diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch index d182f16619a..2945e7c9cb2 100644 --- a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch +++ b/SPECS/application-gateway-kubernetes-ingress/CVE-2022-21698.patch @@ -9,6 +9,9 @@ Differences: - Removed some comments that don't merge - Line numbers and such +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths to work for vendored version + Based on: From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 @@ -37,16 +40,16 @@ Signed-off-by: Kemal Akkoyun Signed-off-by: Kemal Akkoyun --- - prometheus/promhttp/instrument_client.go | 28 ++++++-- - prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ - prometheus/promhttp/option.go | 31 +++++++++ + vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go | 28 ++++++-- + vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ + vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go | 31 +++++++++ 3 files changed, 116 insertions(+), 25 deletions(-) - create mode 100644 prometheus/promhttp/option.go + create mode 100644 vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go -diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go index 83c49b6..861b4d2 100644 ---- a/prometheus/promhttp/instrument_client.go -+++ b/prometheus/promhttp/instrument_client.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go @@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp // http.RoundTripper to observe the request result with the provided CounterVec. // The CounterVec must have zero, one, or two non-const non-curried labels. For @@ -114,10 +117,10 @@ index 83c49b6..861b4d2 100644 } return resp, err }) -diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go index 9db2438..91802f8 100644 ---- a/prometheus/promhttp/instrument_server.go -+++ b/prometheus/promhttp/instrument_server.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go @@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl // // Note that this method is only guaranteed to never observe negative durations @@ -322,11 +325,11 @@ index 9db2438..91802f8 100644 + return "unknown" } } -diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go new file mode 100644 index 0000000..35e41bd --- /dev/null -+++ b/prometheus/promhttp/option.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go @@ -0,0 +1,31 @@ +// Copyright 2022 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2023-44487.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2023-44487.patch new file mode 100644 index 00000000000..3a6538f9098 --- /dev/null +++ b/SPECS/application-gateway-kubernetes-ingress/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From 6e577d297aa8b47651c1a5c3ebfbf3f2d769be96 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index de31d72..daa01a7 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -895,6 +897,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -940,6 +944,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1880,8 +1885,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2124,8 +2128,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index b7af118bd4d..56f069d4d5d 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec @@ -2,7 +2,7 @@ Summary: Application Gateway Ingress Controller Name: application-gateway-kubernetes-ingress Version: 1.4.0 -Release: 17%{?dist} +Release: 18%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -26,17 +26,21 @@ Source0: %{name}-%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz # If upstream ever upgrades client_goland to 1.11.1, we can get rid of this patch. Patch0: CVE-2022-21698.patch +Patch1: CVE-2023-44487.patch BuildRequires: golang >= 1.13 +%if %{with_check} +BuildRequires: helm +%endif %description -This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway -to act as the ingress for an AKS cluster. +This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway +to act as the ingress for an AKS cluster. %prep %autosetup -N rm -rf vendor tar -xf %{SOURCE1} --no-same-owner -%patch 0 -p1 -d vendor/github.com/prometheus/client_golang +%autopatch -p1 %build export VERSION=%{version} @@ -44,17 +48,26 @@ export VERSION_PATH=github.com/Azure/application-gateway-kubernetes-ingress/pkg/ go build -ldflags "-s -X $VERSION_PATH.Version=$VERSION" -mod=vendor -v -o appgw-ingress ./cmd/appgw-ingress +%check +export VERSION=%{version} +export VERSION_PATH=github.com/Azure/application-gateway-kubernetes-ingress/pkg/version +# Helm chart generation is slightly off, skip these tests +go test -ldflags "-s -X $VERSION_PATH.Version=$VERSION" -mod=vendor -v -tags unittest -skip 'TestChart' ./... + %install mkdir -p %{buildroot}%{_bindir} cp appgw-ingress %{buildroot}%{_bindir}/ - %files %defattr(-,root,root) %license LICENSE %{_bindir}/appgw-ingress %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 1.4.0-18 +- Address CVE-2023-44487 by patching vendored golang.org/x/net +- Add check section + * Mon Jan 01 2024 Tobias Brick - 1.4.0-17 - Patch for CVE-2022-21698 - Moved vendored tarball extraction into %prep and changed from %autosetup to %setup diff --git a/SPECS/azcopy/CVE-2023-44487.patch b/SPECS/azcopy/CVE-2023-44487.patch new file mode 100644 index 00000000000..f8c3056651b --- /dev/null +++ b/SPECS/azcopy/CVE-2023-44487.patch @@ -0,0 +1,142 @@ +From 01f18342b6c8146391dfdf13e189e51ea4a2c7bd Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e644d9b..f56dbe9 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -520,9 +520,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -909,6 +911,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -954,6 +958,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1911,8 +1916,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2159,8 +2163,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/azcopy/azcopy.spec b/SPECS/azcopy/azcopy.spec index 0d40e9cf227..44f0d367f0e 100644 --- a/SPECS/azcopy/azcopy.spec +++ b/SPECS/azcopy/azcopy.spec @@ -1,7 +1,7 @@ Summary: The new Azure Storage data transfer utility - AzCopy v10 Name: azcopy Version: 10.15.0 -Release: 14%{?dist} +Release: 15%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -27,6 +27,7 @@ Source0: https://github.com/Azure/azure-storage-azcopy/archive/refs/tags/ # See: https://reproducible-builds.org/docs/archives/ # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: