cloud-init: patch for CVE-2022-2084 #3281
Merged
Signed-off-by: Chris Patterson <[email protected]>
christopherco approved these changes Jun 30, 2022
dmcilvaney approved these changes Jun 30, 2022
Signed-off-by: Chris Patterson <[email protected]>
Added a change to report patch level in version info so it is clear in the logs and cloud-init --version details.
Tested basic provisioning of an image with this build on Azure without issue.
anhvoms approved these changes Jul 5, 2022
jslobodzian added a commit that referenced this pull request Jul 9, 2022
This reverts commit e317430.
jslobodzian added a commit that referenced this pull request Jul 9, 2022
This reverts commit 0b1ba72.
osamaesmailmsft added a commit that referenced this pull request Oct 12, 2022
* Only build bond against x86_64 architecture (#1800) (#1801)
* fix bond build break for ARM64 on main branch
* fix bond build break for ARM64 on main branch
* fix bond build break for ARM64 on main branch
Co-authored-by: nicolas guibourge <[email protected]>
Co-authored-by: nicolas guibourge <[email protected]>
* [main extended] Enable libguestfs (#1970)
* Remove libreport support from mdadm
* Conditionally pull in perl-Sys-Virt test deps
* Fix dependency resolution for ocaml-ctypes
* Upgrade to latest ocaml-gettext
* Fix ocaml-ounit build
* Upgrade ocaml-base to latest
* Upgrade ocaml-migrate-parsetree to latest
* Upgrade ocaml-stdio to 0.15.0
* Upgrade ocaml-parsexp to 0.15.0
* Upgrade ocaml-ppxlib to 0.24.0
* Upgrade ocaml-sexplib to 0.15.0
* Upgrade ocaml-sexplib0 to 0.15.0
* Upgrade supermin to 5.2.1
* Fixup libguestfs patches and configuration
* [main extended] Fix dnf-plugins-core, ocaml-findlib builds (#1950)
* [main] Removing in-spec sources verification using `libguestfs.keyring`. (#1971)
* kernel: Update Mariner cert in kernel keyring (#1979)
* kernel: Update mariner cert in kernel keyring
* kernel-hyperv: Update mariner cert in kernel keyring
* kernel-headers: Bump to match kernel release number
* kernel-signed: Bump to match kernel release
Signed-off-by: Chris Co <[email protected]>
* lttng-consume: disable tests to fix build break (#1980)
Signed-off-by: Muhammad Falak R Wani <[email protected]>
* Revert "Upgrading Parted to v3.4" (#1966)
* Revert "Upgrading Parted to v3.4 (#1898)" This reverts commit 24382cf.
* verifying license to unblock upgrade revert pr
* Temporary: Add python3-distro to azurevm-packages packagelist (#2016)
* Upgrade libmemcached, memcached and promote to core specs (#1981)
* kernel-signed: workaround errant .build-id file (#2032) After the upgrade to RPM 4.17, when building on ARM64 only, we are observing an unexpected /usr/lib/debug/.build-id/xx/yyyy.debug file being packaged into the kernel.rpm package. This errant file is causing build errors when repackaging in the kernel-signed build phase. This patch works around the build issue by specifically excluding the /usr/lib/debug/.build-id folder when building for ARM64. More investigation underway to identify why this unexpected /usr/lib/debug/.build-id/xx/yyyy.debug file is being included.
Signed-off-by: Chris Co <[email protected]>
* Fix grubby build with newer versions of RPM (#2036)
* Update libgit2 to latest upstream version 1.1.0 (#2021)
Signed-off-by: Kate Goldenring <[email protected]>
* Fix build break (signature) for libgit2
* Fix TDNF download of packages during libguestfs build
* Replace perl(Locale::TextDomain) BR in libguestfs with actual package
* [main] Fixing tooling issues during package candidates resolution. (#2091)
* Fix dependency constraints, UUID parsing in libguestfs (#2113)
* Bring over libguestfs changes from 2.0
* Fix selinux-policy, file bugs in libguestfs
* kernel: Update input aarch64 config file (#2358) ARM64 kernel package builds are failing due to a config diff missing between the expected config and the actual config file. Add missing CONFIG_USBIP_VUDC line
Signed-off-by: Chris Co <[email protected]>
* Revert "[main] Update envoy to v1.21.0 (#2330)" This reverts commit 5c0c47a.
