Merge branch '3.0-dev' into 3.0

SPECS/ceph/CVE-2012-6708.patch

@@ -0,0 +1,28 @@
+From c993d7d4b9ddb5d9dcb0c4120f798730aacfff0a Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Mon, 13 Jan 2025 14:53:54 -0800
+Subject: [PATCH] Adjust jQuery('html') detection to only match when html
+ starts with '<' (not counting space characters). Fixes #11290.
+
+Source: https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d.patch
+---
+ qa/workunits/erasure-code/jquery.js | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js
+index 8c24ffc61..45c208837 100644
+--- a/qa/workunits/erasure-code/jquery.js
++++ b/qa/workunits/erasure-code/jquery.js
+@@ -56,7 +56,8 @@ var
+
+ 	// A simple way to check for HTML strings
+ 	// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+-	rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
++	// Strict HTML recognition (#11290: must start with <)
++	rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
+
+ 	// Match a standalone tag
+ 	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/,
+-- 
+2.34.1
+

SPECS/ceph/CVE-2014-5461.patch

@@ -0,0 +1,29 @@
+From 4c6ecee6fcb3c3deead402098c6de1cfd53bb91b Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Tue, 28 Jan 2025 15:47:50 -0800
+Subject: [PATCH] Patch ceph to fix CVE-2014-5461
+
+Stack overflow in vararg functions with many fixed parameters called
+with few arguments.
+
+Link: https://www.lua.org/bugs.html#5.2.2-1
+---
+ .../3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
+index d1bf786cb..30333bfa5 100644
+--- a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
++++ b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c
+@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresults) {
+     CallInfo *ci;
+     StkId st, base;
+     Proto *p = cl->p;
+-    luaD_checkstack(L, p->maxstacksize);
++    luaD_checkstack(L, p->maxstacksize + p->numparams);
+     func = restorestack(L, funcr);
+     if (!p->is_vararg) {  /* no varargs? */
+       base = func + 1;
+-- 
+2.34.1
+

SPECS/ceph/CVE-2015-9251.patch

@@ -0,0 +1,32 @@
+From 124fa2abfde0939c5a7684be1c9f11565888a3a5 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Tue, 28 Jan 2025 17:30:43 -0800
+Subject: [PATCH] [Medium] Patch ceph to fix CVE-2015-9251
+
+Link: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc.patch
+---
+ qa/workunits/erasure-code/jquery.js | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js
+index 8c24ffc61..f4ce660b1 100644
+--- a/qa/workunits/erasure-code/jquery.js
++++ b/qa/workunits/erasure-code/jquery.js
+@@ -8245,6 +8245,14 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) {
+ 		return "script";
+ 	}
+ });
++
++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
++jQuery.ajaxPrefilter( function( s ) {
++    if ( s.crossDomain ) {
++        s.contents.script = false;
++    }
++} );
++
+ // Install script dataType
+ jQuery.ajaxSetup({
+ 	accepts: {
+-- 
+2.34.1
+

SPECS/ceph/CVE-2020-22217.patch

@@ -0,0 +1,27 @@
+From 97568ddb836a9680c93335a3f8ca0f2c0616ccdc Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Mon, 27 Jan 2025 16:19:53 -0800
+Subject: [PATCH] Fix CVE-2020-22217 in c-ares
+
+Link: https://github.com/c-ares/c-ares/pull/332
+---
+ src/c-ares/ares_parse_soa_reply.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/c-ares/ares_parse_soa_reply.c b/src/c-ares/ares_parse_soa_reply.c
+index 35af0a75c..5924bbca9 100644
+--- a/src/c-ares/ares_parse_soa_reply.c
++++ b/src/c-ares/ares_parse_soa_reply.c
+@@ -65,6 +65,9 @@ ares_parse_soa_reply(const unsigned char *abuf, int alen,
+   status = ares__expand_name_for_response(aptr, abuf, alen, &qname, &len);
+   if (status != ARES_SUCCESS)
+     goto failed_stat;
++
++  if (alen <= len + HFIXEDSZ + 1)
++    goto failed;
+   aptr += len;
+
+   /* skip qtype & qclass */
+-- 
+2.34.1
+

