Commit graph

4553 Commits

Author SHA1 Message Date
Chris Gunn e363b43969
No password: Use `*` instead of `!`. (#6668) 2023-11-05 18:05:43 -08:00
Dallas Delaney ef627c4380
Add kata-containers-cc patch to retain uvm dependencies (#6665)
Add a patch to retain zstd-libs in the kata-cc UVM
2023-11-03 14:53:49 -07:00
CBL-Mariner-Bot b779618270
[AUTOPATCHER-CORE] Upgrade telegraf to 1.28.3 To pull the fix for Telegraf update for service account token (#6655) 2023-11-03 12:08:57 -07:00
George Mileka 1a184063fc
Switch ccache to use azure managed identity. (#6660) 2023-11-03 10:38:52 -07:00
Christopher Co 40b562a130
systemd: Add missing Requires on zstd-libs (#6661)
Signed-off-by: Chris Co <chrco@microsoft.com>
2023-11-03 08:41:13 -04:00
Neha Agarwal cfda6529d4
containerized-rpmbuild: Add extra_packages option (#6650) 2023-11-02 12:00:30 -07:00
Bala 0559f2530d
Patch snappy to fix build with RTTI enabled (#6654) 2023-11-02 11:28:34 +05:30
CBL-Mariner-Bot 0630aa832d
[AUTOPATCHER-CORE] Upgrade redis to 6.2.14 Fixes CVE-2023-45145 (#6653)
Upgrade redis to 6.2.14 Fixes CVE-2023-45145
2023-11-01 18:17:51 -07:00
CBL-Mariner-Bot b9c50a10db
[AUTOPATCHER-kernel] Kernel CVE - branch main - CVE-2023-4623 (#6624) 2023-11-01 12:19:54 -07:00
CBL-Mariner-Bot a351e45170
[AUTOPATCHER-CORE] Upgrade fluent-bit to 2.1.10 upgrade to latest (#6647) 2023-11-01 10:14:21 -07:00
jslobodzian ab0ece9510
Replace the sample username and password with user replaceable values (#6642) 2023-11-01 11:30:13 -04:00
suresh-thelkar 7bb826d753
Patch CVE-2023-45322 in libxml2 (#6628) 2023-11-01 09:50:43 +05:30
Daniel McIlvaney b39325a6bd
go-downloader: abort immediately on 404 errors (#6644)
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
2023-10-31 17:13:25 -07:00
Nan Liu 15bf461433
Fix golang CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39323, CVE-2023-39533 (#6470) 2023-10-31 14:50:57 -07:00
Daniel McIlvaney e34f8af9b7
go-downloader: handle --no-clobber correctly without explicit dst (#6638) 2023-10-31 11:31:31 -07:00
Lanze Liu 3621348b68
Bugfix: Correctly Return Rootfs Partition Instead of Boot Partition (#6637)
Co-authored-by: lanzeliu <lanzeliu@microsoft.com>
2023-10-31 10:11:56 -07:00
Daniel McIlvaney 04dd56ae7d
Add single transaction for image package cloner (#6623) 2023-10-30 17:08:14 -07:00
xiaohong 03e7744dd9
libdrm 2.4.115 PyYAML 5.2 (#6618)
Co-authored-by: xiaohongdeng <“worldsky86rough@gmail.com”>
2023-10-30 17:04:47 -07:00
Daniel McIlvaney 89675cb7e7
Add wget replacement go-downloader (#6630) 2023-10-30 16:32:58 -07:00
Rohit Rawat 742489e5dd
Patch CVE-2023-45853 for rust (#6629) 2023-10-30 17:10:48 -04:00
Chris Gunn d3a22c25f4
Imager: Fix for when user password is empty. (#6632) 2023-10-30 13:50:04 -07:00
Trung 865013e1a2
toolkit: Add timestamp arguments to build_mariner_toolchain.sh (#6583)
- Add timestamp arguments to build_mariner_toolchain.sh
- Split tools.mk into tools.mk and chroot.mk, fix the include order in the main Makefile to use go tools in toolchain.mk
2023-10-30 11:05:31 -07:00
CBL-Mariner-Bot 03b0dcbabd
Fix zlib CVE-2023-45853 in cloud-hypervisor (#6577) (#6620)
(cherry picked from commit fc02ff64b5)

Co-authored-by: Rohit Rawat <rohitrawat@microsoft.com>
2023-10-30 22:29:13 +05:30
Neha Agarwal 0633a5fda6
Update libX11 to v1.8.7 to fix CVEs 2023-43785, 2023-43786 and 2023-43787 (#6467)
* Update libX11 to v1.8.7 to fix CVEs 2023-43785, 2023-43786 and 2023-43787

* Update xorg-x11-proto-devel to v2023.2
2023-10-30 09:44:36 -07:00
CBL-Mariner-Bot d8faf13af6
Prepare October 2023 Release 2 (#6570)
* Prepare October 2023 Release 2

* Undo the livepatch changes

---------

Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
2023-10-27 16:50:57 -04:00
Chris PeBenito 32fded6ef4
selinux-policy: Silence io.containerd.internal.v1.opt denial noise. (#6449)
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2023-10-27 16:06:24 -04:00
Chris Gunn 4143c24dbf
Image Customizer: Add tool version. (#6613)
Add a version to the image customizer tool. This version and the
version format will be different from the CBL-Mariner OS.

