diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 1c0878d0d0f..6aea2ae5683 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -1,98 +1,2 @@ -# By default all files require a review by at lest one member of the CBL-Mariner developers team. -* @microsoft/cbl-mariner-devs - -# Modification to this file require admin approval. -/.github/CODEOWNERS @microsoft/cbl-mariner-admins - -# Modifications to the build pipelines require admin approval. -/.pipelines/* @microsoft/cbl-mariner-admins - -# Modifications to the CredScan exceptions require admin approval. -/.config/CredScanSuppressions.json @microsoft/cbl-mariner-admins - -# Modification to what is considered "core packages" require admin approval. -/SPECS/core-packages/* @microsoft/cbl-mariner-admins - -# Modification to specific packages go to specific teams -/SPECS/installkernel/* @microsoft/cbl-mariner-kernel -/SPECS/kernel/* @microsoft/cbl-mariner-kernel -/SPECS/kernel-azure/* @microsoft/cbl-mariner-kernel -/SPECS/kernel-hci/* @microsoft/cbl-mariner-kernel -/SPECS/kernel-headers/* @microsoft/cbl-mariner-kernel -/SPECS/kernel-mshv/* @microsoft/cbl-mariner-kata-containers -/SPECS/kernel-uvm/* @microsoft/cbl-mariner-kata-containers -/SPECS-SIGNED/kernel-signed/* @microsoft/cbl-mariner-kernel -/SPECS-SIGNED/kernel-hci-signed/* @microsoft/cbl-mariner-kernel -/SPECS-SIGNED/kernel-azure-signed/* @microsoft/cbl-mariner-kernel -/SPECS-SIGNED/kernel-mstflint-signed/* @microsoft/cbl-mariner-kernel -/SPECS-SIGNED/kernel-mshv-signed/* @microsoft/cbl-mariner-kata-containers - -/SPECS/grub2/* @microsoft/cbl-mariner-bootloader -/SPECS/grubby/* @microsoft/cbl-mariner-bootloader -/SPECS/shim/* @microsoft/cbl-mariner-bootloader -/SPECS/shim-unsigned/* @microsoft/cbl-mariner-bootloader -/SPECS/shim-unsigned-x64/* @microsoft/cbl-mariner-bootloader -/SPECS/shim-unsigned-aarch64/* @microsoft/cbl-mariner-bootloader -/SPECS-SIGNED/grub2-efi-binary-signed/* @microsoft/cbl-mariner-bootloader - -/SPECS/dracut/* @microsoft/cbl-mariner-dracut -/SPECS/initramfs/* @microsoft/cbl-mariner-dracut -/SPECS/verity-read-only-root/* @microsoft/cbl-mariner-dracut - 
-/SPECS/systemd/* @microsoft/cbl-mariner-systemd - -/SPECS/bcc/* @microsoft/cbl-mariner-debug-tools -/SPECS/bpftrace/* @microsoft/cbl-mariner-debug-tools -/SPECS/crash/* @microsoft/cbl-mariner-debug-tools -/SPECS/gdb/* @microsoft/cbl-mariner-debug-tools -/SPECS/kexec-tools/* @microsoft/cbl-mariner-debug-tools - -/SPECS/openssl/* @microsoft/cbl-mariner-openssl -/SPECS/SymCrypt-OpenSSL/* @microsoft/cbl-mariner-openssl -/SPECS/SymCrypt/* @microsoft/cbl-mariner-openssl -/SPECS/KeysInUse-OpenSSL/* @microsoft/cbl-mariner-openssl - -/SPECS/dnf/* @microsoft/cbl-mariner-package-managers -/SPECS/dnf-plugins-core/* @microsoft/cbl-mariner-package-managers -/SPECS/rpm/* @microsoft/cbl-mariner-package-managers -/SPECS/tdnf/* @microsoft/cbl-mariner-package-managers - -/SPECS/moby-buildx/* @microsoft/cbl-mariner-container-runtime -/SPECS/moby-cli/* @microsoft/cbl-mariner-container-runtime -/SPECS/moby-containerd/* @microsoft/cbl-mariner-container-runtime -/SPECS/moby-containerd-cc/* @microsoft/cbl-mariner-kata-containers -/SPECS/moby-engine/* @microsoft/cbl-mariner-container-runtime -/SPECS/moby-runc/* @microsoft/cbl-mariner-container-runtime -/SPECS/kata-containers/* @microsoft/cbl-mariner-kata-containers -/SPECS/kata-containers-cc/* @microsoft/cbl-mariner-kata-containers -/SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers - -/SPECS/cloud-hypervisor/* @microsoft/cbl-mariner-virtualization -/SPECS/hvloader/* @microsoft/cbl-mariner-kata-containers -/SPECS-SIGNED/hvloader-signed/* @microsoft/cbl-mariner-kata-containers - -/SPECS/cloud-init/* @microsoft/cbl-mariner-provisioning -/SPECS/walinuxagent/* @microsoft/cbl-mariner-provisioning - -# Modifications to the toolkit requires reviews from the toolkit team -/toolkit/ @microsoft/cbl-mariner-tooling - -# Docs to be reviewed by general CBL-Mariner devs -/toolkit/docs/ @microsoft/cbl-mariner-devs - -# Default image configurations to be reviewed by general CBL-Mariner devs -/toolkit/imageconfigs/ @microsoft/cbl-mariner-devs - -# 
Package and toolchain manifests to be reviewed by general CBL-Mariner devs -/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @microsoft/cbl-mariner-devs -/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @microsoft/cbl-mariner-devs -/toolkit/resources/manifests/package/toolchain_aarch64.txt @microsoft/cbl-mariner-devs -/toolkit/resources/manifests/package/toolchain_x86_64.txt @microsoft/cbl-mariner-devs - -# Modifications to the raw toolchain require admin approval. -/toolkit/scripts/toolchain/container/* @microsoft/cbl-mariner-admins -/toolkit/scripts/toolchain/cgmanifest.json @microsoft/cbl-mariner-admins -/toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins - -# Modifications to the trusted CA certificates require admin approval. -/SPECS/*ca-certificates*/* @microsoft/cbl-mariner-admins +# For stable release branches, ensure stable release maintainers are added as code reviewers +* @microsoft/cbl-mariner-stable-maintainers diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec index 3f8043e96cc..089d9b026e1 100644 --- a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec +++ b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec @@ -6,7 +6,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: hvloader-signed-%{buildarch} Version: 1.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -69,6 +69,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Fri May 31 2024 Archana Choudhary - 1.0.1-3.cm2 +- Update version for consistency with hvloader spec + * Fri May 10 2024 Archana Choudhary - 1.0.1-2 - Update version for consistency with hvloader spec diff --git a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec index 2739aba2ba0..361e932e2e8 100644 --- a/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec 
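Review bot: The single replacement rule `* @microsoft/cbl-mariner-stable-maintainers` drops every admin-only entry, so on this branch edits to `/.github/CODEOWNERS`, `/.config/CredScanSuppressions.json`, `/.pipelines/*`, the raw toolchain scripts and `/SPECS/*ca-certificates*/*` now need only a stable-maintainer review instead of `@microsoft/cbl-mariner-admins`. Those paths decide who reviews, which scanner findings are suppressed, what the pipeline executes and which CAs ship, and having the ownership file itself under the same team means one review path can rewrite the policy. Unless branch protection enforces an admin gate separately (not visible here), keep at least `/.github/CODEOWNERS @microsoft/cbl-mariner-admins`, `/.config/CredScanSuppressions.json @microsoft/cbl-mariner-admins` and `/SPECS/*ca-certificates*/* @microsoft/cbl-mariner-admins` after the new wildcard; the last matching pattern wins in CODEOWNERS, so they layer on top of it.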
+++ b/SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for Azure Name: kernel-azure-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec index c38b6dbbe27..0019e0b0414 100644 --- a/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec +++ b/SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec @@ -4,7 +4,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for HCI Name: kernel-hci-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -149,6 +149,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec index f105a98e7b3..16bd02f368d 100644 --- a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec +++ b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec 
@@ -4,7 +4,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for MOS systems Name: kernel-mos-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Gary Swalling - 5.15.158.2-1 +- Update to 5.15.158.2 + * Wed May 08 2024 Gary Swalling - 5.15.158.1-1 - Update to 5.15.158.1 diff --git a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec index 39f9ee3628d..f4fe895e41c 100644 --- a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec +++ b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec @@ -6,8 +6,8 @@ %define uname_r %{version}-%{release} Summary: Signed MSHV-enabled Linux Kernel for %{buildarch} systems Name: kernel-mshv-signed-%{buildarch} -Version: 5.15.126.mshv9 -Release: 3%{?dist} +Version: 5.15.157.mshv1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg %exclude /lib/modules/%{uname_r}/build %changelog +* Tue May 14 2024 CBL-Mariner Servicing Account - 5.15.157.mshv1-1 +- Auto-upgrade to 5.15.157.mshv1 + * Mon Apr 01 2024 Cameron Baird - 5.15.126.mshv9-3 - BuildRequires: grub2-rpm-macros to expand mkconfig configuration requirement diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 091df7a42c7..a653691a317 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index 40d7da9f037..17e6aeabe5e 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md @@ -9,7 +9,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azl-compliance
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azl-compliance
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cloud-hypervisor-cvm
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd | | Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan | | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad | | NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | knem
libnvidia-container
mlnx-ofa_kernel
mlnx-tools
mlx-bootctl
nvidia-container-runtime
nvidia-container-toolkit
nvidia-docker2
ofed-scripts
perftest | diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json index 3b89138790c..468868ee820 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json +++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json @@ -2165,6 +2165,7 @@ "check-restart", "clamav", "cloud-hypervisor", + "cloud-hypervisor-cvm", "cmake-fedora", "coredns", "csi-driver-lvm", diff --git a/SPECS/apparmor/CVE-2024-31755.patch b/SPECS/apparmor/CVE-2024-31755.patch new file mode 100644 index 00000000000..1b3c9d20046 --- /dev/null +++ b/SPECS/apparmor/CVE-2024-31755.patch @@ -0,0 +1,40 @@ +commit 7e4d5dabe7a9b754c601f214e65b544e67ba9f59 +Author: Up-wind +Date: Mon Mar 25 20:07:11 2024 +0800 + + Add NULL check to cJSON_SetValuestring() + + If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen. + + This commit adds the NULL check of valuestring before it is dereferenced. + +--- + binutils/cJSON.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/binutils/cJSON.c b/binutils/cJSON.c +index 541934c..e85ac11 100644 +--- a/binutils/cJSON.c ++++ b/binutils/cJSON.c +@@ -393,6 +393,7 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number) + return object->valuedouble = number; + } + ++/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as an error and return NULL */ + CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) + { + char *copy = NULL; +@@ -401,8 +402,8 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) + { + return NULL; + } +- /* return NULL if the object is corrupted */ +- if (object->valuestring == NULL) ++ /* return NULL if the object is corrupted or valuestring is NULL */ ++ if (object->valuestring == NULL || valuestring == NULL) + { + return NULL; + } +-- +2.25.1 + 
diff --git a/SPECS/apparmor/apparmor.spec b/SPECS/apparmor/apparmor.spec index 0975937612e..c546ed90ecd 100644 --- a/SPECS/apparmor/apparmor.spec +++ b/SPECS/apparmor/apparmor.spec @@ -1,7 +1,7 @@ Summary: AppArmor is an effective and easy-to-use Linux application security system. Name: apparmor Version: 3.0.4 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -10,6 +10,7 @@ URL: https://launchpad.net/apparmor Source0: https://launchpad.net/apparmor/3.0/3.0.4/+download/%{name}-%{version}.tar.gz Patch1: apparmor-service-start-fix.patch Patch2: CVE-2023-50471.patch +Patch3: CVE-2024-31755.patch # CVE-2016-1585 has no upstream fix as of 2020/09/28 Patch100: CVE-2016-1585.nopatch BuildRequires: apr @@ -354,6 +355,9 @@ make DESTDIR=%{buildroot} install %exclude %{perl_archlib}/perllocal.pod %changelog +* Thu May 30 2024 Sumedh Sharma - 3.0.4-4 +- Add patch for CVE-2024-31755 + * Wed Dec 27 2023 Dallas Delaney - 3.0.4-3 - Add patch for CVE-2023-50471 and CVE-2023-50472 diff --git a/SPECS/azl-compliance/azl-compliance.signatures.json b/SPECS/azl-compliance/azl-compliance.signatures.json index 99d442b4d5d..240e1b0c64c 100644 --- a/SPECS/azl-compliance/azl-compliance.signatures.json +++ b/SPECS/azl-compliance/azl-compliance.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "azl-compliance-1.0.1.tar.gz": "1d96b99ec755500383e5ff6bad01f1ac85848f067488f3ce29a99e6eb57a86b7" + "azl-compliance-1.0.2.tar.gz": "552605848f3bf8bf311f5356b13e318babad0f9288b5c75df9094c1d6ad038aa" } } diff --git a/SPECS/azl-compliance/azl-compliance.spec b/SPECS/azl-compliance/azl-compliance.spec index 47502aea8b7..d0d38ee5cdd 100644 --- a/SPECS/azl-compliance/azl-compliance.spec +++ b/SPECS/azl-compliance/azl-compliance.spec @@ -1,6 +1,6 @@ Summary: Azure Linux compliance package to meet all sorts of compliance rules Name: azl-compliance -Version: 1.0.1 +Version: 1.0.2 Release: 1%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation 
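Review bot: `Patch3: CVE-2024-31755.patch` is declared, but the diff shows no change to `%prep`, which lies outside these hunks; if the spec applies Patch1/Patch2 with explicit `%patch` lines rather than `%autosetup`, a matching `%patch3 -p1` is required or the build will succeed with the fix silently absent. The patch targets the vendored copy in `binutils/cJSON.c` rather than a system cJSON, so it is worth confirming that file is actually compiled into the shipped binaries before treating the CVE as closed. The changelog line could also say what was fixed, e.g. `- Add patch for CVE-2024-31755 (NULL check in vendored cJSON_SetValuestring)`.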
@@ -53,6 +53,9 @@ cd azl-compliance cargo test --release --offline %changelog +* Thu Jun 06 2024 Tobias Brick 1.0.2-1 +- Update to version 1.0.2 + * Tue Mar 19 2024 Tobias Brick 1.0.1-1 - Original version for CBL-Mariner. - License verified diff --git a/SPECS/cert-manager/CVE-2024-26147.patch b/SPECS/cert-manager/CVE-2024-26147.patch new file mode 100644 index 00000000000..6521830cfea --- /dev/null +++ b/SPECS/cert-manager/CVE-2024-26147.patch 
@@ -0,0 +1,43 @@ +From d02be38fc6c54828d5eec15efe058c61f3df4a60 Mon Sep 17 00:00:00 2001 +From: Mykhailo Bykhovtsev +Date: Thu, 30 May 2024 16:33:17 -0700 +Subject: [PATCH] backport patch CVE-2024-26147. Based off commit https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af + +--- + vendor/helm.sh/helm/v3/pkg/plugin/plugin.go | 4 ++++ + vendor/helm.sh/helm/v3/pkg/repo/index.go | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go +index 1399b71..df580db 100644 +--- a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go ++++ b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go +@@ -173,6 +173,10 @@ var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$") + + // validatePluginData validates a plugin's YAML data. + func validatePluginData(plug *Plugin, filepath string) error { ++ // When metadata section missing, initialize with no data ++ if plug.Metadata == nil { ++ plug.Metadata = &Metadata{} ++ } + if !validPluginName.MatchString(plug.Metadata.Name) { + return fmt.Errorf("invalid plugin name at %q", filepath) + } +diff --git a/vendor/helm.sh/helm/v3/pkg/repo/index.go b/vendor/helm.sh/helm/v3/pkg/repo/index.go +index 60cfe58..94852bb 100644 +--- a/vendor/helm.sh/helm/v3/pkg/repo/index.go ++++ b/vendor/helm.sh/helm/v3/pkg/repo/index.go +@@ -347,6 +347,10 @@ func loadIndex(data []byte, source string) (*IndexFile, error) { + log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source) + continue + } ++ // When metadata section missing, initialize with no data ++ if cvs[idx].Metadata == nil { ++ cvs[idx].Metadata = &chart.Metadata{} ++ } + if cvs[idx].APIVersion == "" { + cvs[idx].APIVersion = chart.APIVersionV1 + } +-- +2.34.1 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 4aad212fe06..4091564e70e 100644 --- a/SPECS/cert-manager/cert-manager.spec 
+++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.11.2 -Release: 9%{?dist} +Release: 10%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -21,6 +21,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version Source1: %{name}-%{version}-govendor.tar.gz Patch0: CVE-2023-48795.patch Patch1: CVE-2023-45288.patch +Patch2: CVE-2024-26147.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -113,6 +114,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Thu May 30 2024 Mykhailo Bykhovtsev - 1.11.2-10 +- Patch for CVE-2024-26147 + * Thu Apr 18 2024 Chris Gunn - 1.11.2-9 - Fix for CVE-2023-45288 diff --git a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json new file mode 100644 index 00000000000..f04f2f31375 --- /dev/null +++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.signatures.json @@ -0,0 +1,7 @@ +{ + "Signatures": { + "cloud-hypervisor-cvm-38.0.72-vendor.tar.gz": "6092868ed042c0397e4e96f2572a59d80491662b6c68fd210fe458a8f7d0d429", + "cloud-hypervisor-cvm-38.0.72.tar.gz": "e6d15d99c5d9ec4bede43ef8fac971d2cc0ae49a7eafffc6ca7e5b948ed4282a", + "config.toml": "74c28b7520c157109b8990b325fe8f13504e56561a9bac51499d4c6bf4a66e52" + } +} \ No newline at end of file diff --git a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec new file mode 100644 index 00000000000..bb7fb68dcef --- /dev/null +++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec 
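Review bot: `Patch2: CVE-2024-26147.patch` rewrites files under `vendor/helm.sh/helm/v3/`, which come from `Source1` (the govendor tarball) rather than `Source0`, so it only takes effect if `%prep` (outside the hunk) unpacks Source1 into the tree before applying patches; the existing CVE-2023-48795 and CVE-2023-45288 patches presumably also hit vendored Go modules, so the ordering is likely already right, but it should be confirmed rather than assumed. Because the fix lives only in the vendored tree, regenerating the govendor tarball on the next bump will drop it unless helm itself is moved to a fixed release; a comment beside the Patch line, e.g. `# Patches vendored helm (vendor/helm.sh/helm/v3); re-check when regenerating Source1`, would keep that from being lost. The changelog entry could name the component, `- Patch vendored helm for CVE-2024-26147`.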
@@ -0,0 +1,216 @@ +%define using_rustup 0 +%define using_musl_libc 0 +%define using_vendored_crates 1 + +Name: cloud-hypervisor-cvm +Summary: Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload. +Version: 38.0.72 +Release: 1%{?dist} +License: ASL 2.0 OR BSD-3-clause +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Applications/System +URL: https://github.com/microsoft/cloud-hypervisor +Source0: https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/msft/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +%if 0%{?using_vendored_crates} +# Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME. +# To update the cache and config.toml run: +# tar -xf %{name}-%{version}.tar.gz +# cd %{name}-%{version} +# cargo vendor > config.toml +# tar -czf %{name}-%{version}-cargo.tar.gz vendor/ +# rename the tarball to %{name}-%{version}-cargo.tar.gz when updating version +Source1: %{name}-%{version}-vendor.tar.gz +Source2: config.toml +%endif + +Conflicts: cloud-hypervisor + +BuildRequires: binutils +BuildRequires: gcc +BuildRequires: git +BuildRequires: glibc-devel +BuildRequires: openssl-devel + +%if ! 
0%{?using_rustup} +BuildRequires: rust >= 1.62.0 +BuildRequires: cargo >= 1.62.0 +%endif + +Requires: bash +Requires: glibc +Requires: libgcc +Requires: libcap + +ExclusiveArch: x86_64 + +%ifarch x86_64 +%define rust_def_target x86_64-unknown-linux-gnu +%define cargo_pkg_feature_opts --no-default-features --features "mshv,kvm,sev_snp,igvm" +%endif +%ifarch aarch64 +%define rust_def_target aarch64-unknown-linux-gnu +%define cargo_pkg_feature_opts --all +%endif + +%if 0%{?using_musl_libc} +%ifarch x86_64 +%define rust_musl_target x86_64-unknown-linux-musl +%endif +%ifarch aarch64 +%define rust_musl_target aarch64-unknown-linux-musl +%endif +%endif + +%if 0%{?using_vendored_crates} +%define cargo_offline --offline +%endif + +%description +Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. The project focuses on exclusively running modern, cloud workloads, on top of a limited set of hardware architectures and platforms. Cloud workloads refers to those that are usually run by customers inside a cloud provider. For our purposes this means modern Linux* distributions with most I/O handled by paravirtualised devices (i.e. virtio), no requirement for legacy devices and recent CPUs and KVM. + +%prep + +%setup -q -n cloud-hypervisor-%{version} +%if 0%{?using_vendored_crates} +tar xf %{SOURCE1} +mkdir -p .cargo +cp %{SOURCE2} .cargo/ +%endif + +%install +install -d %{buildroot}%{_bindir} +install -D -m755 ./target/%{rust_def_target}/release/cloud-hypervisor %{buildroot}%{_bindir} + +%if 0%{?using_musl_libc} +install -d %{buildroot}%{_libdir}/cloud-hypervisor/static +install -D -m755 target/%{rust_musl_target}/release/cloud-hypervisor %{buildroot}%{_libdir}/cloud-hypervisor/static +install -D -m755 target/%{rust_musl_target}/release/ch-remote %{buildroot}%{_libdir}/cloud-hypervisor/static +%endif + + +%build +cargo_version=$(cargo --version) +if [[ $? -ne 0 ]]; then + echo "Cargo not found, please install cargo. 
exiting" + exit 0 +fi + +%if 0%{?using_rustup} +which rustup +if [[ $? -ne 0 ]]; then + echo "Rustup not found please install rustup #curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh" +fi +%endif + +echo ${cargo_version} + +%if 0%{?using_rustup} +rustup target list --installed | grep x86_64-unknown-linux-gnu +if [[ $? -ne 0 ]]; then + echo "Target x86_64-unknown-linux-gnu not found, please install(#rustup target add x86_64-unknown-linux-gnu). exiting" +fi + %if 0%{?using_musl_libc} +rustup target list --installed | grep x86_64-unknown-linux-musl +if [[ $? -ne 0 ]]; then + echo "Target x86_64-unknown-linux-musl not found, please install(#rustup target add x86_64-unknown-linux-musl). exiting" +fi + %endif +%endif + +%if 0%{?using_vendored_crates} +# For vendored build, prepend this so openssl-sys doesn't trigger full OpenSSL build +export OPENSSL_NO_VENDOR=1 +%endif +cargo build --release --target=%{rust_def_target} %{cargo_pkg_feature_opts} %{cargo_offline} +%if 0%{?using_musl_libc} +cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{cargo_offline} +%endif + +%files +%defattr(-,root,root,-) +%caps(cap_net_admin=ep) %{_bindir}/cloud-hypervisor +%if 0%{?using_musl_libc} +%{_libdir}/cloud-hypervisor/static/ch-remote +%caps(cap_net_admim=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor +%endif +%license LICENSE-APACHE +%license LICENSE-BSD-3-Clause + +%changelog +* Wed May 15 2024 Saul Paredes - 38.0.72-1 +- Initial CBL-Mariner import from Azure +- Upgrade to v38.0.72 +- Update install to match cloud-hypervisor install locations +- Add conflicts with cloud-hypervisor +- License verified. 
+ +* Mon Nov 6 2023 Dallas Delaney - 32.0.314-2000 +- Upgrade to v32.0.314 + +* Thu Sep 21 2023 Saul Paredes - 32.0.209-2000 +- Upgrade to v32.0.209 + +* Fri Sep 15 2023 Saul Paredes - 32.0.192-2000 +- Upgrade to v32.0.192 + +* Tue Aug 1 2023 Saul Paredes - 32.0.0-2000 +- Accomodate cloud-hypervisor + +* Fri May 19 2023 Anatol Belski - 32.0.0-1000 +- Upgrade to v32.0 + +* Wed Apr 19 2023 Anatol Belski - 31.1.0-1000 +- Upgrade to v31.1 + +* Thu Apr 06 2023 Anatol Belski - 31.0.0-1000 +- Upgrade to v31.0 + +* Fri Feb 24 2023 Anatol Belski - 30.0.0-1000 +- Upgrade to v30.0 + +* Sun Jan 15 2023 Anatol Belski - 29.0.0-1000 +- Upgrade to v29.0 + +* Thu Dec 15 2022 Anatol Belski - 28.1.0-1000 +- Upgrade to v28.1 + +* Thu Nov 17 2022 Anatol Belski - 28.0.0-1000 +- Upgrade to v28.0 + +* Wed Oct 12 2022 Anatol Belski - 27.0.0-1001 +- Spec refactoring towards pulling an arbitrary revision + +* Wed Oct 05 2022 Anatol Belski - 27.0-1 +- Upgrade to 27.0 + +* Thu Sep 15 2022 Anatol Belski - 26.0-2 +- Unbundle tarballs from git + +* Wed Aug 17 2022 Anatol Belski - 26.0-1 +- Pull release 26.0 for Mariner from upstream + +* Tue May 16 2022 Anatol Belski - 23.1-0 +- Initial import 23.1 for Mariner from upstream + +* Thu Apr 13 2022 Rob Bradford 23.0-0 +- Update to 23.0 + +* Thu Mar 03 2022 Rob Bradford 22.0-0 +- Update to 22.0 + +* Thu Jan 20 2022 Rob Bradford 21.0-0 +- Update to 21.0 + +* Thu Dec 02 2021 Sebastien Boeuf 20.0-0 +- Update to 20.0 + +* Mon Nov 08 2021 Fabiano FidĂȘncio 19.0-0 +- Update to 19.0 + +* Fri May 28 2021 Muminul Islam 15.0-0 +- Update version to 15.0 + +* Wed Jul 22 2020 Muminul Islam 0.8.0-0 +- Initial version + diff --git a/SPECS/cloud-hypervisor-cvm/config.toml b/SPECS/cloud-hypervisor-cvm/config.toml new file mode 100644 index 00000000000..28e2cc3014f --- /dev/null +++ b/SPECS/cloud-hypervisor-cvm/config.toml 
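Review bot: The `%files` entry in the `using_musl_libc` branch misspells the capability, `%caps(cap_net_admim=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor`, which is not a valid capability name and will break the package as soon as that branch is enabled; it should read `%caps(cap_net_admin=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor`. In `%build` the cargo probe does `exit 0` after printing "Cargo not found", so a missing toolchain ends the section as a success and the failure only surfaces later in `%install`; it should be `exit 1`, and the two rustup branches that print "exiting" without exiting deserve the same treatment. The `%description` still says the VMM "runs on top of KVM" while the Summary describes SEV-SNP guests on MSHV, and the vendoring comment refers to `%{name}-%{version}-cargo.tar.gz` while Source1 is `%{name}-%{version}-vendor.tar.gz`; both should describe what this package actually is. Because `cap_net_admin=ep` is a file capability, every local user who can execute `%{_bindir}/cloud-hypervisor` gains CAP_NET_ADMIN, so a comment recording why it is required (presumably tap/macvtap setup, mirroring the cloud-hypervisor package) would keep a future reviewer from dropping or widening it unknowingly.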
@@ -0,0 +1,50 @@ +[source.crates-io] +replace-with = "vendored-sources" + +[source."git+https://github.com/cloud-hypervisor/kvm-bindings?branch=ch-v0.7.0"] +git = "https://github.com/cloud-hypervisor/kvm-bindings" +branch = "ch-v0.7.0" +replace-with = "vendored-sources" + +[source."git+https://github.com/cloud-hypervisor/versionize_derive?branch=ch-0.1.6"] +git = "https://github.com/cloud-hypervisor/versionize_derive" +branch = "ch-0.1.6" +replace-with = "vendored-sources" + +[source."git+https://github.com/firecracker-microvm/micro-http?branch=main"] +git = "https://github.com/firecracker-microvm/micro-http" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/microsoft/igvm?branch=main"] +git = "https://github.com/microsoft/igvm" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/acpi_tables?branch=main"] +git = "https://github.com/rust-vmm/acpi_tables" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/mshv?branch=main"] +git = "https://github.com/rust-vmm/mshv" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/vfio-user?branch=main"] +git = "https://github.com/rust-vmm/vfio-user" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/vfio?branch=main"] +git = "https://github.com/rust-vmm/vfio" +branch = "main" +replace-with = "vendored-sources" + +[source."git+https://github.com/rust-vmm/vm-fdt?branch=main"] +git = "https://github.com/rust-vmm/vm-fdt" +branch = "main" +replace-with = "vendored-sources" + +[source.vendored-sources] +directory = "vendor" diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json index 163a303dec9..c0753fbbf62 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json 
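Review bot: The `branch = "main"` source entries read like floating dependencies, but they are only source-replacement keys; with `--offline` and `replace-with = "vendored-sources"` nothing is fetched, the exact revisions come from the Cargo.lock inside Source0, and the vendored bytes are pinned by the sha256 in the signatures file. A header comment would stop the next reader from "fixing" them, e.g. `# Generated by 'cargo vendor'; each source key must match Cargo.lock exactly, and this file must be regenerated together with the vendor tarball.` As far as I can tell a key that no longer matches the lockfile makes cargo fall back to the git source, which then fails under `--offline`, so the regeneration note in the spec is the right place to keep the two in step.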
@@ -1,7 +1,7 @@ { - "Signatures": { - "cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915", - "cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419", - "config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458" - } + "Signatures": { + "cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915", + "cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419", + "config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458" + } } \ No newline at end of file diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec index ca9342d2489..891593cf771 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec @@ -5,7 +5,7 @@ Summary: Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. Name: cloud-hypervisor Version: 32.0 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 OR BSD-3-clause Vendor: Microsoft Corporation Distribution: Mariner @@ -28,6 +28,8 @@ Patch2: CVE-2023-50711-vhost.patch Patch3: CVE-2023-50711-versionize.patch %endif +Conflicts: cloud-hypervisor-cvm + BuildRequires: binutils BuildRequires: gcc BuildRequires: git @@ -162,6 +164,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{ %license LICENSE-BSD-3-Clause %changelog +* Mon May 20 2024 Saul Paredes - 32.0-4 +- Add conflicts with cloud-hypervisor-cvm + * Mon Jan 15 2024 Sindhu Karri - 32.0-3 - Patch CVE-2023-50711 in vendor/vmm-sys-util, vendor/vhost, vendor/versionize diff --git a/SPECS/cri-o/CVE-2024-3154.patch b/SPECS/cri-o/CVE-2024-3154.patch new file mode 100644 index 00000000000..ef7840ac175 --- /dev/null +++ b/SPECS/cri-o/CVE-2024-3154.patch 
@@ -0,0 +1,38 @@ +From 976ab1f4c916099fc1f2e6569f13e45df2f26b4f Mon Sep 17 00:00:00 2001 +From: Peter Hunt +Date: Tue, 26 Mar 2024 12:07:17 -0400 +Subject: [PATCH] annotations: add OCI runtime specific annotations to the + AllowedAnnotations + +meaning an admin would have to opt-into allowing them to be used + +Signed-off-by: Peter Hunt +--- + pkg/annotations/annotations.go | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go +index 51920eb..e517f18 100644 +--- a/pkg/annotations/annotations.go ++++ b/pkg/annotations/annotations.go +@@ -48,4 +48,17 @@ var AllAllowedAnnotations = []string{ + OCISeccompBPFHookAnnotation, + rdt.RdtContainerAnnotation, + TrySkipVolumeSELinuxLabelAnnotation, ++ // Keep in sync with ++ // https://github.com/opencontainers/runc/blob/3db0871f1cf25c7025861ba0d51d25794cb21623/features.go#L67 ++ // Once runc 1.2 is released, we can use the `runc features` command to get this programatically, ++ // but we should hardcode these for now to prevent misuse. ++ "bundle", ++ "org.systemd.property.", ++ "org.criu.config", ++ ++ // Simiarly, keep in sync with ++ // https://github.com/containers/crun/blob/475a3fd0be/src/libcrun/container.c#L362-L366 ++ "module.wasm.image/variant", ++ "io.kubernetes.cri.container-type", ++ "run.oci.", + } +-- +2.33.8 + diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec index 2d8784c9fa6..5f785187625 100644 --- a/SPECS/cri-o/cri-o.spec +++ b/SPECS/cri-o/cri-o.spec @@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa # Define macros for further referenced sources Name: cri-o Version: 1.22.3 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner 
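Review bot: The new entries only close CVE-2024-3154 if the runtime-handler filter in cri-o 1.22.3 strips every annotation in `AllAllowedAnnotations` that a handler has not opted into, and does so by prefix for the entries ending in a dot (`org.systemd.property.`, `run.oci.`); that filter lives outside this patch, so it should be confirmed on the 1.22 branch before trusting a list-only backport. Since this list is now the enforcement boundary for passing runtime-controlled settings to runc/crun, the comment above it should say so explicitly, e.g. `// Annotations listed here are removed from the OCI spec unless a runtime handler's allowed_annotations opts them in; entries ending in '.' are prefixes.` The typos `Simiarly` and `programatically` in the added comments can be fixed when the patch is regenerated.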
@@ -63,6 +63,7 @@ Patch7: CVE-2022-21698.patch Patch8: CVE-2023-44487.patch Patch9: CVE-2024-28180.patch Patch10: CVE-2024-21626.patch +Patch11: CVE-2024-3154.patch BuildRequires: btrfs-progs-devel BuildRequires: device-mapper-devel BuildRequires: fdupes @@ -215,6 +216,9 @@ mkdir -p /opt/cni/bin %{_fillupdir}/sysconfig.kubelet %changelog +* Mon Jun 03 2024 Bala - 1.22.3-2 +- Patch CVE-2024-3154 + * Thu May 21 2024 Henry Li - 1.22.3-1 - Upgrade to 1.22.3 to resolve regressed CVE-2022-0811 - Updated vendor source tar diff --git a/SPECS/dhcp/CVE-2023-2828.patch b/SPECS/dhcp/CVE-2023-2828.patch new file mode 100644 index 00000000000..576b74149c8 --- /dev/null +++ b/SPECS/dhcp/CVE-2023-2828.patch 
@@ -0,0 +1,190 @@ +Backported patch upstream to apply to CBL-Mariner. +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a + +From da0eafcdee52147e72d407cc3b9f179378ee1d3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Tue, 30 May 2023 08:46:17 +0200 +Subject: [PATCH] Improve RBT overmem cache cleaning + +When cache memory usage is over the configured cache size (overmem) and +we are cleaning unused entries, it might not be enough to clean just two +entries if the entries to be expired are smaller than the newly added +rdata. This could be abused by an attacker to cause a remote Denial of +Service by possibly running out of the operating system memory. + +Currently, the addrdataset() tries to do a single TTL-based cleaning +considering the serve-stale TTL and then optionally moves to overmem +cleaning if we are in that condition. Then the overmem_purge() tries to +do another single TTL based cleaning from the TTL heap and then continue +with LRU-based cleaning up to 2 entries cleaned. + +Squash the TTL-cleaning mechanism into single call from addrdataset(), +but ignore the serve-stale TTL if we are currently overmem. + +Then instead of having a fixed number of entries to clean, pass the size +of newly added rdatasetheader to the overmem_purge() function and +cleanup at least the size of the newly added data. This prevents the +cache going over the configured memory limit (`max-cache-size`). + +Additionally, refactor the overmem_purge() function to reduce for-loop +nesting for readability. 
+--- + bind_ln/lib/dns/rbtdb.c | 102 ++++++++++++++++++------------ + 1 file changed, 60 insertions(+), 42 deletions(-) + +diff --git a/bind_ln/lib/dns/rbtdb.c b/bind_ln/lib/dns/rbtdb.c +index 3ee1876..68b45d8 100644 +--- a/bind_ln/lib/dns/rbtdb.c ++++ b/bind_ln/lib/dns/rbtdb.c +@@ -815,7 +815,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + bool tree_locked, expire_t reason); + static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked); ++ size_t purgesize, bool tree_locked); + static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, + rdatasetheader_t *newheader); + static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, +@@ -6817,6 +6817,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, + + static dns_dbmethods_t zone_methods; + ++static size_t ++rdataset_size(rdatasetheader_t *header) { ++ if (!NONEXISTENT(header)) { ++ return (dns_rdataslab_size((unsigned char *)header, ++ sizeof(*header))); ++ } ++ ++ return (sizeof(*header)); ++} ++ + static isc_result_t + addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, +@@ -6971,7 +6981,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + + if (cache_is_overmem) +- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); ++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), tree_locked); + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +@@ -6986,10 +6996,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + cleanup_dead_nodes(rbtdb, rbtnode->locknum); + + header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); ++ if 
(header != NULL) { ++ dns_ttl_t rdh_ttl = header->rdh_ttl; + ++ if (rdh_ttl < now - RBTDB_VIRTUAL) { ++ expire_header(rbtdb, header, tree_locked, ++ expire_ttl); ++ } ++ } + /* + * If we've been holding a write lock on the tree just for + * cleaning, we can release it now. However, we still need the +@@ -10494,54 +10508,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); + } + +-/*% +- * Purge some expired and/or stale (i.e. unused for some period) cache entries +- * under an overmem condition. To recover from this condition quickly, up to +- * 2 entries will be purged. This process is triggered while adding a new +- * entry, and we specifically avoid purging entries in the same LRU bucket as +- * the one to which the new entry will belong. Otherwise, we might purge +- * entries of the same name of different RR types while adding RRsets from a +- * single response (consider the case where we're adding A and AAAA glue records +- * of the same NS name). ++static size_t ++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, ++ bool tree_locked) { ++ rdatasetheader_t *header, *header_prev; ++ size_t purged = 0; ++ ++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); ++ header != NULL && purged <= purgesize; header = header_prev) ++ { ++ header_prev = ISC_LIST_PREV(header, link); ++ /* ++ * Unlink the entry at this point to avoid checking it ++ * again even if it's currently used someone else and ++ * cannot be purged at this moment. This entry won't be ++ * referenced any more (so unlinking is safe) since the ++ * TTL was reset to 0. ++ */ ++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); ++ size_t header_size = rdataset_size(header); ++ expire_header(rbtdb, header, tree_locked, expire_lru); ++ purged += header_size; ++ } ++ ++ return (purged); ++} ++ ++ /*% ++ * Purge some stale (i.e. 
unused for some period - LRU based cleaning) cache ++ * entries under the overmem condition. To recover from this condition quickly, ++ * we cleanup entries up to the size of newly added rdata (passed as purgesize). ++ * ++ * This process is triggered while adding a new entry, and we specifically avoid ++ * purging entries in the same LRU bucket as the one to which the new entry will ++ * belong. Otherwise, we might purge entries of the same name of different RR ++ * types while adding RRsets from a single response (consider the case where ++ * we're adding A and AAAA glue records of the same NS name). + */ + static void + overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked) ++ size_t purgesize, bool tree_locked) + { +- rdatasetheader_t *header, *header_prev; + unsigned int locknum; +- int purgecount = 2; ++ size_t purged = 0; + + for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; +- locknum != locknum_start && purgecount > 0; ++ locknum != locknum_start && purged <= purgesize; + locknum = (locknum + 1) % rbtdb->node_lock_count) { + NODE_LOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + +- header = isc_heap_element(rbtdb->heaps[locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) { +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); +- purgecount--; +- } +- +- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); +- header != NULL && purgecount > 0; +- header = header_prev) { +- header_prev = ISC_LIST_PREV(header, link); +- /* +- * Unlink the entry at this point to avoid checking it +- * again even if it's currently used someone else and +- * cannot be purged at this moment. This entry won't be +- * referenced any more (so unlinking is safe) since the +- * TTL was reset to 0. 
+- */ +- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, +- link); +- expire_header(rbtdb, header, tree_locked, +- expire_lru); +- purgecount--; +- } ++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, ++ tree_locked); + + NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); +-- +2.25.1 + diff --git a/SPECS/dhcp/dhcp.spec b/SPECS/dhcp/dhcp.spec index 3349cbffca8..c570b4764b2 100644 --- a/SPECS/dhcp/dhcp.spec +++ b/SPECS/dhcp/dhcp.spec @@ -1,13 +1,14 @@ Summary: Dynamic host configuration protocol Name: dhcp Version: 4.4.3 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 Url: https://www.isc.org/dhcp/ Source0: ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz Patch0: CVE-2022-38177.patch Patch1: CVE-2022-38178.patch Patch2: CVE-2022-2795.patch +Patch3: CVE-2023-2828.patch Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner @@ -178,6 +179,9 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/ %{_mandir}/man8/dhclient.8.gz %changelog +* Wed May 29 2024 Sumedh Sharma - 4.4.3-3 +- Fix CVE-2023-2828 + * Tue Apr 30 2024 Elaine Zhao - 4.4.3-2 - Fix CVE-2022-38177, CVE-2022-38178, CVE-2022-2795 for bundled bind diff --git a/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json b/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json index 222adbd7c19..12f7e862dc2 100644 --- a/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json +++ b/SPECS/docbook-style-xsl/docbook-style-xsl.signatures.json @@ -1,5 +1,6 @@ { "Signatures": { - "docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968" + "docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968", + "xalan-j_2_7_3-bin.tar.gz": "c3a36e027f91acbec3f2139343a4798a943f8b2957aab1cfb2eb57f4aeadccbc" } } \ No newline at end of file 
diff --git a/SPECS/docbook-style-xsl/docbook-style-xsl.spec b/SPECS/docbook-style-xsl/docbook-style-xsl.spec index 3a89b3f20bf..3d8a7709098 100644 --- a/SPECS/docbook-style-xsl/docbook-style-xsl.spec +++ b/SPECS/docbook-style-xsl/docbook-style-xsl.spec @@ -1,13 +1,15 @@ Summary: Docbook-xsl-1.79.1 Name: docbook-style-xsl Version: 1.79.1 -Release: 13%{?dist} -License: ASL 2.0 +Release: 14%{?dist} +License: DMIT Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Tools URL: https://www.docbook.org Source0: http://downloads.sourceforge.net/docbook/docbook-xsl-%{version}.tar.bz2 +# CVE-2022-34169: xalan 2.7.2 has security issue that is solved in 2.7.3 +Source1: https://dlcdn.apache.org/xalan/xalan-j/binaries/xalan-j_2_7_3-bin.tar.gz BuildRequires: libxml2 BuildRequires: zip Requires: docbook-dtd-xml @@ -24,6 +26,12 @@ allowing you to utilize transformations already written for that standard. %prep %setup -q -n docbook-xsl-%{version} +# CVE-2022-34169: xalan 2.7.2 has security issue that is solved by 2.7.3, +# so replace the embedded jar files in docbook-xsl release before continuing +mkdir ./CVE-2022-34169 +tar -xf %{SOURCE1} -C ./CVE-2022-34169 +mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/. +rm -rf ./CVE-2022-34169 %build zip -d tools/lib/jython.jar Lib/distutils/command/wininst-6.exe @@ -102,6 +110,10 @@ fi %{_docdir}/* %changelog +* Mon Jun 03 2024 Brian Fjeldstad - 1.79.1-14 +- Fix CVE-2022-34169 by using newer release of xalan +- License should be DMIT. License verified + * Sat May 09 2020 Nick Samson - 1.79.1-10 - Added %%license line automatically diff --git a/SPECS/fluent-bit/CVE-2024-34250.patch b/SPECS/fluent-bit/CVE-2024-34250.patch new file mode 100644 index 00000000000..ffcae8c2327 --- /dev/null +++ b/SPECS/fluent-bit/CVE-2024-34250.patch 
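Review bot: The `%prep` addition copies every jar from the xalan 2.7.3 binary distribution into `tools/lib/` with `mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/.`, which only removes the vulnerable 2.7.2 code if the jar filenames match what is already in `tools/lib/`; if the shipped jar carries a different (e.g. versioned) name, the old file stays and CVE-2022-34169 is still packaged next to the fix. Remove the old jar explicitly before the move, `rm -f tools/lib/xalan*.jar`, and list `tools/lib` afterwards in the build log so the result is auditable; the xalan binary tarball likely also carries `xercesImpl.jar`/`xml-apis.jar`, which this step now adds to the package unless that is intended. `dlcdn.apache.org` only serves current releases, so Source1 will stop resolving once 2.7.3 is superseded; `archive.apache.org/dist/xalan/xalan-j/binaries/` is the durable location, and the sha256 recorded in the signatures file should be cross-checked against Apache's published checksum/signature. The changelog also jumps from 1.79.1-10 straight to 1.79.1-14 with no entries for 11–13, which is worth reconciling in the same change.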
@@ -0,0 +1,114 @@ +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c +index 2a06f42..87af852 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c +@@ -219,7 +219,10 @@ type2str(uint8 type) + static bool + is_32bit_type(uint8 type) + { +- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32 ++ if (type == VALUE_TYPE_I32 ++ || type == VALUE_TYPE_F32 ++ /* the operand stack is in polymorphic state */ ++ || type == VALUE_TYPE_ANY + #if WASM_ENABLE_REF_TYPES != 0 + || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF + #endif +@@ -6690,6 +6693,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth, + int32 i, available_stack_cell; + uint16 cell_num; + ++ bh_assert(loader_ctx->csp_num > 0); + if (loader_ctx->csp_num < depth + 1) { + set_error_buf(error_buf, error_buf_size, + "unknown label, " +@@ -7758,8 +7762,7 @@ re_scan: + } + + if (available_stack_cell > 0) { +- if (is_32bit_type(*(loader_ctx->frame_ref - 1)) +- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) { ++ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) { + loader_ctx->frame_ref--; + loader_ctx->stack_cell_num--; + #if WASM_ENABLE_FAST_INTERP != 0 +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c +index 47ec549..157a82c 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c +@@ -51,7 +51,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string) + static bool + is_32bit_type(uint8 type) + { +- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32 ++ if (type == VALUE_TYPE_I32 ++ || type == VALUE_TYPE_F32 ++ /* the 
operand stack is in polymorphic state */ ++ || type == VALUE_TYPE_ANY + #if WASM_ENABLE_REF_TYPES != 0 + || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF + #endif +@@ -3930,7 +3933,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf, + ctx->frame_ref--; + ctx->stack_cell_num--; + +- if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY) ++ if (is_32bit_type(type)) + return true; + + ctx->frame_ref--; +@@ -5839,13 +5842,11 @@ re_scan: + case WASM_OP_BR_TABLE: + { + uint8 *ret_types = NULL; +- uint32 ret_count = 0; ++ uint32 ret_count = 0, depth = 0; + #if WASM_ENABLE_FAST_INTERP == 0 +- uint8 *p_depth_begin, *p_depth; +- uint32 depth, j; + BrTableCache *br_table_cache = NULL; +- +- p_org = p - 1; ++ uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1; ++ uint32 j; + #endif + + read_leb_uint32(p, p_end, count); +@@ -5854,6 +5855,16 @@ re_scan: + #endif + POP_I32(); + ++ /* Get each depth and check it */ ++ p_org = p; ++ for (i = 0; i <= count; i++) { ++ read_leb_uint32(p, p_end, depth); ++ bh_assert(loader_ctx->csp_num > 0); ++ bh_assert(loader_ctx->csp_num - 1 >= depth); ++ (void)depth; ++ } ++ p = p_org; ++ + #if WASM_ENABLE_FAST_INTERP == 0 + p_depth_begin = p_depth = p; + #endif +@@ -5879,8 +5890,8 @@ re_scan: + error_buf, error_buf_size))) { + goto fail; + } +- *p_org = EXT_OP_BR_TABLE_CACHE; +- br_table_cache->br_table_op_addr = p_org; ++ *p_opcode = EXT_OP_BR_TABLE_CACHE; ++ br_table_cache->br_table_op_addr = p_opcode; + br_table_cache->br_count = count; + /* Copy previous depths which are one byte */ + for (j = 0; j < i; j++) { +@@ -6099,8 +6110,7 @@ re_scan: + && !cur_block->is_stack_polymorphic)); + + if (available_stack_cell > 0) { +- if (is_32bit_type(*(loader_ctx->frame_ref - 1)) +- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) { ++ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) { + loader_ctx->frame_ref--; + loader_ctx->stack_cell_num--; + #if WASM_ENABLE_FAST_INTERP != 0 
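Review bot: Unlike the other patches in this change, this file has no header naming the upstream WAMR commit it was derived from, and its hunks target the vendored `lib/wasm-micro-runtime-WAMR-1.3.0` tree; add the usual `From`/`Subject`/reference lines so the backport can be audited against upstream. In `wasm_mini_loader.c` the new `br_table` depth checks are `bh_assert` only, and as far as I can tell `bh_assert` compiles out unless WAMR is built with debug assertions, so in a release build a malformed depth is still not rejected there; that matches the mini loader's role for pre-validated modules, but it should be confirmed that fluent-bit builds WAMR with the full loader so the `set_error_buf` path in `wasm_loader.c` is what untrusted `.wasm` filters hit. Making `is_32bit_type()` return true for `VALUE_TYPE_ANY` affects every caller of that helper, not just the three `|| ... == VALUE_TYPE_ANY` sites simplified here; a comment at the helper such as `/* ANY counts as one cell: the stack is polymorphic and the real type is unknown */` would help, and the remaining callers are worth a quick check against upstream.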
diff --git a/SPECS/fluent-bit/fix_issue_8025.patch b/SPECS/fluent-bit/fix_issue_8025.patch
new file mode 100644
index 00000000000..d5d97590822
--- /dev/null
+++ b/SPECS/fluent-bit/fix_issue_8025.patch
@@ -0,0 +1,779 @@ +From c60999c186c23cff79dad4dd31c838404ace228e Mon Sep 17 00:00:00 2001 +From: "jinyong.choi" +Date: Wed, 18 Oct 2023 23:58:38 +0900 +Subject: [PATCH 1/2] in_tail: Delete unmanaged inodes from db during startup + (#8025) (1/2) + +To prevent incorrect inode references, +FluentBit automatically removes unmanaged inodes during startup. + +Signed-off-by: jinyong.choi +--- + plugins/in_tail/tail.c | 9 ++ + plugins/in_tail/tail_db.c | 161 +++++++++++++++++++++++++++++++ + plugins/in_tail/tail_db.h | 3 + + plugins/in_tail/tail_sql.h | 22 +++++ + tests/runtime/in_tail.c | 189 +++++++++++++++++++++++++++++++++++++ + 5 files changed, 384 insertions(+) + +diff --git a/plugins/in_tail/tail.c b/plugins/in_tail/tail.c +index 34a0fec3dbd..37b1f4f6c68 100644 +--- a/plugins/in_tail/tail.c ++++ b/plugins/in_tail/tail.c +@@ -372,6 +372,15 @@ static int in_tail_init(struct flb_input_instance *in, + /* Scan path */ + flb_tail_scan(ctx->path_list, ctx); + ++#ifdef FLB_HAVE_SQLDB ++ /* Delete stale files that are not monitored from the database */ ++ ret = flb_tail_db_stale_file_delete(in, config, ctx); ++ if (ret == -1) { ++ flb_tail_config_destroy(ctx); ++ return -1; ++ } ++#endif ++ + /* + * After the first scan (on start time), all new files discovered needs to be + * read from head, so we switch the 'read_from_head' flag to true so any +diff --git a/plugins/in_tail/tail_db.c b/plugins/in_tail/tail_db.c +index 664963b6dba..99242f8a15b 100644 +--- a/plugins/in_tail/tail_db.c ++++ b/plugins/in_tail/tail_db.c +@@ -168,6 +168,42 @@ static int db_file_insert(struct flb_tail_file *file, struct flb_tail_config *ct + return flb_sqldb_last_id(ctx->db); + } + ++static int stmt_add_param_concat(struct flb_tail_config *ctx, ++ flb_sds_t *stmt_sql, uint64_t count) ++{ ++ uint64_t idx; ++ flb_sds_t sds_tmp; ++ ++ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_START_PARAM, ++ SQL_STMT_START_PARAM_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: 
param start"); ++ return -1; ++ } ++ *stmt_sql = sds_tmp; ++ ++ for (idx = 1; idx < count; idx++) { ++ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_ADD_PARAM, ++ SQL_STMT_ADD_PARAM_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: add param"); ++ return -1; ++ } ++ ++ *stmt_sql = sds_tmp; ++ } ++ ++ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_PARAM_END, ++ SQL_STMT_PARAM_END_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: param end"); ++ return -1; ++ } ++ *stmt_sql = sds_tmp; ++ ++ return 0; ++} ++ + int flb_tail_db_file_set(struct flb_tail_file *file, + struct flb_tail_config *ctx) + { +@@ -275,3 +311,128 @@ int flb_tail_db_file_delete(struct flb_tail_file *file, + flb_plg_debug(ctx->ins, "db: file deleted from database: %s", file->name); + return 0; + } ++ ++/* ++ * Delete stale file from database ++ */ ++int flb_tail_db_stale_file_delete(struct flb_input_instance *ins, ++ struct flb_config *config, ++ struct flb_tail_config *ctx) ++{ ++ int ret = -1; ++ size_t sql_size; ++ uint64_t idx; ++ uint64_t file_count = ctx->files_static_count; ++ flb_sds_t stale_delete_sql; ++ flb_sds_t sds_tmp; ++ sqlite3_stmt *stmt_delete_inodes = NULL; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct flb_tail_file *file; ++ ++ if (!ctx->db) { ++ return 0; ++ } ++ ++ /* Create a stmt sql buffer */ ++ sql_size = SQL_DELETE_STALE_FILE_START_LEN; ++ sql_size += SQL_DELETE_STALE_FILE_WHERE_LEN; ++ sql_size += SQL_STMT_START_PARAM_LEN; ++ sql_size += SQL_STMT_PARAM_END_LEN; ++ sql_size += SQL_STMT_END_LEN; ++ if (file_count > 0) { ++ sql_size += (SQL_STMT_ADD_PARAM_LEN * file_count); ++ } ++ ++ stale_delete_sql = flb_sds_create_size(sql_size + 1); ++ if (!stale_delete_sql) { ++ flb_plg_error(ctx->ins, "cannot allocate buffer for stale_delete_sql:" ++ " size: %zu", sql_size); ++ return -1; ++ } ++ ++ /* Create a stmt sql */ ++ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_DELETE_STALE_FILE_START, ++ 
SQL_DELETE_STALE_FILE_START_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: start"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ stale_delete_sql = sds_tmp; ++ ++ if (file_count > 0) { ++ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_DELETE_STALE_FILE_WHERE, ++ SQL_DELETE_STALE_FILE_WHERE_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: where"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ stale_delete_sql = sds_tmp; ++ ++ ret = stmt_add_param_concat(ctx, &stale_delete_sql, file_count); ++ if (ret == -1) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: param"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ } ++ ++ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_STMT_END, SQL_STMT_END_LEN); ++ if (sds_tmp == NULL) { ++ flb_plg_error(ctx->ins, ++ "error concatenating stale_delete_sql: end"); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ stale_delete_sql = sds_tmp; ++ ++ /* Prepare stmt */ ++ ret = sqlite3_prepare_v2(ctx->db->handler, stale_delete_sql, -1, ++ &stmt_delete_inodes, 0); ++ if (ret != SQLITE_OK) { ++ flb_plg_error(ctx->ins, "error preparing database SQL statement:" ++ " stmt_delete_inodes sql:%s, ret=%d", stale_delete_sql, ++ ret); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ ++ /* Bind parameters */ ++ idx = 1; ++ mk_list_foreach_safe(head, tmp, &ctx->files_static) { ++ file = mk_list_entry(head, struct flb_tail_file, _head); ++ ret = sqlite3_bind_int64(stmt_delete_inodes, idx, file->inode); ++ if (ret != SQLITE_OK) { ++ flb_plg_error(ctx->ins, "error binding to stmt_delete_inodes:" ++ " inode=%lu, ret=%d", file->inode, ret); ++ sqlite3_finalize(stmt_delete_inodes); ++ flb_sds_destroy(stale_delete_sql); ++ return -1; ++ } ++ idx++; ++ } ++ ++ /* Run the delete inodes */ ++ ret = sqlite3_step(stmt_delete_inodes); ++ if (ret != SQLITE_DONE) { ++ 
sqlite3_finalize(stmt_delete_inodes); ++ flb_sds_destroy(stale_delete_sql); ++ flb_plg_error(ctx->ins, "cannot execute delete stale inodes: ret=%d", ++ ret); ++ return -1; ++ } ++ ++ ret = sqlite3_changes(ctx->db->handler); ++ flb_plg_info(ctx->ins, "db: delete unmonitored stale inodes from the" ++ " database: count=%d", ret); ++ ++ sqlite3_finalize(stmt_delete_inodes); ++ flb_sds_destroy(stale_delete_sql); ++ ++ return 0; ++} +diff --git a/plugins/in_tail/tail_db.h b/plugins/in_tail/tail_db.h +index 7b5355d229c..b1fde721d29 100644 +--- a/plugins/in_tail/tail_db.h ++++ b/plugins/in_tail/tail_db.h +@@ -40,4 +40,7 @@ int flb_tail_db_file_rotate(const char *new_name, + struct flb_tail_config *ctx); + int flb_tail_db_file_delete(struct flb_tail_file *file, + struct flb_tail_config *ctx); ++int flb_tail_db_stale_file_delete(struct flb_input_instance *ins, ++ struct flb_config *config, ++ struct flb_tail_config *ctx); + #endif +diff --git a/plugins/in_tail/tail_sql.h b/plugins/in_tail/tail_sql.h +index 855933a0149..bf724f318cd 100644 +--- a/plugins/in_tail/tail_sql.h ++++ b/plugins/in_tail/tail_sql.h +@@ -53,6 +53,28 @@ + #define SQL_DELETE_FILE \ + "DELETE FROM in_tail_files WHERE id=@id;" + ++#define SQL_STMT_START_PARAM "(?" ++#define SQL_STMT_START_PARAM_LEN (sizeof(SQL_STMT_START_PARAM) - 1) ++ ++#define SQL_STMT_ADD_PARAM ",?" 
++#define SQL_STMT_ADD_PARAM_LEN (sizeof(SQL_STMT_ADD_PARAM) - 1) ++ ++#define SQL_STMT_PARAM_END ")" ++#define SQL_STMT_PARAM_END_LEN (sizeof(SQL_STMT_PARAM_END) - 1) ++ ++#define SQL_STMT_END ";" ++#define SQL_STMT_END_LEN (sizeof(SQL_STMT_END) - 1) ++ ++#define SQL_DELETE_STALE_FILE_START \ ++ "DELETE FROM in_tail_files " ++#define SQL_DELETE_STALE_FILE_START_LEN \ ++ (sizeof(SQL_DELETE_STALE_FILE_START) - 1) ++ ++#define SQL_DELETE_STALE_FILE_WHERE \ ++ "WHERE inode NOT IN " ++#define SQL_DELETE_STALE_FILE_WHERE_LEN \ ++ (sizeof(SQL_DELETE_STALE_FILE_WHERE) - 1) ++ + #define SQL_PRAGMA_SYNC \ + "PRAGMA synchronous=%i;" + +diff --git a/tests/runtime/in_tail.c b/tests/runtime/in_tail.c +index ee5fba88744..74accb66ed6 100644 +--- a/tests/runtime/in_tail.c ++++ b/tests/runtime/in_tail.c +@@ -1545,6 +1545,194 @@ void flb_test_db() + test_tail_ctx_destroy(ctx); + unlink(db); + } ++ ++void flb_test_db_delete_stale_file() ++{ ++ struct flb_lib_out_cb cb_data; ++ struct test_tail_ctx *ctx; ++ char *org_file[] = {"test_db.log", "test_db_stale.log"}; ++ char *tmp_file[] = {"test_db.log"}; ++ char *path = "test_db.log, test_db_stale.log"; ++ char *move_file[] = {"test_db_stale.log", "test_db_stale_new.log"}; ++ char *new_file[] = {"test_db.log", "test_db_stale_new.log"}; ++ char *new_path = "test_db.log, test_db_stale_new.log"; ++ char *db = "test_db.db"; ++ char *msg_init = "hello world"; ++ char *msg_end = "hello db end"; ++ int i; ++ int ret; ++ int num; ++ int unused; ++ ++ unlink(db); ++ ++ clear_output_num(); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &org_file[0], ++ sizeof(org_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", path, ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ ret = 
flb_output_set(ctx->flb, ctx->o_ffd, ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* Start the engine */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ ret = write_msg(ctx, msg_init, strlen(msg_init)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num > 0)) { ++ TEST_MSG("no output"); ++ } ++ ++ if (ctx->fds != NULL) { ++ for (i=0; ifd_num; i++) { ++ close(ctx->fds[i]); ++ } ++ flb_free(ctx->fds); ++ } ++ flb_stop(ctx->flb); ++ flb_destroy(ctx->flb); ++ flb_free(ctx); ++ ++ /* re-init to use db */ ++ clear_output_num(); ++ ++ /* ++ * Changing the file name from 'test_db_stale.log' to ++ * 'test_db_stale_new.log.' In this scenario, it is assumed that the ++ * file was deleted after the FluentBit was terminated. However, since ++ * the FluentBit was shutdown, the inode remains in the database. ++ * The reason for renaming is to preserve the existing file for later use. ++ */ ++ ret = rename(move_file[0], move_file[1]); ++ TEST_CHECK(ret == 0); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &tmp_file[0], ++ sizeof(tmp_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", path, ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* ++ * Start the engine ++ * FluentBit will delete stale inodes. 
++ */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ if (ctx->fds != NULL) { ++ for (i=0; ifd_num; i++) { ++ close(ctx->fds[i]); ++ } ++ flb_free(ctx->fds); ++ } ++ flb_stop(ctx->flb); ++ flb_destroy(ctx->flb); ++ flb_free(ctx); ++ ++ /* re-init to use db */ ++ clear_output_num(); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &new_file[0], ++ sizeof(new_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", new_path, ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* ++ * Start the engine ++ * 'test_db_stale_new.log.' is a new file. ++ * The inode of 'test_db_stale.log' was deleted previously. ++ * So, it reads from the beginning of the file. ++ */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ ret = write_msg(ctx, msg_end, strlen(msg_end)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num == 3)) { ++ /* 3 = ++ * test_db.log : "hello db end" ++ * test_db_stale.log : "msg_init" + "hello db end" ++ */ ++ TEST_MSG("num error. 
expect=3 got=%d", num); ++ } ++ ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++} + #endif /* FLB_HAVE_SQLDB */ + + /* Test list */ +@@ -1569,6 +1757,7 @@ TEST_LIST = { + + #ifdef FLB_HAVE_SQLDB + {"db", flb_test_db}, ++ {"db_delete_stale_file", flb_test_db_delete_stale_file}, + #endif + + #ifdef in_tail + +From d06114cbb1419ef9e8969b897730de07b64cfe28 Mon Sep 17 00:00:00 2001 +From: "jinyong.choi" +Date: Thu, 19 Oct 2023 00:37:36 +0900 +Subject: [PATCH 2/2] in_tail: Introducing the compare_filename option to + db_file_exists (#8025)(2/2) + +When checking the existence of a file's inode, if the 'compare_filename' +option is enabled, it is modified to compare the filename as well. +If the inode matches but the filename is different, it removes the stale +inode from the database. + +Signed-off-by: jinyong.choi +--- + plugins/in_tail/tail.c | 8 ++ + plugins/in_tail/tail_config.h | 1 + + plugins/in_tail/tail_db.c | 58 ++++++++++++- + tests/runtime/in_tail.c | 148 ++++++++++++++++++++++++++++++++++ + 4 files changed, 213 insertions(+), 2 deletions(-) + +diff --git a/plugins/in_tail/tail.c b/plugins/in_tail/tail.c +index 37b1f4f6c68..52bf2ed6d40 100644 +--- a/plugins/in_tail/tail.c ++++ b/plugins/in_tail/tail.c +@@ -734,6 +734,14 @@ static struct flb_config_map config_map[] = { + "provides higher performance. Note that WAL is not compatible with " + "shared network file systems." + }, ++ { ++ FLB_CONFIG_MAP_BOOL, "db.compare_filename", "false", ++ 0, FLB_TRUE, offsetof(struct flb_tail_config, compare_filename), ++ "This option determines whether to check both the inode and the filename " ++ "when retrieving file information from the db." ++ "'true' verifies both the inode and filename, while 'false' checks only " ++ "the inode (default)." 
++ }, + #endif + + /* Multiline Options */ +diff --git a/plugins/in_tail/tail_config.h b/plugins/in_tail/tail_config.h +index dcfa54e0264..c0263b46503 100644 +--- a/plugins/in_tail/tail_config.h ++++ b/plugins/in_tail/tail_config.h +@@ -107,6 +107,7 @@ struct flb_tail_config { + struct flb_sqldb *db; + int db_sync; + int db_locking; ++ int compare_filename; + flb_sds_t db_journal_mode; + sqlite3_stmt *stmt_get_file; + sqlite3_stmt *stmt_insert_file; +diff --git a/plugins/in_tail/tail_db.c b/plugins/in_tail/tail_db.c +index 99242f8a15b..6f535ea646b 100644 +--- a/plugins/in_tail/tail_db.c ++++ b/plugins/in_tail/tail_db.c +@@ -95,9 +95,38 @@ int flb_tail_db_close(struct flb_sqldb *db) + return 0; + } + ++static int flb_tail_db_file_delete_by_id(struct flb_tail_config *ctx, ++ uint64_t id) ++{ ++ int ret; ++ ++ /* Bind parameters */ ++ ret = sqlite3_bind_int64(ctx->stmt_delete_file, 1, id); ++ if (ret != SQLITE_OK) { ++ flb_plg_error(ctx->ins, "db: error binding id=%"PRIu64", ret=%d", id, ret); ++ return -1; ++ } ++ ++ ret = sqlite3_step(ctx->stmt_delete_file); ++ ++ sqlite3_clear_bindings(ctx->stmt_delete_file); ++ sqlite3_reset(ctx->stmt_delete_file); ++ ++ if (ret != SQLITE_DONE) { ++ flb_plg_error(ctx->ins, "db: error deleting stale entry from database:" ++ " id=%"PRIu64, id); ++ return -1; ++ } ++ ++ flb_plg_info(ctx->ins, "db: stale file deleted from database:" ++ " id=%"PRIu64, id); ++ return 0; ++} ++ + /* +- * Check if an file inode exists in the database. Return FLB_TRUE or +- * FLB_FALSE ++ * Check if an file inode exists in the database. ++ * If the 'compare_filename' option is enabled, ++ * it checks along with the filename. 
Return FLB_TRUE or FLB_FALSE + */ + static int db_file_exists(struct flb_tail_file *file, + struct flb_tail_config *ctx, +@@ -105,6 +134,7 @@ static int db_file_exists(struct flb_tail_file *file, + { + int ret; + int exists = FLB_FALSE; ++ const unsigned char *name; + + /* Bind parameters */ + sqlite3_bind_int64(ctx->stmt_get_file, 1, file->inode); +@@ -116,11 +146,30 @@ static int db_file_exists(struct flb_tail_file *file, + /* id: column 0 */ + *id = sqlite3_column_int64(ctx->stmt_get_file, 0); + ++ /* name: column 1 */ ++ name = sqlite3_column_text(ctx->stmt_get_file, 1); ++ if (ctx->compare_filename && name == NULL) { ++ flb_plg_error(ctx->ins, "db: error getting name: id=%"PRIu64, *id); ++ return -1; ++ } ++ + /* offset: column 2 */ + *offset = sqlite3_column_int64(ctx->stmt_get_file, 2); + + /* inode: column 3 */ + *inode = sqlite3_column_int64(ctx->stmt_get_file, 3); ++ ++ /* Checking if the file's name and inode match exactly */ ++ if (ctx->compare_filename) { ++ if (flb_tail_target_file_name_cmp((char *) name, file) != 0) { ++ exists = FLB_FALSE; ++ flb_plg_debug(ctx->ins, "db: exists stale file from database:" ++ " id=%"PRIu64" inode=%"PRIu64" offset=%"PRIu64 ++ " name=%s file_inode=%"PRIu64" file_name=%s", ++ *id, *inode, *offset, name, file->inode, ++ file->name); ++ } ++ } + } + else if (ret == SQLITE_DONE) { + /* all good */ +@@ -221,6 +270,11 @@ int flb_tail_db_file_set(struct flb_tail_file *file, + } + + if (ret == FLB_FALSE) { ++ /* Delete stale file of same inode */ ++ if (ctx->compare_filename && id > 0) { ++ flb_tail_db_file_delete_by_id(ctx, id); ++ } ++ + /* Get the database ID for this file */ + file->db_id = db_file_insert(file, ctx); + } +diff --git a/tests/runtime/in_tail.c b/tests/runtime/in_tail.c +index 74accb66ed6..90d8832bc79 100644 +--- a/tests/runtime/in_tail.c ++++ b/tests/runtime/in_tail.c +@@ -1733,6 +1733,153 @@ void flb_test_db_delete_stale_file() + test_tail_ctx_destroy(ctx); + unlink(db); + } ++ ++void 
flb_test_db_compare_filename() ++{ ++ struct flb_lib_out_cb cb_data; ++ struct test_tail_ctx *ctx; ++ char *org_file[] = {"test_db.log"}; ++ char *moved_file[] = {"test_db_moved.log"}; ++ char *db = "test_db.db"; ++ char *msg_init = "hello world"; ++ char *msg_moved = "hello world moved"; ++ char *msg_end = "hello db end"; ++ int i; ++ int ret; ++ int num; ++ int unused; ++ ++ unlink(db); ++ ++ clear_output_num(); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &org_file[0], ++ sizeof(org_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", org_file[0], ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ "db.compare_filename", "true", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ ret = flb_output_set(ctx->flb, ctx->o_ffd, ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* Start the engine */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ ret = write_msg(ctx, msg_init, strlen(msg_init)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num > 0)) { ++ TEST_MSG("no output"); ++ } ++ ++ if (ctx->fds != NULL) { ++ for (i=0; ifd_num; i++) { ++ close(ctx->fds[i]); ++ } ++ flb_free(ctx->fds); ++ } ++ flb_stop(ctx->flb); ++ flb_destroy(ctx->flb); ++ flb_free(ctx); ++ ++ /* re-init to use db */ ++ clear_output_num(); ++ ++ /* ++ * Changing the file name from 'test_db.log' to 'test_db_moved.log.' ++ * In this scenario, it is assumed that the FluentBit has been terminated, ++ * and the file has been recreated with the same inode, with offsets equal ++ * to or greater than the previous file. 
++ */ ++ ret = rename(org_file[0], moved_file[0]); ++ TEST_CHECK(ret == 0); ++ ++ cb_data.cb = cb_count_msgpack; ++ cb_data.data = &unused; ++ ++ ctx = test_tail_ctx_create(&cb_data, ++ &moved_file[0], ++ sizeof(moved_file)/sizeof(char *), ++ FLB_FALSE); ++ if (!TEST_CHECK(ctx != NULL)) { ++ TEST_MSG("test_ctx_create failed"); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = flb_input_set(ctx->flb, ctx->o_ffd, ++ "path", moved_file[0], ++ "read_from_head", "true", ++ "db", db, ++ "db.sync", "full", ++ "db.compare_filename", "true", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ /* ++ * Start the engine ++ * The file has been newly created, and due to the 'db.compare_filename' ++ * option being set to true, it compares filenames to consider it a new ++ * file even if the inode is the same. If the option is set to false, ++ * it can be assumed to be the same file as before. ++ */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ ret = write_msg(ctx, msg_moved, strlen(msg_moved)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = write_msg(ctx, msg_end, strlen(msg_end)); ++ if (!TEST_CHECK(ret > 0)) { ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* waiting to flush */ ++ flb_time_msleep(500); ++ ++ num = get_output_num(); ++ if (!TEST_CHECK(num == 3)) { ++ /* 3 = msg_init + msg_moved + msg_end */ ++ TEST_MSG("num error. expect=3 got=%d", num); ++ } ++ ++ test_tail_ctx_destroy(ctx); ++ unlink(db); ++} + #endif /* FLB_HAVE_SQLDB */ + + /* Test list */ +@@ -1758,6 +1905,7 @@ TEST_LIST = { + #ifdef FLB_HAVE_SQLDB + {"db", flb_test_db}, + {"db_delete_stale_file", flb_test_db_delete_stale_file}, ++ {"db_compare_filename", flb_test_db_compare_filename}, + #endif + + #ifdef in_tail diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index df3c7a6defb..9bf83a66bbb 100644 
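Review bot: In `flb_tail_db_stale_file_delete` (tail_db.c hunk of patch 1/2) the bind-failure message formats `file->inode` with `%lu`, while every other inode/id message this series adds uses `%"PRIu64"`; if `file->inode` is a `uint64_t`, as those uses suggest, `%lu` is a format/argument mismatch on targets where `uint64_t` is not `unsigned long`, so the line should read `" inode=%"PRIu64", ret=%d", file->inode, ret);`. The `ins` and `config` parameters of that function are never read; either drop them from the prototype added to tail_db.h or mark them unused. In patch 2/2, `db_file_exists` returns `-1` when `compare_filename` is set and column 1 is NULL, before reaching whatever clear/reset of `ctx->stmt_get_file` follows (the function's tail is outside the hunk), and `flb_tail_db_file_set` only tests `ret == FLB_FALSE`, so the prepared statement may be left mid-step and the error value fall through to the insert path — worth confirming against the rest of the function. `flb_tail_db_file_set` also discards the return of `flb_tail_db_file_delete_by_id`, so a failed deletion is followed by an insert for the same inode with only a log line recording the failure.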
--- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -1,12 +1,15 @@ Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX Name: fluent-bit Version: 2.2.3 -Release: 1%{?dist} +Release: 3%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner URL: https://fluentbit.io Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-34250.patch +Patch1: in_emitter_fix_issue_8198.patch +Patch2: fix_issue_8025.patch BuildRequires: bison BuildRequires: cmake BuildRequires: cyrus-sasl-devel @@ -80,6 +83,13 @@ Development files for %{name} %{_libdir}/fluent-bit/*.so %changelog +* Wed Jun 05 2024 Sindhu Karri - 2.2.3-3 +- Apply patch in_emitter_fix_issue_8198.patch to fix #8198 ( Potential log loss during high load at Multiline & Rewrite Tag Filter (in_emitter) ) +- Fix issue #8025 with a patch ( in_tail: missing log for offset processing due to non-existent old inodes in sqlite ) + +* Wed May 30 2024 Sindhu Karri - 2.2.3-2 +- Fix CVE-2024-34250 with a patch + * Tue May 28 2024 CBL-Mariner Servicing Account - 2.2.3-1 - Auto-upgrade to 2.2.3 - CVE-2024-4323 diff --git a/SPECS/fluent-bit/in_emitter_fix_issue_8198.patch b/SPECS/fluent-bit/in_emitter_fix_issue_8198.patch new file mode 100644 index 00000000000..d9861ab126d --- /dev/null +++ b/SPECS/fluent-bit/in_emitter_fix_issue_8198.patch 
@@ -0,0 +1,661 @@ +From feb424367d08666dd9fb0a6405f05c19b6678873 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Fri, 9 Feb 2024 23:46:32 +0100 +Subject: [PATCH 1/6] in_emitter: Fix to prevent single record chunks and do + pause on mem_buf_limit + +The current code creates a situation, where only one record per chunk + is created. In case of a non-existing ring-buffer, the old mechanism is used. + +Also the in_emitter plugin continued to accept records even after the +set emitter_mem_buf_limit was reached. This commit implements a +check if the plugin was paused and returns accordingly. + +Signed-off-by: Richard Treu +--- + plugins/in_emitter/emitter.c | 67 +++++++++++++++++++++++++++++++++--- + 1 file changed, 62 insertions(+), 5 deletions(-) + +diff --git a/plugins/in_emitter/emitter.c b/plugins/in_emitter/emitter.c +index 62886d1346c..532a629b924 100644 +--- a/plugins/in_emitter/emitter.c ++++ b/plugins/in_emitter/emitter.c +@@ -31,6 +31,9 @@ + + #define DEFAULT_EMITTER_RING_BUFFER_FLUSH_FREQUENCY 2000 + ++/* return values */ ++#define FLB_EMITTER_BUSY 3 ++ + struct em_chunk { + flb_sds_t tag; + struct msgpack_sbuffer mp_sbuf; /* msgpack sbuffer */ +@@ -39,6 +42,7 @@ struct em_chunk { + }; + + struct flb_emitter { ++ int coll_fd; /* collector id */ + struct mk_list chunks; /* list of all pending chunks */ + struct flb_input_instance *ins; /* input instance */ + struct flb_ring_buffer *msgs; /* ring buffer for cross-thread messages */ +@@ -97,7 +101,6 @@ int static do_in_emitter_add_record(struct em_chunk *ec, + em_chunk_destroy(ec); + return -1; + } +- /* Release the echunk */ + em_chunk_destroy(ec); + return 0; + } +@@ -118,6 +121,12 @@ int in_emitter_add_record(const char *tag, int tag_len, + ctx = (struct flb_emitter *) in->context; + ec = NULL; + ++ /* Restricted by mem_buf_limit */ ++ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) { ++ flb_plg_debug(ctx->ins, "emitter memory buffer limit reached. 
Not accepting record."); ++ return FLB_EMITTER_BUSY; ++ } ++ + /* Use the ring buffer first if it exists */ + if (ctx->msgs) { + memset(&temporary_chunk, 0, sizeof(struct em_chunk)); +@@ -161,8 +170,7 @@ int in_emitter_add_record(const char *tag, int tag_len, + + /* Append raw msgpack data */ + msgpack_sbuffer_write(&ec->mp_sbuf, buf_data, buf_size); +- +- return do_in_emitter_add_record(ec, in); ++ return 0; + } + + /* +@@ -191,6 +199,34 @@ static int in_emitter_ingest_ring_buffer(struct flb_input_instance *in, + return ret; + } + ++static int cb_queue_chunks(struct flb_input_instance *in, ++ struct flb_config *config, void *data) ++{ ++ int ret; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct em_chunk *echunk; ++ struct flb_emitter *ctx; ++ ++ /* Get context */ ++ ctx = (struct flb_emitter *) data; ++ ++ /* Try to enqueue chunks under our limits */ ++ mk_list_foreach_safe(head, tmp, &ctx->chunks) { ++ echunk = mk_list_entry(head, struct em_chunk, _head); ++ ++ /* Associate this backlog chunk to this instance into the engine */ ++ ret = do_in_emitter_add_record(echunk, in); ++ if (ret == -1) { ++ flb_error("[in_emitter] error registering chunk with tag: %s", ++ echunk->tag); ++ continue; ++ } ++ } ++ ++ return 0; ++} ++ + static int in_emitter_start_ring_buffer(struct flb_input_instance *in, struct flb_emitter *ctx) + { + if (ctx->ring_buffer_size <= 0) { +@@ -257,6 +293,15 @@ static int cb_emitter_init(struct flb_input_instance *in, + return -1; + } + } ++ else{ ++ ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 50000000, config); ++ if (ret < 0) { ++ flb_error("[in_emitter] could not create collector"); ++ flb_free(ctx); ++ return -1; ++ } ++ ctx->coll_fd = ret; ++ } + + /* export plugin context */ + flb_input_set_context(in, ctx); +@@ -264,6 +309,18 @@ static int cb_emitter_init(struct flb_input_instance *in, + return 0; + } + ++static void cb_emitter_pause(void *data, struct flb_config *config) ++{ ++ struct flb_emitter *ctx = data; ++ 
flb_input_collector_pause(ctx->coll_fd, ctx->ins); ++} ++ ++static void cb_emitter_resume(void *data, struct flb_config *config) ++{ ++ struct flb_emitter *ctx = data; ++ flb_input_collector_resume(ctx->coll_fd, ctx->ins); ++} ++ + static int cb_emitter_exit(void *data, struct flb_config *config) + { + struct mk_list *tmp; +@@ -312,8 +369,8 @@ struct flb_input_plugin in_emitter_plugin = { + .cb_ingest = NULL, + .cb_flush_buf = NULL, + .config_map = config_map, +- .cb_pause = NULL, +- .cb_resume = NULL, ++ .cb_pause = cb_emitter_pause, ++ .cb_resume = cb_emitter_resume, + .cb_exit = cb_emitter_exit, + + /* This plugin can only be configured and invoked by the Engine only */ + +From 37826b66b29d1ad867d220313178c3feac9b792a Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Thu, 11 Apr 2024 23:53:10 +0200 +Subject: [PATCH 2/6] filter_multiline: Pause source input plugins on filter + pause This commit will pause the inputs (sending to multiline) to not loose + any in-flight records. + +Signed-off-by: Richard Treu +--- + plugins/filter_multiline/ml.c | 14 ++++++++++++-- + plugins/filter_multiline/ml.h | 4 +++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/plugins/filter_multiline/ml.c b/plugins/filter_multiline/ml.c +index 41b1b8a4d64..ced8ec83739 100644 +--- a/plugins/filter_multiline/ml.c ++++ b/plugins/filter_multiline/ml.c +@@ -176,7 +176,7 @@ static int flush_callback(struct flb_ml_parser *parser, + /* Emit record with original tag */ + flb_plg_trace(ctx->ins, "emitting from %s to %s", stream->input_name, stream->tag); + ret = in_emitter_add_record(stream->tag, flb_sds_len(stream->tag), buf_data, buf_size, +- ctx->ins_emitter); ++ ctx->ins_emitter, ctx->i_ins); + + return ret; + } +@@ -526,7 +526,8 @@ static void partial_timer_cb(struct flb_config *config, void *data) + ret = in_emitter_add_record(packer->tag, flb_sds_len(packer->tag), + packer->log_encoder.output_buffer, + packer->log_encoder.output_length, +- ctx->ins_emitter); ++ 
ctx->ins_emitter, ++ ctx->i_ins); + if (ret < 0) { + /* this shouldn't happen in normal execution */ + flb_plg_warn(ctx->ins, +@@ -741,6 +742,15 @@ static int cb_ml_filter(const void *data, size_t bytes, + return FLB_FILTER_NOTOUCH; + } + ++ if (ctx->i_ins == NULL){ ++ ctx->i_ins = i_ins; ++ } ++ if (ctx->i_ins != i_ins) { ++ flb_plg_trace(ctx->ins, "input instance changed from %s to %s", ++ ctx->i_ins->name, i_ins->name); ++ ctx->i_ins = i_ins; ++ } ++ + /* 'partial_message' mode */ + if (ctx->partial_mode == FLB_TRUE) { + return ml_filter_partial(data, bytes, tag, tag_len, +diff --git a/plugins/filter_multiline/ml.h b/plugins/filter_multiline/ml.h +index 59bf6c7e826..cae8fb64166 100644 +--- a/plugins/filter_multiline/ml.h ++++ b/plugins/filter_multiline/ml.h +@@ -73,6 +73,7 @@ struct ml_ctx { + size_t emitter_mem_buf_limit; /* Emitter buffer limit */ + struct flb_input_instance *ins_emitter; /* emitter input plugin instance */ + struct flb_config *config; /* Fluent Bit context */ ++ struct flb_input_instance *i_ins; /* Fluent Bit input instance (last used)*/ + + #ifdef FLB_HAVE_METRICS + struct cmt_counter *cmt_emitted; +@@ -82,6 +83,7 @@ struct ml_ctx { + /* Register external function to emit records, check 'plugins/in_emitter' */ + int in_emitter_add_record(const char *tag, int tag_len, + const char *buf_data, size_t buf_size, +- struct flb_input_instance *in); ++ struct flb_input_instance *in, ++ struct flb_input_instance *i_ins); + + #endif + +From 2087601806b39719ac64c2862f81e7c5222efd3a Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Thu, 11 Apr 2024 23:55:40 +0200 +Subject: [PATCH 3/6] filter_rewrite_tag: Pause source input plugins on filter + pause This commit will pause the inputs (sending to rewrite_tag) to not loose + any in-flight records. 
+ +Signed-off-by: Richard Treu +--- + plugins/filter_rewrite_tag/rewrite_tag.c | 7 ++++--- + plugins/filter_rewrite_tag/rewrite_tag.h | 3 ++- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/plugins/filter_rewrite_tag/rewrite_tag.c b/plugins/filter_rewrite_tag/rewrite_tag.c +index 01b0f168fe2..c8bfe029350 100644 +--- a/plugins/filter_rewrite_tag/rewrite_tag.c ++++ b/plugins/filter_rewrite_tag/rewrite_tag.c +@@ -355,7 +355,8 @@ static int ingest_inline(struct flb_rewrite_tag *ctx, + */ + static int process_record(const char *tag, int tag_len, msgpack_object map, + const void *buf, size_t buf_size, int *keep, +- struct flb_rewrite_tag *ctx, int *matched) ++ struct flb_rewrite_tag *ctx, int *matched, ++ struct flb_input_instance *i_ins) + { + int ret; + flb_sds_t out_tag; +@@ -404,7 +405,7 @@ static int process_record(const char *tag, int tag_len, msgpack_object map, + if (!ret) { + /* Emit record with new tag */ + ret = in_emitter_add_record(out_tag, flb_sds_len(out_tag), buf, buf_size, +- ctx->ins_emitter); ++ ctx->ins_emitter, i_ins); + } + else { + ret = 0; +@@ -489,7 +490,7 @@ static int cb_rewrite_tag_filter(const void *data, size_t bytes, + * If a record was emitted, the variable 'keep' will define if the record must + * be preserved or not. 
+ */ +- is_emitted = process_record(tag, tag_len, map, (char *) data + pre, off - pre, &keep, ctx, &is_matched); ++ is_emitted = process_record(tag, tag_len, map, (char *) data + pre, off - pre, &keep, ctx, &is_matched, i_ins); + if (is_emitted == FLB_TRUE) { + /* A record with the new tag was emitted */ + emitted_num++; +diff --git a/plugins/filter_rewrite_tag/rewrite_tag.h b/plugins/filter_rewrite_tag/rewrite_tag.h +index 11c0535fde1..d73b49f12eb 100644 +--- a/plugins/filter_rewrite_tag/rewrite_tag.h ++++ b/plugins/filter_rewrite_tag/rewrite_tag.h +@@ -57,7 +57,8 @@ struct flb_rewrite_tag { + /* Register external function to emit records, check 'plugins/in_emitter' */ + int in_emitter_add_record(const char *tag, int tag_len, + const char *buf_data, size_t buf_size, +- struct flb_input_instance *in); ++ struct flb_input_instance *in, ++ struct flb_input_instance *i_ins); + int in_emitter_get_collector_id(struct flb_input_instance *in); + + + +From 64214ada1ded5afc1dae042473b50fa1f8dc9467 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Thu, 11 Apr 2024 23:57:15 +0200 +Subject: [PATCH 4/6] in_emitter: Pause source input plugins on in_emitter + pause This commit will pause all known inputs (sending to multiline) to not + loose any in-flight records. in_emitter will keep track of all sending input + plugins and actively pause/resume them in case in_emitter is paused/resumed. 
+ +Signed-off-by: Richard Treu +--- + plugins/in_emitter/emitter.c | 77 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 73 insertions(+), 4 deletions(-) + +diff --git a/plugins/in_emitter/emitter.c b/plugins/in_emitter/emitter.c +index 532a629b924..8092a7954ee 100644 +--- a/plugins/in_emitter/emitter.c ++++ b/plugins/in_emitter/emitter.c +@@ -32,7 +32,7 @@ + #define DEFAULT_EMITTER_RING_BUFFER_FLUSH_FREQUENCY 2000 + + /* return values */ +-#define FLB_EMITTER_BUSY 3 ++#define FLB_EMITTER_BUSY -2 + + struct em_chunk { + flb_sds_t tag; +@@ -41,12 +41,18 @@ struct em_chunk { + struct mk_list _head; + }; + ++struct input_ref { ++ struct flb_input_instance *i_ins; ++ struct mk_list _head; ++}; ++ + struct flb_emitter { + int coll_fd; /* collector id */ + struct mk_list chunks; /* list of all pending chunks */ + struct flb_input_instance *ins; /* input instance */ + struct flb_ring_buffer *msgs; /* ring buffer for cross-thread messages */ + int ring_buffer_size; /* size of the ring buffer */ ++ struct mk_list i_ins_list; /* instance list of linked/sending inputs */ + }; + + struct em_chunk *em_chunk_create(const char *tag, int tag_len, +@@ -89,6 +95,12 @@ int static do_in_emitter_add_record(struct em_chunk *ec, + struct flb_emitter *ctx = (struct flb_emitter *) in->context; + int ret; + ++ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) { ++ flb_plg_debug(ctx->ins, "_emitter %s paused. 
Not processing records.", ++ ctx->ins->name); ++ return FLB_EMITTER_BUSY; ++ } ++ + /* Associate this backlog chunk to this instance into the engine */ + ret = flb_input_log_append(in, + ec->tag, flb_sds_len(ec->tag), +@@ -111,15 +123,45 @@ int static do_in_emitter_add_record(struct em_chunk *ec, + */ + int in_emitter_add_record(const char *tag, int tag_len, + const char *buf_data, size_t buf_size, +- struct flb_input_instance *in) ++ struct flb_input_instance *in, ++ struct flb_input_instance *i_ins) + { + struct em_chunk temporary_chunk; + struct mk_list *head; ++ struct input_ref *i_ref; ++ bool ref_found; ++ struct mk_list *tmp; ++ + struct em_chunk *ec; + struct flb_emitter *ctx; + + ctx = (struct flb_emitter *) in->context; + ec = NULL; ++ /* Iterate over list of already known (source) inputs */ ++ /* If new, add it to the list to be able to pause it later on */ ++ ref_found = false; ++ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ if(i_ref->i_ins == i_ins){ ++ ref_found = true; ++ break; ++ } ++ } ++ if (!ref_found) { ++ i_ref = flb_malloc(sizeof(struct input_ref)); ++ if (!i_ref) { ++ flb_errno(); ++ return FLB_FILTER_NOTOUCH; ++ } ++ i_ref->i_ins = i_ins; ++ mk_list_add(&i_ref->_head, &ctx->i_ins_list); ++ /* If in_emitter is paused, but new input plugin is not paused, pause it */ ++ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE && ++ flb_input_buf_paused(i_ins) == FLB_FALSE) { ++ flb_input_pause(i_ins); ++ } ++ } ++ + + /* Restricted by mem_buf_limit */ + if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) { +@@ -268,6 +310,8 @@ static int cb_emitter_init(struct flb_input_instance *in, + ctx->ins = in; + mk_list_init(&ctx->chunks); + ++ mk_list_init(&ctx->i_ins_list); ++ + + ret = flb_input_config_map_set(in, (void *) ctx); + if (ret == -1) { +@@ -294,7 +338,7 @@ static int cb_emitter_init(struct flb_input_instance *in, + } + } + else{ +- ret = flb_input_set_collector_time(in, cb_queue_chunks, 
0, 50000000, config); ++ ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 25000000, config); + if (ret < 0) { + flb_error("[in_emitter] could not create collector"); + flb_free(ctx); +@@ -312,13 +356,31 @@ static int cb_emitter_init(struct flb_input_instance *in, + static void cb_emitter_pause(void *data, struct flb_config *config) + { + struct flb_emitter *ctx = data; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct input_ref *i_ref; ++ ++ /* Pause all known senders */ + flb_input_collector_pause(ctx->coll_fd, ctx->ins); ++ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ flb_input_pause(i_ref->i_ins); ++ } + } + + static void cb_emitter_resume(void *data, struct flb_config *config) + { + struct flb_emitter *ctx = data; ++ struct mk_list *tmp; ++ struct mk_list *head; ++ struct input_ref *i_ref; ++ ++ /* Resume all known senders */ + flb_input_collector_resume(ctx->coll_fd, ctx->ins); ++ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ flb_input_resume(i_ref->i_ins); ++ } + } + + static int cb_emitter_exit(void *data, struct flb_config *config) +@@ -328,9 +390,9 @@ static int cb_emitter_exit(void *data, struct flb_config *config) + struct flb_emitter *ctx = data; + struct em_chunk *echunk; + struct em_chunk ec; ++ struct input_ref *i_ref; + int ret; + +- + mk_list_foreach_safe(head, tmp, &ctx->chunks) { + echunk = mk_list_entry(head, struct em_chunk, _head); + mk_list_del(&echunk->_head); +@@ -346,6 +408,13 @@ static int cb_emitter_exit(void *data, struct flb_config *config) + flb_ring_buffer_destroy(ctx->msgs); + } + ++ mk_list_foreach_safe(head,tmp, &ctx->i_ins_list) { ++ i_ref = mk_list_entry(head, struct input_ref, _head); ++ mk_list_del(&i_ref->_head); ++ flb_free(i_ref); ++ } ++ ++ + flb_free(ctx); + return 0; + } + +From f6137ec60bdffc6f5c80e491b463541702438772 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: 
Fri, 12 Apr 2024 00:00:39 +0200 +Subject: [PATCH 5/6] flb_input: Add missing input resume message This commit + will add a resume message, when a paused input plugin is resumed. + +Signed-off-by: Richard Treu +--- + src/flb_input.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/flb_input.c b/src/flb_input.c +index a990a9d2805..7b614ccdb44 100644 +--- a/src/flb_input.c ++++ b/src/flb_input.c +@@ -1729,6 +1729,7 @@ int flb_input_resume(struct flb_input_instance *ins) + flb_input_thread_instance_resume(ins); + } + else { ++ flb_info("[input] resume %s", flb_input_name(ins)); + ins->p->cb_resume(ins->context, ins->config); + } + } + +From 3162d0c3db2f7df9392c6d880280b923002066b1 Mon Sep 17 00:00:00 2001 +From: Richard Treu +Date: Fri, 12 Apr 2024 00:02:03 +0200 +Subject: [PATCH 6/6] tests: filter_multiline: Add test for in_emitter pause by + using multiline This commit will add a test for pause functionality of + in_emitter. The test uses a small emitter buffer size, so the in_emitter will + definitely be paused. 
+ +Signed-off-by: Richard Treu +--- + tests/runtime/filter_multiline.c | 124 +++++++++++++++++++++++++++++++ + 1 file changed, 124 insertions(+) + +diff --git a/tests/runtime/filter_multiline.c b/tests/runtime/filter_multiline.c +index 18253a5b2c7..ed6ffb6b7cb 100644 +--- a/tests/runtime/filter_multiline.c ++++ b/tests/runtime/filter_multiline.c +@@ -2,6 +2,7 @@ + + #include + #include ++#include + #include "flb_tests_runtime.h" + + struct filter_test { +@@ -120,7 +121,34 @@ static int cb_check_str_list(void *record, size_t size, void *data) + return 0; + } + ++void wait_with_timeout(uint32_t timeout_ms, int *output_num, int expected) ++{ ++ struct flb_time start_time; ++ struct flb_time end_time; ++ struct flb_time diff_time; ++ uint64_t elapsed_time_flb = 0; ++ ++ flb_time_get(&start_time); ++ ++ while (true) { ++ *output_num = get_output_num(); ++ ++ if (*output_num == expected) { ++ break; ++ } ++ ++ flb_time_msleep(100); ++ flb_time_get(&end_time); ++ flb_time_diff(&end_time, &start_time, &diff_time); ++ elapsed_time_flb = flb_time_to_nanosec(&diff_time) / 1000000; + ++ if (elapsed_time_flb > timeout_ms) { ++ flb_warn("[timeout] elapsed_time: %ld", elapsed_time_flb); ++ // Reached timeout. 
++ break; ++ } ++ } ++} + + static struct filter_test *filter_test_create(struct flb_lib_out_cb *data) + { +@@ -682,6 +710,100 @@ static void flb_test_ml_buffered_16_streams() + filter_test_destroy(ctx); + } + ++/* This test will test the pausing of in_emitter */ ++static void flb_test_ml_buffered_16_streams_pausing() ++{ ++ struct flb_lib_out_cb cb_data; ++ struct filter_test *ctx; ++ int i_ffds[16] = {0}; ++ int ffd_num = sizeof(i_ffds)/sizeof(int); ++ int ret; ++ int i; ++ int j; ++ int bytes; ++ int len; ++ char line_buf[2048] = {0}; ++ char tag_buf[32] = {0}; ++ int line_num; ++ int num; ++ ++ char *expected_strs[] = {"Exception in thread main java.lang.IllegalStateException: ..null property\\n at com.example.myproject.Author.getBookIds(xx.java:38)\\n at com.example.myproject.Bootstrap.main(Bootstrap.java:14)\\nCaused by: java.lang.NullPointerException\\n at com.example.myproject.Book.getId(Book.java:22)\\n at com.example.myproject.Author.getBookIds(Author.java:35)\\n ... 1 more"}; ++ ++ struct str_list expected = { ++ .size = sizeof(expected_strs)/sizeof(char*), ++ .lists = &expected_strs[0], ++ .ignore_min_line_num = 64, ++ }; ++ ++ char *ml_logs[] = {"Exception in thread main java.lang.IllegalStateException: ..null property", ++ " at com.example.myproject.Author.getBookIds(xx.java:38)", ++ " at com.example.myproject.Bootstrap.main(Bootstrap.java:14)", ++ "Caused by: java.lang.NullPointerException", ++ " at com.example.myproject.Book.getId(Book.java:22)", ++ " at com.example.myproject.Author.getBookIds(Author.java:35)", ++ " ... 
1 more", ++ "single line"}; ++ ++ cb_data.cb = cb_check_str_list; ++ cb_data.data = (void *)&expected; ++ ++ clear_output_num(); ++ ++ line_num = sizeof(ml_logs)/sizeof(char*); ++ ++ /* Create test context */ ++ ctx = filter_test_create((void *) &cb_data); ++ if (!ctx) { ++ exit(EXIT_FAILURE); ++ } ++ flb_service_set(ctx->flb, ++ "Flush", "0.100000000", ++ "Grace", "2", ++ NULL); ++ ++ i_ffds[0] = ctx->i_ffd; ++ for (i=1; iflb, (char *) "lib", NULL); ++ TEST_CHECK(i_ffds[i] >= 0); ++ sprintf(&tag_buf[0], "test%d", i); ++ flb_input_set(ctx->flb, i_ffds[i], "tag", tag_buf, NULL); ++ } ++ ++ /* Configure filter */ ++ /* Set mem_buf_limit small, so in_emitter will be paused */ ++ ret = flb_filter_set(ctx->flb, ctx->f_ffd, ++ "multiline.key_content", "log", ++ "multiline.parser", "java", ++ "buffer", "on", ++ "debug_flush", "on", ++ "emitter_mem_buf_limit", "1k", ++ NULL); ++ TEST_CHECK(ret == 0); ++ ++ ++ /* Start the engine */ ++ ret = flb_start(ctx->flb); ++ TEST_CHECK(ret == 0); ++ ++ for (i=0; iflb, i_ffds[j], &line_buf[0], len); ++ TEST_CHECK(bytes == len); ++ } ++ } ++ wait_with_timeout(20000, &num, ffd_num); ++ ++ if (!TEST_CHECK(num > 0)) { ++ TEST_MSG("output error. got %d expect more than 0 records.", num); ++ /* The internal flb_lib_push cannot be paused, so records may be lost */ ++ /* However, there should be at least some records */ ++ } ++ ++ filter_test_destroy(ctx); ++} ++ + + + +@@ -695,5 +817,7 @@ TEST_LIST = { + + {"flb_test_multiline_partial_message_concat" , flb_test_multiline_partial_message_concat }, + {"flb_test_multiline_partial_message_concat_two_ids" , flb_test_multiline_partial_message_concat_two_ids }, ++ ++ {"ml_buffered_16_streams_pausing" , flb_test_ml_buffered_16_streams_pausing }, + {NULL, NULL} + }; diff --git a/SPECS/hvloader/hvloader.signatures.json b/SPECS/hvloader/hvloader.signatures.json index cca88bd8b41..36414ed04c5 100644 --- a/SPECS/hvloader/hvloader.signatures.json +++ b/SPECS/hvloader/hvloader.signatures.json 
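Review bot: In the PATCH 4/6 hunk of `in_emitter_add_record`, the `flb_malloc` failure path returns `FLB_FILTER_NOTOUCH`, a filter-plugin status code, while every other error in this function and in `do_in_emitter_add_record` is a negative value that the callers in ml.c and rewrite_tag.c test with `ret < 0`; unless that macro happens to be negative, an allocation failure is reported to the filter as success and the record is silently dropped, so use `return -1;` there instead. `ctx->coll_fd` is assigned only in the non-ring-buffer `else` branch of `cb_emitter_init`, yet `cb_emitter_pause`/`cb_emitter_resume` pass it to `flb_input_collector_pause`/`flb_input_collector_resume` unconditionally; the allocation of `ctx` is outside the hunk, so if it is not zero-initialised the ring-buffer configuration pauses an indeterminate collector id — initialise `ctx->coll_fd = -1;` in init and skip the collector calls when it is negative. In the PATCH 6/6 test helper `wait_with_timeout`, `flb_warn("[timeout] elapsed_time: %ld", elapsed_time_flb)` formats a `uint64_t` with `%ld`, which is undefined behaviour where `long` is 32-bit; use `"%" PRIu64` from `<inttypes.h>`.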
@@ -1,7 +1,7 @@
{
"Signatures": {
"hvloader-1.0.1.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba",
- "edk2-stable202302-submodules.tar.gz": "6e0c992145070d4f9e907a2baf9441b264927902537e888d20d2749055d52f20",
+ "edk2-stable202305-submodules.tar.gz": "98ad582dde1cedaa1d0767d92968c47c7102a94b1ab1cd6ca5c95eee2acbaa71",
"target-x86.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8"
}
}
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
index b039a7f5a0e..88a3190fdc7 100644
--- a/SPECS/hvloader/hvloader.spec
+++ b/SPECS/hvloader/hvloader.spec
@@ -1,10 +1,10 @@
%define debug_package %{nil}
%define name_github HvLoader
-%define edk2_tag edk2-stable202302
+%define edk2_tag edk2-stable202305
Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader.
Name: hvloader
Version: 1.0.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -58,6 +58,11 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
/boot/efi/HvLoader.efi
%changelog
+* Fri May 31 2024 Archana Choudhary - 1.0.1-3
+- Update edk2_tag to edk2-stable202305
+- Publish edk2-stable202305-submodules source
+- Correct the resolution of openssl related CVEs (CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304) that were not successfully addressed in the previous update
+
* Wed May 08 2024 Archana Choudhary - 1.0.1-2
- Update edk2_tag to edk2-stable202302
- Publish edk2-stable202302-submodules source
diff --git a/SPECS/hyperv-daemons/CVE-2024-26951.nopatch b/SPECS/hyperv-daemons/CVE-2024-26951.nopatch
new file mode 100644
index 00000000000..c3d001a4dec
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26951.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26951 - in version 5.15.154.1
+upstream: 55b6c738673871c9b0edae05d0c97995c1ff08c4
+stable: 710a177f347282eea162aec8712beb1f42d5ad87
\ No newline at end of file
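Review bot: The changelog line `- Correct the resolution of openssl related CVEs (...) that were not successfully addressed in the previous update` asserts a security outcome that this spec gives a reviewer no way to check: the fix is carried entirely by the `edk2_tag` bump to `edk2-stable202305` and the new `edk2-stable202305-submodules.tar.gz`, whose only verification is the SHA-256 in hvloader.signatures.json. Since the earlier bump to `edk2-stable202302` was meant to address the same four CVE ids and did not, the changelog (or a comment beside `%define edk2_tag`) should record which OpenSSL version the bundled submodule tarball actually carries, so the claim can be checked against the advisories without unpacking the source; presumably that version was confirmed when the tarball was regenerated.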
diff --git a/SPECS/hyperv-daemons/CVE-2024-26961.nopatch b/SPECS/hyperv-daemons/CVE-2024-26961.nopatch
new file mode 100644
index 00000000000..79f529dd3cf
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26961.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26961 - in version 5.15.154.1
+upstream: e8a1e58345cf40b7b272e08ac7b32328b2543e40
+stable: d3d858650933d44ac12c1f31337e7110c2071821
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-26965.nopatch b/SPECS/hyperv-daemons/CVE-2024-26965.nopatch
new file mode 100644
index 00000000000..1dc3a36c365
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26965.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26965 - in version 5.15.154.1
+upstream: e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96
+stable: 8f562f3b25177c2055b20fd8cf000496f6fa9194
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-26966.nopatch b/SPECS/hyperv-daemons/CVE-2024-26966.nopatch
new file mode 100644
index 00000000000..319fc23ffc9
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26966.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26966 - in version 5.15.154.1
+upstream: a903cfd38d8dee7e754fb89fd1bebed99e28003d
+stable: 3aedcf3755c74dafc187eb76acb04e3e6348b1a9
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-26973.nopatch b/SPECS/hyperv-daemons/CVE-2024-26973.nopatch
new file mode 100644
index 00000000000..62ae050a492
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26973.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26973 - in version 5.15.154.1
+upstream: fde2497d2bc3a063d8af88b258dbadc86bd7b57c
+stable: b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-26977.nopatch b/SPECS/hyperv-daemons/CVE-2024-26977.nopatch
new file mode 100644
index 00000000000..47411b70734
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26977.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26977 - in version 5.15.154.1
+upsream: 7626913652cc786c238e2dd7d8740b17d41b2637
+stable: 5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-26984.nopatch b/SPECS/hyperv-daemons/CVE-2024-26984.nopatch
new file mode 100644
index 00000000000..9cca11ab906
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26984.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26984 - in version 5.15.157.1
+upstream: fff1386cc889d8fb4089d285f883f8cba62d82ce
+stable: 3ab056814cd8ab84744c9a19ef51360b2271c572
diff --git a/SPECS/hyperv-daemons/CVE-2024-26993.nopatch b/SPECS/hyperv-daemons/CVE-2024-26993.nopatch
new file mode 100644
index 00000000000..4fa84da9e77
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-26993.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-26993 - in version 5.15.157.1
+upstream: a90bca2228c0646fc29a72689d308e5fe03e6d78
+stable: 43f00210cb257bcb0387e8caeb4b46375d67f30c
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-27000.nopatch b/SPECS/hyperv-daemons/CVE-2024-27000.nopatch
new file mode 100644
index 00000000000..87ce128d432
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-27000.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27000 - in version 5.15.158.1
+upstream: 54c4ec5f8c471b7c1137a1f769648549c423c026
+stable: 479244d68f5d94f3903eced52b093c1e01ddb495
diff --git a/SPECS/hyperv-daemons/CVE-2024-27018.nopatch b/SPECS/hyperv-daemons/CVE-2024-27018.nopatch
new file mode 100644
index 00000000000..119dcb985bd
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-27018.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-27018 - in version 5.15.157.1
+upstream: 751de2012eafa4d46d8081056761fa0e9cc8a178
+stable: dceb683ab87ca3666a9bb5c0158528b646faedc4
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-35912.nopatch b/SPECS/hyperv-daemons/CVE-2024-35912.nopatch
new file mode 100644
index 00000000000..cb970a9e98f
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-35912.nopatch
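Review bot: `upsream: 7626913652cc786c238e2dd7d8740b17d41b2637` in CVE-2024-26977.nopatch misspells the key that every sibling file writes as `upstream:`; if these files are read by the CVE-tracking tooling that the .nopatch convention exists for, the upstream commit reference for this CVE will not be recognised, so change the line to `upstream: 7626913652cc786c238e2dd7d8740b17d41b2637`. Separately, most of the new .nopatch files end without a trailing newline while CVE-2024-26984.nopatch and CVE-2024-27000.nopatch have one; settling on one form keeps the set consistent and avoids spurious diffs later.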
@@ -0,0 +1,3 @@
+CVE-2024-35912 - in version 5.15.154.1
+upstream: 06a093807eb7b5c5b29b6cff49f8174a4e702341
+stable: 28db0ae86cb91a4ab0e855cff779daead936b7d5
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2024-36008.nopatch b/SPECS/hyperv-daemons/CVE-2024-36008.nopatch
new file mode 100644
index 00000000000..cd889cd4f5f
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2024-36008.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-36008 - in version 5.15.158.1
+upstream: 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1
+stable: 03b5a9b2b526862b21bcc31976e393a6e63785d1
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
index 5f487cf529a..3f8befe9742 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
+++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
@@ -7,6 +7,6 @@
"hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
"hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
"hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
- "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5"
+ "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
}
}
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec
index 1f914d5db85..1631f9e2c40 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.spec
+++ b/SPECS/hyperv-daemons/hyperv-daemons.spec
@@ -8,7 +8,7 @@ %global udev_prefix 70
Summary: Hyper-V daemons suite
Name: hyperv-daemons
-Version: 5.15.158.1
+Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
@@ -219,6 +219,12 @@ fi
%{_sbindir}/lsvmbus
%changelog
+* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1
+- Revert to 5.15.158.2
+
+* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1
+- Auto-upgrade to 5.15.159.1
+
* Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1
diff --git a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json
index e677273b01a..15284fecffd 100644
--- a/SPECS/kata-containers-cc/kata-containers-cc.signatures.json
+++ b/SPECS/kata-containers-cc/kata-containers-cc.signatures.json
@@ -1,7 +1,7 @@
{
"Signatures": {
"mariner-coco-build-uvm.sh": "4f2be6965d8c4d7919fd201a68160fc8ab02a1be50a336abbfea13f16a6ffb89",
- "kata-containers-cc-3.2.0.azl1-cargo.tar.gz": "e9225097732f0e9be4da806dac9189c94b43e76dc54b964d1c07beaf8ea65e36",
- "kata-containers-cc-3.2.0.azl1.tar.gz": "1c0461a0bcb6920888955ad54c6542b8adfce939e008e6c89f102cf4baeb74a4"
+ "kata-containers-cc-3.2.0.azl2.tar.gz": "49265e0ecd21af4ed8f23398d1e46ef9961786cb44f40fe582abff06c1c1a873",
+ "kata-containers-cc-3.2.0.azl2-cargo.tar.gz": "ddf919a672200f0fb53d1cb6c66d6b1c401cf26368541c750d9a12e62da605a1"
}
}
diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec
index a00762a7c82..46a3cd913b4 100644
--- a/SPECS/kata-containers-cc/kata-containers-cc.spec
+++ b/SPECS/kata-containers-cc/kata-containers-cc.spec
@@ -12,7 +12,7 @@ %global debug_package %{nil}
Name: kata-containers-cc
-Version: 3.2.0.azl1
+Version: 3.2.0.azl2
Release: 1%{?dist}
Summary: Kata Confidential Containers package developed for Confidential Containers on AKS
License: ASL 2.0
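Review bot: The new changelog entries describe an upgrade to 5.15.159.1 followed by `- Revert to 5.15.158.2`, but the hunk at the top of this file changes `Version:` from 5.15.158.1 to 5.15.158.2, so on this branch 5.15.159.1 never existed and the 5.15.158.2 step is a forward bump, not a revert. Presumably the entries were cherry-picked from a branch where the 5.15.159.1 upgrade had landed; here the interim entry should be dropped, or the top entry reworded as `- Upgrade to 5.15.158.2`, so the changelog matches what the spec actually did. The kernel-azure.spec changelog further down in this commit has the same pair of entries against the same 5.15.158.1 to 5.15.158.2 version change.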
@@ -158,10 +158,9 @@ mkdir -p %{buildroot}%{share_kata}
mkdir -p %{buildroot}%{coco_path}/libexec
mkdir -p %{buildroot}/etc/systemd/system/containerd.service.d/
-# for testing policy/snapshotter without SEV SNP we use CH (with kernel-uvm and initrd) instead of CH-CVM with IGVM
# Note: our kata-containers config toml expects cloud-hypervisor and kernel under a certain path/name, so we align this through symlinks here
ln -s /usr/bin/cloud-hypervisor %{buildroot}%{coco_bin}/cloud-hypervisor
-ln -s /usr/bin/cloud-hypervisor-cvm %{buildroot}%{coco_bin}/cloud-hypervisor-snp
+ln -s /usr/bin/cloud-hypervisor %{buildroot}%{coco_bin}/cloud-hypervisor-snp
# this is again for testing without SEV SNP
ln -s /usr/share/cloud-hypervisor/vmlinux.bin %{buildroot}%{share_kata}/vmlinux.container
@@ -289,6 +288,10 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
%exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
%changelog
+* Wed May 29 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-1
+- Auto-upgrade to 3.2.0.azl2
+- Update cloud-hypervisor-snp symlink to also point to /usr/bin/cloud-hypervisor
+
* Thu May 02 2024 CBL-Mariner Servicing Account - 3.2.0.azl1-1
- Auto-upgrade to 3.2.0.azl1
- Remove opa
diff --git a/SPECS/kata-containers/kata-containers.signatures.json b/SPECS/kata-containers/kata-containers.signatures.json
index b621b7c58b4..61927a54ba2 100644
--- a/SPECS/kata-containers/kata-containers.signatures.json
+++ b/SPECS/kata-containers/kata-containers.signatures.json
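Review bot: Repointing `cloud-hypervisor-snp` at `/usr/bin/cloud-hypervisor` also deletes the only comment that explained why the SEV-SNP hypervisor path deliberately resolves to the non-CVM binary, and the surviving `# this is again for testing without SEV SNP` now has no antecedent for "again". This symlink decides which hypervisor build a confidential container is started under, so the intent belongs next to the `ln -s` rather than only in the changelog; a one-line comment such as `# testing without SEV SNP: cloud-hypervisor-snp resolves to the non-CVM cloud-hypervisor binary, not cloud-hypervisor-cvm` restores what the removed line conveyed. It would also help to state the condition under which the `-cvm` target is expected back, if that is known.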
@@ -2,7 +2,7 @@ "Signatures": { "50-kata": "fb108c6337b3d3bf80b43ab04f2bf9a3bdecd29075ebd16320aefe8f81c502a7", "mariner-build-uvm.sh": "a0fbee4def82ee492eab64a8b5a948c2fef125fa1ca5686aafa0a80c64144068", - "kata-containers-3.2.0.azl1-cargo.tar.gz": "9fb37f5141d09d359f9ddbd6588ddc0f0a58c20e7d8da3e96037f6549b283015", - "kata-containers-3.2.0.azl1.tar.gz": "140118610896fd3ef6c63649e06a9a4d2380dc1fbf2d82ec676245c06ffb6f36" + "kata-containers-3.2.0.azl2-cargo.tar.gz": "830c90cc6e44f492e6366012f8834ae6fc84bd790edf678c23003368c288b98c", + "kata-containers-3.2.0.azl2.tar.gz": "ab65f23787347fae11cf07e0a380e925e9f7b6f0f862ef6440a683b816206011" } } diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index 4f5408e637a..68369d8e79a 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -38,7 +38,7 @@ Summary: Kata Containers Name: kata-containers -Version: 3.2.0.azl1 +Version: 3.2.0.azl2 Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation @@ -215,6 +215,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu %changelog +* Wed May 29 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-1 +- Auto-upgrade to 3.2.0.azl2 + * Thu May 02 2024 CBL-Mariner Servicing Account - 3.2.0.azl1-1 - Auto-upgrade to 3.2.0.azl1 diff --git a/SPECS/kernel-azure/config b/SPECS/kernel-azure/config index 392ef97bcb5..ff6707020a2 100644 --- a/SPECS/kernel-azure/config +++ b/SPECS/kernel-azure/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-azure/config_aarch64 b/SPECS/kernel-azure/config_aarch64 index 1fb67b440e8..9c2822f6220 100644 --- a/SPECS/kernel-azure/config_aarch64 +++ b/SPECS/kernel-azure/config_aarch64 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.158.1 Kernel Configuration +# Linux/arm64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-azure/kernel-azure.signatures.json b/SPECS/kernel-azure/kernel-azure.signatures.json index 4e38e1dd44c..df2048e9d92 100644 --- a/SPECS/kernel-azure/kernel-azure.signatures.json +++ b/SPECS/kernel-azure/kernel-azure.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "30028d043a482088df75ef6a96a133e40fec8688cada0f9ec500859a64d29d1a", - "config_aarch64": "cbab8c30dee0480e67d0a61282b9eafb9e5aadb08e468074f454e8d0644ec801", + "config": "7650bca555140f8b2c2e6b03709da0a8d730993215e9d28751068c799100c7bf", + "config_aarch64": "1c9733a974fa2aa7f38ae3c05887921cb7e94db0f2d5e37f85780da5824dab38", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel-azure/kernel-azure.spec b/SPECS/kernel-azure/kernel-azure.spec index 41d70905c9b..5f18e514b46 100644 --- a/SPECS/kernel-azure/kernel-azure.spec +++ b/SPECS/kernel-azure/kernel-azure.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel-azure -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -420,6 +420,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 
diff --git a/SPECS/kernel-hci/config b/SPECS/kernel-hci/config index 3f62fbe3dfa..8c432a9df1e 100644 --- a/SPECS/kernel-hci/config +++ b/SPECS/kernel-hci/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hci/kernel-hci.signatures.json b/SPECS/kernel-hci/kernel-hci.signatures.json index 2af302409a7..6af05f9b10d 100644 --- a/SPECS/kernel-hci/kernel-hci.signatures.json +++ b/SPECS/kernel-hci/kernel-hci.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "f471f62f07544a9a4fff98e849cb66d2cc47373f541129546efa19033b8bae4e", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "config": "c8c6eb36480dc13723e2c29f8df52b2557c88c5fd2c6b28acedd763f90954855", + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel-hci/kernel-hci.spec b/SPECS/kernel-hci/kernel-hci.spec index 71d3fc6afbe..e0788a07278 100644 --- a/SPECS/kernel-hci/kernel-hci.spec +++ b/SPECS/kernel-hci/kernel-hci.spec @@ -17,7 +17,7 @@ %define config_source %{SOURCE1} Summary: Linux Kernel for HCI Name: kernel-hci -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -547,6 +547,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 48b1416d0e4..1226bbd6072 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 50a77d130cb..bb81130cdde 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -11,7 +11,7 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -73,6 +73,12 @@ done %endif %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/kernel-mos/config b/SPECS/kernel-mos/config index f036139d83e..9acde80b8ea 100644 --- a/SPECS/kernel-mos/config +++ b/SPECS/kernel-mos/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-mos/kernel-mos.signatures.json b/SPECS/kernel-mos/kernel-mos.signatures.json index 90dd0ed9ead..88afb98b3a9 100644 --- a/SPECS/kernel-mos/kernel-mos.signatures.json +++ b/SPECS/kernel-mos/kernel-mos.signatures.json 
@@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "5d89baeb6cecb07e605145ff17b896602368f56ab5e4e57130d85e284f515379", + "config": "4b6c625c8ac2a089f19b185efe07d0590be5733162ea7eb9b43f89c27ec4f451", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-mos-5.15.158.1.tar.gz": "04e24215aca4887807e0aa04e546b6b05c9bd6fc689eedf37b221a82757c05a9" + "kernel-mos-5.15.158.2.tar.gz": "e55dcfc84a66b80fdeb3629daa38855b8ab9d9e567929ea13243be7194e66317" } } diff --git a/SPECS/kernel-mos/kernel-mos.spec b/SPECS/kernel-mos/kernel-mos.spec index fb7b112eb20..af62b56f6d6 100644 --- a/SPECS/kernel-mos/kernel-mos.spec +++ b/SPECS/kernel-mos/kernel-mos.spec @@ -18,7 +18,7 @@ %define config_source %{SOURCE1} Summary: Linux Kernel for MOS Name: kernel-mos -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -377,6 +377,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Gary Swalling - 5.15.158.2-1 +- Update to 5.15.158.2 + * Wed May 08 2024 Gary Swalling - 5.15.158.1-1 - Update to 5.15.158.1 diff --git a/SPECS/kernel-mshv/config b/SPECS/kernel-mshv/config index 05a8d42aa11..03db4e9e2d6 100644 --- a/SPECS/kernel-mshv/config +++ b/SPECS/kernel-mshv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.126.mshv9 Kernel Configuration +# Linux/x86_64 5.15.157.mshv1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y @@ -491,6 +491,8 @@ CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y CONFIG_CPU_SRSO=y # CONFIG_GDS_FORCE_MITIGATION is not set +CONFIG_MITIGATION_RFDS=y +CONFIG_MITIGATION_SPECTRE_BHI=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y 
@@ -768,6 +770,9 @@ CONFIG_GCC_PLUGINS=y # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set # CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set # CONFIG_GCC_PLUGIN_RANDSTRUCT is not set +CONFIG_FUNCTION_ALIGNMENT_4B=y +CONFIG_FUNCTION_ALIGNMENT_16B=y +CONFIG_FUNCTION_ALIGNMENT=16 # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -1161,6 +1166,7 @@ CONFIG_NFT_HASH=m CONFIG_NFT_TPROXY=m # CONFIG_NFT_SYNPROXY is not set # CONFIG_NF_FLOW_TABLE is not set +CONFIG_NF_FLOW_TABLE_PROCFS=y CONFIG_NETFILTER_XTABLES=y # @@ -1458,7 +1464,6 @@ CONFIG_NET_SCHED=y # # Queueing/Scheduling # -CONFIG_NET_SCH_CBQ=m CONFIG_NET_SCH_HTB=m CONFIG_NET_SCH_HFSC=m CONFIG_NET_SCH_PRIO=m @@ -1472,7 +1477,6 @@ CONFIG_NET_SCH_TBF=m CONFIG_NET_SCH_ETF=m # CONFIG_NET_SCH_TAPRIO is not set CONFIG_NET_SCH_GRED=m -CONFIG_NET_SCH_DSMARK=m CONFIG_NET_SCH_NETEM=m CONFIG_NET_SCH_DRR=m CONFIG_NET_SCH_MQPRIO=m @@ -1500,8 +1504,6 @@ CONFIG_NET_CLS_FW=m CONFIG_NET_CLS_U32=m CONFIG_CLS_U32_PERF=y CONFIG_CLS_U32_MARK=y -CONFIG_NET_CLS_RSVP=m -CONFIG_NET_CLS_RSVP6=m CONFIG_NET_CLS_FLOW=m CONFIG_NET_CLS_CGROUP=m CONFIG_NET_CLS_BPF=m @@ -3649,7 +3651,6 @@ CONFIG_MFD_INTEL_LPSS_PCI=m # CONFIG_MFD_SM501 is not set # CONFIG_MFD_SKY81452 is not set # CONFIG_MFD_SYSCON is not set -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set 
@@ -5164,18 +5165,28 @@ CONFIG_VIRTIO_PCI_LIB=y CONFIG_VIRTIO_MENU=y CONFIG_VIRTIO_PCI=y CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_VDPA is not set # CONFIG_VIRTIO_PMEM is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_MEM=m # CONFIG_VIRTIO_INPUT is not set CONFIG_VIRTIO_MMIO=y # CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set -# CONFIG_VDPA is not set +CONFIG_VDPA=m +CONFIG_VDPA_SIM=m +CONFIG_VDPA_SIM_NET=m +CONFIG_VDPA_SIM_BLOCK=m +# CONFIG_VDPA_USER is not set +# CONFIG_IFCVF is not set +# CONFIG_MLX5_VDPA_NET is not set +# CONFIG_VP_VDPA is not set CONFIG_VHOST_IOTLB=m +CONFIG_VHOST_RING=m CONFIG_VHOST=m CONFIG_VHOST_MENU=y CONFIG_VHOST_NET=m CONFIG_VHOST_VSOCK=m +CONFIG_VHOST_VDPA=m # CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set # @@ -5185,6 +5196,7 @@ CONFIG_HYPERV=y CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=y CONFIG_HYPERV_BALLOON=y +CONFIG_HYPERV_NONTLFS_HEADERS=y CONFIG_MSHV=y CONFIG_MSHV_ROOT=y # CONFIG_MSHV_VTL is not set @@ -5472,12 +5484,17 @@ CONFIG_IIO_ST_ACCEL_I2C_3AXIS=m # CONFIG_MAX9611 is not set # CONFIG_MCP3422 is not set # CONFIG_NAU7802 is not set -# CONFIG_STX104 is not set # CONFIG_TI_ADC081C is not set # CONFIG_TI_ADS1015 is not set # CONFIG_XILINX_XADC is not set # end of Analog to digital converters +# +# Analog to digital and digital to analog converters +# +# CONFIG_STX104 is not set +# end of Analog to digital and digital to analog converters + # # Analog Front Ends # @@ -6071,8 +6088,7 @@ CONFIG_NFS_DEBUG=y CONFIG_NFS_DISABLE_UDP_SUPPORT=y # CONFIG_NFS_V4_2_READ_PLUS is not set CONFIG_NFSD=m -CONFIG_NFSD_V2_ACL=y -CONFIG_NFSD_V3=y +# CONFIG_NFSD_V2 is not set CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V4=y CONFIG_NFSD_PNFS=y 
@@ -6670,8 +6686,9 @@ CONFIG_DEBUG_INFO=y CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y # CONFIG_DEBUG_INFO_DWARF4 is not set # CONFIG_DEBUG_INFO_DWARF5 is not set -# CONFIG_DEBUG_INFO_BTF is not set +CONFIG_DEBUG_INFO_BTF=y CONFIG_PAHOLE_HAS_SPLIT_BTF=y +CONFIG_DEBUG_INFO_BTF_MODULES=y # CONFIG_GDB_SCRIPTS is not set CONFIG_FRAME_WARN=2048 CONFIG_STRIP_ASM_SYMS=y diff --git a/SPECS/kernel-mshv/kernel-mshv.signatures.json b/SPECS/kernel-mshv/kernel-mshv.signatures.json index deff3dd75d8..ce0523c0b98 100644 --- a/SPECS/kernel-mshv/kernel-mshv.signatures.json +++ b/SPECS/kernel-mshv/kernel-mshv.signatures.json @@ -1,8 +1,8 @@ { - "Signatures": { - "kernel-mshv-5.15.126.mshv9.tar.gz": "3ed864ec26340e02b95696784f870eee53ad1e0ba1f30bd9545704bb45a5a2f2", - "50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369", - "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "b266255bd7dfef022aabb578cf928f3435025562a723a95fab6c2ee62acd00ea" - } + "Signatures": { + "50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369", + "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", + "config": "a83f8b5ccf093bae011d89575b410418e31f8705f6cf9ed291b0cfe1ea5896c9", + "kernel-mshv-5.15.157.mshv1.tar.gz": "8240745a0820ee383ebaf8750877c1189772dc0253cd0658deab199fb2140a4b" + } } diff --git a/SPECS/kernel-mshv/kernel-mshv.spec b/SPECS/kernel-mshv/kernel-mshv.spec index a9b97eaeb9f..e68eaa07960 100644 --- a/SPECS/kernel-mshv/kernel-mshv.spec +++ b/SPECS/kernel-mshv/kernel-mshv.spec @@ -10,8 +10,8 @@ Summary: Mariner kernel that has MSHV Host support Name: kernel-mshv -Version: 5.15.126.mshv9 -Release: 3%{?dist} +Version: 5.15.157.mshv1 +Release: 1%{?dist} License: GPLv2 Group: Development/Tools Vendor: Microsoft Corporation 
@@ -248,6 +248,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg %{_includedir}/perf/perf_dlfilter.h %changelog +* Tue May 14 2024 CBL-Mariner Servicing Account - 5.15.157.mshv1-1 +- Auto-upgrade to 5.15.157.mshv1 + * Mon Apr 01 2024 Cameron Baird - 5.15.126.mshv9-3 - Bump release to match kernel-mshv-signed package diff --git a/SPECS/kernel-uvm/config b/SPECS/kernel-uvm/config index 6f8f3369d08..4aab5a035d8 100644 --- a/SPECS/kernel-uvm/config +++ b/SPECS/kernel-uvm/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.1.0.mshv16 Kernel Configuration +# Linux/x86_64 6.1.58.mshv4 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y @@ -170,7 +170,8 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y CONFIG_CC_HAS_INT128=y CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" -CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_GCC11_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_ARRAY_BOUNDS=y CONFIG_ARCH_SUPPORTS_INT128=y # CONFIG_NUMA_BALANCING is not set CONFIG_CGROUPS=y @@ -440,6 +441,8 @@ CONFIG_RETHUNK=y CONFIG_CPU_UNRET_ENTRY=y CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_SRSO=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y @@ -596,6 +599,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_ARCH_WANTS_NO_INSTR=y @@ -870,6 +874,7 @@ CONFIG_SECRETMEM=y # CONFIG_ANON_VMA_NAME is not set # CONFIG_USERFAULTFD is not set # CONFIG_LRU_GEN is not set +CONFIG_LOCK_MM_AND_FIND_VMA=y # # Data Access Monitoring 
@@ -919,6 +924,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -1268,12 +1274,9 @@ CONFIG_NET_SCH_FQ=y # CONFIG_NET_CLS=y # CONFIG_NET_CLS_BASIC is not set -# CONFIG_NET_CLS_TCINDEX is not set # CONFIG_NET_CLS_ROUTE4 is not set # CONFIG_NET_CLS_FW is not set # CONFIG_NET_CLS_U32 is not set -# CONFIG_NET_CLS_RSVP is not set -# CONFIG_NET_CLS_RSVP6 is not set # CONFIG_NET_CLS_FLOW is not set CONFIG_NET_CLS_CGROUP=y # CONFIG_NET_CLS_BPF is not set @@ -1573,7 +1576,9 @@ CONFIG_VIRTIO_BLK=y # CONFIG_MISC_RTSX_PCI is not set # CONFIG_HABANA_AI is not set # CONFIG_UACCE is not set -# CONFIG_PVPANIC is not set +CONFIG_PVPANIC=y +# CONFIG_PVPANIC_MMIO is not set +CONFIG_PVPANIC_PCI=y # end of Misc devices # @@ -2265,6 +2270,7 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y CONFIG_HYPERV=y CONFIG_HYPERV_TIMER=y # CONFIG_HYPERV_BALLOON is not set +# CONFIG_DXGKRNL is not set # end of Microsoft Hyper-V guest support # CONFIG_GREYBUS is not set @@ -2589,7 +2595,7 @@ CONFIG_CIFS_STATS2=y # CONFIG_CIFS_SWN_UPCALL is not set # CONFIG_CIFS_ROOT is not set # CONFIG_SMB_SERVER is not set -CONFIG_SMBFS_COMMON=y +CONFIG_SMBFS=y # CONFIG_CODA_FS is not set # CONFIG_AFS_FS is not set CONFIG_9P_FS=y @@ -3060,7 +3066,10 @@ CONFIG_OBJTOOL=y # # Generic Kernel Debugging Instruments # -# CONFIG_MAGIC_SYSRQ is not set +CONFIG_MAGIC_SYSRQ=y +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1 +CONFIG_MAGIC_SYSRQ_SERIAL=y +CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" # CONFIG_DEBUG_FS is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set diff --git a/SPECS/kernel-uvm/kernel-uvm.signatures.json b/SPECS/kernel-uvm/kernel-uvm.signatures.json index f1a56aca498..53a34a7323a 100644 --- a/SPECS/kernel-uvm/kernel-uvm.signatures.json +++ b/SPECS/kernel-uvm/kernel-uvm.signatures.json 
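Review bot: In the last hunk `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1` enables every SysRq function by default (in the kernel's sysrq semantics 0x1 means "all functions", not a single-function bit), and with `CONFIG_MAGIC_SYSRQ_SERIAL=y` plus an empty `CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE` the serial console becomes a SysRq trigger for the UVM guest kernel. The serial console of a Kata UVM is provided by the host, which in a confidential-containers deployment is outside the trusted boundary, so this appears to widen what the host can do to the guest (crash, signal, reboot) from outside the attested image. If the intent is only crash dumps or console-loglevel control, narrowing the default to that bit mask, or leaving it off and enabling it at runtime via `kernel.sysrq` when debugging, would be the smaller change; the `Auto-upgrade to 6.1.58.mshv4` changelog entry does not mention this enablement, so it should at least be called out there.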
@@ -1,6 +1,6 @@ { - "Signatures": { - "config": "875ddf9294126989d10aeae4ab0fb31c0e4152d3f15c0a6fe8db29540576bd7c", - "kernel-uvm-6.1.0.mshv16.tar.gz": "f0453c3665387a2a87743782347dbccb6c0a2da1f1e9f35c04acd6ba9a9fd92c" - } -} \ No newline at end of file + "Signatures": { + "config": "f94bc8a7c5e0507b3a19e0771ff0798862bac30aa5ababc0cc05ce60e3fdf9de", + "kernel-uvm-6.1.58.mshv4.tar.gz": "81ac99ab06cf7df0845f0bd596b394658fb3f1801d0ad985f5b64ffa3d90e80a" + } +} diff --git a/SPECS/kernel-uvm/kernel-uvm.spec b/SPECS/kernel-uvm/kernel-uvm.spec index 86df5d251b8..757a5c589e1 100644 --- a/SPECS/kernel-uvm/kernel-uvm.spec +++ b/SPECS/kernel-uvm/kernel-uvm.spec @@ -10,8 +10,8 @@ Summary: Linux Kernel for Kata UVM Name: kernel-uvm -Version: 6.1.0.mshv16 -Release: 2%{?dist} +Version: 6.1.58.mshv4 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -154,6 +154,9 @@ find %{buildroot}/lib/modules -name '*.ko' -exec chmod u+x {} + %{_prefix}/src/linux-headers-%{uname_r} %changelog +* Tue May 14 2024 CBL-Mariner Servicing Account - 6.1.58.mshv4-1 +- Auto-upgrade to 6.1.58.mshv4 + * Wed Mar 27 2024 Archana Choudhary - 6.1.0.mshv16-2 - Enable CIFS modules diff --git a/SPECS/kernel/CVE-2022-38096.nopatch b/SPECS/kernel/CVE-2022-38096.nopatch new file mode 100644 index 00000000000..6c9c97423bc --- /dev/null +++ b/SPECS/kernel/CVE-2022-38096.nopatch @@ -0,0 +1,3 @@ +CVE-2022-38096 - in version 5.15.154.1 +upstream: 517621b7060096e48e42f545fa6646fc00252eac +stable: 899e154f9546fcae18065d74064889d08fff62c2 diff --git a/SPECS/kernel/CVE-2023-47233.nopatch b/SPECS/kernel/CVE-2023-47233.nopatch new file mode 100644 index 00000000000..22bcb7a4d3d --- /dev/null +++ b/SPECS/kernel/CVE-2023-47233.nopatch @@ -0,0 +1,3 @@ +CVE-2023-47233 - in version 5.15.158.1 +upstream: 0f7352557a35ab7888bc7831411ec8a3cbe20d78 +stable: 8c36205123dc57349b59b4f1a2301eb278cbc731 
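Review bot: `CVE-2022-38096.nopatch` in this hunk and `CVE-2024-26979.nopatch` later in the diff cite the same upstream commit `517621b7060096e48e42f545fa6646fc00252eac` and the same stable commit `899e154f9546fcae18065d74064889d08fff62c2`, yet one says `in version 5.15.154.1` and the other `in version 5.15.158.1`; a given stable backport lands in one stable release, so one of the two version claims is wrong. These files are the audit record used to suppress scanner findings, so the version should be reconciled against the stable tag that actually contains the commit. Separately, `CVE-2024-26949.nopatch` and `CVE-2024-26952.nopatch` justify their status against `5.15.159.1` while this commit reverts the kernel packages to `5.15.158.2`; the reasoning presumably still holds for the older tree, but the version reference should match the shipped version so the next triage does not have to re-derive it.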
diff --git a/SPECS/kernel/CVE-2023-52827.nopatch b/SPECS/kernel/CVE-2023-52827.nopatch new file mode 100644 index 00000000000..be2dcebc348 --- /dev/null +++ b/SPECS/kernel/CVE-2023-52827.nopatch @@ -0,0 +1,3 @@ +CVE-2023-52827 - ath12k driver support is not in 5.15.X +upstream introducing commit: d889913205cf7ebda905b1e62c5867ed4e39f6c2 +upstream fix commit: 1bc44a505a229bb1dd4957e11aa594edeea3690e diff --git a/SPECS/kernel/CVE-2024-25739.nopatch b/SPECS/kernel/CVE-2024-25739.nopatch new file mode 100644 index 00000000000..569b311f2c7 --- /dev/null +++ b/SPECS/kernel/CVE-2024-25739.nopatch @@ -0,0 +1,3 @@ +CVE-2024-25739 - in version 5.15.158.1 +upstream: 68a24aba7c593eafa8fd00f2f76407b9b32b47a9 +stable: 8ce982285414b741e2dd6ebb5a62e79dede44f7f diff --git a/SPECS/kernel/CVE-2024-26902.nopatch b/SPECS/kernel/CVE-2024-26902.nopatch new file mode 100644 index 00000000000..79f28eaa324 --- /dev/null +++ b/SPECS/kernel/CVE-2024-26902.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26902 - 5.15.X does not support RISCV_PMU_SBI +upstream introducing commit: e9991434596f5373dfd75857b445eb92a9253c56 +upstream fix commit: 34b567868777e9fd39ec5333969728a7f0cf179c diff --git a/SPECS/kernel/CVE-2024-26929.nopatch b/SPECS/kernel/CVE-2024-26929.nopatch new file mode 100644 index 00000000000..e69155b6c9b --- /dev/null +++ b/SPECS/kernel/CVE-2024-26929.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26929 - in version 5.15.158.1 +upstream: 82f522ae0d97119a43da53e0f729275691b9c525 +stable: b03e626bd6d3f0684f56ee1890d70fc9ca991c04 diff --git a/SPECS/kernel/CVE-2024-26934.nopatch b/SPECS/kernel/CVE-2024-26934.nopatch new file mode 100644 index 00000000000..254de989565 --- /dev/null +++ b/SPECS/kernel/CVE-2024-26934.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26934 - in version 5.15.158.1 +upstream: 80ba43e9f799cbdd83842fc27db667289b3150f5 +stable: 1b175bc579f46520b11ecda443bcd2ee4904f66a 
diff --git a/SPECS/kernel/CVE-2024-26949.nopatch b/SPECS/kernel/CVE-2024-26949.nopatch new file mode 100644 index 00000000000..af26c683f0a --- /dev/null +++ b/SPECS/kernel/CVE-2024-26949.nopatch @@ -0,0 +1,4 @@ +CVE-2024-26949 - introducing commit not present in 5.15.159.1 +(5.15.X does not support for getting power1_cap_min value for drm/amd/pm) +upstream introducing commit: 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb +upstream fix commit: 08ae9ef829b8055c2fdc8cfee37510c1f4721a07 diff --git a/SPECS/kernel/CVE-2024-26952.nopatch b/SPECS/kernel/CVE-2024-26952.nopatch new file mode 100644 index 00000000000..1a395ae4824 --- /dev/null +++ b/SPECS/kernel/CVE-2024-26952.nopatch @@ -0,0 +1,2 @@ +CVE-2024-26952 - Mariner does not enable ksmbd at this time (5.15.159.1-1) +Upstream commit: c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da diff --git a/SPECS/kernel/CVE-2024-26979.nopatch b/SPECS/kernel/CVE-2024-26979.nopatch new file mode 100644 index 00000000000..6c45589d9f2 --- /dev/null +++ b/SPECS/kernel/CVE-2024-26979.nopatch @@ -0,0 +1,3 @@ +CVE-2024-26979 - in version 5.15.158.1 +upstream: 517621b7060096e48e42f545fa6646fc00252eac +stable: 899e154f9546fcae18065d74064889d08fff62c2 diff --git a/SPECS/kernel/CVE-2024-27013.nopatch b/SPECS/kernel/CVE-2024-27013.nopatch new file mode 100644 index 00000000000..2a02ef84a3e --- /dev/null +++ b/SPECS/kernel/CVE-2024-27013.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27013 - in version 5.15.158.1 +upstream: f8bbc07ac535593139c875ffa19af924b1084540 +stable: a50dbeca28acf7051dfa92786b85f704c75db6eb diff --git a/SPECS/kernel/CVE-2024-27015.nopatch b/SPECS/kernel/CVE-2024-27015.nopatch new file mode 100644 index 00000000000..116c16fb132 --- /dev/null +++ b/SPECS/kernel/CVE-2024-27015.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27015 - in version 5.15.158.1 +upstream: 6db5dc7b351b9569940cd1cf445e237c42cd6d27 +stable: e719b52d0c56989b0f3475a03a6d64f182c85b56 
diff --git a/SPECS/kernel/CVE-2024-27016.nopatch b/SPECS/kernel/CVE-2024-27016.nopatch new file mode 100644 index 00000000000..91196658e3c --- /dev/null +++ b/SPECS/kernel/CVE-2024-27016.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27016 - in version 5.15.158.1 +upstream: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf +stable: d06977b9a4109f8738bb276125eb6a0b772bc433 diff --git a/SPECS/kernel/CVE-2024-27018.nopatch b/SPECS/kernel/CVE-2024-27018.nopatch new file mode 100644 index 00000000000..62541743005 --- /dev/null +++ b/SPECS/kernel/CVE-2024-27018.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27018 - in version 5.15.157.1 +upstream: 751de2012eafa4d46d8081056761fa0e9cc8a178 +stable: dceb683ab87ca3666a9bb5c0158528b646faedc4 diff --git a/SPECS/kernel/CVE-2024-27019.nopatch b/SPECS/kernel/CVE-2024-27019.nopatch new file mode 100644 index 00000000000..08cbdc9b5af --- /dev/null +++ b/SPECS/kernel/CVE-2024-27019.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27019 - in version 5.15.158.1 +upstream: d78d867dcea69c328db30df665be5be7d0148484 +stable: 379bf7257bc5f2a1b1ca8514e08a871b7bf6d920 diff --git a/SPECS/kernel/CVE-2024-27020.nopatch b/SPECS/kernel/CVE-2024-27020.nopatch new file mode 100644 index 00000000000..3cea0d907f1 --- /dev/null +++ b/SPECS/kernel/CVE-2024-27020.nopatch @@ -0,0 +1,3 @@ +CVE-2024-27020 - in version 5.15.158.1 +upstream: f969eb84ce482331a991079ab7a5c4dc3b7f89bf +stable: 0b6de00206adbbfc6373b3ae38d2a6f197987907 diff --git a/SPECS/kernel/CVE-2024-35978.nopatch b/SPECS/kernel/CVE-2024-35978.nopatch new file mode 100644 index 00000000000..10c0476ff33 --- /dev/null +++ b/SPECS/kernel/CVE-2024-35978.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35978 - in version 5.15.158.1 +upstream: 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 +stable: 75193678cce993aa959e7764b6df2f599886dd06 diff --git a/SPECS/kernel/CVE-2024-35982.nopatch b/SPECS/kernel/CVE-2024-35982.nopatch new file mode 100644 index 00000000000..2111dc361d1 --- /dev/null +++ b/SPECS/kernel/CVE-2024-35982.nopatch 
@@ -0,0 +1,3 @@ +CVE-2024-35982 - in version 5.15.158.1 +upstream: b1f532a3b1e6d2e5559c7ace49322922637a28aa +stable: 87b6af1a7683e021710c08fc0551fc078346032f diff --git a/SPECS/kernel/CVE-2024-35984.nopatch b/SPECS/kernel/CVE-2024-35984.nopatch new file mode 100644 index 00000000000..9048b2378cd --- /dev/null +++ b/SPECS/kernel/CVE-2024-35984.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35984 - in version 5.15.158.1 +upstream: 91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f +stable: 5a09eae9a7db597fe0c1fc91636205b4a25d2620 diff --git a/SPECS/kernel/CVE-2024-35990.nopatch b/SPECS/kernel/CVE-2024-35990.nopatch new file mode 100644 index 00000000000..1d709be6fbe --- /dev/null +++ b/SPECS/kernel/CVE-2024-35990.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35990 - in version 5.15.158.1 +upstream: 244296cc3a155199a8b080d19e645d7d49081a38 +stable: 0ccac964520a6f19e355652c8ca38af2a7f27076 diff --git a/SPECS/kernel/CVE-2024-35997.nopatch b/SPECS/kernel/CVE-2024-35997.nopatch new file mode 100644 index 00000000000..e9d37bd32d7 --- /dev/null +++ b/SPECS/kernel/CVE-2024-35997.nopatch @@ -0,0 +1,3 @@ +CVE-2024-35997 - in version 5.15.158.1 +upstream: 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e +stable: b65fb50e04a95eec34a9d1bc138454a98a5578d8 diff --git a/SPECS/kernel/CVE-2024-36008.nopatch b/SPECS/kernel/CVE-2024-36008.nopatch new file mode 100644 index 00000000000..8ff29b11d2b --- /dev/null +++ b/SPECS/kernel/CVE-2024-36008.nopatch @@ -0,0 +1,3 @@ +CVE-2024-36008 - in version 5.15.158.1 +upstream: 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1 +stable: 03b5a9b2b526862b21bcc31976e393a6e63785d1 diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 79d36c7c31e..e9f1648a87d 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.158.1 Kernel Configuration +# Linux/x86_64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y 
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 2627bce805c..4dd532bba17 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.15.158.1 Kernel Configuration +# Linux/arm64 5.15.158.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 727afa837b2..f9ae0436f3a 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "ee6ff87ddcfc431a089479d1971e30bb0bc0498c4ec95a788460e5eac26f16f2", - "config_aarch64": "6fdb0d7e5d04ab07df019f15c6e2706450d456db8c3057fec3b90514597cdc93", + "config": "4c524dadcc8f306d8cd9e34ba5aa03cf1fb6b1f40fca0b811861ac09d916f4a8", + "config_aarch64": "764d801459dd24b7676b30a6fa05c68bf544ff8b577bd8085adbe01d56b8c697", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5" + "kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 714ec6ecd9c..84e20b0b7bb 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel -Version: 5.15.158.1 +Version: 5.15.158.2 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation 
@@ -426,6 +426,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Jun 07 2024 Rachel Menge - 5.15.158.2-1 +- Revert to 5.15.158.2 + +* Wed May 22 2024 CBL-Mariner Servicing Account - 5.15.159.1-1 +- Auto-upgrade to 5.15.159.1 + * Fri May 10 2024 CBL-Mariner Servicing Account - 5.15.158.1-1 - Auto-upgrade to 5.15.158.1 diff --git a/SPECS/moby-engine/CVE-2023-44487.patch b/SPECS/moby-engine/CVE-2023-44487.patch new file mode 100644 index 00000000000..b363a44076c --- /dev/null +++ b/SPECS/moby-engine/CVE-2023-44487.patch 
@@ -0,0 +1,200 @@ +From acdb7b9731b3d1eb14352328d2976d4b7baaafea Mon Sep 17 00:00:00 2001 +From: Mitch Zhu +Date: Fri, 31 May 2024 17:00:00 +0000 +Subject: [PATCH] Address CVE-2023-44487 + +--- + .../grpc/internal/transport/http2_server.go | 11 +-- + vendor/google.golang.org/grpc/server.go | 77 +++++++++++++------ + 2 files changed, 57 insertions(+), 31 deletions(-) + +diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go +index 3dd1564..9d9a3fd 100644 +--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go ++++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go +@@ -165,15 +165,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, + ID: http2.SettingMaxFrameSize, + Val: http2MaxFrameLen, + }} +- // TODO(zhaoq): Have a better way to signal "no limit" because 0 is +- // permitted in the HTTP2 spec. +- maxStreams := config.MaxStreams +- if maxStreams == 0 { +- maxStreams = math.MaxUint32 +- } else { ++ if config.MaxStreams != math.MaxUint32 { + isettings = append(isettings, http2.Setting{ + ID: http2.SettingMaxConcurrentStreams, +- Val: maxStreams, ++ Val: config.MaxStreams, + }) + } + dynamicWindow := true +@@ -252,7 +247,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, + framer: framer, + readerDone: make(chan struct{}), + writerDone: make(chan struct{}), +- maxStreams: maxStreams, ++ maxStreams: config.MaxStreams, + inTapHandle: config.InTapHandle, + fc: &trInFlow{limit: uint32(icwz)}, + state: reachable, +diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go +index f4dde72..17d39cf 100644 +--- a/vendor/google.golang.org/grpc/server.go ++++ b/vendor/google.golang.org/grpc/server.go +@@ -115,12 +115,6 @@ type serviceInfo struct { + mdata interface{} + } + +-type serverWorkerData struct { +- st transport.ServerTransport +- wg 
*sync.WaitGroup +- stream *transport.Stream +-} +- + // Server is a gRPC server to serve RPC requests. + type Server struct { + opts serverOptions +@@ -145,7 +139,7 @@ type Server struct { + channelzID *channelz.Identifier + czData *channelzData + +- serverWorkerChannels []chan *serverWorkerData ++ serverWorkerChannel chan func() + } + + type serverOptions struct { +@@ -177,6 +171,7 @@ type serverOptions struct { + } + + var defaultServerOptions = serverOptions{ ++ maxConcurrentStreams: math.MaxUint32, + maxReceiveMessageSize: defaultServerMaxReceiveMessageSize, + maxSendMessageSize: defaultServerMaxSendMessageSize, + connectionTimeout: 120 * time.Second, +@@ -387,6 +382,9 @@ func MaxSendMsgSize(m int) ServerOption { + // MaxConcurrentStreams returns a ServerOption that will apply a limit on the number + // of concurrent streams to each ServerTransport. + func MaxConcurrentStreams(n uint32) ServerOption { ++ if n == 0 { ++ n = math.MaxUint32 ++ } + return newFuncServerOption(func(o *serverOptions) { + o.maxConcurrentStreams = n + }) +@@ -565,35 +563,31 @@ const serverWorkerResetThreshold = 1 << 16 + // re-allocations (see the runtime.morestack problem [1]). + // + // [1] https://github.com/golang/go/issues/18138 +-func (s *Server) serverWorker(ch chan *serverWorkerData) { ++func (s *Server) serverWorker() { + // To make sure all server workers don't reset at the same time, choose a + // random number of iterations before resetting. + threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold) + for completed := 0; completed < threshold; completed++ { +- data, ok := <-ch ++ f, ok := <-s.serverWorkerChannel + if !ok { + return + } +- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream)) +- data.wg.Done() ++ f() + } +- go s.serverWorker(ch) ++ go s.serverWorker() + } + + // initServerWorkers creates worker goroutines and channels to process incoming + // connections to reduce the time spent overall on runtime.morestack. 
+ func (s *Server) initServerWorkers() { +- s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers) ++ s.serverWorkerChannel = make(chan func()) + for i := uint32(0); i < s.opts.numServerWorkers; i++ { +- s.serverWorkerChannels[i] = make(chan *serverWorkerData) +- go s.serverWorker(s.serverWorkerChannels[i]) ++ go s.serverWorker() + } + } + + func (s *Server) stopServerWorkers() { +- for i := uint32(0); i < s.opts.numServerWorkers; i++ { +- close(s.serverWorkerChannels[i]) +- } ++ close(s.serverWorkerChannel) + } + + // NewServer creates a gRPC server which has no service registered and has not +@@ -945,13 +939,20 @@ func (s *Server) serveStreams(st transport.ServerTransport) { + defer st.Close() + var wg sync.WaitGroup + +- var roundRobinCounter uint32 ++ streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams) + st.HandleStreams(func(stream *transport.Stream) { + wg.Add(1) ++ ++ streamQuota.acquire() ++ f := func() { ++ defer streamQuota.release() ++ defer wg.Done() ++ s.handleStream(st, stream, s.traceInfo(st, stream)) ++ } ++ + if s.opts.numServerWorkers > 0 { +- data := &serverWorkerData{st: st, wg: &wg, stream: stream} + select { +- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data: ++ case s.serverWorkerChannel <- f: + default: + // If all stream workers are busy, fallback to the default code path. + go func() { +@@ -961,8 +962,7 @@ func (s *Server) serveStreams(st transport.ServerTransport) { + } + } else { + go func() { +- defer wg.Done() +- s.handleStream(st, stream, s.traceInfo(st, stream)) ++ go f() + }() + } + }, func(ctx context.Context, method string) context.Context { +@@ -1978,3 +1978,34 @@ type channelzServer struct { + func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric { + return c.s.channelzMetric() + } ++ ++// atomicSemaphore implements a blocking, counting semaphore. 
acquire should be ++// called synchronously; release may be called asynchronously. ++type atomicSemaphore struct { ++ n atomic.Int64 ++ wait chan struct{} ++} ++ ++func (q *atomicSemaphore) acquire() { ++ if q.n.Add(-1) < 0 { ++ // We ran out of quota. Block until a release happens. ++ <-q.wait ++ } ++} ++ ++func (q *atomicSemaphore) release() { ++ // N.B. the "<= 0" check below should allow for this to work with multiple ++ // concurrent calls to acquire, but also note that with synchronous calls to ++ // acquire, as our system does, n will never be less than -1. There are ++ // fairness issues (queuing) to consider if this was to be generalized. ++ if q.n.Add(1) <= 0 { ++ // An acquire was waiting on us. Unblock it. ++ q.wait <- struct{}{} ++ } ++} ++ ++func newHandlerQuota(n uint32) *atomicSemaphore { ++ a := &atomicSemaphore{wait: make(chan struct{}, 1)} ++ a.n.Store(int64(n)) ++ return a ++} +-- +2.34.1 + diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 81bcf45dd80..041f06eb10f 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 24.0.9 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -21,6 +21,7 @@ Patch1: CVE-2024-23651.patch # Remove once we upgrade this package at least to version 25.0+. Patch2: CVE-2024-23652.patch Patch3: CVE-2023-45288.patch +Patch4: CVE-2023-44487.patch %{?systemd_requires} @@ -126,6 +127,9 @@ fi %{_unitdir}/* %changelog +* Fri May 31 2024 Mitch Zhu - 24.0.9-4 +- Fix for CVE-2023-44487 + * Fri May 03 2024 Chris Gunn - 24.0.9-3 - Fix for CVE-2023-45288 diff --git a/SPECS/nodejs/CVE-2023-21100.patch b/SPECS/nodejs/CVE-2023-21100.patch new file mode 100644 index 00000000000..9d42e324ffc --- /dev/null +++ b/SPECS/nodejs/CVE-2023-21100.patch 
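Review bot: In the first serveStreams hunk every stream pays `streamQuota.acquire()` before `f` is built, yet the all-workers-busy path under `default:` keeps the old `go func() {` whose body lies between the two hunks and is untouched; if that body is still the pre-patch inline `s.handleStream(...)` plus `wg.Done()`, streams dispatched there never run `defer streamQuota.release()`, so each one permanently consumes a unit of `maxConcurrentStreams` and, once the quota is exhausted, `acquire()` blocks inside the HandleStreams callback and the transport stops accepting new streams. The `else` branch's `go func() { go f() }()` also starts two goroutines per stream where one is enough. Routing every path through `f`, as below, addresses both; `serveStreams` begins and ends outside these hunks. Separately, `atomic.Int64` in the `atomicSemaphore` hunk requires Go 1.19 or newer, which is worth confirming against the toolchain the spec builds with.
```go
		// … unchanged: wg.Add(1), streamQuota.acquire() and the definition of f …
		if s.opts.numServerWorkers > 0 {
			select {
			case s.serverWorkerChannel <- f:
				return
			default:
				// If all stream workers are busy, fallback to the default code path.
			}
		}
		go f()
	}, func(ctx context.Context, method string) context.Context {
```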
@@ -0,0 +1,50 @@ +From 901960817a6dc7b40c68c47bcd77037d5fc5d1ea Mon Sep 17 00:00:00 2001 +From: Mitch Zhu +Date: Wed, 29 May 2024 19:11:14 +0000 +Subject: [PATCH] Address CVE-2023-21100 + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + deps/v8/third_party/zlib/contrib/optimizations/inflate.c | 5 +++-- + deps/v8/third_party/zlib/inflate.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c +index 4841cd96..1007f062 100644 +--- a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c ++++ b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c +@@ -772,8 +772,9 @@ int flush; + if (copy > have) copy = have; + if (copy) { + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && +++ (len = state->head->extra_len - state->length) < +++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); +diff --git a/deps/v8/third_party/zlib/inflate.c b/deps/v8/third_party/zlib/inflate.c +index 7543c33d..384af93f 100644 +--- a/deps/v8/third_party/zlib/inflate.c ++++ b/deps/v8/third_party/zlib/inflate.c +@@ -761,8 +761,9 @@ int flush; + if (copy > have) copy = have; + if (copy) { + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && +++ (len = state->head->extra_len - state->length) < +++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? 
+ state->head->extra_max - len : copy); +-- +2.34.1 + diff --git a/SPECS/nodejs/CVE-2023-42282.patch b/SPECS/nodejs/CVE-2023-42282.patch deleted file mode 100644 index 3b97b26bf4f..00000000000 --- a/SPECS/nodejs/CVE-2023-42282.patch +++ /dev/null 
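Review bot: The two new condition lines in each inflate.c hunk carry three leading `+` (`+++ (len = state->head->extra_len - state->length) <` and `+++ state->head->extra_max) {`) while every other added line in this patch file carries two, and the diffstat's 6 insertions across the two files confirms each is a single inserted line; if the file really reads this way, the line landing in the tree begins with a literal `+`, giving `&& +(len = ...) < +state->head->extra_max`. That still compiles and evaluates the same comparison, because unary plus on zlib's unsigned `len` and `extra_max` is a no-op, but it is not the upstream text and will trip the next rebase, so both lines should begin with `++` like the `state->head->extra != Z_NULL &&` line before them. Only `deps/v8/third_party/zlib` is patched; confirm that `deps/zlib`, which presumably backs the Node `zlib` module, already carries this bound, and that the spec's `%prep` (outside this diff) applies Patch0.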
@@ -1,111 +0,0 @@ -From 32f468f1245574785ec080705737a579be1223aa Mon Sep 17 00:00:00 2001 -From: Luke McFarlane -Date: Mon, 12 Feb 2024 13:22:18 +1100 -Subject: [PATCH] lib: fixed CVE-2023-42282 and added unit test - -Unit test code is not applicable for NodeJS sources hence not included. - -diff --git a/deps/npm/node_modules/ip/lib/ip.js b/deps/npm/node_modules/ip/lib/ip.js -index 4b2adb5add..9022443ae5 100644 ---- a/deps/npm/node_modules/ip/lib/ip.js -+++ b/deps/npm/node_modules/ip/lib/ip.js -@@ -306,12 +306,26 @@ ip.isEqual = function (a, b) { - }; - - ip.isPrivate = function (addr) { -- return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i -- .test(addr) -+ // check loopback addresses first -+ if (ip.isLoopback(addr)) { -+ return true; -+ } -+ -+ // ensure the ipv4 address is valid -+ if (!ip.isV6Format(addr)) { -+ const ipl = ip.normalizeToLong(addr); -+ if (ipl < 0) { -+ throw new Error('invalid ipv4 address'); -+ } -+ // normalize the address for the private range checks that follow -+ addr = ip.fromLong(ipl); -+ } -+ -+ // check private ranges -+ return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i - .test(addr) -- || /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) - || /^f[cd][0-9a-f]{2}:/i.test(addr) - || /^fe80:/i.test(addr) -@@ -324,9 +338,16 @@ ip.isPublic = function (addr) { - }; - - ip.isLoopback = function (addr) { -+ // If addr is an IPv4 address in long integer form (no dots and no colons), convert it -+ if (!/\./.test(addr) && !/:/.test(addr)) { -+ addr = ip.fromLong(Number(addr)); -+ } -+ - return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/ - .test(addr) -- || /^fe80::1$/.test(addr) -+ || /^0177\./.test(addr) -+ || /^0x7f\./i.test(addr) -+ || /^fe80::1$/i.test(addr) 
- || /^::1$/.test(addr) - || /^::$/.test(addr); - }; -@@ -420,3 +441,51 @@ ip.fromLong = function (ipl) { - ipl >> 8 & 255}.${ - ipl & 255}`); - }; -+ -+ip.normalizeToLong = function (addr) { -+ const parts = addr.split('.').map(part => { -+ // Handle hexadecimal format -+ if (part.startsWith('0x') || part.startsWith('0X')) { -+ return parseInt(part, 16); -+ } -+ // Handle octal format (strictly digits 0-7 after a leading zero) -+ else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) { -+ return parseInt(part, 8); -+ } -+ // Handle decimal format, reject invalid leading zeros -+ else if (/^[1-9]\d*$/.test(part) || part === '0') { -+ return parseInt(part, 10); -+ } -+ // Return NaN for invalid formats to indicate parsing failure -+ else { -+ return NaN; -+ } -+ }); -+ -+ if (parts.some(isNaN)) return -1; // Indicate error with -1 -+ -+ let val = 0; -+ const n = parts.length; -+ -+ switch (n) { -+ case 1: -+ val = parts[0]; -+ break; -+ case 2: -+ if (parts[0] > 0xff || parts[1] > 0xffffff) return -1; -+ val = (parts[0] << 24) | (parts[1] & 0xffffff); -+ break; -+ case 3: -+ if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1; -+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff); -+ break; -+ case 4: -+ if (parts.some(part => part > 0xff)) return -1; -+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]; -+ break; -+ default: -+ return -1; // Error case -+ } -+ -+ return val >>> 0; -+}; diff --git a/SPECS/nodejs/CVE-2024-22025.patch b/SPECS/nodejs/CVE-2024-22025.patch deleted file mode 100644 index 16583437501..00000000000 --- a/SPECS/nodejs/CVE-2024-22025.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From f31d47e135973746c4f490d5eb635eded8bb3dda Mon Sep 17 00:00:00 2001 -From: Matteo Collina -Date: Tue, 6 Feb 2024 16:47:20 +0100 -Subject: [PATCH] zlib: pause stream if outgoing buffer is full - -Signed-off-by: Matteo Collina -PR-URL: https://github.com/nodejs-private/node-private/pull/540 -Reviewed-By: Robert Nagy -Ref: https://hackerone.com/reports/2284065 -PR-URL: https://github.com/nodejs-private/node-private/pull/542 -CVE-ID: CVE-2024-22025 ---- - lib/zlib.js | 33 +++++++++++++++++++------- - test/parallel/test-zlib-brotli-16GB.js | 22 +++++++++++++++++ - test/parallel/test-zlib-params.js | 24 ++++++++++++------- - 3 files changed, 62 insertions(+), 17 deletions(-) - create mode 100644 test/parallel/test-zlib-brotli-16GB.js - -diff --git a/lib/zlib.js b/lib/zlib.js -index 2b90c6f91fed76..5e6a97937054fb 100644 ---- a/lib/zlib.js -+++ b/lib/zlib.js -@@ -560,10 +560,11 @@ function processCallback() { - self.bytesWritten += inDelta; - - const have = handle.availOutBefore - availOutAfter; -+ let streamBufferIsFull = false; - if (have > 0) { - const out = self._outBuffer.slice(self._outOffset, self._outOffset + have); - self._outOffset += have; -- self.push(out); -+ streamBufferIsFull = !self.push(out); - } else { - assert(have === 0, 'have should not go down'); - } -@@ -588,13 +589,29 @@ function processCallback() { - handle.inOff += inDelta; - handle.availInBefore = availInAfter; - -- this.write(handle.flushFlag, -- this.buffer, // in -- handle.inOff, // in_off -- handle.availInBefore, // in_len -- self._outBuffer, // out -- self._outOffset, // out_off -- self._chunkSize); // out_len -+ -+ if (!streamBufferIsFull) { -+ this.write(handle.flushFlag, -+ this.buffer, // in -+ handle.inOff, // in_off -+ handle.availInBefore, // in_len -+ self._outBuffer, // out -+ self._outOffset, // out_off -+ self._chunkSize); // out_len -+ } else { -+ const oldRead = self._read; -+ self._read = (n) => { -+ self._read = oldRead; -+ this.write(handle.flushFlag, -+ 
this.buffer, // in -+ handle.inOff, // in_off -+ handle.availInBefore, // in_len -+ self._outBuffer, // out -+ self._outOffset, // out_off -+ self._chunkSize); // out_len -+ self._read(n); -+ }; -+ } - return; - } - -diff --git a/test/parallel/test-zlib-brotli-16GB.js b/test/parallel/test-zlib-brotli-16GB.js -new file mode 100644 -index 00000000000000..ba4f7ef5aef561 ---- /dev/null -+++ b/test/parallel/test-zlib-brotli-16GB.js -@@ -0,0 +1,22 @@ -+'use strict'; -+ -+const common = require('../common'); -+const { createBrotliDecompress } = require('node:zlib'); -+const strictEqual = require('node:assert').strictEqual; -+ -+// This tiny HEX string is a 16GB file. -+// This test verifies that the stream actually stops. -+/* eslint-disable max-len */ -+const content = ''; -+ -+const buf = Buffer.from(content, 'hex'); -+ -+const decoder = createBrotliDecompress(); -+decoder.end(buf); -+ -+// We need to wait to verify that the libuv thread pool had time -+// to process the data and the buffer is not empty. 
-+setTimeout(common.mustCall(() => { -+ // There is only one chunk in the buffer -+ strictEqual(decoder._readableState.buffer.length, 1); -+}), common.platformTimeout(100)); -diff --git a/test/parallel/test-zlib-params.js b/test/parallel/test-zlib-params.js -index 30d4f133ad43bd..18271fe022a96d 100644 ---- a/test/parallel/test-zlib-params.js -+++ b/test/parallel/test-zlib-params.js -@@ -12,23 +12,29 @@ const deflater = zlib.createDeflate(opts); - const chunk1 = file.slice(0, chunkSize); - const chunk2 = file.slice(chunkSize); - const blkhdr = Buffer.from([0x00, 0x5a, 0x82, 0xa5, 0x7d]); --const expected = Buffer.concat([blkhdr, chunk2]); --let actual; -+const blkftr = Buffer.from('010000ffff7dac3072', 'hex'); -+const expected = Buffer.concat([blkhdr, chunk2, blkftr]); -+const bufs = []; -+ -+function read() { -+ let buf; -+ while ((buf = deflater.read()) !== null) { -+ bufs.push(buf); -+ } -+} - - deflater.write(chunk1, function() { - deflater.params(0, zlib.constants.Z_DEFAULT_STRATEGY, function() { - while (deflater.read()); -- deflater.end(chunk2, function() { -- const bufs = []; -- let buf; -- while ((buf = deflater.read()) !== null) -- bufs.push(buf); -- actual = Buffer.concat(bufs); -- }); -+ -+ deflater.on('readable', read); -+ -+ deflater.end(chunk2); - }); - while (deflater.read()); - }); - - process.once('exit', function() { -+ const actual = Buffer.concat(bufs); - assert.deepStrictEqual(actual, expected); - }); - \ No newline at end of file diff --git a/SPECS/nodejs/CVE-2024-24806.patch b/SPECS/nodejs/CVE-2024-24806.patch deleted file mode 100644 index f183ff3f72b..00000000000 --- a/SPECS/nodejs/CVE-2024-24806.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001 -From: Suresh Thelkar -Date: Tue, 27 Feb 2024 10:24:03 +0530 -Subject: [PATCH] Patch CVE-2024-24806 - -Upstream patch details are given below. -https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629 ---- - deps/uv/src/idna.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c -index 93d982ca..197650af 100644 ---- a/deps/uv/src/idna.c -+++ b/deps/uv/src/idna.c -@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { - return rc; - } - -- if (d < de) -- *d++ = '\0'; -+ if (d >= de) -+ return UV_EINVAL; -+ -+ *d++ = '\0'; - - return d - ds; /* Number of bytes written. */ - } --- -2.34.1 - diff --git a/SPECS/nodejs/CVE-2024-27983.patch b/SPECS/nodejs/CVE-2024-27983.patch deleted file mode 100644 index a13516673ed..00000000000 --- a/SPECS/nodejs/CVE-2024-27983.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 0fb816dbccde955cd24acc1b16497a91fab507c8 Mon Sep 17 00:00:00 2001 -From: RafaelGSS -Date: Tue, 26 Mar 2024 15:55:13 -0300 -Subject: [PATCH] src: ensure to close stream when destroying session - -Co-Authored-By: Anna Henningsen -PR-URL: https://github.com/nodejs-private/node-private/pull/561 -Fixes: https://hackerone.com/reports/2319584 -Reviewed-By: Michael Dawson -Reviewed-By: Marco Ippolito -Reviewed-By: Matteo Collina -Reviewed-By: Benjamin Gruenbaum -CVE-ID: CVE-2024-27983 ---- - src/node_http2.cc | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/node_http2.cc b/src/node_http2.cc -index 528bf3aa58b322..eb3506ff5e609b 100644 ---- a/src/node_http2.cc -+++ b/src/node_http2.cc -@@ -528,6 +528,12 @@ Http2Session::Http2Session(Http2State* http2_state, - Http2Session::~Http2Session() { - CHECK(!is_in_scope()); - Debug(this, "freeing nghttp2 session"); -+ // Ensure that all `Http2Stream` instances and the memory they hold -+ // on to are destroyed before the nghttp2 session is. -+ for (const auto& [id, stream] : streams_) { -+ stream->Detach(); -+ } -+ streams_.clear(); - // Explicitly reset session_ so the subsequent - // current_nghttp2_memory_ check passes. - session_.reset(); diff --git a/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch b/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch deleted file mode 100644 index 0a40760b4f7..00000000000 --- a/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -diff -ru node-v16.14.0-orig/src/crypto/crypto_context.cc node-v16.14.0/src/crypto/crypto_context.cc ---- node-v16.14.0-orig/src/crypto/crypto_context.cc 2022-02-08 04:37:50.000000000 -0800 -+++ node-v16.14.0/src/crypto/crypto_context.cc 2022-02-25 09:17:21.964960342 -0800 -@@ -467,28 +467,16 @@ - min_version = 0; - max_version = kMaxSupportedVersion; - method = TLS_client_method(); -- } else if (sslmethod == "TLSv1_method") { -- min_version = TLS1_VERSION; -- max_version = TLS1_VERSION; -- } else if (sslmethod == "TLSv1_server_method") { -- min_version = TLS1_VERSION; -- max_version = TLS1_VERSION; -- method = TLS_server_method(); -- } else if (sslmethod == "TLSv1_client_method") { -- min_version = TLS1_VERSION; -- max_version = TLS1_VERSION; -- method = TLS_client_method(); -- } else if (sslmethod == "TLSv1_1_method") { -- min_version = TLS1_1_VERSION; -- max_version = TLS1_1_VERSION; -- } else if (sslmethod == "TLSv1_1_server_method") { -- min_version = TLS1_1_VERSION; -- max_version = TLS1_1_VERSION; -- method = TLS_server_method(); -- } else if (sslmethod == "TLSv1_1_client_method") { -- min_version = TLS1_1_VERSION; -- max_version = TLS1_1_VERSION; -- method = TLS_client_method(); -+ } else if (sslmethod == "TLSv1_method" || -+ sslmethod == "TLSv1_server_method" || -+ sslmethod == "TLSv1_client_method") { -+ THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1 methods disabled"); -+ return; -+ } else if (sslmethod == "TLSv1_1_method" || -+ sslmethod == "TLSv1_1_server_method" || -+ sslmethod == "TLSv1_1_client_method") { -+ THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1_1 methods disabled"); -+ return; - } else if (sslmethod == "TLSv1_2_method") { - min_version = TLS1_2_VERSION; - max_version = TLS1_2_VERSION; diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec index 4338244bb99..26ecdff0e1b 100644 --- a/SPECS/nodejs/nodejs18.spec +++ b/SPECS/nodejs/nodejs18.spec 
@@ -6,7 +6,7 @@ Name: nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 # The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version: 18.20.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group: Applications/System
 Vendor: Microsoft Corporation
@@ -16,6 +16,7 @@ URL: https://github.com/nodejs/node
 # !!!! because it contains patented algorithms.
 # !!! => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
+Patch0: CVE-2023-21100.patch
 BuildRequires: brotli-devel
 BuildRequires: coreutils >= 8.22
 BuildRequires: gcc
@@ -116,6 +117,10 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 %changelog
+* Wed May 29 2024 Mitch Zhu - 18.20.2-2
+- Patch CVE-2023-21100.
+- Remove unused patches.
+
 * Fri Apr 26 2024 CBL-Mariner Servicing Account - 18.20.2-1
 - Auto-upgrade to 18.20.2 - address multiple CVEs.
 - Remove patches as the upgrade already has these changes.
diff --git a/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch b/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
new file mode 100644
index 00000000000..f5c67b87906
--- /dev/null
+++ b/SPECS/openssl/openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
@@ -0,0 +1,67 @@ +From f7a045f3143fc6da2ee66bf52d8df04829590dd4 Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +--- + ssl/record/rec_layer_s3.c | 9 +++++++++ + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 1db1712a0..525c3abf4 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++ if (rl->rstate == SSL_ST_READ_BODY) ++ return 1; ++ if (RECORD_LAYER_processed_read_pending(rl)) ++ return 1; ++ return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index af56206e0..513ab3988 100644 +--- a/ssl/record/record.h ++++ b/ssl/record/record.h +@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index c01ad8291..356d65cb6 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -5248,6 +5248,9 @@ int 
SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++ if (RECORD_LAYER_data_present(rl)) ++ return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.33.8 + diff --git a/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch b/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch new file mode 100644 index 00000000000..f3c2b9b66f4 --- /dev/null +++ b/SPECS/openssl/openssl-1.1.1-pkcs1-implicit-rejection.patch @@ -0,0 +1,1141 @@ +--- openssl-1.1.1k/doc/man3/EVP_PKEY_CTX_ctrl.pod.pkcs1-implicit-rejection 2023-11-17 17:29:02.881552878 +0100 ++++ openssl-1.1.1k/doc/man3/EVP_PKEY_CTX_ctrl.pod 2023-11-17 17:29:02.923553658 +0100 +@@ -256,6 +256,15 @@ B
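Review bot: `RECORD_LAYER_data_present` in the rec_layer_s3.c hunk is added without the one-line comment its neighbours carry; suggest `/* Checks if the read buffer is still in use: a record body is part-way through being read, or processed data is unread */` above it, matching the comment on `RECORD_LAYER_processed_read_pending` just below. Its body reduces to `return rl->rstate == SSL_ST_READ_BODY || RECORD_LAYER_processed_read_pending(rl);`. Because `SSL_free_buffers` (whose body starts outside this hunk) now returns 0 for a third reason, its public documentation, which this patch does not touch, should state that 0 means the buffers are still in use rather than only that a read or write is pending. The backport also carries no test exercising the new early return; if the upstream fix came with one, it is worth carrying along.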