diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml index fc0962302ad..dfb8529fec3 100644 --- a/.github/workflows/check-entangled-specs.yml +++ b/.github/workflows/check-entangled-specs.yml @@ -25,10 +25,10 @@ jobs: uses: actions/checkout@v4 # For consistency, we use the same major/minor version of Python that CBL-Mariner ships - - name: Setup Python 3.7 + - name: Setup Python 3.9 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.9 - name: Get Python dependencies run: python3 -m pip install -r toolkit/scripts/requirements.txt diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml index 887bb0812ce..a415a239109 100644 --- a/.github/workflows/lint-specs.yml +++ b/.github/workflows/lint-specs.yml @@ -62,10 +62,10 @@ jobs: path: 'spec-cleaner' # For consistency, we use the same major/minor version of Python that CBL-Mariner ships - - name: Setup Python 3.7 + - name: Setup Python 3.9 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.9 # We take our version of the linting tool from the master branch to ensure rules # are consistent across all branches diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml index ea1426f5c3a..c3d412d897f 100644 --- a/.pipelines/prchecks/PackageBuildPRCheck.yml +++ b/.pipelines/prchecks/PackageBuildPRCheck.yml 
@@ -80,9 +80,11 @@ extends: # GCC fails to build as a regular package. ignoredSpecs: ["gcc"] - - script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)" + - script: | + echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)" + echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz" name: "ToolchainArtifactName" - displayName: "Set variable for published artifact name" + displayName: "Set variables for published toolchain tarball" # 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because # then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions 
@@ -104,24 +106,38 @@ extends: isCustom: true name: ${{ configuration.agentPool }} variables: + inputArtifactsLocation: $(Agent.TempDirectory) ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt) ob_outputDirectory: $(Build.ArtifactStagingDirectory) + outputRPMsTarballName: "rpms.tar.gz" toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ] + toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ] steps: + - task: DownloadPipelineArtifact@2 + displayName: "Download toolchain" + inputs: + artifact: $(toolchainArtifactName) + patterns: "**/$(toolchainTarballName)" + targetPath: $(inputArtifactsLocation) + - template: .pipelines/templates/PackageBuild.yml@self parameters: checkBuildRetries: "1" - customToolchainArtifactName: $(toolchainArtifactName) + customToolchainTarballName: $(toolchainTarballName) + inputArtifactsFolder: $(inputArtifactsLocation) isCheckBuild: true isQuickRebuildPackages: true isUseCCache: true maxCPU: "${{ configuration.maxCPUs }}" outputArtifactsFolder: $(ob_outputDirectory) + outputRPMsTarballName: $(outputRPMsTarballName) pipArtifactFeeds: "mariner/Mariner-Pypi-Feed" selfRepoName: self testSuiteName: "[${{ configuration.name }}] Package test" - - script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)" + - script: | + echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)" + echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)" name: "RPMsArtifactName" displayName: "Set variable for published artifact name" 
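Review bot: The new download step writes straight into the root of the agent temp directory (`inputArtifactsLocation: $(Agent.TempDirectory)` used as `targetPath`), and PackageBuild.yml later picks the toolchain with `find … -name … -print -quit` over that whole tree, so any other same-named file under the temp directory could be selected instead of the artifact just downloaded. The selected archive is then handed to `sudo make … TOOLCHAIN_ARCHIVE=…`, so the lookup should be unambiguous; a dedicated sub-folder does that, for example `inputArtifactsLocation: $(Agent.TempDirectory)/input-artifacts` (folder name illustrative). The same variable is introduced in the next two hunks of this file (the toolchain-tests job and the sodiff job); in the sodiff case SodiffCheck.yml extracts every match it finds, and its default `sourcesWorkspace` also lives under `$(Agent.TempDirectory)`. Separately, the RPMs step keeps `displayName: "Set variable for published artifact name"` although it now sets two variables.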
@@ -142,15 +158,25 @@ extends: isCustom: true name: ${{ configuration.agentPool }} variables: + inputArtifactsLocation: $(Agent.TempDirectory) ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt) ob_outputDirectory: $(Build.ArtifactStagingDirectory) testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ] toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ] + toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ] steps: + - task: DownloadPipelineArtifact@2 + displayName: "Download toolchain" + inputs: + artifact: $(toolchainArtifactName) + patterns: "**/$(toolchainTarballName)" + targetPath: $(inputArtifactsLocation) + - template: .pipelines/templates/PackageBuild.yml@self parameters: checkBuildRetries: "1" - customToolchainArtifactName: $(toolchainArtifactName) + customToolchainTarballName: $(toolchainTarballName) + inputArtifactsFolder: $(inputArtifactsLocation) isAllowToolchainRebuilds: true isCheckBuild: true isQuickRebuildPackages: true 
@@ -179,8 +205,18 @@ extends: isCustom: true name: ${{ configuration.agentPool }} variables: + inputArtifactsLocation: $(Agent.TempDirectory) rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ] + rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ] steps: + - task: DownloadPipelineArtifact@2 + displayName: "Download RPMs tarball" + inputs: + artifact: $(rpmsArtifactName) + patterns: "**/$(rpmsTarballName)" + targetPath: $(inputArtifactsLocation) + - template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self parameters: - inputArtifactName: $(rpmsArtifactName) + inputArtifactsFolder: $(inputArtifactsLocation) + inputRPMsTarballName: $(rpmsTarballName) diff --git a/.pipelines/templates/PackageBuild.yml b/.pipelines/templates/PackageBuild.yml index 4ce30b7e65f..abb9ac1d9ca 100644 --- a/.pipelines/templates/PackageBuild.yml +++ b/.pipelines/templates/PackageBuild.yml @@ -14,13 +14,9 @@ parameters: type: number default: 12 - - name: customToolchainArtifactName - type: string - default: "" - - name: customToolchainTarballName type: string - default: "toolchain_built_rpms_all.tar.gz" + default: "" - name: extraPackageRepos type: string @@ -30,12 +26,16 @@ parameters: type: boolean default: true - - name: inputCacheArtifacts + - name: inputArtifactsFolder + type: string + default: "$(Agent.TempDirectory)" + + - name: inputCacheRPMsTarballs type: object default: [] # Sample: - # - name: build-artifacts - # rpmsTarball: cache.tar.gz + # - cache.tar.gz + # - cache2.tar.gz - name: isAllowToolchainRebuilds type: string 
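Review bot: In the PackageBuild.yml parameter hunks the template stops downloading artifacts itself, but nothing in the parameter block tells callers that they must now place the toolchain and cache tarballs in `inputArtifactsFolder` before the template runs. A comment above `inputArtifactsFolder` such as `# Folder the caller has already populated with the toolchain/cache tarballs (e.g. via DownloadPipelineArtifact).` would document the new contract. The `inputCacheRPMsTarballs` sample could also state that entries are bare file names, since each one is passed to `find -name`. With `customToolchainTarballName` now defaulting to an empty string, any caller that relied on the old default name and passed only `customToolchainArtifactName` needs updating; other callers are not visible in this part of the diff.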
@@ -160,15 +160,9 @@ steps: artifactFeeds: "${{ parameters.pipArtifactFeeds }}" displayName: "Authenticate to custom pip artifact feeds" - - ${{ if parameters.customToolchainArtifactName }}: - - task: DownloadPipelineArtifact@2 - displayName: "Download toolchain" - inputs: - artifact: "${{ parameters.customToolchainArtifactName }}" - patterns: "**/${{ parameters.customToolchainTarballName }}" - + - ${{ if parameters.customToolchainTarballName }}: - script: | - toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)" + toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)" if [[ ! -f "$toolchain_archive" ]]; then echo "ERROR: toolchain archive not found!" >&2 exit 1 @@ -178,17 +172,11 @@ steps: sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive" displayName: "Populate toolchain" - - ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}: - - task: DownloadPipelineArtifact@2 - displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}" - inputs: - artifact: "${{ inputCacheArtifact.name }}" - patterns: "**/${{ inputCacheArtifact.rpmsTarball }}" - + - ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}: - script: | - rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)" + rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)" if [[ ! -f "$rpms_archive" ]]; then - echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2 + echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2 exit 1 fi 
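Review bot: `${{ parameters.inputArtifactsFolder }}` and `${{ parameters.customToolchainTarballName }}` are substituted into the bash text before the script runs, so a value containing a quote or `$(` would change the command rather than the argument. In PackageBuildPRCheck.yml the tarball name now arrives from another stage's output variable, which makes this worth hardening even though the current value is a literal. Passing the values through the step's `env:` mapping keeps them as data; the variable names below are illustrative. The following hunk on this page (the cache RPMs loop) has the same pattern with `${{ inputCacheRPMsTarball }}`, and the script body continues outside this hunk.

```yaml
- script: |
    toolchain_archive="$(find "$INPUT_ARTIFACTS_FOLDER" -name "$TOOLCHAIN_TARBALL_NAME" -print -quit)"
    # … unchanged: archive existence check and toolchain population …
  env:
    INPUT_ARTIFACTS_FOLDER: "${{ parameters.inputArtifactsFolder }}"
    TOOLCHAIN_TARBALL_NAME: "${{ parameters.customToolchainTarballName }}"
```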
@@ -200,7 +188,7 @@ steps: check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}" fi - if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then + if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)" fi diff --git a/.pipelines/templatesWithCheckout/SodiffCheck.yml b/.pipelines/templatesWithCheckout/SodiffCheck.yml index 76971d60407..58ed7295167 100644 --- a/.pipelines/templatesWithCheckout/SodiffCheck.yml +++ b/.pipelines/templatesWithCheckout/SodiffCheck.yml @@ -6,8 +6,9 @@ parameters: type: string default: "$(Build.SourcesDirectory)" - - name: inputArtifactName + - name: inputArtifactsFolder type: string + default: "$(Agent.TempDirectory)" - name: inputRPMsTarballName type: string @@ -26,19 +27,11 @@ parameters: default: "$(Agent.TempDirectory)/SourcesWorkspace" steps: - - task: DownloadPipelineArtifact@2 - displayName: "Download sources for signing" - inputs: - artifact: ${{ parameters.inputArtifactName }} - patterns: | - **/${{ parameters.inputRPMsTarballName }} - targetPath: "$(Agent.TempDirectory)" - - script: | set -e mkdir -p "${{ parameters.sourcesWorkspace }}" - find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf + find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf displayName: "Extract sources tarball" - script: | diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json index 8348c78a905..1a2a357595b 100644 --- a/SPECS/ca-certificates/ca-certificates.signatures.json +++ b/SPECS/ca-certificates/ca-certificates.signatures.json 
@@ -11,6 +11,7 @@ "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8", "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a", "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57", + "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d", "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd", "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33", "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426", diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec index 02a65aabfdc..84145a40567 100644 --- a/SPECS/ca-certificates/ca-certificates.spec +++ b/SPECS/ca-certificates/ca-certificates.spec @@ -6,6 +6,8 @@ %define p11_format_base_bundle ca-bundle.trust.base.p11-kit +%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit + %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit # List of packages triggering legacy certs generation if 'ca-certificates-legacy' @@ -45,7 +47,7 @@ Name: ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well. Epoch: 1 Version: 2.0.0 -Release: 18%{?dist} +Release: 19%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -69,6 +71,8 @@ Source21: certdata.base.txt Source22: bundle2pem.sh # The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program. Source23: certdata.microsoft.txt +# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program. +Source24: certdata.distrusted.txt BuildRequires: /bin/ln BuildRequires: asciidoc 
@@ -91,7 +95,7 @@ Provides: ca-certificates-mozilla = %{version}-%{release} BuildArch: noarch %description -The Public Key Inrastructure is used for many security issues in +The Public Key Infrastructure is used for many security issues in a Linux system. In order for a certificate to be trusted, it must be signed by a trusted agent called a Certificate Authority (CA). The certificates loaded by this section are from the list of CAs trusted @@ -146,6 +150,7 @@ cp -p %{SOURCE20} . %convert_certdata %{SOURCE21} %convert_certdata %{SOURCE23} +%convert_certdata %{SOURCE24} #manpage cp %{SOURCE10} %{name}/update-ca-trust.8.txt @@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README # Microsoft certs %install_bundles %{SOURCE23} %{p11_format_microsoft_bundle} +# Distrusted certs +%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle} + # TODO: consider to dynamically create the update-ca-trust script from within # this .spec file, in order to have the output file+directory names at once place only. install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust @@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle} %files +%defattr(-,root,root) # Microsoft certs bundle file with trust %{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle} %files base +%defattr(-,root,root) %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle} %files shared +%defattr(-,root,root) %license LICENSE # symlinks for old locations @@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %dir %{pkidir}/tls %dir %{pkidir}/tls/certs +# Distrusted CAs +%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle} + %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem 
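Review bot: The distrusted bundle is installed only as a p11-kit trust source (`%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}`), and nothing in the visible hunks says which consumers will actually honour it. As far as I know a distrust entry is enforced by clients that read trust through p11-kit, while extracted PEM bundles such as `tls-ca-bundle.pem` list anchors only and cannot express a block on a leaf certificate, so clients that read only those files may be unaffected. That is worth confirming and recording next to the `# Distrusted certs` comment, e.g. `# Enforced only for consumers reading trust via p11-kit; extracted PEM bundles cannot carry distrust.` The context comment above `Epoch` also requires the `prebuilt-ca-certificates*` packages to follow this Release bump; that change is not visible in this part of the diff.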
@@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %ghost %{catrustdir}/extracted/edk2/cacerts.bin %files tools +%defattr(-,root,root) # update/extract tool %{_bindir}/update-ca-trust %{_mandir}/man8/update-ca-trust.8.gz %files legacy +%defattr(-,root,root) %{_bindir}/bundle2pem.sh %changelog +* Wed Dec 11 2024 Pawel Winogrodzki - 2.0.0-19 +- Update adding Microsoft distrusted CAs. +- Explicitly set default file ownership to root:root. + * Fri Aug 09 2024 CBL-Mariner Servicing Account - 2.0.0-18 - Updating Microsoft trusted root CAs. diff --git a/SPECS/ca-certificates/certdata.distrusted.txt b/SPECS/ca-certificates/certdata.distrusted.txt new file mode 100644 index 00000000000..913d0e76496 --- /dev/null +++ b/SPECS/ca-certificates/certdata.distrusted.txt 
@@ -0,0 +1,302 @@ +# Release: December 2024 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# certdata.txt +# +# This file contains the object definitions for the certs and other +# information "built into" NSS. +# +# Object definitions: +# +# Certificates +# +# -- Attribute -- -- type -- -- value -- +# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +# CKA_TOKEN CK_BBOOL CK_TRUE +# CKA_PRIVATE CK_BBOOL CK_FALSE +# CKA_MODIFIABLE CK_BBOOL CK_FALSE +# CKA_LABEL UTF8 (varies) +# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +# CKA_SUBJECT DER+base64 (varies) +# CKA_ID byte array (varies) +# CKA_ISSUER DER+base64 (varies) +# CKA_SERIAL_NUMBER DER+base64 (varies) +# CKA_VALUE DER+base64 (varies) +# CKA_NSS_EMAIL ASCII7 (unused here) +# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies) +# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies) +# +# Trust +# +# -- Attribute -- -- type -- -- value -- +# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST +# CKA_TOKEN CK_BBOOL CK_TRUE +# CKA_PRIVATE CK_BBOOL CK_FALSE +# CKA_MODIFIABLE CK_BBOOL CK_FALSE +# CKA_LABEL UTF8 (varies) +# CKA_ISSUER DER+base64 (varies) +# CKA_SERIAL_NUMBER DER+base64 (varies) +# CKA_CERT_HASH binary+base64 (varies) +# CKA_EXPIRES CK_DATE (not used here) +# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies) +# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies) +# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies) +# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies) +# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies) +# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies) +# CKA_TRUST_CRL_SIGN CK_TRUST (varies) +# CKA_TRUST_SERVER_AUTH CK_TRUST (varies) +# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies) +# CKA_TRUST_CODE_SIGNING CK_TRUST (varies) +# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies) +# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies) +# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies) +# CKA_TRUST_IPSEC_USER 
CK_TRUST (varies) +# CKA_TRUST_TIME_STAMPING CK_TRUST (varies) +# CKA_TRUST_STEP_UP_APPROVED CK_BBOOL (varies) +# (other trust attributes can be defined) +# + +# +# The object to tell NSS that this is a root list and we don't +# have to go looking for others. +# +BEGINDATA +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Microsoft Builtin Distrusted Certificates" + +# +# Certificate "google.com" +# +# Issuer: CN=AC Certisign ICP-Brasil SSL EV G4,OU=Autoridade Certificadora Raiz Brasileira v10,O=ICP-Brasil,C=BR +# Serial Number:28:85:34:47:39:1a:72:1e:76:94:85:49:4e:73:57:52 +# Subject: CN=google.com,UID=b27bb194-0258-47ac-acba-c6f06f39787c,OID.2.5.4.97=OFBBR-ef0d9576-f46c-4c95-b690-e882e0b49bc0,L=Sao Paulo,ST=SP,O=GOOGLE PAY BRASIL INSTITUICAO DE PAGAMENTO LTDA,C=BR,serialNumber=43394419000188,incorporationCountry=BR,businessCategory=Private Organization +# Not Valid Before: Thu Nov 28 21:19:48 2024 +# Not Valid After : Fri Nov 28 21:19:48 2025 +# Fingerprint (SHA-256): 42:13:29:F0:DC:2F:68:3D:6E:96:C1:B5:B3:10:97:4D:09:97:AD:98:4E:F6:91:20:F5:53:72:B4:F4:8E:10:37 +# Fingerprint (SHA1): 1C:68:E6:97:AB:50:91:FE:76:16:D5:2F:A0:36:02:5C:47:43:BB:73 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "google.com" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\202\001\065\061\035\060\033\006\003\125\004\017\014\024\120 +\162\151\166\141\164\145\040\117\162\147\141\156\151\172\141\164 +\151\157\156\061\023\060\021\006\013\053\006\001\004\001\202\067 +\074\002\001\003\023\002\102\122\061\027\060\025\006\003\125\004 +\005\023\016\064\063\063\071\064\064\061\071\060\060\060\061\070 +\070\061\013\060\011\006\003\125\004\006\023\002\102\122\061\070 +\060\066\006\003\125\004\012\014\057\107\117\117\107\114\105\040 
+\120\101\131\040\102\122\101\123\111\114\040\111\116\123\124\111 +\124\125\111\103\101\117\040\104\105\040\120\101\107\101\115\105 +\116\124\117\040\114\124\104\101\061\013\060\011\006\003\125\004 +\010\014\002\123\120\061\022\060\020\006\003\125\004\007\014\011 +\123\141\157\040\120\141\165\154\157\061\063\060\061\006\003\125 +\004\141\014\052\117\106\102\102\122\055\145\146\060\144\071\065 +\067\066\055\146\064\066\143\055\064\143\071\065\055\142\066\071 +\060\055\145\070\070\062\145\060\142\064\071\142\143\060\061\064 +\060\062\006\012\011\222\046\211\223\362\054\144\001\001\014\044 +\142\062\067\142\142\061\071\064\055\060\062\065\070\055\064\067 +\141\143\055\141\143\142\141\055\143\066\146\060\066\146\063\071 +\067\070\067\143\061\023\060\021\006\003\125\004\003\014\012\147 +\157\157\147\154\145\056\143\157\155 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\205\061\013\060\011\006\003\125\004\006\023\002\102\122 +\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102 +\162\141\163\151\154\061\065\060\063\006\003\125\004\013\023\054 +\101\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151 +\146\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162 +\141\163\151\154\145\151\162\141\040\166\061\060\061\052\060\050 +\006\003\125\004\003\023\041\101\103\040\103\145\162\164\151\163 +\151\147\156\040\111\103\120\055\102\162\141\163\151\154\040\123 +\123\114\040\105\126\040\107\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\050\205\064\107\071\032\162\036\166\224\205\111\116\163 +\127\122 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\010\001\060\202\005\351\240\003\002\001\002\002\020\050 +\205\064\107\071\032\162\036\166\224\205\111\116\163\127\122\060 +\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201 +\205\061\013\060\011\006\003\125\004\006\023\002\102\122\061\023 +\060\021\006\003\125\004\012\023\012\111\103\120\055\102\162\141 +\163\151\154\061\065\060\063\006\003\125\004\013\023\054\101\165 
+\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146\151 +\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141\163 +\151\154\145\151\162\141\040\166\061\060\061\052\060\050\006\003 +\125\004\003\023\041\101\103\040\103\145\162\164\151\163\151\147 +\156\040\111\103\120\055\102\162\141\163\151\154\040\123\123\114 +\040\105\126\040\107\064\060\036\027\015\062\064\061\061\062\070 +\062\061\061\071\064\070\132\027\015\062\065\061\061\062\070\062 +\061\061\071\064\070\132\060\202\001\065\061\035\060\033\006\003 +\125\004\017\014\024\120\162\151\166\141\164\145\040\117\162\147 +\141\156\151\172\141\164\151\157\156\061\023\060\021\006\013\053 +\006\001\004\001\202\067\074\002\001\003\023\002\102\122\061\027 +\060\025\006\003\125\004\005\023\016\064\063\063\071\064\064\061 +\071\060\060\060\061\070\070\061\013\060\011\006\003\125\004\006 +\023\002\102\122\061\070\060\066\006\003\125\004\012\014\057\107 +\117\117\107\114\105\040\120\101\131\040\102\122\101\123\111\114 +\040\111\116\123\124\111\124\125\111\103\101\117\040\104\105\040 +\120\101\107\101\115\105\116\124\117\040\114\124\104\101\061\013 +\060\011\006\003\125\004\010\014\002\123\120\061\022\060\020\006 +\003\125\004\007\014\011\123\141\157\040\120\141\165\154\157\061 +\063\060\061\006\003\125\004\141\014\052\117\106\102\102\122\055 +\145\146\060\144\071\065\067\066\055\146\064\066\143\055\064\143 +\071\065\055\142\066\071\060\055\145\070\070\062\145\060\142\064 +\071\142\143\060\061\064\060\062\006\012\011\222\046\211\223\362 +\054\144\001\001\014\044\142\062\067\142\142\061\071\064\055\060 +\062\065\070\055\064\067\141\143\055\141\143\142\141\055\143\066 +\146\060\066\146\063\071\067\070\067\143\061\023\060\021\006\003 +\125\004\003\014\012\147\157\157\147\154\145\056\143\157\155\060 +\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 +\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 +\245\071\062\166\146\112\020\362\222\260\147\320\324\326\000\245 
+\162\170\155\042\014\366\350\006\234\273\346\243\106\262\207\204 +\365\316\016\143\113\113\351\240\024\326\123\263\340\043\116\355 +\201\352\030\177\366\120\142\300\126\373\004\303\011\033\263\025 +\110\177\001\170\272\370\214\026\336\360\057\320\301\103\271\005 +\336\135\034\023\341\103\247\050\130\355\027\324\072\376\174\222 +\360\006\062\201\354\321\230\061\114\025\072\162\013\314\154\030 +\230\241\170\130\202\215\017\366\016\110\003\325\202\331\300\376 +\236\320\033\267\330\334\217\332\331\107\030\277\212\346\126\160 +\310\326\015\051\365\172\366\252\230\347\322\005\307\135\351\037 +\312\236\236\377\176\217\070\203\262\003\026\025\272\170\136\271 +\044\126\313\012\217\257\006\311\057\321\275\055\302\201\124\130 +\042\132\315\142\113\221\247\012\167\301\152\276\254\274\344\163 +\206\013\020\217\110\141\263\046\133\164\110\004\207\122\145\373 +\151\241\005\022\012\373\335\137\226\323\165\051\047\256\316\236 +\250\021\054\170\147\214\275\125\374\300\152\224\353\165\217\131 +\002\003\001\000\001\243\202\002\270\060\202\002\264\060\030\006 +\003\125\035\021\001\001\377\004\016\060\014\202\012\147\157\157 +\147\154\145\056\143\157\155\060\011\006\003\125\035\023\004\002 +\060\000\060\037\006\003\125\035\043\004\030\060\026\200\024\027 +\111\323\106\270\151\244\056\077\011\203\116\024\215\111\076\220 +\325\014\050\060\201\232\006\003\125\035\040\004\201\222\060\201 +\217\060\201\202\006\006\140\114\001\002\001\152\060\170\060\166 +\006\010\053\006\001\005\005\007\002\001\026\152\150\164\164\160 +\072\057\057\151\143\160\055\142\162\141\163\151\154\056\143\145 +\162\164\151\163\151\147\156\056\143\157\155\056\142\162\057\162 +\145\160\157\163\151\164\157\162\151\157\057\144\160\143\057\141 +\143\137\143\145\162\164\151\163\151\147\156\137\151\143\160\137 +\142\162\137\163\163\154\057\104\120\103\137\101\103\137\103\145 +\162\164\151\163\151\147\156\137\111\143\160\137\102\162\137\123 +\163\154\056\160\144\146\060\010\006\006\147\201\014\001\002\002 
+\060\201\312\006\003\125\035\037\004\201\302\060\201\277\060\136 +\240\134\240\132\206\130\150\164\164\160\072\057\057\151\143\160 +\055\142\162\141\163\151\154\056\143\145\162\164\151\163\151\147 +\156\056\143\157\155\056\142\162\057\162\145\160\157\163\151\164 +\157\162\151\157\057\154\143\162\057\101\103\103\145\162\164\151 +\163\151\147\156\111\103\120\102\122\123\123\114\105\126\107\064 +\057\114\141\164\145\163\164\103\122\114\056\143\162\154\060\135 +\240\133\240\131\206\127\150\164\164\160\072\057\057\151\143\160 +\055\142\162\141\163\151\154\056\157\165\164\162\141\154\143\162 +\056\143\157\155\056\142\162\057\162\145\160\157\163\151\164\157 +\162\151\157\057\154\143\162\057\101\103\103\145\162\164\151\163 +\151\147\156\111\103\120\102\122\123\123\114\105\126\107\064\057 +\114\141\164\145\163\164\103\122\114\056\143\162\154\060\016\006 +\003\125\035\017\001\001\377\004\004\003\002\003\250\060\035\006 +\003\125\035\045\004\026\060\024\006\010\053\006\001\005\005\007 +\003\001\006\010\053\006\001\005\005\007\003\002\060\023\006\012 +\053\006\001\004\001\326\171\002\004\003\001\001\377\004\002\005 +\000\060\201\275\006\010\053\006\001\005\005\007\001\001\004\201 +\260\060\201\255\060\151\006\010\053\006\001\005\005\007\060\002 +\206\135\150\164\164\160\072\057\057\151\143\160\055\142\162\141 +\163\151\154\056\143\145\162\164\151\163\151\147\156\056\143\157 +\155\056\142\162\057\162\145\160\157\163\151\164\157\162\151\157 +\057\143\145\162\164\151\146\151\143\141\144\157\163\057\101\103 +\137\103\145\162\164\151\163\151\147\156\137\111\143\160\137\102 +\162\137\123\163\154\137\105\126\137\107\064\056\160\067\143\060 +\100\006\010\053\006\001\005\005\007\060\001\206\064\150\164\164 +\160\072\057\057\157\143\163\160\055\141\143\055\143\145\162\164 +\151\163\151\147\156\055\151\143\160\055\142\162\055\163\163\154 +\056\143\145\162\164\151\163\151\147\156\056\143\157\155\056\142 +\162\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000 
+\003\202\002\001\000\004\277\164\275\336\224\331\155\317\017\142 +\333\066\327\114\036\123\143\176\215\160\003\240\323\006\373\365 +\167\164\071\324\202\171\354\345\013\353\226\072\237\323\247\366 +\271\247\132\155\174\371\260\177\135\207\024\165\006\057\263\077 +\160\345\152\161\147\363\344\255\257\115\172\163\033\154\164\354 +\344\304\061\003\030\275\234\022\233\223\053\021\073\364\221\165 +\160\055\102\341\220\147\212\270\007\064\347\165\346\020\170\137 +\001\301\316\344\226\363\337\263\307\302\004\333\110\224\200\320 +\352\261\025\020\211\034\317\151\256\172\161\207\032\063\050\117 +\300\232\310\161\146\345\321\007\267\323\320\035\127\002\273\173 +\131\016\216\076\155\115\044\146\112\245\154\360\264\244\356\312 +\050\213\212\270\111\211\206\146\233\013\160\027\260\075\217\022 +\360\241\202\146\334\052\053\314\363\150\240\055\363\122\341\116 +\162\052\075\357\317\137\311\045\005\262\133\046\055\247\332\062 +\377\250\105\167\142\023\333\014\142\240\133\271\346\160\313\001 +\007\332\010\105\114\354\326\061\110\110\164\106\220\340\302\270 +\231\034\204\021\027\341\336\266\037\320\275\366\247\206\333\336 +\120\347\244\215\210\141\141\106\146\070\300\253\260\320\220\326 +\245\307\041\351\224\320\063\071\110\345\052\042\254\163\164\205 +\242\067\151\350\036\302\102\130\346\211\372\151\262\305\002\213 +\203\200\230\261\344\051\153\361\103\323\353\062\365\150\122\052 +\167\301\250\367\375\266\337\130\107\336\106\302\044\261\136\025 +\024\073\255\246\116\242\351\241\011\113\326\051\105\332\143\216 +\041\201\017\276\036\222\150\134\235\033\130\215\031\016\025\322 +\310\337\152\331\232\214\341\060\243\114\175\074\303\132\250\053 +\333\021\267\140\135\231\223\003\335\056\241\062\176\313\134\305 +\114\114\100\377\066\116\252\160\037\027\322\121\305\277\344\105 +\111\036\012\031\346\335\247\203\043\132\351\355\150\076\022\153 +\155\110\337\121\224\002\112\337\374\023\040\307\113\024\077\154 +\364\153\003\136\374\242\242\164\321\300\100\324\211\367\307\146 
+\005\331\230\314\124\045\273\245\306\024\036\224\214\100\075\215 +\104\265\367\204\063\367\037\075\221\056\263\325\023\135\313\040 +\173\136\210\017\230 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "google.com" +# Issuer: CN=AC Certisign ICP-Brasil SSL EV G4,OU=Autoridade Certificadora Raiz Brasileira v10,O=ICP-Brasil,C=BR +# Serial Number:28:85:34:47:39:1a:72:1e:76:94:85:49:4e:73:57:52 +# Subject: CN=google.com,UID=b27bb194-0258-47ac-acba-c6f06f39787c,OID.2.5.4.97=OFBBR-ef0d9576-f46c-4c95-b690-e882e0b49bc0,L=Sao Paulo,ST=SP,O=GOOGLE PAY BRASIL INSTITUICAO DE PAGAMENTO LTDA,C=BR,serialNumber=43394419000188,incorporationCountry=BR,businessCategory=Private Organization +# Not Valid Before: Thu Nov 28 21:19:48 2024 +# Not Valid After : Fri Nov 28 21:19:48 2025 +# Fingerprint (SHA-256): 42:13:29:F0:DC:2F:68:3D:6E:96:C1:B5:B3:10:97:4D:09:97:AD:98:4E:F6:91:20:F5:53:72:B4:F4:8E:10:37 +# Fingerprint (SHA1): 1C:68:E6:97:AB:50:91:FE:76:16:D5:2F:A0:36:02:5C:47:43:BB:73 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "google.com" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\034\150\346\227\253\120\221\376\166\026\325\057\240\066\002\134 +\107\103\273\163 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\016\067\034\146\242\243\030\173\162\334\023\136\201\340\143\150 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\205\061\013\060\011\006\003\125\004\006\023\002\102\122 +\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102 +\162\141\163\151\154\061\065\060\063\006\003\125\004\013\023\054 +\101\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151 +\146\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162 +\141\163\151\154\145\151\162\141\040\166\061\060\061\052\060\050 +\006\003\125\004\003\023\041\101\103\040\103\145\162\164\151\163 
+\151\147\156\040\111\103\120\055\102\162\141\163\151\154\040\123 +\123\114\040\105\126\040\107\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\050\205\064\107\071\032\162\036\166\224\205\111\116\163 +\127\122 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE \ No newline at end of file diff --git a/SPECS/cloud-init/cloud-init.signatures.json b/SPECS/cloud-init/cloud-init.signatures.json index 0a4179948c9..816bf9f2cab 100644 --- a/SPECS/cloud-init/cloud-init.signatures.json +++ b/SPECS/cloud-init/cloud-init.signatures.json @@ -1,6 +1,7 @@ { "Signatures": { "10-azure-kvp.cfg": "79e0370c010be5cd4717960e4b414570c9ec6e6d29aede77ccecc43d2b03bb9a", - "cloud-init-23.3.tar.gz": "1a5a54369f78891b79f43061c1ff0fb31e2bd74ff9527d7150ddd6517c3e2b07" + "cloud-init-23.3.tar.gz": "1a5a54369f78891b79f43061c1ff0fb31e2bd74ff9527d7150ddd6517c3e2b07", + "module-setup.sh": "aee825f849ce35a5a178cf095c2b9c46e586d50082f681d7f8d2c5d769c2f592" } } diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index 04e50b4f6a8..7ffd74c0f7c 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -5,7 +5,7 @@ Summary: Cloud instance init scripts Name: cloud-init Epoch: 1 Version: %{package_version} -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -13,6 +13,8 @@ Group: System Environment/Base URL: https://launchpad.net/cloud-init Source0: https://launchpad.net/cloud-init/trunk/%{upstream_version_group}/+download/%{name}-%{version}.tar.gz Source1: 10-azure-kvp.cfg +# This script is to prevent an intermittent issue where ephemeral disk not being formatted by cloud-init on Azure +Source2: module-setup.sh Patch0: overrideDatasourceDetection.patch Patch1: exec_cmd_error_handling.patch Patch2: Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch @@ -43,6 +45,7 @@ BuildRequires: python3-xml BuildRequires: systemd BuildRequires: systemd-devel Requires: dhcp-client +Requires: dracut Requires: e2fsprogs Requires: iproute Requires: net-tools @@ -106,6 +109,9 @@ mkdir -p %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg.d install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg.d/ +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99azure-cloud/ +install -m 755 %{SOURCE2} %{buildroot}%{_prefix}/lib/dracut/modules.d/99azure-cloud/module-setup.sh + %check touch vd ud @@ -150,11 +156,16 @@ make check %{?_smp_mflags} %{_systemdgeneratordir}/cloud-init-generator /usr/lib/udev/rules.d/66-azure-ephemeral.rules %{_datadir}/bash-completion/completions/cloud-init +%dir %attr(0700, root, root) %{_prefix}/lib/dracut/modules.d/99azure-cloud +%{_prefix}/lib/dracut/modules.d/99azure-cloud/module-setup.sh %files azure-kvp %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg %changelog +* Tue Dec 10 2024 Minghe Ren - 1:23.3-6 +- Add module-setup.sh to prevent an intermittent issue where ephemeral disk not being formatted on Azure + * Fri Sep 13 2024 Minghe Ren - 1:23.3-5 - Add patche to have PPS support for azure-proxy-agent. diff --git a/SPECS/cloud-init/module-setup.sh b/SPECS/cloud-init/module-setup.sh new file mode 100644 index 00000000000..e1401a6ad15 --- /dev/null +++ b/SPECS/cloud-init/module-setup.sh 
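Review bot: In the `%files` hunk the new directory is packaged as `%dir %attr(0700, root, root)`, while the `%install` hunk installs `module-setup.sh` inside it with mode 755, so the two permissions disagree and the script's 755 only matters to root. If root-only access is intended, say so in a comment next to the `%dir` line; otherwise a plain `%dir %{_prefix}/lib/dracut/modules.d/99azure-cloud` keeps whatever mode `mkdir -p` gave the directory in the buildroot (typically 755). Separately, nothing in the visible hunks regenerates the initramfs after install. Whether existing systems pick up the new module on upgrade depends on scriptlets or triggers outside this diff, which is worth confirming.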
@@ -0,0 +1,15 @@ +#!/usr/bin/bash +# called by dracut +check() { + return 0 +} +# called by dracut +depends() { + return 0 +} +# called by dracut to make sure 66-azure-ephemeral.rules is installed +install() { + inst_multiple cut readlink + inst_rules 66-azure-ephemeral.rules +} + diff --git a/SPECS/dbus/dbus.spec b/SPECS/dbus/dbus.spec index 546034cf550..2c419a09b2a 100644 --- a/SPECS/dbus/dbus.spec +++ b/SPECS/dbus/dbus.spec @@ -2,7 +2,7 @@ Summary: DBus for systemd Name: dbus Version: 1.15.6 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ OR AFL Vendor: Microsoft Corporation Distribution: Mariner @@ -23,7 +23,8 @@ Recommends: systemd Provides: dbus-libs = %{version}-%{release} # NOTE: We currently do not build with X11 support. # build with X11 support in the future. -Provides: %{name}-x11 +Provides: %{name}-x11 = %{version}-%{release} +Obsoletes: %{name}-x11 <= 1.14.0-1%{?dist} %description The dbus package contains dbus. @@ -86,6 +87,9 @@ make %{?_smp_mflags} check %{_libdir}/*.so %changelog +* Mon Dec 23 2024 Pawel Winogrodzki - 1.15.6-2 +- Obsolete older 'dbus-x11'. + * Thu Dec 28 2023 Neha Agarwal - 1.15.6-1 - Update to v1.15.6 to fix CVE-2023-34969 diff --git a/SPECS/iperf3/iperf3.signatures.json b/SPECS/iperf3/iperf3.signatures.json index 41945ca1cf0..9b3d0c2df02 100644 --- a/SPECS/iperf3/iperf3.signatures.json +++ b/SPECS/iperf3/iperf3.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "iperf3-3.17.tar.gz": "0d88489d1730e1161b61ce9b4c5f0943eb31232a78c771566f03b38152aff4ba" - } -} \ No newline at end of file + "Signatures": { + "iperf3-3.18.tar.gz": "ef9ffabf16926701a11c9b7e95dccdf64ff304b7b20dcb6f28aed06b240b7e99" + } +} diff --git a/SPECS/iperf3/iperf3.spec b/SPECS/iperf3/iperf3.spec index c33dc2dd62b..51d31d29fd7 100644 --- a/SPECS/iperf3/iperf3.spec +++ b/SPECS/iperf3/iperf3.spec 
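Review bot: `check()` returns 0 unconditionally, which in dracut means the module is included in every initramfs built on a host that has cloud-init installed, not only on Azure guests. If it is needed only where the Azure ephemeral-disk rule applies, consider gating it, or returning 255 so it is included only when another module asks for it, and record the choice in the comment above `check()`. The `install()` comment also does not say why `cut` and `readlink` are pulled in; a line such as `# 66-azure-ephemeral.rules calls cut and readlink` would help, assuming that is the reason.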
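Review bot: The added `Obsoletes: %{name}-x11 <= 1.14.0-1%{?dist}` puts the dist tag into the upper bound, so the comparison depends on how `%{?dist}` expands at build time. An installed `dbus-x11` with a higher release of 1.14.0 (a `-2` rebuild, for example) would not be obsoleted. If 1.14.0-1 is not known to be the last separately shipped build, `Obsoletes: %{name}-x11 < %{version}-%{release}` is the more common form and pairs with the versioned `Provides` added on the line above. The context comment `# build with X11 support in the future.` reads as a leftover fragment and could be tidied in the same change.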
@@ -1,6 +1,6 @@ Summary: A network performance benchmark tool. Name: iperf3 -Version: 3.17 +Version: 3.18 Release: 1%{?dist} License: BSD and MIT and Public Domain Vendor: Microsoft Corporation @@ -66,6 +66,9 @@ make %{?_smp_mflags} check %{_mandir}/man3/libiperf.3.gz %changelog +* Sun Dec 22 2024 CBL-Mariner Servicing Account - 3.18-1 +- Auto-upgrade to 3.18 - CVE-2024-53580 + * Thu May 16 2024 Muhammad Falak - 3.17-1 - Bump version to 3.17 to address CVE-2024-26306 diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index 6d76665a49e..6550494897b 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 2.0 -Release: 69%{?dist} +Release: 70%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -62,6 +62,9 @@ EOF %config(noreplace) %{_sysconfdir}/issue.net %changelog +* Sat Dec 21 2024 Jon Slobodzian - 2.0-70 +- Bump release for January 2025 Update + * Fri Nov 22 2024 CBL-Mariner Servicing Account - 2.0-69 - Bump release for December 2024 Update diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 81407afb0f4..0e69c6b933e 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -29,7 +29,6 @@ Patch9: CVE-2024-36623.patch Patch10: CVE-2024-45337.patch Patch11: CVE-2024-24786.patch - %{?systemd_requires} BuildRequires: bash diff --git a/SPECS/msft-golang/msft-golang.signatures.json b/SPECS/msft-golang/msft-golang.signatures.json index d92ca320b25..5f7c3962023 100644 --- a/SPECS/msft-golang/msft-golang.signatures.json +++ b/SPECS/msft-golang/msft-golang.signatures.json 
@@ -2,7 +2,7 @@ "Signatures": { "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95", "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd", - "go1.22.8-20241001.6.src.tar.gz": "549a43643849c73ffd8579d63e2e3488428f0a4c436169abe02be01a3dbd41c8", + "go1.22.10-20241203.4.src.tar.gz": "3a6318a0ff28798a1b1797b8d22c4f9604cae2088000c39a6875b2598ec4ab22", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } \ No newline at end of file diff --git a/SPECS/msft-golang/msft-golang.spec b/SPECS/msft-golang/msft-golang.spec index 6921a3af739..938d75c839a 100644 --- a/SPECS/msft-golang/msft-golang.spec +++ b/SPECS/msft-golang/msft-golang.spec @@ -1,7 +1,8 @@ %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode -%global ms_go_filename go1.22.8-20241001.6.src.tar.gz +%global ms_go_filename go1.22.10-20241203.4.src.tar.gz %global ms_go_revision 1 +%global go_priority %(echo %{version}.%{ms_go_revision} | tr -d .) %ifarch aarch64 %global gohostarch arm64 %else @@ -14,7 +15,7 @@ %define __find_requires %{nil} Summary: Go Name: msft-golang -Version: 1.22.8 +Version: 1.22.10 Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation @@ -153,6 +154,9 @@ fi %{_bindir}/* %changelog +* Mon Jan 06 2025 Riken Maharjan - 1.22.10-1 +- Bump version to 1.22.10-1 + * Thu Oct 24 2024 CBL-Mariner Servicing Account - 1.22.8-1 - Auto-upgrade to 1.22.8 - To fix CVE-2022-41717 diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec index 2568cedf98b..552db691b29 100644 --- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec +++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec 
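Review bot: The new `%global go_priority %(echo %{version}.%{ms_go_revision} | tr -d .)` sits above the `Version:` tag, and `%global` expands its body at the point of definition. If `%{version}` is not yet set there, the shell receives the literal macro text and the dots of the real version are never stripped. Defining it lazily with `%define go_priority %(echo %{version}.%{ms_go_revision} | tr -d .)`, or moving the line below `Version:`, avoids that. The macro's consumer is outside the visible hunks, so check that it receives the integer it expects.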
@@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates-base # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: 2.0.0 -Release: 18%{?dist} +Release: 19%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -46,6 +46,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Wed Dec 11 2024 Pawel Winogrodzki - 2.0.0-19 +- Update adding Microsoft distrusted CAs. + * Fri Aug 09 2024 CBL-Mariner Servicing Account - 2.0.0-18 - Making 'Release' match with 'ca-certificates' diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec index 95902457b19..b004b5486fd 100644 --- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec +++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: 2.0.0 -Release: 18%{?dist} +Release: 19%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -49,6 +49,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Wed Dec 11 2024 Pawel Winogrodzki - 2.0.0-19 +- Update adding Microsoft distrusted CAs. + * Fri Aug 09 2024 CBL-Mariner Servicing Account - 2.0.0-18 - Making 'Release' match with 'ca-certificates' diff --git a/SPECS/socat/CVE-2024-54661.patch b/SPECS/socat/CVE-2024-54661.patch new file mode 100644 index 00000000000..33c0f20e99e --- /dev/null +++ b/SPECS/socat/CVE-2024-54661.patch 
@@ -0,0 +1,37 @@
+From be474a81dc2d9010ac16f9690f97cf7ff68b36d7 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani
+Date: Sun, 29 Dec 2024 17:47:45 +0530
+Subject: [PATCH] CVE-2024-54661: Arbitrary file overwrite in readline.sh
+
+Link: https://repo.or.cz/socat.git/commit/4ee1f31cf80019c5907876576d6dfd49368d660f
+Author: Gerhard Rieger
+Signed-off-by: Muhammad Falak R Wani
+---
+ readline.sh | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/readline.sh b/readline.sh
+index b6f8438..1045303 100755
+--- a/readline.sh
++++ b/readline.sh
+@@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
+ else
+ HISTOPT=
+ fi
+-mkdir -p /tmp/$USER || exit 1
+ #
+ #
+
+-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
++if test -w .; then
++ STDERR=./socat-readline.${1##*/}.log
++ rm -f $STDERR
++else
++ STDERR=/dev/null
++fi
++
++exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
+
+--
+2.40.1
+
diff --git a/SPECS/socat/socat.spec b/SPECS/socat/socat.spec
index f6902ed92ab..2c1e8e6d5c7 100644
--- a/SPECS/socat/socat.spec
+++ b/SPECS/socat/socat.spec
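Review bot: The replacement log path in the embedded `readline.sh` hunk is still a predictable name, `./socat-readline.${1##*/}.log`, and `rm -f $STDERR` followed by the `2>$STDERR` redirect leaves a gap between removal and creation. When the script is started from a directory other users can write to (the `test -w .` branch is taken there as well), the link-following overwrite is narrowed rather than closed. The change appears to mirror the upstream commit linked in the patch header, so this is a residual of the upstream fix and worth recording in the spec changelog or a comment. `$STDERR` is also unquoted in both places, so a program name containing whitespace splits the path; `rm -f "$STDERR"` and `2>"$STDERR"` would fix that.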
@@ -1,19 +1,20 @@ Summary: Multipurpose relay (SOcket CAT) Name: socat Version: 1.7.4.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL2 Vendor: Microsoft Corporation Distribution: Mariner Group: Applications/Internet URL: http://www.dest-unreach.org/socat Source0: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz +Patch0: CVE-2024-54661.patch %description Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes. %prep -%setup -q +%autosetup -p1 %build ./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir} @@ -36,6 +37,9 @@ make %{?_smp_mflags} test %{_mandir}/man1/* %changelog +* Sun Dec 29 2024 Muhammad Falak - 1.7.4.3-2 +- Patch CVE-2024-54661 + * Mon Jan 24 2022 Neha Agarwal - 1.7.4.3-1 - Update to version 1.7.4.3. diff --git a/SPECS/telegraf/CVE-2024-45337.patch b/SPECS/telegraf/CVE-2024-45337.patch new file mode 100644 index 00000000000..1c99f069547 --- /dev/null +++ b/SPECS/telegraf/CVE-2024-45337.patch 
@@ -0,0 +1,79 @@
+From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Tue, 3 Dec 2024 09:03:03 -0800
+Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
+
+Users of the the ssh package seem to extremely commonly misuse the
+PublicKeyCallback API, assuming that the key passed in the last call
+before a connection is established is the key used for authentication.
+Some users then make authorization decisions based on this key. This
+property is not documented, and may not be correct, due to the caching
+behavior of the package, resulting in users making incorrect
+authorization decisions about the connection.
+
+This change makes the cache a one entry FIFO cache, making the assumed
+property, that the last call to PublicKeyCallback represents the key
+actually used for authentication, actually hold.
+
+Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
+Jules Duvivier from the Platform.sh / Upsun engineering team
+for reporting this issue.
+
+Fixes golang/go#70779
+Fixes CVE-2024-45337
+
+Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
+Reviewed-by: Roland Shoemaker
+Auto-Submit: Gopher Robot
+Reviewed-by: Damien Neil
+Reviewed-by: Nicola Murino
+LUCI-TryBot-Result: Go LUCI
+---
+ vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
+index c2dfe326..39dcc095 100644
+--- a/vendor/golang.org/x/crypto/ssh/server.go
++++ b/vendor/golang.org/x/crypto/ssh/server.go
+@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
+ }
+
+ // cachedPubKey contains the results of querying whether a public key is
+-// acceptable for a user.
++// acceptable for a user. This is a FIFO cache.
+ type cachedPubKey struct {
+ user string
+ pubKeyData []byte
+@@ -157,7 +157,13 @@ type cachedPubKey struct {
+ perms *Permissions
+ }
+
+-const maxCachedPubKeys = 16
++// maxCachedPubKeys is the number of cache entries we store.
++//
++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
++// to 1, such that the only key in the cache is the most recently seen one. This
++// forces the behavior that the last call to PublicKeyCallback will always be
++// with the key that is used for authentication.
++const maxCachedPubKeys = 1
+
+ // pubKeyCache caches tests for public keys. Since SSH clients
+ // will query whether a public key is acceptable before attempting to
+@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
+
+ // add adds the given tuple to the cache.
+ func (c *pubKeyCache) add(candidate cachedPubKey) {
+- if len(c.keys) < maxCachedPubKeys {
+- c.keys = append(c.keys, candidate)
++ if len(c.keys) >= maxCachedPubKeys {
++ c.keys = c.keys[1:]
+ }
++ c.keys = append(c.keys, candidate)
+ }
+
+ // ServerConn is an authenticated SSH connection, as seen from the
+--
+2.25.1
+
diff --git a/SPECS/telegraf/CVE-2024-45338.patch b/SPECS/telegraf/CVE-2024-45338.patch
new file mode 100644
index 00000000000..f091755ef68
--- /dev/null
+++ b/SPECS/telegraf/CVE-2024-45338.patch
@@ -0,0 +1,80 @@ +From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 04 Dec 2024 09:35:55 -0800 +Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves + +Instead of using strings.ToLower and == to check case insensitive +equality, just use strings.EqualFold, even when the strings are only +ASCII. This prevents us unnecessarily lowering extremely long strings, +which can be a somewhat expensive operation, even if we're only +attempting to compare equality with five characters. + +Thanks to Guido Vranken for reporting this issue. + +Fixes golang/go#70906 +Fixes CVE-2024-45338 + +Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 +Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a9..bca3ae9a 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9dc..e8515d8e 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == 
"annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89eda..5b8374bf 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.25.1 + diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index 2a71676daa0..456d9d9e5a6 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.29.4 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -17,6 +17,8 @@ Patch3: CVE-2024-35255.patch Patch4: CVE-2024-37298.patch Patch5: CVE-2024-24786.patch Patch6: CVE-2024-28180.patch +Patch7: CVE-2024-45337.patch +Patch8: CVE-2024-45338.patch BuildRequires: golang BuildRequires: iana-etc BuildRequires: systemd-devel 
@@ -87,6 +89,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Mon Jan 06 2025 Sumedh Sharma - 1.29.4-10 +- Add patch for CVE-2024-45337 & CVE-2024-45338. + * Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.29.4-9 - Bump release to rebuild with go 1.22.7 diff --git a/SPECS/terraform/CVE-2024-45338.patch b/SPECS/terraform/CVE-2024-45338.patch new file mode 100644 index 00000000000..c2fb46031c5 --- /dev/null +++ b/SPECS/terraform/CVE-2024-45338.patch 
@@ -0,0 +1,80 @@ +From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 04 Dec 2024 09:35:55 -0800 +Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves + +Instead of using strings.ToLower and == to check case insensitive +equality, just use strings.EqualFold, even when the strings are only +ASCII. This prevents us unnecessarily lowering extremely long strings, +which can be a somewhat expensive operation, even if we're only +attempting to compare equality with five characters. + +Thanks to Guido Vranken for reporting this issue. + +Fixes golang/go#70906 +Fixes CVE-2024-45338 + +Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 +Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == 
"annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 038941d..cb012d8 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.25.1 + diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec index bb409a78f64..71921630f92 100644 --- a/SPECS/terraform/terraform.spec +++ b/SPECS/terraform/terraform.spec @@ -1,7 +1,7 @@ Summary: Infrastructure as code deployment management tool Name: terraform Version: 1.3.2 -Release: 20%{?dist} +Release: 21%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -34,6 +34,7 @@ Patch3: CVE-2024-6104.patch Patch4: CVE-2022-32149.patch Patch5: CVE-2023-4782.patch Patch6: CVE-2024-24786.patch +Patch7: CVE-2024-45338.patch %global debug_package %{nil} %define our_gopath %{_topdir}/.gopath @@ -67,6 +68,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform %{_bindir}/terraform %changelog +* Mon Jan 06 2025 Sumedh Sharma - 1.3.2-21 +- Add patch for CVE-2024-45338 + * Wed Dec 04 2024 bhapathak - 1.3.2-20 - Patch CVE-2024-24786 
diff --git a/SPECS/tzdata/tzdata.signatures.json b/SPECS/tzdata/tzdata.signatures.json index e51cc8e0862..e34724d7988 100644 --- a/SPECS/tzdata/tzdata.signatures.json +++ b/SPECS/tzdata/tzdata.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "tzdata2024a.tar.gz": "0d0434459acbd2059a7a8da1f3304a84a86591f6ed69c6248fffa502b6edffe3" + "tzdata2024b.tar.gz": "70e754db126a8d0db3d16d6b4cb5f7ec1e04d5f261255e4558a67fe92d39e550" } -} \ No newline at end of file +} diff --git a/SPECS/tzdata/tzdata.spec b/SPECS/tzdata/tzdata.spec index 2b701feb5bc..6faf52da270 100644 --- a/SPECS/tzdata/tzdata.spec +++ b/SPECS/tzdata/tzdata.spec @@ -1,6 +1,6 @@ Summary: Time zone data Name: tzdata -Version: 2024a +Version: 2024b Release: 1%{?dist} License: Public Domain Vendor: Microsoft Corporation @@ -45,6 +45,9 @@ ln -svf %{_datarootdir}/zoneinfo/UTC %{buildroot}%{_sysconfdir}/localtime %{_datadir}/* %changelog +* Fri Sep 06 2024 CBL-Mariner Servicing Account - 2024b-1 +- Auto-upgrade to 2024b + * Fri Feb 02 2024 CBL-Mariner Servicing Account - 2024a-1 - Auto-upgrade to 2024a - upgrade to version 2024a diff --git a/cgmanifest.json b/cgmanifest.json index f87b8bfb06b..591396ed126 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -7381,8 +7381,8 @@ "type": "other", "other": { "name": "iperf3", - "version": "3.17", - "downloadUrl": "https://github.com/esnet/iperf/archive/3.17.tar.gz" + "version": "3.18", + "downloadUrl": "https://github.com/esnet/iperf/archive/3.18.tar.gz" } } }, @@ -13673,8 +13673,8 @@ "type": "other", "other": { "name": "msft-golang", - "version": "1.22.8", - "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.8-1/go1.22.8-20241001.6.src.tar.gz" + "version": "1.22.10", + "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.10-1/go1.22.10-20241203.4.src.tar.gz" } } }, 
@@ -29047,8 +29047,8 @@ "type": "other", "other": { "name": "tzdata", - "version": "2024a", - "downloadUrl": "https://data.iana.org/time-zones/releases/tzdata2024a.tar.gz" + "version": "2024b", + "downloadUrl": "https://data.iana.org/time-zones/releases/tzdata2024b.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index cb112bc938c..2f2790f20c0 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -231,10 +231,10 @@ libffi-devel-3.4.2-3.cm2.aarch64.rpm libtasn1-4.19.0-1.cm2.aarch64.rpm p11-kit-0.24.1-1.cm2.aarch64.rpm p11-kit-trust-0.24.1-1.cm2.aarch64.rpm -ca-certificates-shared-2.0.0-18.cm2.noarch.rpm -ca-certificates-tools-2.0.0-18.cm2.noarch.rpm -ca-certificates-base-2.0.0-18.cm2.noarch.rpm -ca-certificates-2.0.0-18.cm2.noarch.rpm +ca-certificates-shared-2.0.0-19.cm2.noarch.rpm +ca-certificates-tools-2.0.0-19.cm2.noarch.rpm +ca-certificates-base-2.0.0-19.cm2.noarch.rpm +ca-certificates-2.0.0-19.cm2.noarch.rpm dwz-0.14-2.cm2.aarch64.rpm unzip-6.0-21.cm2.aarch64.rpm python3-3.9.19-8.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 8b3d6af8021..dd9ea09d9a3 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -231,10 +231,10 @@ libffi-devel-3.4.2-3.cm2.x86_64.rpm libtasn1-4.19.0-1.cm2.x86_64.rpm p11-kit-0.24.1-1.cm2.x86_64.rpm p11-kit-trust-0.24.1-1.cm2.x86_64.rpm -ca-certificates-shared-2.0.0-18.cm2.noarch.rpm -ca-certificates-tools-2.0.0-18.cm2.noarch.rpm -ca-certificates-base-2.0.0-18.cm2.noarch.rpm -ca-certificates-2.0.0-18.cm2.noarch.rpm +ca-certificates-shared-2.0.0-19.cm2.noarch.rpm +ca-certificates-tools-2.0.0-19.cm2.noarch.rpm +ca-certificates-base-2.0.0-19.cm2.noarch.rpm +ca-certificates-2.0.0-19.cm2.noarch.rpm dwz-0.14-2.cm2.x86_64.rpm unzip-6.0-21.cm2.x86_64.rpm python3-3.9.19-8.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 9acc14e7493..bb8df4c1d3d 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -18,11 +18,11 @@ bzip2-1.0.8-1.cm2.aarch64.rpm bzip2-debuginfo-1.0.8-1.cm2.aarch64.rpm bzip2-devel-1.0.8-1.cm2.aarch64.rpm bzip2-libs-1.0.8-1.cm2.aarch64.rpm -ca-certificates-2.0.0-18.cm2.noarch.rpm -ca-certificates-base-2.0.0-18.cm2.noarch.rpm -ca-certificates-legacy-2.0.0-18.cm2.noarch.rpm -ca-certificates-shared-2.0.0-18.cm2.noarch.rpm -ca-certificates-tools-2.0.0-18.cm2.noarch.rpm +ca-certificates-2.0.0-19.cm2.noarch.rpm +ca-certificates-base-2.0.0-19.cm2.noarch.rpm +ca-certificates-legacy-2.0.0-19.cm2.noarch.rpm +ca-certificates-shared-2.0.0-19.cm2.noarch.rpm +ca-certificates-tools-2.0.0-19.cm2.noarch.rpm ccache-4.8-1.cm2.aarch64.rpm ccache-debuginfo-4.8-1.cm2.aarch64.rpm check-0.15.2-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 9c7af28a3a6..33be00851be 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -19,11 +19,11 @@ bzip2-1.0.8-1.cm2.x86_64.rpm bzip2-debuginfo-1.0.8-1.cm2.x86_64.rpm bzip2-devel-1.0.8-1.cm2.x86_64.rpm bzip2-libs-1.0.8-1.cm2.x86_64.rpm -ca-certificates-2.0.0-18.cm2.noarch.rpm -ca-certificates-base-2.0.0-18.cm2.noarch.rpm -ca-certificates-legacy-2.0.0-18.cm2.noarch.rpm -ca-certificates-shared-2.0.0-18.cm2.noarch.rpm -ca-certificates-tools-2.0.0-18.cm2.noarch.rpm +ca-certificates-2.0.0-19.cm2.noarch.rpm +ca-certificates-base-2.0.0-19.cm2.noarch.rpm +ca-certificates-legacy-2.0.0-19.cm2.noarch.rpm +ca-certificates-shared-2.0.0-19.cm2.noarch.rpm +ca-certificates-tools-2.0.0-19.cm2.noarch.rpm ccache-4.8-1.cm2.x86_64.rpm ccache-debuginfo-4.8-1.cm2.x86_64.rpm check-0.15.2-1.cm2.x86_64.rpm diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod index 5f53072b218..f5860e9fe65 100644 --- a/toolkit/tools/go.mod +++ b/toolkit/tools/go.mod @@ -22,7 +22,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.9.0 github.com/ulikunitz/xz v0.5.10 - golang.org/x/sys v0.21.0 + golang.org/x/sys v0.28.0 gonum.org/v1/gonum v0.15.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/ini.v1 v1.67.0 @@ -48,8 +48,8 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rivo/uniseg v0.1.0 // indirect github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect - golang.org/x/crypto v0.24.0 // indirect + golang.org/x/crypto v0.31.0 // indirect golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect - golang.org/x/net v0.26.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/net v0.33.0 // indirect + golang.org/x/text v0.21.0 // indirect ) diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum index 88fbb4c6f23..da0e2a5c9cd 100644 --- a/toolkit/tools/go.sum +++ b/toolkit/tools/go.sum 
@@ -90,12 +90,12 @@ github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6GjdjIyeqR7+EVhAF9CBQmkmW7Zw0w= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -103,12 +103,12 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= gonum.org/v1/gonum v0.15.0 h1:2lYxjRbTYyxkJxlhC+LvJIx3SsANPdRybu1tGj9/OrQ= gonum.org/v1/gonum v0.15.0/go.mod h1:xzZVBJBtS+Mz4q0Yl2LJTk+OxOg4jiXZ7qBoM0uISGo=