* toolkit only - use local /run folder in chroot instead of mounted tmpfs (#2435)
* toolkit - use local /run folder in chroot instead of mounted tmpfs
* address PR comments
* address PR comments
* address PR comments
Co-authored-by: Nicolas Guibourge <[email protected]>
* [main] iperf3: Update to 3.11 (#2512)
* Update iperf3 to 3.11
* toolchain: Remove alsa-lib (#2543)
* Fix post-install script args in imageconfig being ignored (#2414)
* Upgrade nodejs to 16.14.0 (#2485)
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs
Co-authored-by: Nicolas Guibourge <[email protected]>
* [main] upgrading libarchive to v3.6.0 (#2515)
* upgrading libarchive to v3.6.0
* removing patch file
* adding missing URL
* fixing URL
* [2.0] Modify pam to require audit-libs (#2572)
* update pam
* update manifests
* install audit-libs before systemd (#2584)
* Revert "install audit-libs before systemd (#2584)" This reverts commit 2170975.
* Build rubygems with ruby to fix build error in pipeline (#2601)
* Add rubygems to build with ruby to fix build error in pipeline
* Remove bundler requirement
* [main] Adding `--assumeyes` for TDNF calls. (#2641) (#2642)
* Fix bad ruby merge issue
* Revert "python3: Add python-unversioned-command subpackage (#2637)" This reverts commit b62bb32.
* dnf-plugins-core: Fix bad python path in cmake call (#2658)
* dnf-plugins-core: Fix bad python path in cmake call
* Update license map
* Empty commit to trigger GH checks
* Unblock build, exclude SymCrypt from ARM64
* Update python requirement in azurevm packagelist for 2.0 (#2667)
* Revert "Unblock build, exclude SymCrypt from ARM64" This reverts commit 9b0a48f.
* Repair toolkit merge issue
* fix boringssl license issue (#2775)
* revert arm64 exclusion workaround (#2769)
* [main] Build break workaround. (#2788)
* Revert "fix boringssl license issue (#2775)" This reverts commit 50b3397.
* Remove boringssl to reconcile with main branch
* [main] Fixing installation paths with new version of Ruby. (#2859)
* vim: Fix vi provides with reversed EVR (#2872)
* cri-o: Replace openSUSE systemd macros with Mariner's (#2874)
* toolchain: Rebuild audit with systemd-bootstrap-rpm-macros installed (#2878)
* toolchain: Rebuild audit with systemd-bootstrap-rpm-macros installed
* audit: Add BR on systemd-bootstrap-rpm-macros
* [2.0] Cherry-pick credscan failure caused by unattended installer image config (#2908)
* minor fix to build doc (#2907)
Co-authored-by: Henry Li <[email protected]>
* fix image config json (#2906)
Co-authored-by: Henry Li <[email protected]>
Co-authored-by: Henry Li <[email protected]>
* download msopenjdk-11 from prod folder (#2921)
* Cherry Pick build fixes to Extended (#3105)
* ARM64 `buildah` and `edk2` blocked packages fix. (#3101)
* Adding missing signature for `perl-Module-Install-Repository`. (#3086)
Co-authored-by: Pawel Winogrodzki <[email protected]>
* Python-twisted: upgrade to version 22.4.0 to fix CVE-2022-24801 (#3079)
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
Co-authored-by: Nicolas Guibourge <[email protected]>
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-… (#3087)
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
Co-authored-by: Nicolas Guibourge <[email protected]>
* Updating `vim` to version 8.2.5064. (#3112)
* Bump Mariner Release (#3140)
* Revert "Add missing e2fsprogs dep to cloud-init (#3141)" This reverts commit 7417d8a. Reverting this change temporarily because we are not ready to upgrade cloud-init
* Revert "cloud-init: uprev to 22.2 (#3104)" This reverts commit 3bcdc43. Reverting this change temporarily because we are not ready to upgrade cloud-init.