azure-storage-%{name}-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch BuildRequires: golang >= 1.17.9 BuildRequires: git @@ -40,10 +41,12 @@ AzCopy V10 presents easy-to-use commands that are optimized for high performance and throughput. %prep -%setup -q -n azure-storage-%{name}-%{version} +%autosetup -N -n azure-storage-%{name}-%{version} +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} go build -buildmode=pie -mod=vendor @@ -61,6 +64,9 @@ go test -mod=vendor %{_bindir}/azcopy %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 10.15.0-15 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 10.15.0-14 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/cf-cli/CVE-2023-44487.patch b/SPECS/cf-cli/CVE-2023-44487.patch new file mode 100644 index 00000000000..aec84cb4945 --- /dev/null +++ b/SPECS/cf-cli/CVE-2023-44487.patch @@ -0,0 +1,142 @@ +From da2ab23db5f9fe2a57a42c6882e5fb7791ad9de4 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index c67e9b7..9636fc0 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -520,9 +520,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -901,6 +903,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -946,6 +950,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1903,8 +1908,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2151,8 +2155,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/cf-cli/cf-cli.spec b/SPECS/cf-cli/cf-cli.spec index 1c30573bfa9..24d99fab04a 100644 --- a/SPECS/cf-cli/cf-cli.spec +++ b/SPECS/cf-cli/cf-cli.spec @@ -1,7 +1,7 @@ Summary: The official command line client for Cloud Foundry. Name: cf-cli Version: 8.4.0 -Release: 14%{?dist} +Release: 15%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -27,6 +27,7 @@ Source0: https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version # See: https://reproducible-builds.org/docs/archives/ # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: cli-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch BuildRequires: golang >= 1.18.3 %global debug_package %{nil} @@ -36,10 +37,12 @@ BuildRequires: golang >= 1.18.3 The official command line client for Cloud Foundry. %prep -%setup -q -n cli-%{version} +%autosetup -N -n cli-%{version} +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} # No mod download use vednor cache locally sed -i 's/GOFLAGS := -mod=mod/GOFLAGS := -mod=vendor/' ./Makefile @@ -59,6 +62,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf %{_bindir}/cf %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 8.4.0-15 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 8.4.0-14 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/containerized-data-importer/CVE-2023-44487.patch b/SPECS/containerized-data-importer/CVE-2023-44487.patch new file mode 100644 index 00000000000..77e6b7c55e8 --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2023-44487.patch @@ -0,0 +1,144 @@ +From 3e8ce1c39cf6d172525355eafebaaef98417f1da Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code +--- + .../vendor/golang.org/x/net/http2/server.go | 62 +- + .../golang.org/x/net/http2/server.go.orig | 3032 +++++++++++++++++ + 2 files changed, 3092 insertions(+), 2 deletions(-) + create mode 100644 containerized-data-importer-1.55.0/vendor/golang.org/x/net/http2/server.go.orig + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e644d9b..f56dbe9 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -520,9 +520,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -909,6 +911,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -954,6 +958,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1911,8 +1916,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2159,8 +2163,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index 50daaca9830..22fc9f6421a 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.55.0 -Release: 16%{?dist} +Release: 17%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -33,6 +33,7 @@ BuildRequires: rsync BuildRequires: sed Provides: cdi = %{version}-%{release} ExclusiveArch: x86_64 aarch64 +Patch0: CVE-2023-44487.patch %description Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes @@ -106,8 +107,10 @@ kubernetes installation with kubectl apply. # Note: having bar symlink'ed to DIR/src/foo/bar does not seem to work. Looks # like symlinks in go path are not resolved correctly. Hence the sources need # to be 'physically' placed into the proper location. -%setup -q -n go/src/kubevirt.io/%{name} -c -T +%autosetup -N -n go/src/kubevirt.io/%{name} -c -T +# Apply vendor before patching tar --strip-components=1 -xf %{SOURCE0} +%autopatch -p1 %build @@ -198,6 +201,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 1.55.0-17 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.55.0-16 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/coredns/CVE-2023-44487.patch b/SPECS/coredns/CVE-2023-44487.patch index 8f973507db9..fb641fa243b 100644 --- a/SPECS/coredns/CVE-2023-44487.patch +++ b/SPECS/coredns/CVE-2023-44487.patch @@ -1,4 +1,8 @@ +<<<<<<< HEAD From fb899a313ff29828e2c64ee5ce05a0187451aec9 Mon Sep 17 00:00:00 2001 +======= +From 7a9639b4702703fa7d11b154ae814471b1c0ed88 Mon Sep 17 00:00:00 2001 +>>>>>>> 298f5d5ad (Patch CVE-2023-44487 in vendored golang (#7780)) From: Damien Neil Date: Fri, 6 Oct 2023 09:51:19 -0700 Subject: [PATCH] http2: limit maximum handler goroutines to @@ -84,7 +88,11 @@ index 033b6e6..4561e3c 100644 + sc.curHandlers++ go sc.runHandler(rw, req, sc.handler.ServeHTTP) } +<<<<<<< HEAD +======= + +>>>>>>> 298f5d5ad (Patch CVE-2023-44487 in vendored golang (#7780)) @@ -2286,8 +2294,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response return &responseWriter{rws: rws} } @@ -148,3 +156,5 @@ index 033b6e6..4561e3c 100644 didPanic := true defer func() { rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec index 3f3b846e8db..0cf24450436 100644 --- a/SPECS/coredns/coredns.spec +++ b/SPECS/coredns/coredns.spec @@ -3,7 +3,7 @@ Summary: Fast and flexible DNS server Name: coredns Version: 1.11.1 -Release: 3%{?dist} +Release: 4%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -31,10 +31,8 @@ Source0: %{name}-%{version}.tar.gz # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: %{name}-%{version}-vendor.tar.gz Patch0: makefile-buildoption-commitnb.patch - -# Patch for old x/net/http2 vendored code, apply