CVE-2024-21171, CVE-2024-21165, CVE-2023-46219
|
||||
- Remove patch for CVE-2023-46218 (fixed in 8.0.37)
|
||||
|
||||
* Tue Jun 18 2024 Archana Choudhary <archana1@microsoft.com> - 8.0.36-1
|
||||
- Upgrade to 8.0.36 to fix 10 CVEs
|
||||
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
From 926c72f641cd122e1e8fc9f92f0fea885d3c8ede Mon Sep 17 00:00:00 2001
|
||||
From: Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com>
|
||||
Date: Wed, 23 Oct 2024 16:13:23 -0700
|
||||
Subject: [PATCH] patch CVE-2022-25255
|
||||
Patch taken from https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
|
||||
|
||||
---
|
||||
src/corelib/io/qprocess_unix.cpp | 28 +++++++++++++++-------------
|
||||
1 file changed, 15 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp
|
||||
index 7a2daa2a..29b771a1 100644
|
||||
--- a/src/corelib/io/qprocess_unix.cpp
|
||||
+++ b/src/corelib/io/qprocess_unix.cpp
|
||||
@@ -1,7 +1,7 @@
|
||||
/****************************************************************************
|
||||
**
|
||||
** Copyright (C) 2016 The Qt Company Ltd.
|
||||
-** Copyright (C) 2016 Intel Corporation.
|
||||
+** Copyright (C) 2022 Intel Corporation.
|
||||
** Contact: https://www.qt.io/licensing/
|
||||
**
|
||||
** This file is part of the QtCore module of the Qt Toolkit.
|
||||
@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
|
||||
// Add the program name to the argument list.
|
||||
argv[0] = nullptr;
|
||||
if (!program.contains(QLatin1Char('/'))) {
|
||||
+ // findExecutable() returns its argument if it's an absolute path,
|
||||
+ // otherwise it searches $PATH; returns empty if not found (we handle
|
||||
+ // that case much later)
|
||||
const QString &exeFilePath = QStandardPaths::findExecutable(program);
|
||||
- if (!exeFilePath.isEmpty()) {
|
||||
- const QByteArray &tmp = QFile::encodeName(exeFilePath);
|
||||
- argv[0] = ::strdup(tmp.constData());
|
||||
- }
|
||||
- }
|
||||
- if (!argv[0])
|
||||
+ const QByteArray &tmp = QFile::encodeName(exeFilePath);
|
||||
+ argv[0] = ::strdup(tmp.constData());
|
||||
+ } else {
|
||||
argv[0] = ::strdup(encodedProgramName.constData());
|
||||
+ }
|
||||
|
||||
// Add every argument to the list
|
||||
for (int i = 0; i < arguments.count(); ++i)
|
||||
@@ -975,15 +976,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
|
||||
envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
|
||||
}
|
||||
|
||||
- QByteArray tmp;
|
||||
if (!program.contains(QLatin1Char('/'))) {
|
||||
+ // findExecutable() returns its argument if it's an absolute path,
|
||||
+ // otherwise it searches $PATH; returns empty if not found (we handle
|
||||
+ // that case much later)
|
||||
const QString &exeFilePath = QStandardPaths::findExecutable(program);
|
||||
- if (!exeFilePath.isEmpty())
|
||||
- tmp = QFile::encodeName(exeFilePath);
|
||||
+ const QByteArray &tmp = QFile::encodeName(exeFilePath);
|
||||
+ argv[0] = ::strdup(tmp.constData());
|
||||
+ } else {
|
||||
+ argv[0] = ::strdup(QFile::encodeName(program));
|
||||
}
|
||||
- if (tmp.isEmpty())
|
||||
- tmp = QFile::encodeName(program);
|
||||
- argv[0] = tmp.data();
|
||||
|
||||
if (envp)
|
||||
qt_safe_execve(argv[0], argv, envp);
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -33,7 +33,7 @@
|
|||
Name: qt5-qtbase
|
||||
Summary: Qt5 - QtBase components
|
||||
Version: 5.12.11
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
# See LICENSE.GPL3-EXCEPT.txt, for exception details
|
||||
License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
|
||||
Vendor: Microsoft Corporation
|
||||
|
@ -163,6 +163,8 @@ Patch90: CVE-2022-25643.patch
|
|||
Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch
|
||||
Patch92: CVE-2024-39936.patch
|
||||
|
||||
Patch93: CVE-2022-25255.patch
|
||||
|
||||
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
|
||||
# Those themes are there for platform integration. If the required libraries are
|
||||
# not there, the platform to integrate with isn't either. Then Qt will just
|
||||
|
@ -276,6 +278,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
|
|||
%patch90 -p1
|
||||
%patch91 -p1
|
||||
%patch92 -p1
|
||||
%patch93 -p1
|
||||
|
||||
## upstream patches
|
||||
|
||||
|
@ -781,6 +784,9 @@ fi
|
|||
%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
|
||||
|
||||
%changelog
|
||||
* Wed Oct 23 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 5.12.11-14
|
||||
- Add patch to resolve CVE-2022-25255.
|
||||
|
||||
* Wed Aug 07 2024 Sumedh Sharma <sumsharma@microsoft.com> - 5.12.11-13
|
||||
- Add patch to resolve CVE-2024-39936.
|
||||
|
||||
|
|
|
@ -13673,8 +13673,8 @@
|
|||
"type": "other",
|
||||
"other": {
|
||||
"name": "msft-golang",
|
||||
"version": "1.22.7",
|
||||
"downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.7-1/go1.22.7-20240905.3.src.tar.gz"
|
||||
"version": "1.22.8",
|
||||
"downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.8-1/go1.22.8-20241001.6.src.tar.gz"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -13813,8 +13813,8 @@
|
|||
"type": "other",
|
||||
"other": {
|
||||
"name": "mysql",
|
||||
"version": "8.0.36",
|
||||
"downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz"
|
||||
"version": "8.0.40",
|
||||
"downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.40.tar.gz"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
Загрузка…
Ссылка в новой задаче