This change updates the `Makefile` files to handle this new version.
It also ensures that the `--version` CLI option reports the calculated
version.
2023-10-27 12:27:02 -07:00
Andrew Phelps c1f7319e00
fix cronie crond file (#6616) 2023-10-27 11:58:25 -07:00
CBL-Mariner-Bot d91c237e39
[AUTOPATCHER-CORE] Upgrade python-urllib3 to 1.26.18 fix CVE-2023-45803 (#6617)
* Upgrade python-urllib3 to 1.26.18 fix CVE-2023-45803

* remove CVE patch already addressed by new version
2023-10-27 11:57:03 -07:00
Jonathan Behrens 4cacf51386
Fix zhash CVE-2023-46228 (#6615) 2023-10-27 11:43:34 -07:00
Neha Agarwal 7b6a4db176
Update libtiff to v4.6.0 to fix CVE 2023-40745 and 2023-41175 (#6567) 2023-10-27 11:05:11 -07:00
CBL-Mariner-Bot 20fa459fff
Patch CVE-2023-45853 for boost (#6601) (#6608)
(cherry picked from commit ac581c84a5)

Co-authored-by: Rohit Rawat <rohitrawat@microsoft.com>
2023-10-27 21:17:37 +05:30
CBL-Mariner-Bot 26f49539c0
Patch CVE-2023-45853 for tcl (#6600) (#6612)
(cherry picked from commit f106d90aed)

Co-authored-by: Rohit Rawat <rohitrawat@microsoft.com>
2023-10-27 21:16:42 +05:30
Andrew Phelps 40ed51d900
fix with_check handling in toolchain (#6584) 2023-10-26 15:08:16 -07:00
Andrew Phelps 0f2ffc4872
update 2.0 workflow to use golang 1.20 (#6606) 2023-10-26 14:13:45 -07:00
Gary Swalling b05435d5ba
Patch grub2 to fix CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736 (#6469)
Backport 30 patches to bring grub 2.06 up to SBAT level 2 and resolve vulnerabilities for CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, and CVE-2022-28736.
2023-10-26 12:45:44 -07:00
rlmenge 5fd99705b1
Nopatch CVE-2023-5345 and CVE-2023-4622 for hyperv-daemons (#6610) 2023-10-26 10:19:52 -07:00
Nan Liu 10ba6760c1
Fix zlib CVE-2023-45853 (#6611)
* add patch to address CVE-2023-45853

* update manifests

* fix invalid source url

* update cgmanifest
2023-10-26 10:09:53 -07:00
AZaugg fda9428160
Bumping sudo to version 1.9.14p3 (#6068) 2023-10-26 00:54:19 -07:00
Archana Choudhary e83a2582a8
Fix freeradius installation issues (#6562)
* Correct unavailable sysusers_create_compat macro to available sysusers_create_package macro
* Add runtime requirement for utils subpackage
* Update build requirement for postgresql subpackage
* Disable generation of debuginfo package as its files conflict with filesystem package
2023-10-25 15:10:47 +05:30
Daniel McIlvaney 78dda7ec78
Revert "Call setfacl on the chroot dir directly in case it (#6581)" (#6596)
This reverts commit 2c97d22aa8.
2023-10-24 17:15:02 -07:00
nicolas guibourge fb524d6f5b
kubernetes: upgrade to 1.28.3 to address CVE-2023-44487 and CVE-2023-39325 (#6578)
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2023-10-24 17:12:21 -07:00
rlmenge a7ebe53518
Enable CONFIG_BINFMT_MISC in ARM64 (#6582) 2023-10-24 16:13:53 -07:00
Chris Gunn faa6d9184c
Image Customizer: Add documentation. (#6496)
Add some documentation on how to use the Mariner Image customizer. This
includes a Getting Started guide, descriptions of the CLI arguments,
and descriptions of the configuration file.
2023-10-24 13:13:05 -07:00
Daniel McIlvaney e5ce71356f
Disable TestReferenceDOTFile() until fix is found (#6586)
* Disable TestReferenceDOTFile() until fix is found

* Add comment
2023-10-24 11:11:39 -07:00
Daniel McIlvaney 2c97d22aa8
Call setfacl on the chroot dir directly in case it (#6581)
is set by the user.
2023-10-24 09:58:44 -07:00
Christopher Co c82de0d3e0
fix: Enable lzo, snappy, zstd support in crash (#6380)
* fix: Enable lzo, snappy, zstd support in crash

Issue discovered in crash where lzo compressed kdump files were not
readable by our crash utility. So add a patch to enable support for
common compression types (lzo, snappy, zstd)

* chore: remove unused patch

* add missing build requires for lzo and snappy

* add fedora attribution of lzo_snappy_zstd patch

* add missing zstd-devel buildrequires

While the current default chroot build environment contains zstd-devel,
it is much better to be explicit about our build dependencies in the
spec.

Signed-off-by: Chris Co <chrco@microsoft.com>
2023-10-24 01:09:29 -07:00
Muhammad Falak R Wani 17363384ba
httpd: upgrade 2.4.56 -> 2.4.58 to address CVE-2023-45802, CVE-2023-43622 & CVE-2023-31122 (#6559)
Reference: https://downloads.apache.org/httpd/CHANGES_2.4.58
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
2023-10-24 09:21:31 +05:30
Chris Gunn c70d984c94
Image config: Fix for when no user password is specified. (#6443)
Currently, the situation where a user is specified in the new-image config or the image-customizer config without a password is not handled. This change ensures that the user password login is disabled in such situations (by either not passing a password value to useradd or by setting the password value to ! in the /etc/shadow file).

In addition, this change fixes a bug that could allow the plain-text password to be printed when the trace logs are enabled.
2023-10-23 16:34:22 -07:00
Dan Streetman 89a59542e5
systemd: enable zstd support in journald
Also for mariner 2, force journald to not use zstd compression, to
retain backwards compatibility.

Fixes: #6424
2023-10-23 14:39:52 -04:00