after vendored code is extracted. -Patch1000: CVE-2023-44487.patch -Patch1001: CVE-2023-49295.patch +Patch1: CVE-2023-44487.patch +Patch2: CVE-2023-49295.patch BuildRequires: golang >= 1.12 @@ -43,8 +41,8 @@ CoreDNS is a fast and flexible DNS server. %prep %autosetup -N -# create vendor folder from the vendor tarball and set vendor mode -tar -xf %{SOURCE1} --no-same-owner +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} %autopatch -p1 %build @@ -56,11 +54,11 @@ make %check # From go.test.yml go install github.com/fatih/faillint@latest && \ -(cd request && go test -v -race ./...) && \ -(cd core && go test -v -race ./...) && \ -(cd coremain && go test -v -race ./...) && \ -(cd plugin && go test -v -race ./...) && \ -(cd test && go test -v -race ./...) && \ +(cd request && go test -v -mod=vendor -race ./...) && \ +(cd core && go test -v -mod=vendor -race ./...) && \ +(cd coremain && go test -v -mod=vendor -race ./...) && \ +(cd plugin && go test -v -mod=vendor -race ./...) && \ +(cd test && go test -v -mod=vendor -race ./...) && \ ./coredns -version %install @@ -73,9 +71,13 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name} %{_bindir}/%{name} %changelog -* Fri Feb 02 2024 Mykhailo Bykhovtsev - 1.11.1-3 +* Fri Feb 10 2024 Mykhailo Bykhovtsev - 1.11.1-4 - patched vendored quic-go package to address CVE-2023-49295 +* Mon Feb 05 2024 Daniel McIlvaney - 1.11.1-3 +- Refactor vendor patch application +- Force vendored components during test + * Mon Jan 29 2024 Daniel McIlvaney - 1.11.1-2 - Address CVE-2023-44487 by patching vendored golang.org/x/net diff --git a/SPECS/git-lfs/CVE-2023-44487.patch b/SPECS/git-lfs/CVE-2023-44487.patch new file mode 100644 index 00000000000..23d385d8358 --- /dev/null +++ b/SPECS/git-lfs/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From ed07cf0825f6a369c58df6b728caa9f12ad029dd Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e125bbd..0844864 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -893,6 +895,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -938,6 +942,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1895,8 +1900,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2143,8 +2147,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/git-lfs/git-lfs.spec b/SPECS/git-lfs/git-lfs.spec index 9207737410f..64ee736e9ca 100644 --- a/SPECS/git-lfs/git-lfs.spec +++ b/SPECS/git-lfs/git-lfs.spec @@ -2,7 +2,7 @@ Summary: Git extension for versioning large files Name: git-lfs Version: 3.1.4 -Release: 15%{?dist} +Release: 16%{?dist} Group: System Environment/Programming Vendor: Microsoft Corporation Distribution: Mariner @@ -28,6 +28,7 @@ Source0: https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{ # See: https://reproducible-builds.org/docs/archives/ # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch BuildRequires: golang BuildRequires: which @@ -41,10 +42,12 @@ Requires: git Git LFS is a command line extension and specification for managing large files with Git %prep -%autosetup +%autosetup -N +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external" go generate ./commands @@ -77,6 +80,9 @@ git lfs uninstall %{_mandir}/man5/* %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 3.1.4-16 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 3.1.4-15 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/jx/CVE-2023-44487.patch b/SPECS/jx/CVE-2023-44487.patch new file mode 100644 index 00000000000..23d385d8358 --- /dev/null +++ b/SPECS/jx/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From ed07cf0825f6a369c58df6b728caa9f12ad029dd Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e125bbd..0844864 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -893,6 +895,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -938,6 +942,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1895,8 +1900,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2143,8 +2147,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/jx/jx.spec b/SPECS/jx/jx.spec index 9d4336c4801..71654e92b0c 100644 --- a/SPECS/jx/jx.spec +++ b/SPECS/jx/jx.spec @@ -1,7 +1,7 @@ Summary: Command line tool for working with Jenkins X. Name: jx Version: 3.2.236 -Release: 14%{?dist} +Release: 15%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -27,6 +27,7 @@ Source0: https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na # See: https://reproducible-builds.org/docs/archives/ # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch BuildRequires: golang >= 1.17.1 %global debug_package %{nil} @@ -36,10 +37,12 @@ BuildRequires: golang >= 1.17.1 Command line tool for working with Jenkins X. %prep -%autosetup -p1 +%autosetup -N +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} # No download use vednor cache locally sed -i 's/go mod download/# go mod download/' ./Makefile @@ -51,7 +54,14 @@ install -m 755 -d %{buildroot}%{_bindir} install -p -m 755 -t %{buildroot}%{_bindir} ./build/jx %check +# jenkins is not available for aarch64, can only run unit tests for x86_64. +%ifarch x86_64 +sed -i 's/TEST_BUILDFLAGS := -ldflags "$(BUILD_TIME_CONFIG_FLAGS)"/TEST_BUILDFLAGS := -mod=vendor -ldflags "$(BUILD_TIME_CONFIG_FLAGS)"/' ./Makefile +make test && \ ./build/jx --help +%else +./build/jx --help +%endif %files %defattr(-,root,root) @@ -60,6 +70,10 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./build/jx %{_bindir}/jx %changelog +* Thu Feb 01 2024 Daniel McIlvaney -3.2.236-15 +- Address CVE-2023-44487 by patching vendored golang.org/x/net +- Add unit tests to check section + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 3.2.236-14 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/keda/CVE-2023-44487.patch b/SPECS/keda/CVE-2023-44487.patch new file mode 100644 index 00000000000..23d385d8358 --- /dev/null +++ b/SPECS/keda/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From ed07cf0825f6a369c58df6b728caa9f12ad029dd Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e125bbd..0844864 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -893,6 +895,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -938,6 +942,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1895,8 +1900,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2143,8 +2147,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec index 0e5e35bcf28..f686d1a81e2 