Minghe Ren
044098bc0b
add patches for Glibc CVE-2023-4806 and CVE-2023-5156 ( #6341 )
* add patches for CVE
* bump dependency package release number
---------
Co-authored-by: minghe <rmhsawyer>
2023-10-06 14:55:34 -07:00
Mandeep Plaha
115ecc713d
Mandeepsplaha/patch cves against gdb ( #6338 )
* Patch CVE-2023-4911 in glibc
* Update all specs that build require glibc-static
2023-10-03 16:38:04 -07:00
Andrew Phelps
6d35fdd2fc
glibc: restore glibc-debuginfo package ( #5795 )
* update glibc so binaries are not stripped
* restore glibc-debuginfo
2023-07-14 16:20:19 -07:00
Andy Caldwell
366add1699
Police `glibc-static` versions ( #3748 )
* Make `glibc-static` a real package and police its version
* Add version bounds to all mentions of `glibc-static` in spec files
* Bump releases for all affected packages
* Add pipeline job to check static glibc versions
* Release new glibc packages with split out glibc-static
* Include distribution in requirement bounds
* Don't implicitly install glibc-static in pkggen chroot
* Correctly split up the static libraries between devel/static
* Consistent use of f-strings
* Allow libacvp to build without depending on `glibc-static`
* Remove `libhugetlbfs-tests` package
* Update kernel configs to not support static linking
* Declare `glibc-static` dependency for flannel
* Enable `-pie` by default in `clang`
* Rebuild SymCrypt with `-pie` enabled `clang`
* Use `glibc-static` on all platforms for `busybox`
* Tidy up libacvp Source lines
* Clang can't default to `-pie` so move `crt1.o` to `glibc-devel`
* Fix libacvp Source0 syntax
* Don't build static binaries in libhugetlbfs-tests
* Update kernel config signatures
* Kubevirt needs glibc-static too
2022-10-12 16:30:40 +01:00
Sriram Nambakam
3b9813e76e
Fix leading spaces in /etc/nsswitch.conf ( #2956 )
* Remove leading spaces in /etc/nsswitch.conf
Use tabs instead of spaces in /etc/nsswitch.conf
* Remove leading spaces in /etc/nsswitch.conf
Use tabs instead of spaces in /etc/nsswitch.conf
2022-05-04 16:53:50 -07:00
Andrew Phelps
18a1c779a1
Update glibc to 2.35 to fix CVE-2022-23218 and CVE-2022-23219 ( #2724 )
* update glibc to 2.35
* update manifests
* add patch
* patch cleanup
* apply glibc fhs patch in temp toolchain
* update libxcrypt glibcversion
* fix changelog typo
2022-04-15 13:19:43 -07:00
Andy Caldwell
cdf471d927
Re-add `tini-static` package ( #2283 )
* Re-add tini-static package
* Switch docker-init to tini-static
* Enable static-pie support in glibc
* Build tini-static as a static-PIE
* Make moby-engine depend on docker-init
* Fix up toolchain package lists to match new glibc version
* RELRO,NOW is already set in default LDFLAGS
2022-03-02 20:50:31 +00:00
Pawel Winogrodzki
20476e8ecd
[dev] Breaking circular dependencies containing pre-built packages ( #1630 )
2021-11-19 13:57:52 -08:00
Andrew Phelps
d7cb7c78e9
Update toolchain and packages to build with gcc 11.2.0 and glibc 2.34 ( #1623 )
* update coreutils and texinfo specs
* update coreutils and texinfo in toolchain
* fix patch url
* update binutils to 2.37
* update version in manifests
* update util-linux mpfr mpc gmp
* fix mpfr tarball
* fix gmp
* update cgmanifest.json
* cleanup
* restore binutils patch
* fix gmp and mpfr specs
* update util-linux spec
* fix binutils and util-linux breaks
* update kernel CONFIG_LD_VERSION
* bump kernel release
* remove reference to rpm-define-RPM-LD-FLAGS.patch
* fix gen-ld-script.sh sha256sum
* update gcc spec to 11.2.0
* update kernel configs for gcc
* update cgmanifest
* update gcc to 11.2.0 in raw toolchain
* add patch for gcc texi issue
* update glibc to 2.34
* update manifests for diffutils and glibc
* disable tm_texi patch in toolchain