SPECS/ceph/ceph.spec

@@ -1,11 +1,11 @@
 #disable debuginfo because ceph-debuginfo rpm is too large
 %define debug_package %{nil}
 %define _unpackaged_files_terminate_build 0 
- 
+
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        18.2.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -14,6 +14,10 @@ Source0:        https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz
 Patch0:         0034-src-pybind-rbd-rbd.pyx.patch
 Patch1:         0032-cmake-modules-BuildBoost.cmake.patch
 Patch2:         CVE-2024-52338.patch
+Patch3:         CVE-2014-5461.patch
+Patch4:         CVE-2020-22217.patch
+Patch5:         CVE-2015-9251.patch
+Patch6:         CVE-2012-6708.patch
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
@@ -895,7 +899,7 @@ This package provides a Ceph hardware monitoring agent.
 # common
 #################################################################################
 %prep
-%autosetup -p1 
+%autosetup -p1
 
 %build
 pwd
@@ -2004,6 +2008,12 @@ exit 0
 
 
 %changelog
+* Tue Jan 28 2025 Kevin Lockwood <[email protected]> - 18.2.2-4
+- Fix for CVE-2014-5461
+- Fix for CVE-2020-22217
+- Fix for CVE-2015-9251
+- Fix for CVE-2012-6708
+
 * Tue Jan 01 2025 Sandeep Karambelkar <[email protected]> - 18.2.2-3
 - Based on the package build logs, opentelemetry-cpp submodule is not being built
 - Removing opentelemetry-cpp to address below CVEs as this submodule is not relevant

SPECS/hwloc/CVE-2022-47022.patch

@@ -0,0 +1,69 @@
+From b85436757996b58b805dc4d471ec1cb3c6f56781 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Tue, 28 Jan 2025 12:11:44 +0000
+Subject: [PATCH] CVE-2022-47022
+
+Source Link: https://github.com/open-mpi/hwloc/commit/ac1f8db9a0790d2bf153711ff4cbf6101f89aace
+---
+ hwloc/topology-linux.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c
+index c7b63d2..fd6745e 100644
+--- a/hwloc/topology-linux.c
++++ b/hwloc/topology-linux.c
+@@ -870,6 +870,8 @@ hwloc_linux_set_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused,
+
+   setsize = CPU_ALLOC_SIZE(last+1);
+   plinux_set = CPU_ALLOC(last+1);
++  if (!plinux_set)
++    return -1;
+
+   CPU_ZERO_S(setsize, plinux_set);
+   hwloc_bitmap_foreach_begin(cpu, hwloc_set)
+@@ -950,7 +952,10 @@ hwloc_linux_find_kernel_nr_cpus(hwloc_topology_t topology)
+   while (1) {
+     cpu_set_t *set = CPU_ALLOC(nr_cpus);
+     size_t setsize = CPU_ALLOC_SIZE(nr_cpus);
+-    int err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */
++    int err;
++    if (!set)
++      return -1; /* caller will return an error, and we'll try again later */
++    err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */
+     CPU_FREE(set);
+     nr_cpus = setsize * 8; /* that's the value that was actually tested */
+     if (!err)
+@@ -978,8 +983,12 @@ hwloc_linux_get_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused,
+
+   /* find the kernel nr_cpus so as to use a large enough cpu_set size */
+   kernel_nr_cpus = hwloc_linux_find_kernel_nr_cpus(topology);
++  if (kernel_nr_cpus < 0)
++    return -1;
+   setsize = CPU_ALLOC_SIZE(kernel_nr_cpus);
+   plinux_set = CPU_ALLOC(kernel_nr_cpus);
++  if (!plinux_set)
++    return -1;
+
+   err = sched_getaffinity(tid, setsize, plinux_set);
+
+@@ -1333,6 +1342,8 @@ hwloc_linux_set_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_c
+
+      setsize = CPU_ALLOC_SIZE(last+1);
+      plinux_set = CPU_ALLOC(last+1);
++     if (!plinux_set)
++       return -1;
+
+      CPU_ZERO_S(setsize, plinux_set);
+      hwloc_bitmap_foreach_begin(cpu, hwloc_set)
+@@ -1424,6 +1435,8 @@ hwloc_linux_get_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_b
+
+      setsize = CPU_ALLOC_SIZE(last+1);
+      plinux_set = CPU_ALLOC(last+1);
++     if (!plinux_set)
++       return -1;
+
+      err = pthread_getaffinity_np(tid, setsize, plinux_set);
+      if (err) {
+-- 
+2.45.2
+

