Merge branch 'fasttrack/2.0' into pawelwi/templates_update_fasttrack_2.0

microsoft · Jan 7, 2025 · bee4d25 · bee4d25
2 parents fb41a19 + b94dca4
commit bee4d25
Show file tree

Hide file tree

Showing 27 changed files with 594 additions and 58 deletions.
diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
@@ -11,6 +11,7 @@
     "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
     "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
     "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
+    "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d",
     "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
     "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
     "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",

diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
@@ -6,6 +6,8 @@
 
 %define p11_format_base_bundle ca-bundle.trust.base.p11-kit
 
+%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit
+
 %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
 
 # List of packages triggering legacy certs generation if 'ca-certificates-legacy'
@@ -45,7 +47,7 @@ Name:           ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
 Epoch:          1
 Version:        2.0.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +71,8 @@ Source21:       certdata.base.txt
 Source22:       bundle2pem.sh
 # The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
 Source23:       certdata.microsoft.txt
+# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program.
+Source24:       certdata.distrusted.txt
 
 BuildRequires:  /bin/ln
 BuildRequires:  asciidoc
@@ -91,7 +95,7 @@ Provides:       ca-certificates-mozilla = %{version}-%{release}
 BuildArch:      noarch
 
 %description
-The Public Key Inrastructure is used for many security issues in
+The Public Key Infrastructure is used for many security issues in
 a Linux system. In order for a certificate to be trusted, it must be
 signed by a trusted agent called a Certificate Authority (CA).
 The certificates loaded by this section are from the list of CAs trusted
@@ -146,6 +150,7 @@ cp -p %{SOURCE20} .
 
 %convert_certdata %{SOURCE21}
 %convert_certdata %{SOURCE23}
+%convert_certdata %{SOURCE24}
 
 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
@@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
 # Microsoft certs
 %install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}
 
+# Distrusted certs
+%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}
+
 # TODO: consider to dynamically create the update-ca-trust script from within
 #       this .spec file, in order to have the output file+directory names at once place only.
 install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
@@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}
 
 %files
+%defattr(-,root,root)
 # Microsoft certs bundle file with trust
 %{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
 
 %files base
+%defattr(-,root,root)
 %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}
 
 %files shared
+%defattr(-,root,root)
 %license LICENSE
 
 # symlinks for old locations
@@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
 
+# Distrusted CAs
+%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle}
+
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
@@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
 %files tools
+%defattr(-,root,root)
 # update/extract tool
 %{_bindir}/update-ca-trust
 
 %{_mandir}/man8/update-ca-trust.8.gz
 
 %files legacy
+%defattr(-,root,root)
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 2.0.0-19
+- Update adding Microsoft distrusted CAs.
+- Explicitly set default file ownership to root:root.
+
 * Fri Aug 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-18
 - Updating Microsoft trusted root CAs.
 

diff --git a/SPECS/ca-certificates/certdata.distrusted.txt b/SPECS/ca-certificates/certdata.distrusted.txt
diff --git a/SPECS/cloud-init/cloud-init.signatures.json b/SPECS/cloud-init/cloud-init.signatures.json
@@ -1,6 +1,7 @@
 {
  "Signatures": {
   "10-azure-kvp.cfg": "79e0370c010be5cd4717960e4b414570c9ec6e6d29aede77ccecc43d2b03bb9a",
-  "cloud-init-23.3.tar.gz": "1a5a54369f78891b79f43061c1ff0fb31e2bd74ff9527d7150ddd6517c3e2b07"
+  "cloud-init-23.3.tar.gz": "1a5a54369f78891b79f43061c1ff0fb31e2bd74ff9527d7150ddd6517c3e2b07",
+  "module-setup.sh": "aee825f849ce35a5a178cf095c2b9c46e586d50082f681d7f8d2c5d769c2f592"
  }
 }
diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec
@@ -5,14 +5,16 @@ Summary:        Cloud instance init scripts
 Name:           cloud-init
 Epoch:          1
 Version:        %{package_version}
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Base
 URL:            https://launchpad.net/cloud-init
 Source0:        https://launchpad.net/cloud-init/trunk/%{upstream_version_group}/+download/%{name}-%{version}.tar.gz
 Source1:        10-azure-kvp.cfg
+# This script is to prevent an intermittent issue where ephemeral disk not being formatted by cloud-init on Azure
+Source2:        module-setup.sh
 Patch0:         overrideDatasourceDetection.patch
 Patch1:         exec_cmd_error_handling.patch
 Patch2:         Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
@@ -43,6 +45,7 @@ BuildRequires:  python3-xml
 BuildRequires:  systemd
 BuildRequires:  systemd-devel
 Requires:       dhcp-client
+Requires:       dracut
 Requires:       e2fsprogs
 Requires:       iproute
 Requires:       net-tools
@@ -106,6 +109,9 @@ mkdir -p %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg.d
 