100644 --- a/SPECS/keda/keda.spec +++ b/SPECS/keda/keda.spec @@ -1,7 +1,7 @@ Summary: Kubernetes-based Event Driven Autoscaling Name: keda Version: 2.4.0 -Release: 16%{?dist} +Release: 17%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -29,16 +29,19 @@ Source1: %{name}-%{version}-vendor-v2.tar.gz # Patches the version of client_golang used in the vendored source. Should be applied before creating the vendored tarball. # Can be removed if we upgrade keda to 2.6.0 or later. Patch0: CVE-2022-21698.patch +Patch1: CVE-2023-44487.patch + BuildRequires: golang >= 1.15 %description -KEDA is a Kubernetes-based Event Driven Autoscaling component. -It provides event driven scale for any container running in Kubernetes +KEDA is a Kubernetes-based Event Driven Autoscaling component. +It provides event driven scale for any container running in Kubernetes %prep -%autosetup -p1 +%autosetup -N # create vendor folder from the vendor tarball and set vendor mode tar -xf %{SOURCE1} --no-same-owner +%autopatch -p1 %build export LDFLAGS="-X=github.com/kedacore/keda/v2/version.GitCommit= -X=github.com/kedacore/keda/v2/version.Version=main" diff --git a/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch b/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch index d182f16619a..917c6d0f138 100644 --- a/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch +++ b/SPECS/kube-vip-cloud-provider/CVE-2022-21698.patch @@ -9,6 +9,8 @@ Differences: - Removed some comments that don't merge - Line numbers and such +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths to work for vendored version Based on: From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 @@ -37,16 +39,16 @@ Signed-off-by: Kemal Akkoyun Signed-off-by: Kemal Akkoyun --- - prometheus/promhttp/instrument_client.go | 28 ++++++-- - prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ - prometheus/promhttp/option.go | 31 +++++++++ + vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go | 28 ++++++-- + vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go | 82 ++++++++++++++++++------ + vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go | 31 +++++++++ 3 files changed, 116 insertions(+), 25 deletions(-) - create mode 100644 prometheus/promhttp/option.go + create mode 100644 vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go -diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go index 83c49b6..861b4d2 100644 ---- a/prometheus/promhttp/instrument_client.go -+++ b/prometheus/promhttp/instrument_client.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go @@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp // http.RoundTripper to observe the request result with the provided CounterVec. // The CounterVec must have zero, one, or two non-const non-curried labels. For @@ -114,10 +116,10 @@ index 83c49b6..861b4d2 100644 } return resp, err }) -diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go index 9db2438..91802f8 100644 ---- a/prometheus/promhttp/instrument_server.go -+++ b/prometheus/promhttp/instrument_server.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go @@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl // // Note that this method is only guaranteed to never observe negative durations @@ -322,11 +324,11 @@ index 9db2438..91802f8 100644 + return "unknown" } } -diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go new file mode 100644 index 0000000..35e41bd --- /dev/null -+++ b/prometheus/promhttp/option.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go @@ -0,0 +1,31 @@ +// Copyright 2022 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/SPECS/kube-vip-cloud-provider/CVE-2023-44487.patch b/SPECS/kube-vip-cloud-provider/CVE-2023-44487.patch new file mode 100644 index 00000000000..23d385d8358 --- /dev/null +++ b/SPECS/kube-vip-cloud-provider/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From ed07cf0825f6a369c58df6b728caa9f12ad029dd Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e125bbd..0844864 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -893,6 +895,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -938,6 +942,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1895,8 +1900,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2143,8 +2147,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec index d0258b0a046..323f539c255 100644 --- a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec +++ b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec @@ -1,7 +1,7 @@ Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups Name: kube-vip-cloud-provider Version: 0.0.2 -Release: 15%{?dist} +Release: 16%{?dist} License: ASL 2.0 URL: https://github.com/kube-vip/kube-vip-cloud-provider Group: Applications/Text @@ -23,28 +23,37 @@ Source0: https://github.com/kube-vip/%{name}/archive/refs/tags/v%{version Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2022-21698.patch Patch1: CVE-2021-44716.patch +Patch2: CVE-2023-44487.patch BuildRequires: golang %description -The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups. +The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups. %prep %autosetup -N +# Apply vendor before patching tar -xvf %{SOURCE1} -%patch 0 -p1 -d vendor/github.com/prometheus/client_golang -%patch 1 -p1 +%autopatch -p1 -%build +%build go build -mod=vendor %install install -d %{buildroot}%{_bindir} install kube-vip-cloud-provider %{buildroot}%{_bindir}/kube-vip-cloud-provider +%check +go test -mod=vendor ./... + %files %{_bindir}/kube-vip-cloud-provider %changelog +* Wed Feb 07 2024 Daniel McIlvaney - 0.0.2-16 +- Address CVE-2023-44487 by patching vendored golang.org/x/net +- Rework CVE-2023-21698.patch to apply without directory change +- Add check section + * Mon Feb 05 2024 Osama Esmail - 0.0.2-15 - Fix CVE-2021-44716 diff --git a/SPECS/kubevirt/CVE-2023-44487.patch b/SPECS/kubevirt/CVE-2023-44487.patch new file mode 100644 index 00000000000..3fef9284e2b --- /dev/null +++ b/SPECS/kubevirt/CVE-2023-44487.patch @@ -0,0 +1,152 @@ +From 59641361d4922b9a4b77ad1aea98f168720818d3 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + .../vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index fd873b9..bfb06c6 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -554,9 +554,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -943,6 +945,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -988,6 +992,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1957,8 +1962,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -1978,6 +1982,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2227,8 +2235,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index c3b938fe3e9..0b524ea1554 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -19,7 +19,7 @@ Summary: Container native virtualization Name: kubevirt Version: 0.59.0 -Release: 11%{?dist} +Release: 12%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -32,6 +32,7 @@ Source1: disks-images-provider.yaml Patch0: Cleanup-housekeeping-cgroup-on-vm-del.patch Patch1: Allocate-2-cpu-for-the-emulator-thread.patch Patch2: Hotplug_detach_grace_period.patch +Patch3: CVE-2023-44487.patch %global debug_package %{nil} BuildRequires: glibc-devel BuildRequires: glibc-static >= 2.35-6%{?dist} @@ -211,6 +212,9 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v %{_bindir}/virt-tests %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 0.59.0-12 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Wed Oct 18 2023 Minghe Ren - 0.59.0-11 - Bump release to rebuild against glibc 2.35-6 @@ -239,10 +243,10 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v - Bump release to rebuild with go 1.19.10 * Fri May 12 2023 Kanika Nema - 0.59.0-2 -- Patch 0.59.0 with Operator Nexus patches +- Patch 0.59.0 with Operator Nexus patches * Fri May 05 2023 Kanika Nema - 0.59.0-1 -- Upgrade to v0.59.0 +- Upgrade to v0.59.0 * Wed Apr 05 2023 CBL-Mariner Servicing Account - 0.58.0-7 - Bump release to rebuild with go 1.19.8 diff --git a/SPECS/local-path-provisioner/CVE-2022-21698.patch b/SPECS/local-path-provisioner/CVE-2022-21698.patch index d182f16619a..d57405ed3bf 100644 --- a/SPECS/local-path-provisioner/CVE-2022-21698.patch +++ b/SPECS/local-path-provisioner/CVE-2022-21698.patch @@ -43,10 +43,10 @@ Signed-off-by: Kemal Akkoyun 3 files changed, 116 insertions(+), 25 deletions(-) create mode 100644 prometheus/promhttp/option.go -diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go index 83c49b6..861b4d2 100644 ---- a/prometheus/promhttp/instrument_client.go -+++ b/prometheus/promhttp/instrument_client.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go @@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp // http.RoundTripper to observe the request result with the provided CounterVec. // The CounterVec must have zero, one, or two non-const non-curried labels. For @@ -114,10 +114,10 @@ index 83c49b6..861b4d2 100644 } return resp, err }) -diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go index 9db2438..91802f8 100644 ---- a/prometheus/promhttp/instrument_server.go -+++ b/prometheus/promhttp/instrument_server.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go @@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl // // Note that this method is only guaranteed to never observe negative durations @@ -322,11 +322,11 @@ index 9db2438..91802f8 100644 + return "unknown" } } -diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go new file mode 100644 index 0000000..35e41bd --- /dev/null -+++ b/prometheus/promhttp/option.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go @@ -0,0 +1,31 @@ +// Copyright 2022 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/SPECS/local-path-provisioner/CVE-2023-44487.patch b/SPECS/local-path-provisioner/CVE-2023-44487.patch new file mode 100644 index 00000000000..dd5656aade4 --- /dev/null +++ b/SPECS/local-path-provisioner/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From f894329282d8fd3b34e62190266fce58c8e3a60f Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + .../vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 2aa859f..126a9e2 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -893,6 +895,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -938,6 +942,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1879,8 +1884,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2127,8 +2131,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec index fdfeb5a48e5..d382f2007fb 100644 --- a/SPECS/local-path-provisioner/local-path-provisioner.spec +++ b/SPECS/local-path-provisioner/local-path-provisioner.spec @@ -1,7 +1,7 @@ Summary: Provides a way for the Kubernetes users to utilize the local storage in each node Name: local-path-provisioner Version: 0.0.21 -Release: 15%{?dist} +Release: 16%{?dist} License: ASL 2.0 URL: https://github.com/rancher/local-path-provisioner Group: Applications/Text @@ -12,20 +12,19 @@ Source0: https://github.com/rancher/%{name}/archive/refs/tags/v%{version} # Fixed in upstream 0.0.24, so we can remove this patch when we upgrade to that version Patch0: CVE-2022-21698.patch Patch1: CVE-2021-44716.patch +Patch2: CVE-2023-44487.patch BuildRequires: golang %description -Provides a way for the Kubernetes users to utilize the local storage in each node. +Provides a way for the Kubernetes users to utilize the local storage in each node. %prep -%setup -q -%patch 0 -p1 -d vendor/github.com/prometheus/client_golang -%patch 1 -p1 +%autosetup -p1 %build export CGO_ENABLED=0 -go build -mod=vendor +go build -mod=vendor %install install -d %{buildroot}%{_bindir} @@ -35,6 +34,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner %{_bindir}/local-path-provisioner %changelog +* Wed Feb 07 2024 Daniel McIlvaney - 0.0.21-16 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Tue Feb 06 2024 Osama Esmail - 0.0.21-15 - Fix CVE-2021-44716 diff --git a/SPECS/moby-buildx/CVE-2022-21698.patch b/SPECS/moby-buildx/CVE-2022-21698.patch index d703e4b707e..0964671cd95 100644 --- a/SPECS/moby-buildx/CVE-2022-21698.patch +++ b/SPECS/moby-buildx/CVE-2022-21698.patch @@ -43,10 +43,10 @@ Co-authored-by: Kemal Akkoyun 3 files changed, 138 insertions(+), 32 deletions(-) create mode 100644 prometheus/promhttp/option.go -diff --git a/prometheus/promhttp/instrument_client.go b/prometheus/promhttp/instrument_client.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go index 83c49b6..861b4d2 100644 ---- a/prometheus/promhttp/instrument_client.go -+++ b/prometheus/promhttp/instrument_client.