SPECS/hwloc/hwloc.spec

@@ -1,12 +1,13 @@
 Summary:        Portable Hardware Locality - portable abstraction of hierarchical architectures
 Name:           hwloc
 Version:        2.9.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-2-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://www.open-mpi.org/projects/hwloc/
 Source0:        http://www.open-mpi.org/software/hwloc/v2.9/downloads/%{name}-%{version}.tar.bz2
+Patch0:         CVE-2022-47022.patch
 BuildRequires:  gcc
 # C++ only for hwloc-hello-cpp test:
 BuildRequires:  gcc-c++
@@ -167,6 +168,9 @@ LD_LIBRARY_PATH=$PWD/hwloc/.libs make check
 %{_libdir}/%{name}/hwloc*
 
 %changelog
+* Wed Jan 29 2025 Jyoti Kanase <[email protected]> - 2.9.2-2
+- Fix CVE-2022-47022
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <[email protected]> - 2.9.2-1
 - Auto-upgrade to 2.9.2 - Azure Linux 3.0 - package upgrades
 

SPECS/m2crypto/CVE-2019-11358.patch

@@ -0,0 +1,28 @@
+From d3e8292d3c2ac5e78ee4f8cf7ea00241335159b4 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Wed, 29 Jan 2025 13:46:24 +0000
+Subject: [PATCH] CVE-2019-11358
+
+Source Link: https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+---
+ doc/html/_static/jquery-3.2.1.js | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/doc/html/_static/jquery-3.2.1.js b/doc/html/_static/jquery-3.2.1.js
+index d2d8ca4..8bbd717 100644
+--- a/doc/html/_static/jquery-3.2.1.js
++++ b/doc/html/_static/jquery-3.2.1.js
+@@ -229,8 +229,9 @@ jQuery.extend = jQuery.fn.extend = function() {
+ 				src = target[ name ];
+ 				copy = options[ name ];
+
++				// Prevent Object.prototype pollution
+ 				// Prevent never-ending loop
+-				if ( target === copy ) {
++				if (  name === "__proto__" || target === copy ) {
+ 					continue;
+ 				}
+
+-- 
+2.45.2
+

SPECS/m2crypto/m2crypto.spec

@@ -1,7 +1,7 @@
 Summary:        Crypto and SSL toolkit for Python
 Name:           m2crypto
 Version:        0.38.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            https://pypi.python.org/pypi/M2Crypto
 Source0:        https://files.pythonhosted.org/packages/2c/52/c35ec79dd97a8ecf6b2bbd651df528abb47705def774a4a15b99977274e8/M2Crypto-%{version}.tar.gz
 Patch0:         0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch
 Patch1:         CVE-2020-25657.patch
+Patch2:         CVE-2019-11358.patch
 
 %description
 M2Crypto is a crypto and SSL toolkit for Python
@@ -57,6 +58,9 @@ pip3 install parameterized
 %{python3_sitelib}/*
 
 %changelog
+* Wed Jan 29 2025 Jyoti Kanase <[email protected]> - 0.38.0-4
+- Fix CVE-2019-11358
+
 * Tue Aug 16 2022 Muhammad Falak <[email protected]> - 0.38.0-3
 - Patch CVE-2020-25657
 

SPECS/mysql/CVE-2024-9681.patch

@@ -0,0 +1,64 @@
+From 4584d3ab388a83e2e0753c69437df975b4a13547 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Sat, 25 Jan 2025 13:44:11 +0000
+Subject: [PATCH] CVE-2024-9681
+
+Backported form: https://github.com/curl/curl/commit/a94973805df96269bf   
+---
+ extra/curl/curl-8.9.1/lib/hsts.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/extra/curl/curl-8.9.1/lib/hsts.c b/extra/curl/curl-8.9.1/lib/hsts.c
+index 8cd77ae3..6e2599b1 100644
+--- a/extra/curl/curl-8.9.1/lib/hsts.c
++++ b/extra/curl/curl-8.9.1/lib/hsts.c
+@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
++  struct stsentry *bestsub = NULL;
+   if(h) {
+     char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
++    size_t blen = 0;
+
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         if(ntail < hlen) {
+           size_t offs = hlen - ntail;
+           if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
++             strncasecompare(&hostname[offs], sts->host, ntail) &&
++             (ntail > blen)) {
++            /* save the tail match with the longest tail */
++            bestsub = sts;
++            blen = ntail;
++          }
+         }
+       }
+       if(strcasecompare(hostname, sts->host))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
++  return bestsub;
+ }
+
+ /*
+@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
++    else if(strcasecompare(p, e->host)) {
+       /* the same hostname, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+-- 
+2.45.2
+