-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'fasttrack/2.0' into kanbansal/python-jinja2/2.0-CVEs
- Loading branch information
Showing
19 changed files
with
775 additions
and
13 deletions.
There are no files selected for viewing
80 changes: 80 additions & 0 deletions
80
SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
| Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
|
||
| Instead of using strings.ToLower and == to check case insensitive | ||
| equality, just use strings.EqualFold, even when the strings are only | ||
| ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
| which can be a somewhat expensive operation, even if we're only | ||
| attempting to compare equality with five characters. | ||
|
|
||
| Thanks to Guido Vranken for reporting this issue. | ||
|
|
||
| Fixes golang/go#70906 | ||
| Fixes CVE-2024-45338 | ||
|
|
||
| Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
| vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
| vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
| 3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
| index c484e5a..bca3ae9 100644 | ||
| --- a/vendor/golang.org/x/net/html/doctype.go | ||
| +++ b/vendor/golang.org/x/net/html/doctype.go | ||
| @@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
| } | ||
| } | ||
| if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
| - strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
| + strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
| quirks = true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
| index 74774c4..d6aa84d 100644 | ||
| --- a/vendor/golang.org/x/net/html/foreign.go | ||
| +++ b/vendor/golang.org/x/net/html/foreign.go | ||
| @@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
| if n.Data == "annotation-xml" { | ||
| for _, a := range n.Attr { | ||
| if a.Key == "encoding" { | ||
| - val := strings.ToLower(a.Val) | ||
| - if val == "text/html" || val == "application/xhtml+xml" { | ||
| + if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
| return true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
| index 2cd12fc..851dc42 100644 | ||
| --- a/vendor/golang.org/x/net/html/parse.go | ||
| +++ b/vendor/golang.org/x/net/html/parse.go | ||
| @@ -1007,7 +1007,7 @@ func inBodyIM(p *parser) bool { | ||
| if p.tok.DataAtom == a.Input { | ||
| for _, t := range p.tok.Attr { | ||
| if t.Key == "type" { | ||
| - if strings.ToLower(t.Val) == "hidden" { | ||
| + if strings.EqualFold(t.Val, "hidden") { | ||
| // Skip setting framesetOK = false | ||
| return true | ||
| } | ||
| @@ -1435,7 +1435,7 @@ func inTableIM(p *parser) bool { | ||
| return inHeadIM(p) | ||
| case a.Input: | ||
| for _, t := range p.tok.Attr { | ||
| - if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
| + if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
| p.addElement() | ||
| p.oe.pop() | ||
| return true | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
| Summary: Application Gateway Ingress Controller | ||
| Name: application-gateway-kubernetes-ingress | ||
| Version: 1.4.0 | ||
| Release: 23%{?dist} | ||
| Release: 24%{?dist} | ||
| License: MIT | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -30,6 +30,7 @@ Patch0: CVE-2022-21698.patch | |
| Patch1: CVE-2023-44487.patch | ||
| Patch2: CVE-2021-44716.patch | ||
| Patch3: CVE-2022-32149.patch | ||
| Patch4: CVE-2024-45338.patch | ||
|
|
||
| BuildRequires: golang | ||
| %if %{with_check} | ||
|
|
@@ -68,6 +69,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/ | |
| %{_bindir}/appgw-ingress | ||
|
|
||
| %changelog | ||
| * Thu Jan 02 2025 Sumedh Sharma <[email protected]> - 1.4.0-24 | ||
| - Add patch for CVE-2024-45338. | ||
|
|
||
| * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.4.0-23 | ||
| - Bump release to rebuild with go 1.22.7 | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
| Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
|
||
| Instead of using strings.ToLower and == to check case insensitive | ||
| equality, just use strings.EqualFold, even when the strings are only | ||
| ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
| which can be a somewhat expensive operation, even if we're only | ||
| attempting to compare equality with five characters. | ||
|
|
||
| Thanks to Guido Vranken for reporting this issue. | ||
|
|
||
| Fixes golang/go#70906 | ||
| Fixes CVE-2024-45338 | ||
|
|
||
| Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
| vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
| vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
| 3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
| index c484e5a..bca3ae9 100644 | ||
| --- a/vendor/golang.org/x/net/html/doctype.go | ||
| +++ b/vendor/golang.org/x/net/html/doctype.go | ||
| @@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
| } | ||
| } | ||
| if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
| - strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
| + strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
| quirks = true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
| index 9da9e9d..e8515d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/foreign.go | ||
| +++ b/vendor/golang.org/x/net/html/foreign.go | ||
| @@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
| if n.Data == "annotation-xml" { | ||
| for _, a := range n.Attr { | ||
| if a.Key == "encoding" { | ||
| - val := strings.ToLower(a.Val) | ||
