-
Notifications
You must be signed in to change notification settings - Fork 565
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch kubernetes for CVE-2024-45338 (#11765)
Co-authored-by: jslobodzian <[email protected]>
- Loading branch information
1 parent
ee194d9
commit 7b739b6
Showing
2 changed files
with
85 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
| Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
|
||
| Instead of using strings.ToLower and == to check case insensitive | ||
| equality, just use strings.EqualFold, even when the strings are only | ||
| ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
| which can be a somewhat expensive operation, even if we're only | ||
| attempting to compare equality with five characters. | ||
|
|
||
| Thanks to Guido Vranken for reporting this issue. | ||
|
|
||
| Fixes golang/go#70906 | ||
| Fixes CVE-2024-45338 | ||
|
|
||
| Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
| vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
| vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
| 3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
| index c484e5a9..bca3ae9a 100644 | ||
| --- a/vendor/golang.org/x/net/html/doctype.go | ||
| +++ b/vendor/golang.org/x/net/html/doctype.go | ||
| @@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
| } | ||
| } | ||
| if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
| - strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
| + strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
| quirks = true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
| index 9da9e9dc..e8515d8e 100644 | ||
| --- a/vendor/golang.org/x/net/html/foreign.go | ||
| +++ b/vendor/golang.org/x/net/html/foreign.go | ||
| @@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
| if n.Data == "annotation-xml" { | ||
| for _, a := range n.Attr { | ||
| if a.Key == "encoding" { | ||
| - val := strings.ToLower(a.Val) | ||
| - if val == "text/html" || val == "application/xhtml+xml" { | ||
| + if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
| return true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
| index 46a89eda..5b8374bf 100644 | ||
| --- a/vendor/golang.org/x/net/html/parse.go | ||
| +++ b/vendor/golang.org/x/net/html/parse.go | ||
| @@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { | ||
| if p.tok.DataAtom == a.Input { | ||
| for _, t := range p.tok.Attr { | ||
| if t.Key == "type" { | ||
| - if strings.ToLower(t.Val) == "hidden" { | ||
| + if strings.EqualFold(t.Val, "hidden") { | ||
| // Skip setting framesetOK = false | ||
| return true | ||
| } | ||
| @@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { | ||
| return inHeadIM(p) | ||
| case a.Input: | ||
| for _, t := range p.tok.Attr { | ||
| - if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
| + if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
| p.addElement() | ||
| p.oe.pop() | ||
| return true | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,7 @@ | |
| Summary: Microsoft Kubernetes | ||
| Name: kubernetes | ||
| Version: 1.28.4 | ||
| Release: 12%{?dist} | ||
| Release: 13%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -24,6 +24,7 @@ Patch2: CVE-2023-5408.patch | |
| Patch3: CVE-2023-45288.patch | ||
| Patch4: CVE-2024-28180.patch | ||
| Patch5: CVE-2024-24786.patch | ||
| Patch6: CVE-2024-45338.patch | ||
| BuildRequires: flex-devel | ||
| BuildRequires: glibc-static >= 2.35-7%{?dist} | ||
| BuildRequires: golang | ||
|
|
@@ -270,6 +271,9 @@ fi | |
| %{_exec_prefix}/local/bin/pause | ||
|
|
||
| %changelog | ||
| * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 1.28.4-13 | ||
| - Add patch for CVE-2024-45338 | ||
|
|
||
| * Mon Oct 14 2024 Henry Li <[email protected]> - 1.28.4-12 | ||
| - Add patch to resolve CVE-2024-24786 | ||
|
|
||
|
|
||