* fix SIGSTKSZ gcc issue
* patch m4 for glibc 2.34
* update make to 4.3 and diffutils to 3.8
* revert make to 4.2.1 due to operation not permitted error
* fix make and texinfo build issues with glibc 2.34
* don't build zstd in temp toolchain due to gcc build errors
* remove glibc workarounds for findutils and gzip
* update findutils and gzip
* update gzip and findutils specs
* update gdbm to 1.21
* update elfutils to 1.185 in toolchain. fix manifests
* remove findutils test change
* remove texinfo patch
* fix kernel changelogs
* add patch for cpio extern issue
* restore rpm patch
* fix m4 spec
* fix elfutils and gpgme spec issues
* fix kernel-hyperv changelog
* update kbd and libtirpc to resolve gcc 11.2.0 issues
* fix m4 version in pkggen_core
* fix libtirpc in manifests
* fix nss error
* fix openjdk
* fix aarch64 openjdk8
* fix elfutils spec
* GODEBUG=netdns=go
* verbose rpm query
* fix coreutils on aarch64. use rpm 1.14.2.1 in raw toolchain. revert rpm.go
* bump cpio release
* revert rpm.go change
* cleanup toolchain scripts and specs. parallel make for glibc
* enable fortran
* remove aarch64 ld-2.27.so link
* add gfortran to toolchain manifests
* fix binutils changelog
* fix kernel release version
* update bison grep sed tar
* add glibc pthread patch
* upgrade file gawk and xz. fix sed and grep spec issues
* set -fcommon
* revert file to 5.34
* fix temp gawk version
* fix xz man1 files
* update libgpg-error to 1.43
* add ld-linux-aarch64.so.1 to glibc spec
* use /lib/ld-linux-aarch64.so.1
* update file 5.40 and bzip2 1.0.8 in toolchain. openjdk8 remove -fcommon.
* update to perl 5.32.0 in toolchain
* fix glibc aarch64 exclude. add shadow-utils provides. fix perl src filename
* fix efivar build. upgrade dtc
* Removing 'ctags'.
* Updating 'libacvp' to version 1.4.1.
* Updating 'nlohmann-json' to version 3.10.4.
* Updating 'dhcp.spec' CFLAGS to include CBL-Mariner's defaults.
* update and fix ipxe build. remove perl debuginfo.
* add fixes for autofs and libcomps
* Adjusting build steps for 'dhcp' and 'nlohmann-json'.
* fix rocksdb
* fix ntp
* fix libcomps url in cgmanifest. revert perl change
* fix nfs-utils
* fix azure-iot-sdk-c
* Remove 'tboot'.
* fix qemu-kvm
* update R and ant
* Updating 'libiothsm-std' to version 1.2.5.
* Linting.
* Remove tcp_wrappers package
* fix syslinux
* Downgrading 'libiothsm-std' to 1.1.8.
* fix fuse. fix libcomps url
* Downgrading 'libacvp' to 1.3.0.
* Applying GCC 11 patch.
* fix fuse configure.ac issue
* Fixing 'libiothsm-std' build.
* Upgrade lldpad to 1.1.0
* Upgrade gdb to 11.1
* Upgrade catch to 2.13.7
* fixup! Upgrade gdb to 11.1
* fixup! Upgrade lldpad to 1.1.0
* remove bazel
* Updating 'toml11' to version 3.7.0.
* update cgmanifest for catch gdb lldpad
* fix qt5-qtbase
* fix device-mapper-multipath
* fix syslinux
* fix grpc
* fix kernel configs
* fix kernel-hyperv config
* increase heap size for ant
* update lttng-consume
* fix auoms
* update valgrind. fix arm64 gdb issue
* update arm64 kernel config
* fix blobfuse
* update and fix azure-iotedge
* fix grpc 1.41.1 in cgmanifest
* fix kernel and kernel-hyperv PTHREAD_STACK_MIN issue
* remove ant ant-contrib jna R
* Updating 'azure-iotedge' sources creation instructions.
* add back ant ant-contrib bazel jna R
* restrict jdk8 packages
* verify licenses
* only build conda picosat python-pycosat on arm64. fix cgmanifest
* update openjdk8 to version 1.8.0.302
* fix cgmanifest for ant and R
* always build ant
* update licenses. remove tdnf workaround. bump shadow-utils release
* update LICENSES-MAP.md to remove tboot ctags tcp_wrappers. bump libacvp release
* fix ant builds only on arm64
* Clarifying license for 'ntp'.