 install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/cloud/cloud.cfg.d/
 
+mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99azure-cloud/
+install -m 755 %{SOURCE2} %{buildroot}%{_prefix}/lib/dracut/modules.d/99azure-cloud/module-setup.sh
+
 %check
 touch vd ud
 
@@ -150,11 +156,16 @@ make check %{?_smp_mflags}
 %{_systemdgeneratordir}/cloud-init-generator
 /usr/lib/udev/rules.d/66-azure-ephemeral.rules
 %{_datadir}/bash-completion/completions/cloud-init
+%dir %attr(0700, root, root) %{_prefix}/lib/dracut/modules.d/99azure-cloud
+%{_prefix}/lib/dracut/modules.d/99azure-cloud/module-setup.sh
 
 %files azure-kvp
 %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg
 
 %changelog
+* Tue Dec 10 2024 Minghe Ren <[email protected]> - 1:23.3-6
+- Add module-setup.sh to prevent an intermittent issue where ephemeral disk not being formatted on Azure
+
 * Fri Sep 13 2024 Minghe Ren <[email protected]> - 1:23.3-5
 - Add patche to have PPS support for azure-proxy-agent.
 

diff --git a/SPECS/cloud-init/module-setup.sh b/SPECS/cloud-init/module-setup.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+# called by dracut
+check() {
+   return 0
+}
+# called by dracut
+depends() {
+   return 0
+}
+# called by dracut to make sure 66-azure-ephemeral.rules is installed 
+install() {
+   inst_multiple cut readlink
+   inst_rules 66-azure-ephemeral.rules
+}
+
diff --git a/SPECS/dbus/dbus.spec b/SPECS/dbus/dbus.spec
@@ -2,7 +2,7 @@
 Summary:        DBus for systemd
 Name:           dbus
 Version:        1.15.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2+ OR AFL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -23,7 +23,8 @@ Recommends:     systemd
 Provides:       dbus-libs = %{version}-%{release}
 # NOTE: We currently do not build with X11 support.
 # build with X11 support in the future.
-Provides:       %{name}-x11
+Provides:       %{name}-x11 = %{version}-%{release}
+Obsoletes:      %{name}-x11 <= 1.14.0-1%{?dist}
 
 %description
 The dbus package contains dbus.
@@ -86,6 +87,9 @@ make %{?_smp_mflags} check
 %{_libdir}/*.so
 
 %changelog
+* Mon Dec 23 2024 Pawel Winogrodzki <[email protected]> - 1.15.6-2
+- Obsolete older 'dbus-x11'.
+
 * Thu Dec 28 2023 Neha Agarwal <[email protected]> - 1.15.6-1
 - Update to v1.15.6 to fix CVE-2023-34969
 

diff --git a/SPECS/iperf3/iperf3.signatures.json b/SPECS/iperf3/iperf3.signatures.json
@@ -1,5 +1,5 @@
 {
- "Signatures": {
-  "iperf3-3.17.tar.gz": "0d88489d1730e1161b61ce9b4c5f0943eb31232a78c771566f03b38152aff4ba"
- }
-}
+  "Signatures": {
+    "iperf3-3.18.tar.gz": "ef9ffabf16926701a11c9b7e95dccdf64ff304b7b20dcb6f28aed06b240b7e99"
+  }
+}
diff --git a/SPECS/iperf3/iperf3.spec b/SPECS/iperf3/iperf3.spec
@@ -1,6 +1,6 @@
 Summary:        A network performance benchmark tool.
 Name:           iperf3
-Version:        3.17
+Version:        3.18
 Release:        1%{?dist}
 License:        BSD and MIT and Public Domain
 Vendor:         Microsoft Corporation
@@ -66,6 +66,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man3/libiperf.3.gz
 