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go @@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp // http.RoundTripper to observe the request result with the provided CounterVec. // The CounterVec must have zero, one, or two non-const non-curried labels. For @@ -114,10 +114,10 @@ index 83c49b6..861b4d2 100644 } return resp, err }) -diff --git a/prometheus/promhttp/instrument_server.go b/prometheus/promhttp/instrument_server.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go index ab037db..a23f0ed 100644 ---- a/prometheus/promhttp/instrument_server.go -+++ b/prometheus/promhttp/instrument_server.go +--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go @@ -45,7 +45,10 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next http.Handler) http.Handl // http.Handler to observe the request duration with the provided ObserverVec. // The ObserverVec must have valid metric and label names and must have zero, @@ -386,11 +386,11 @@ index ab037db..a23f0ed 100644 + return "unknown" } } -diff --git a/prometheus/promhttp/option.go b/prometheus/promhttp/option.go +diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go new file mode 100644 index 0000000..35e41bd --- /dev/null -+++ b/prometheus/promhttp/option.go ++++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go @@ -0,0 +1,31 @@ +// Copyright 2022 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/SPECS/moby-buildx/CVE-2023-44487.patch b/SPECS/moby-buildx/CVE-2023-44487.patch new file mode 100644 index 00000000000..b979779a031 --- /dev/null +++ b/SPECS/moby-buildx/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From e5d2d20ca92b7868ca601b41b0109326f59d9198 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + .../vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 09bc705..390243f 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -515,9 +515,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -887,6 +889,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -932,6 +936,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1889,8 +1894,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2137,8 +2141,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/moby-buildx/moby-buildx.spec b/SPECS/moby-buildx/moby-buildx.spec index 105f7748887..f96968bd476 100644 --- a/SPECS/moby-buildx/moby-buildx.spec +++ b/SPECS/moby-buildx/moby-buildx.spec @@ -5,7 +5,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi Name: moby-%{upstream_name} # update "commit_hash" above when upgrading version Version: 0.7.1 -Release: 16%{?dist} +Release: 17%{?dist} License: ASL 2.0 Group: Tools/Container Vendor: Microsoft Corporation @@ -14,6 +14,7 @@ URL: https://www.github.com/docker/buildx Source0: https://github.com/docker/buildx/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz # Fixed in upstream v0.8.0. Can remove when we upgrade to that version. Patch0: CVE-2022-21698.patch +Patch1: CVE-2023-44487.patch BuildRequires: bash BuildRequires: golang >= 1.17 @@ -26,8 +27,7 @@ Conflicts: docker-ee A Docker CLI plugin for extended build capabilities with BuildKit %prep -%setup -q -n %{upstream_name}-%{version} -%patch 0 -p1 -d vendor/github.com/prometheus/client_golang +%autosetup -p1 -n %{upstream_name}-%{version} %build export CGO_ENABLED=0 @@ -45,6 +45,9 @@ cp -aT buildx "%{buildroot}/%{_libexecdir}/docker/cli-plugins/docker-buildx" %{_libexecdir}/docker/cli-plugins/docker-buildx %changelog +* Wed Feb 07 2024 Daniel McIlvaney - 0.7.1-17 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Thu Feb 01 2024 Tobias Brick - 0.7.1-16 - Fix CVE-2022-21698 diff --git a/SPECS/moby-compose/CVE-2023-44487.patch b/SPECS/moby-compose/CVE-2023-44487.patch new file mode 100644 index 00000000000..8dd774b9204 --- /dev/null +++ b/SPECS/moby-compose/CVE-2023-44487.patch @@ -0,0 +1,152 @@ +From d46e08c00adc5db733c22f71656fab007662bca7 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 8cb14f3..6000140 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1028,6 +1032,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + } + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/moby-compose/moby-compose.spec b/SPECS/moby-compose/moby-compose.spec index 21ff35240e3..042f757e56b 100644 --- a/SPECS/moby-compose/moby-compose.spec +++ b/SPECS/moby-compose/moby-compose.spec @@ -1,13 +1,14 @@ Summary: Define and run multi-container applications with Docker Name: moby-compose Version: 2.17.2 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner Group: Tools/Container URL: https://github.com/docker/compose Source0: https://github.com/docker/compose/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2023-44487.patch # Leverage the `generate_source_tarball.sh` to create the vendor sources # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store. @@ -24,8 +25,10 @@ Then, with a single command, you create and start all the services from your configuration. %prep -%autosetup -n compose-%{version} +%autosetup -N -n compose-%{version} +# Apply vendor before patching %setup -q -n compose-%{version} -T -D -a 1 +%autopatch -p1 %build go build \ @@ -44,6 +47,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl %{_libexecdir}/docker/cli-plugins/docker-compose %changelog +* Fri Feb 02 2024 Daniel McIlvaney - 2.17.2-7 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 2.17.2-6 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/moby-containerd-cc/CVE-2023-44487.patch b/SPECS/moby-containerd-cc/CVE-2023-44487.patch new file mode 100644 index 00000000000..d311a2499cf --- /dev/null +++ b/SPECS/moby-containerd-cc/CVE-2023-44487.patch @@ -0,0 +1,152 @@ +From 84b30b3380727ea94e05c438ab695ea24e38fb0c Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + .../vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 8cb14f3..6000140 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1028,6 +1032,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + } + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec index a71f6a2ff9c..7536b250dff 100644 --- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec +++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec @@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers Name: moby-%{upstream_name} Version: 1.7.2 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -17,6 +17,7 @@ Source0: https://github.com/microsoft/confidential-containers-containerd/archiv Source1: containerd.service Source2: containerd.toml Patch0: CVE-2023-47108.patch +Patch1: CVE-2023-44487.patch %{?systemd_requires} @@ -78,6 +79,9 @@ fi %config(noreplace) %{_sysconfdir}/containerd/config.toml %changelog +* Fri Feb 02 2024 Daniel McIlvaney - 1.7.2-4 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Wed Dec 20 2023 Manuel Huber - 1.7.2-3 - Set oom_score_adj of containerd to -999 diff --git a/SPECS/packer/CVE-2023-44487.patch b/SPECS/packer/CVE-2023-44487.patch new file mode 100644 index 00000000000..268ddb95168 --- /dev/null +++ b/SPECS/packer/CVE-2023-44487.patch @@ -0,0 +1,152 @@ +From 14055cd02653bb8f90f99f24c889e44ff8899890 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 8cb14f3..6000140 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1028,6 +1032,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + } + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index 919ea41541e..58af7dca5cf 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -1,7 +1,7 @@ Summary: Tool for creating identical machine images for multiple platforms from a single source configuration. Name: packer Version: 1.8.7 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -27,6 +27,7 @@ Source0: https://github.com/hashicorp/packer/archive/v%{version}.tar.gz#/ # See: https://reproducible-builds.org/docs/archives/ # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch BuildRequires: golang >= 1.17.1 BuildRequires: kernel-headers @@ -38,10 +39,12 @@ BuildRequires: glibc-devel Packer is a tool for building identical machine images for multiple platforms from a single source configuration. %prep -%autosetup -p1 +%autosetup -N +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} LD_FLAGS="-X github.com/hashicorp/packer/version.Version=%{version} -X github.com/hashicorp/packer/version.VersionPrerelease=" go build -mod=vendor -v -a -o packer -ldflags="$LD_FLAGS" @@ -61,6 +64,9 @@ go test -mod=vendor %{_bindir}/packer %changelog +* Fri Feb 02 2024 Daniel McIlvaney - 1.8.7-2 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Wed Dec 20 2023 CBL-Mariner Servicing Account - 1.8.7-1 - Auto-upgrade to 1.8.7 - CVE-2023-45286 diff --git a/SPECS/prometheus-node-exporter/CVE-2023-44487.patch b/SPECS/prometheus-node-exporter/CVE-2023-44487.patch new file mode 100644 index 00000000000..1e70a1becec --- /dev/null +++ b/SPECS/prometheus-node-exporter/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From 09521d1d12e9adf1ecd318a034c33b36f9e56eb2 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 09bc705..390243f 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -515,9 +515,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -887,6 +889,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -932,6 +936,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1889,8 +1894,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2137,8 +2141,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/prometheus-node-exporter/prometheus-node-exporter.spec b/SPECS/prometheus-node-exporter/prometheus-node-exporter.spec index 029a200684c..ef2d05160c3 100644 --- a/SPECS/prometheus-node-exporter/prometheus-node-exporter.spec +++ b/SPECS/prometheus-node-exporter/prometheus-node-exporter.spec @@ -5,7 +5,7 @@ Summary: Exporter for machine metrics Name: prometheus-node-exporter Version: 1.3.1 -Release: 22%{?dist} +Release: 23%{?dist} # Upstream license specification: Apache-2.0 License: ASL 2.0 AND MIT Vendor: Microsoft Corporation @@ -38,6 +38,7 @@ Patch1: 0001-Refactor-perf-collector.patch # Patches the vendered source tarball; must be applied after untarring that tarball. # Can be removed if we upgrade to prometheus-node-exporter 1.4.0 or later. Patch2: CVE-2022-21698.patch +Patch3: CVE-2023-44487.patch BuildRequires: golang BuildRequires: systemd-rpm-macros @@ -50,10 +51,9 @@ in Go with pluggable metric collectors. %prep %autosetup -N -n node_exporter-%{version} - +# Apply vendor before patching rm -rf vendor tar -xf %{SOURCE1} --no-same-owner - %autopatch -p1 %build @@ -112,6 +112,9 @@ getent passwd 'prometheus' >/dev/null || useradd -r -g 'prometheus' -d '%{_share %dir %attr(0755,prometheus,prometheus) %{_sharedstatedir}/prometheus/node-exporter %changelog +* Thu Feb 08 2024 Daniel McIlvaney - 1.3.1-23 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Wed Feb 07 2024 Tobias Brick - 1.3.1-22 - Patch CVE-2022-21698 diff --git a/SPECS/prometheus-process-exporter/CVE-2023-44487.patch b/SPECS/prometheus-process-exporter/CVE-2023-44487.patch new file mode 100644 index 00000000000..1e70a1becec --- /dev/null +++ b/SPECS/prometheus-process-exporter/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From 09521d1d12e9adf1ecd318a034c33b36f9e56eb2 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 09bc705..390243f 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -515,9 +515,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -887,6 +889,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -932,6 +936,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1889,8 +1894,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2137,8 +2141,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/prometheus-process-exporter/prometheus-process-exporter.spec b/SPECS/prometheus-process-exporter/prometheus-process-exporter.spec index 826659bb81d..1fa77fe7109 100644 --- a/SPECS/prometheus-process-exporter/prometheus-process-exporter.spec +++ b/SPECS/prometheus-process-exporter/prometheus-process-exporter.spec @@ -5,7 +5,7 @@ Summary: Prometheus exporter exposing process metrics from procfs Name: prometheus-process-exporter Version: 0.7.10 -Release: 16%{?dist} +Release: 17%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -32,6 +32,7 @@ Patch0: 01-fix-RSS-test-on-non4K-pagesize-systems.patch Patch1: 03-disable-fakescraper.patch # Can be removed if we ever update to a version that includes this pull request: https://github.com/ncabatoff/process-exporter/pull/264. Patch2: CVE-2022-21698.patch +Patch3: CVE-2023-44487.patch BuildRequires: golang BuildRequires: systemd-rpm-macros @@ -48,10 +49,9 @@ process metrics from procfs. %prep %autosetup -N -n process-exporter-%{version} - +# Apply vendor before patching rm -rf vendor tar -xf %{SOURCE1} --no-same-owner - %autopatch -p1 %build @@ -101,6 +101,9 @@ getent passwd 'prometheus' >/dev/null || useradd -r -g 'prometheus' -d '%{_share %dir %attr(0755,prometheus,prometheus) %{_sharedstatedir}/prometheus %changelog +* Thu Feb 08 2024 Daniel McIlvaney - 0.7.10-17 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Wed Feb 07 2024 Tobias Brick - 0.7.10-16 - Patch to fix CVE-2022-21698 diff --git a/SPECS/rook/CVE-2023-44487.patch b/SPECS/rook/CVE-2023-44487.patch new file mode 100644 index 00000000000..1e70a1becec --- /dev/null +++ b/SPECS/rook/CVE-2023-44487.patch @@ -0,0 +1,143 @@ +From 09521d1d12e9adf1ecd318a034c33b36f9e56eb2 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code + - Removed reference to countError() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 09bc705..390243f 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -515,9 +515,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -887,6 +889,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -932,6 +936,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1889,8 +1894,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2137,8 +2141,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/rook/rook.spec b/SPECS/rook/rook.spec index 4d07106bc3e..7bcabffe96e 100644 --- a/SPECS/rook/rook.spec +++ b/SPECS/rook/rook.spec @@ -19,7 +19,7 @@ Summary: Orchestrator for distributed storage systems in cloud-native environments Name: rook Version: 1.6.2 -Release: 16%{?dist} +Release: 17%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -55,6 +55,7 @@ Patch0: flexvolume-dir.patch # Patches the vendered source tarball; must be applied after untarring that tarball. # Can be removed if we upgrade to prometheus-node-exporter 1.10.0 or later. Patch1: CVE-2022-21698.patch +Patch2: CVE-2023-44487.patch # Ceph version is needed to set correct container tag in manifests BuildRequires: ceph # Rook requirements @@ -126,6 +127,7 @@ This package contains Helm Charts for Rook. %prep %autosetup -N +# Apply vendor before patching tar -xf %{SOURCE1} --no-same-owner %autopatch -p1 @@ -252,6 +254,9 @@ sed -i -e "s|\(.*tag: \)VERSION|\1%{helm_appVersion}|" %{values_yaml} # bother adding docs or changelog or anything %changelog +* Thu Feb 08 2024 Daniel McIlvaney - 1.6.2-17 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Wed Feb 07 2024 Tobias Brick - 1.6.2-16 - Patch to fix CVE-2022-21698 diff --git a/SPECS/terraform/CVE-2023-44487.patch b/SPECS/terraform/CVE-2023-44487.patch new file mode 100644 index 00000000000..ef93a0fc7fb --- /dev/null +++ b/SPECS/terraform/CVE-2023-44487.patch @@ -0,0 +1,142 @@ +From 231b82cc8f9f1d35384a5b26917d1a9ac797ab6b Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go + - Removed reference to upgradeRequest() which is not in old versions of the vendored code +--- + vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e644d9b..f56dbe9 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -520,9 +520,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -909,6 +911,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -954,6 +958,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1911,8 +1916,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2159,8 +2163,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec index a485dbc3b39..4070e1a9327 100644 --- a/SPECS/terraform/terraform.spec +++ b/SPECS/terraform/terraform.spec @@ -1,7 +1,7 @@ Summary: Infrastructure as code deployment management tool Name: terraform Version: 1.3.2 -Release: 12%{?dist} +Release: 13%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -27,6 +27,8 @@ Source0: https://github.com/hashicorp/terraform/archive/refs/tags/v%{vers # See: https://reproducible-builds.org/docs/archives/ # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch + %global debug_package %{nil} %define our_gopath %{_topdir}/.gopath BuildRequires: golang <= 1.18.8 @@ -35,10 +37,12 @@ BuildRequires: golang <= 1.18.8 Terraform is an infrastructure as code deployment management tool %prep -%autosetup -p1 +%autosetup -N +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 %build -tar --no-same-owner -xf %{SOURCE1} export GOPATH=%{our_gopath} go build -mod=vendor -v -a -o terraform @@ -57,6 +61,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform %{_bindir}/terraform %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 1.3.2-13 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.3.2-12 - Bump release to rebuild with go 1.20.9 diff --git a/SPECS/vitess/CVE-2023-44487.patch b/SPECS/vitess/CVE-2023-44487.patch new file mode 100644 index 00000000000..8f91fa92d54 --- /dev/null +++ b/SPECS/vitess/CVE-2023-44487.patch @@ -0,0 +1,152 @@ +From cfb6510164d254bb74e00f066883d4a74458f6b5 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 8cb14f3..6000140 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1028,6 +1032,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + } + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/vitess/vitess.spec b/SPECS/vitess/vitess.spec index 79a5afcc78e..d619180376c 100644 --- a/SPECS/vitess/vitess.spec +++ b/SPECS/vitess/vitess.spec @@ -3,7 +3,7 @@ Name: vitess Version: 16.0.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Database clustering system for horizontal scaling of MySQL # Upstream license specification: MIT and Apache-2.0 License: MIT and ASL 2.0 @@ -25,7 +25,8 @@ Source0: %{name}-%{version}.tar.gz # --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ # -cf %%{name}-%%{version}-vendor.tar.gz vendor # -Source1: %{name}-%{version}-vendor.tar.gz +Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2023-44487.patch BuildRequires: golang %description @@ -39,7 +40,10 @@ with an atomic cutover step that takes only a few seconds. %prep -%autosetup -p1 +%autosetup -N +# Apply vendor before patching +tar --no-same-owner -xf %{SOURCE1} +%autopatch -p1 # sed in Mariner does not work on a group of files; use for-loop to apply # to apply to individual file @@ -52,10 +56,6 @@ rm -rf go/trace/plugin_datadog.go mv go/README.md README-go.md %build - -# create vendor folder from the vendor tarball and set vendor mode -tar -xf %{SOURCE1} --no-same-owner - export VERSION=%{version} for cmd in $(find go/cmd/* -maxdepth 0 -type d); do @@ -104,6 +104,9 @@ go check -t go/cmd \ %{_bindir}/* %changelog +* Thu Feb 01 2024 Daniel McIlvaney - 16.0.2-7 +- Address CVE-2023-44487 by patching vendored golang.org/x/net + * Mon Oct 16 2023 CBL-Mariner Servicing Account - 16.0.2-6 - Bump release to rebuild with go 1.20.9