| - if val == "text/html" || val == "application/xhtml+xml" { | ||
| + if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
| return true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
| index 46a89ed..5b8374b 100644 | ||
| --- a/vendor/golang.org/x/net/html/parse.go | ||
| +++ b/vendor/golang.org/x/net/html/parse.go | ||
| @@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { | ||
| if p.tok.DataAtom == a.Input { | ||
| for _, t := range p.tok.Attr { | ||
| if t.Key == "type" { | ||
| - if strings.ToLower(t.Val) == "hidden" { | ||
| + if strings.EqualFold(t.Val, "hidden") { | ||
| // Skip setting framesetOK = false | ||
| return true | ||
| } | ||
| @@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { | ||
| return inHeadIM(p) | ||
| case a.Input: | ||
| for _, t := range p.tok.Attr { | ||
| - if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
| + if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
| p.addElement() | ||
| p.oe.pop() | ||
| return true | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: Automatically provision and manage TLS certificates in Kubernetes | ||
| Name: cert-manager | ||
| Version: 1.11.2 | ||
| Release: 16%{?dist} | ||
| Release: 17%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -29,6 +29,7 @@ Patch6: CVE-2024-24786.patch | |
| Patch7: CVE-2024-28180.patch | ||
| Patch8: CVE-2023-2253.patch | ||
| Patch9: CVE-2024-45337.patch | ||
| Patch10: CVE-2024-45338.patch | ||
| BuildRequires: golang | ||
| Requires: %{name}-acmesolver | ||
| Requires: %{name}-cainjector | ||
|
|
@@ -121,6 +122,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ | |
| %{_bindir}/webhook | ||
|
|
||
| %changelog | ||
| * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 1.11.2-17 | ||
| - Add patch for CVE-2024-45338 | ||
|
|
||
| * Tue Dec 17 2024 Andrew Phelps <[email protected]> - 1.11.2-16 | ||
| - Add patch for CVE-2024-45337 | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
| Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
|
||
| Instead of using strings.ToLower and == to check case insensitive | ||
| equality, just use strings.EqualFold, even when the strings are only | ||
| ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
| which can be a somewhat expensive operation, even if we're only | ||
| attempting to compare equality with five characters. | ||
|
|
||
| Thanks to Guido Vranken for reporting this issue. | ||
|
|
||
| Fixes golang/go#70906 | ||
| Fixes CVE-2024-45338 | ||
|
|
||
| Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
| vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
| vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
| 3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
| index c484e5a..bca3ae9 100644 | ||
| --- a/vendor/golang.org/x/net/html/doctype.go | ||
| +++ b/vendor/golang.org/x/net/html/doctype.go | ||
| @@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
| } | ||
| } | ||
| if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
| - strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
| + strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
| quirks = true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
| index 9da9e9d..e8515d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/foreign.go | ||
| +++ b/vendor/golang.org/x/net/html/foreign.go | ||
| @@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
| if n.Data == "annotation-xml" { | ||
| for _, a := range n.Attr { | ||
| if a.Key == "encoding" { | ||
| - val := strings.ToLower(a.Val) | ||
| - if val == "text/html" || val == "application/xhtml+xml" { | ||
| + if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
| return true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
| index 038941d..cb012d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/parse.go | ||
| +++ b/vendor/golang.org/x/net/html/parse.go | ||
| @@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { | ||
| if p.tok.DataAtom == a.Input { | ||
| for _, t := range p.tok.Attr { | ||
| if t.Key == "type" { | ||
| - if strings.ToLower(t.Val) == "hidden" { | ||
| + if strings.EqualFold(t.Val, "hidden") { | ||
| // Skip setting framesetOK = false | ||
| return true | ||
| } | ||
| @@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { | ||
| return inHeadIM(p) | ||
| case a.Input: | ||
| for _, t := range p.tok.Attr { | ||
| - if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
| + if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
| p.addElement() | ||
| p.oe.pop() | ||
| return true | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: The official command line client for Cloud Foundry. | ||
| Name: cf-cli | ||
| Version: 8.4.0 | ||
| Release: 22%{?dist} | ||
| Release: 23%{?dist} | ||
| License: Apache-2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -34,6 +34,7 @@ Patch2: CVE-2021-43565.patch | |
| # git checkout 434eadcdbc3b0256971992e8c70027278364c72c && git format-patch -1 HEAD | ||
| Patch3: CVE-2022-32149.patch | ||
| Patch4: CVE-2024-24786.patch | ||
| Patch5: CVE-2024-45338.patch | ||
|
|
||
| BuildRequires: golang | ||
| %global debug_package %{nil} | ||
|
|
@@ -68,6 +69,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf | |
| %{_bindir}/cf | ||
|
|
||
| %changelog | ||
| * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 8.4.0-23 | ||
| - Add patch for CVE-2024-45338 | ||
|
|
||
| * Wed Dec 04 2024 bhapathak <[email protected]> - 8.4.0-22 | ||
| - Patch CVE-2024-24786 | ||
|
|
||
|
|
||
Oops, something went wrong.