 %changelog
+* Sun Dec 22 2024 CBL-Mariner Servicing Account <[email protected]> - 3.18-1
+- Auto-upgrade to 3.18 - CVE-2024-53580
+
 * Thu May 16 2024 Muhammad Falak <[email protected]> - 3.17-1
 - Bump version to 3.17 to address CVE-2024-26306
 

diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec
@@ -1,7 +1,7 @@
 Summary:        CBL-Mariner release files
 Name:           mariner-release
 Version:        2.0
-Release:        69%{?dist}
+Release:        70%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -62,6 +62,9 @@ EOF
 %config(noreplace) %{_sysconfdir}/issue.net
 
 %changelog
+* Sat Dec 21 2024 Jon Slobodzian <[email protected]> - 2.0-70
+- Bump release for January 2025 Update
+
 * Fri Nov 22 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0-69
 - Bump release for December 2024 Update
 

diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
@@ -29,7 +29,6 @@ Patch9:  CVE-2024-36623.patch
 Patch10: CVE-2024-45337.patch
 Patch11:  CVE-2024-24786.patch
 
-
 %{?systemd_requires}
 
 BuildRequires: bash

diff --git a/SPECS/msft-golang/msft-golang.signatures.json b/SPECS/msft-golang/msft-golang.signatures.json
@@ -2,7 +2,7 @@
  "Signatures": {
   "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
   "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
-  "go1.22.8-20241001.6.src.tar.gz": "549a43643849c73ffd8579d63e2e3488428f0a4c436169abe02be01a3dbd41c8",
+  "go1.22.10-20241203.4.src.tar.gz": "3a6318a0ff28798a1b1797b8d22c4f9604cae2088000c39a6875b2598ec4ab22",
   "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
  }
 }
diff --git a/SPECS/msft-golang/msft-golang.spec b/SPECS/msft-golang/msft-golang.spec
@@ -1,7 +1,8 @@
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
-%global ms_go_filename  go1.22.8-20241001.6.src.tar.gz
+%global ms_go_filename  go1.22.10-20241203.4.src.tar.gz
 %global ms_go_revision  1
+%global go_priority %(echo %{version}.%{ms_go_revision} | tr -d .)
 %ifarch aarch64
 %global gohostarch      arm64
 %else
@@ -14,7 +15,7 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           msft-golang
-Version:        1.22.8
+Version:        1.22.10
 Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
@@ -153,6 +154,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Mon Jan 06 2025 Riken Maharjan <[email protected]> - 1.22.10-1
+- Bump version to 1.22.10-1
+
 * Thu Oct 24 2024 CBL-Mariner Servicing Account <[email protected]> - 1.22.8-1
 - Auto-upgrade to 1.22.8 - To fix CVE-2022-41717
 

diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
@@ -3,7 +3,7 @@ Name:           prebuilt-ca-certificates-base
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
 Epoch:          1
 Version:        2.0.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -46,6 +46,9 @@ find %{buildroot} -name README -delete
 %{_sysconfdir}/pki/java/cacerts
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 2.0.0-19
+- Update adding Microsoft distrusted CAs.
+
 * Fri Aug 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-18
 - Making 'Release' match with 'ca-certificates'
 

diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
@@ -3,7 +3,7 @@ Name:           prebuilt-ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
 Epoch:          1
 Version:        2.0.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -49,6 +49,9 @@ find %{buildroot} -name README -delete
 %{_sysconfdir}/pki/java/cacerts
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 2.0.0-19
+- Update adding Microsoft distrusted CAs.
+
 * Fri Aug 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-18
 - Making 'Release' match with 'ca-certificates'