* Fix build errors caused by ncurses 6.3 upgrade (#3184)
* Fix ARM64 Build Break (#3191)
* t1lib: Fix SRPM packing (#3192)
* Revert "cloud-init: patch for CVE-2022-2084 (#3281)" This reverts commit e317430.
* Revert "Revert "cloud-init: uprev to 22.2 (#3104)"" This reverts commit ae3a7d8.
* Revert "Revert "Add missing e2fsprogs dep to cloud-init (#3141)"" This reverts commit 68bd0ec.
* Revert "Revert "cloud-init: patch for CVE-2022-2084 (#3281)"" This reverts commit 0b1ba72.
* Revert "Initial KeysInUse Integration (#3182)" This reverts commit 7de96f6.
* Updating 'mariner-release' version for July update 2. (#3444)
* remove provides from unsigned grub2 (#3461)
Co-authored-by: Henry Li <[email protected]>
* Updating 'mariner-release' for the August release.
* Updating licenses after the 'main' merge.
* KeysInUse: re-introduce package back to 2.0. (#3531)
* Update helm version 3.9.3 (#3586)
* Update helm version 3.9.3
* Fix helm version info not displaying correctly
* fix cloud-init dependency issue (#3606)
* `mariadb`: update to v10.6.9 to fix CVE-2022-32091, CVE-2022-32081 (#3645)
* fix npm version in nodejs.spec (#3571)
* upgrade vim to 9.0.0232 (#3580)
* qemu : fix CVE-2022-35414 (#3597)
* qemu : fix CVE-2022-35414
* address PR comment
Co-authored-by: Nicolas Guibourge <[email protected]>
* libxml2 and python-lxml: fix CVE-2022-2309 (#3583)
* libxml2 and python-lxml: fix CVE-2022-2309
* libxml2 and python-lxml: fix CVE-2022-2309
* address PR comments
Co-authored-by: Nicolas Guibourge <[email protected]>
* rubygem-yajl-ruby: fix CVE 2022 24795 (#3598)
* rubygem-yajl-ruby : fix CVE-2022-24795
* rubygem-yajl-ruby : fix CVE-2022-24795
* back port patch from 1.4.1
* fix spec issue
* address PR comments
Co-authored-by: Nicolas Guibourge <[email protected]>
* Update cert-manager to v1.7.3. (#3575)
  - Update cert-manager to v1.7.3.
  - Split cert-manager binaries into separate packages.
  - Remove cert-manager build dependency on Bazel and just build the binaries directly using `go build`. This makes building easier. Also, the latest upstream version of cert-manager does this.
  - Use the Go "vendor" directory for Go dependencies instead of dumping files in the global Go cache.