* Verifying license for 'ant-contrib'.
* Verifying more specs.
* revert libacvp CFLAGS changes
* add kernel patch file
* set -fcommon to fix libacvp build
* fix python-filelock
* revert tdnf line change
Co-authored-by: CBL-Mariner Service Account <cblmargh@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawel.winogrodzki@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Thomas Crain <thcrain@microsoft.com>
2021-11-17 21:41:55 -08:00
Pawel Winogrodzki
d7b579ebfe
[dev] Adding more common `Provides` ( #1449 )
2021-09-24 17:31:08 -07:00
jslobodzian
17b0e93e71
Merge 1.0 to dev branch
This merge brings the latest SELinux and many packages and CVE fixes from the 1.0 branch.
2021-08-19 13:46:51 -07:00
Thomas Crain
90f361f753
Merge branch '1.0' from April Update
2021-04-30 18:07:37 -05:00
Thomas Crain
b885a285a6
first try fixes
2021-04-16 17:01:52 -05:00
Thomas Crain
7778033a5f
Merge branch 'dev' into thcrain/pain
2021-04-13 16:24:37 -05:00
Thomas Crain
eae5b4006f
Merge branch '1.0' into thcrain/ever-given
2021-04-06 22:39:22 -05:00
Nick Samson
f4606adad1
CVE-2020-27618 patch fixed to enable glibc build
2021-03-31 20:15:48 +00:00
Henry Li
e5957887fe
[dev] Update glibc, freetype and initscripts ( #801 )
* update core packages
* update changes
* fix linting
Co-authored-by: Henry Li <lihl@microsoft.com>
2021-03-29 09:52:43 -07:00
Nick Samson
d31496abdd
Patched CVE-2020-27618 in glibc
2021-03-22 21:23:09 +00:00
Joe Schmitt
ef3343d9fd
[dev] Update lib macro and enable python byte compilation ( #636 )
2021-02-16 10:34:30 -08:00
Thomas Crain
fa579fc877
Take patch backported to our version
2021-02-11 21:57:59 -08:00
Thomas Crain
2e9604aaeb
Update release number
2021-02-09 12:44:40 -08:00
Thomas Crain
eeddecd005
Patch CVE-2021-3326 in glibc
2021-02-09 11:15:29 -08:00
nicolas guibourge
eaf285b7d2
glibc: patch CVE-2019-25013 ( #522 )
Co-authored-by: nicolasg@microsoft.com <nicolasg@microsoft.com>
2021-01-08 19:04:10 +01:00
Joe Schmitt
4f6e6fafc0
[dev] Add additional provides to several specs ( #467 )
2021-01-04 09:22:01 -08:00
Mateusz Malisz
0695cac045
Add distroless containers ( #403 )
Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
2020-12-15 16:31:49 -08:00
Thomas Crain
b812866803
Patch CVE-2019-19126 in glibc ( #360 )
2020-11-16 05:31:23 -08:00
Henry Li
4be01ba170
fix spec format
2020-10-28 14:14:57 -07:00
Henry Li
545af35e7c
fix glibc CVE
2020-10-28 13:45:22 -07:00
jslobodzian
534d5bfc58
Revert "Implement "distroless" containers ( #252 )" ( #264 )
This reverts commit e41efdda19.
2020-10-25 18:37:45 -07:00
Mateusz Malisz
e41efdda19
Implement "distroless" containers ( #252 )
* Create distroless container without bash and surplus dependencies
* Remove RPM database for distroless
* Add busybox and uclibc. Add distroless-packages-debug
* Update cgmanifest
Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Co-authored-by: MateuszMalisz <mamalisz@microsoft.com>
2020-10-24 11:28:47 +02:00
Joe Schmitt
62103bd568
Improve spec file compatibility [2/2] ( #163 )
2020-10-07 13:22:31 -07:00
Thomas Crain
305965d7b5
[Security] Clean up non-applicable CVEs ( #106 )
* Ignore non-applicable gcc CVEs
* Ignore non-security-issue CVE in glibc
* Ignore irrelevant Python CVEs
* Update toolchain and pkggen manifests
2020-09-11 11:11:47 -07:00
Jon Slobodzian
b877013b27
Initial CBL-Mariner commit to GitHub
2020-08-06 20:17:52 -07:00