Provide instructions for cloning an RPM repo (e.g. PMC) and then using the clone with the image customizer tool. This is primarily intended for those who want reproducible builds.
CVE-2024-3651 affects idna versions before 3.7. Therefore,
update the vendored version of idna in pip to 3.7.
This patch is a combination of 2 upstream commits:
[d83c9e3] Upgrade idna to 3.6
[cba5b13] Upgrade idna to 3.7
Additionally, python3-wheel and python3-pip are both in the
toolchain so address "TODO" and add python3-wheel as a
BR to fix non-toolchain builds.
Note that python-pip has new versions (such as 24.2) but the
setup.py script was removed. They removed setup.py here: pypa/pip@0ad4c94
Therefore, patch CVE directly to avoid changing the build section
implementation.
This change disables building the DBM backend in the NSS library.
For the NSS library and tools, a replacement SQLite database backend has been available since v3.12. The DBM backend has been deprecated since v3.35. Also, the DBM backend code is scheduled for deletion in a future release. As such, any found CVEs (e.g. CVE-2017-11695) are being WONTFIXed by upstream.
Previously, the glibc check section caused major failures for the builds. However, these no longer exist. To enable these tests, address conflicting gcc flags and turn off the macro which prevents the check section for glibc. Note there are still 3 tests which need to be investigated for failures.
The patch prevents the error:
c1: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]
The error occurs when glibc is compiled with -Wformat-security, which requires -Wformat and thus conflicts with tests which use -Wno-format.
The new results from the check section should be:
Summary of test results:
3 FAIL : nptl/tst-cancel1, io/tst-lchmod, nptl/tst-mutex10
5040 PASS
152 UNSUPPORTED
12 XFAIL
8 XPASS
Allow the functional tests to accept both Azure Linux 2.0 and 3.0 image versions as input. Then, for the features that have different behavior based on the image version, ensure the tests for those features cover both image versions.