* Bump supported go versions to 1.17.13, 1.18.5 to fix fifteen CVEs (#3600)
Co-authored-by: Pawel Winogrodzki <[email protected]>
* dpkd: bump version to 21.11.2 to address CVE-2022-2132 (#3631)
* dpkd: bump version to 21.11.2 to address CVE-2022-2132
* dpdk: cgmanifest: update entry
Signed-off-by: Muhammad Falak R Wani <[email protected]>
* `vim`: upgrade to 9.0.0325 to fix CVE-2022-2980, CVE-2022-2982, CVE-2022-2923, CVE-2022-2946 (#3643)
* `python3`: fix CVE-2015-20107 (#3644)
* `python3`: fix CVE-2021-28861 (#3654)
* `colord`: fix CVE-2021-42523 (#3675)
* `virglrenderer`: fix CVE-2022-0135 (#3674)
* libtar: Pull misc Fedora patches, fix CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646 (#3686)
* Apply Fedora patches
* Apply linter
* Use upstream patch
* Patch qemu CVE-2021-4158 (#3696)
* libtar: Fixup spec formatting, remove .la files, remove explicit provides (#3698)
* Fixup libtar spec formatting, .la files, provides
* Add comment so we can track CVE fixes
* update mariner-release to 2.0-19 (#3723)
* fix br in libvirt (#3726)
* Added nopatch to libtirpc for CVE-2021-46828 (#3779)
Co-authored-by: Nick Samson <[email protected]>
* update mariner-release to 2.0-21 (#3778)
* revert changes for adding sysinit.target dependency (#3777)
* Expat fix CVE-2022-40674 (#3799)
Co-authored-by: Betty Lakes <[email protected]>
* bump mariner-release to 2.0-21
* switching branches
* Ensure rpm-* ABI compatibility (#3880)
* Ensure `python3-rpm` pulls in appropriate libs
* Add rpm-build-libs -> rpm-libs dependency too
* Declare release `4.18.0-2` with fixes
* toolkit.mk: fix 'clean-rpms-snapshot' target. (#3843)
* 7.4.14 to 8.1.11; need to delete the old SPECS-EXTENDED folders
* php 8.1.11 build now
* removed libraries from SPECS-EXTENDED
* merged current 2.0; added changelog for php & updated other licenses; need to verify changelog for php & version thing olivia said
* update cgmanifest.json
* reresolving old mr comments
* updated hunspell to fix CVE; added aspell patch to fix CVE; fixed some PHP linting issues
* one linting fix
* removed commented-out modphp code; updated changelog
* debugging url issues
* trying 2sec timeout instead of 1sec
* echoing to txt log
* undoing validate-cg-manifests.sh changes; trying new url
* resolving mr comments
* updating malaga in cgmanifest
* trying source-git's mirror
* trying with local tarball
* trying with local tarball
* using blob storage
* Delete bad_registrations.txt
* updating tokyocabinet url
* changing branches
* resolving conflicts with upstream/main
* mr comments
* updating cgmanifest
* actually fixing validate_cg_manifest.sh
* Delete php-8.1.11.tar.xz.asc
* Delete php-keyring.gpg
Signed-off-by: Chris Co <[email protected]>
Signed-off-by: Muhammad Falak R Wani <[email protected]>
Signed-off-by: Kate Goldenring <[email protected]>
Co-authored-by: nicolas guibourge <[email protected]>
Co-authored-by: nicolas guibourge <[email protected]>
Co-authored-by: Jon Slobodzian <[email protected]>
Co-authored-by: Thomas Crain <[email protected]>
Co-authored-by: Pawel Winogrodzki <[email protected]>
Co-authored-by: Christopher Co <[email protected]>
Co-authored-by: Muhammad Falak R Wani <[email protected]>
Co-authored-by: Max Brodeur-Urbas <[email protected]>
Co-authored-by: Kate Goldenring <[email protected]>
Co-authored-by: rlmenge <[email protected]>
Co-authored-by: Vince Perri <[email protected]>
Co-authored-by: Andrew Phelps <[email protected]>
Co-authored-by: Neha Agarwal <[email protected]>
Co-authored-by: Olivia Crain <[email protected]>
Co-authored-by: Henry Li <[email protected]>
Co-authored-by: Henry Li <[email protected]>
Co-authored-by: CBL-Mariner Servicing Account <[email protected]>
Co-authored-by: chalamalasetty <[email protected]>
Co-authored-by: Nan Liu <[email protected]>
Co-authored-by: Henry Beberman <[email protected]>
Co-authored-by: Cameron E Baird <[email protected]>
Co-authored-by: Chris Gunn <[email protected]>
Co-authored-by: Daniel McIlvaney <[email protected]>
Co-authored-by: Nick Samson <[email protected]>
Co-authored-by: Nick Samson <[email protected]>
Co-authored-by: Minghe Ren <[email protected]>
Co-authored-by: Betty <[email protected]>
Co-authored-by: Betty Lakes <[email protected]>
Co-authored-by: Andrew Phelps <[email protected]>
Co-authored-by: Andy Caldwell <[email protected]>
Signed-off-by: Chris Patterson [email protected]
Built, installed, rebooted on a mariner2 instance with no obvious concerns.