microsoft · azurelinux-security · Apr 2, 2026 · Apr 3, 2026
@@ -0,0 +1,58 @@
+From eba8fad44461e01ff37f56e9fea68c5b1112cf93 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Thu, 2 Apr 2026 16:23:13 +0000
+Subject: [PATCH] vendor/nats-server: Guard against LS+/LS- before CONNECT when
+ compression enabled to avoid nil account panic; add auth violation handling
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8.patch
+---
+ .../nats-io/nats-server/v2/server/leafnode.go  | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+index 02bf4bd8..419acae0 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+@@ -2313,6 +2313,14 @@ func (c *client) processLeafSub(argo []byte) (err error) {
+ 	}
+
+ 	acc := c.acc
++	// Guard against LS+ arriving before CONNECT has been processed, which
++	// can happen when compression is enabled.
++	if acc == nil {
++		c.mu.Unlock()
++		c.sendErr("Authorization Violation")
++		c.closeConnection(ProtocolViolation)
++		return nil
++	}
+ 	// Check if we have a loop.
+ 	ldsPrefix := bytes.HasPrefix(sub.subject, []byte(leafNodeLoopDetectionSubjectPrefix))
+ 	if ldsPrefix && bytesToString(sub.subject) == acc.getLDSubject() {
+@@ -2431,7 +2439,6 @@ func (c *client) processLeafUnsub(arg []byte) error {
+ 	// Indicate any activity, so pub and sub or unsubs.
+ 	c.in.subs++
+
+-	acc := c.acc
+ 	srv := c.srv
+
+ 	c.mu.Lock()
+@@ -2440,6 +2447,15 @@ func (c *client) processLeafUnsub(arg []byte) error {
+ 		return nil
+ 	}
+
++	acc := c.acc
++	// Guard against LS- arriving before CONNECT has been processed.
++	if acc == nil {
++		c.mu.Unlock()
++		c.sendErr("Authorization Violation")
++		c.closeConnection(ProtocolViolation)
++		return nil
++	}
++
+ 	updateGWs := false
+ 	spoke := c.isSpokeLeafNode()
+ 	// We store local subs by account and subject and optionally queue name.
+-- 
+2.45.4
+
@@ -0,0 +1,75 @@
+From cd13693e96a8c395121576638bde9312ad038fd3 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Thu, 2 Apr 2026 16:27:36 +0000
+Subject: [PATCH] Backport: avoid exposing MQTT password as JWT in client opts;
+ use local ujwt variable for JWT in auth; remove setting JWT from MQTT
+ password; populate c.opts.JWT after successful JWT auth for MQTT
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099.patch
+---
+ .../nats-io/nats-server/v2/server/auth.go        | 16 ++++++++++++++--
+ .../nats-io/nats-server/v2/server/mqtt.go        |  1 -
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/auth.go b/vendor/github.com/nats-io/nats-server/v2/server/auth.go
+index b37d245e..6badb210 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/auth.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/auth.go
+@@ -575,6 +575,7 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
+ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (authorized bool) {
+ 	var (
+ 		nkey *NkeyUser
++		ujwt string
+ 		juc  *jwt.UserClaims
+ 		acc  *Account
+ 		user *User
+@@ -718,13 +719,19 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
+
+ 	// Check if we have trustedKeys defined in the server. If so we require a user jwt.
+ 	if s.trustedKeys != nil {
+-		if c.opts.JWT == _EMPTY_ {
++		ujwt = c.opts.JWT
++		if ujwt == _EMPTY_ && c.isMqtt() {
++			// For MQTT, we pass the password as the JWT too, but do so here so it's not
++			// publicly exposed in the client options if it isn't a JWT.
++			ujwt = c.opts.Password
++		}
++		if ujwt == _EMPTY_ {
+ 			s.mu.Unlock()
+ 			c.Debugf("Authentication requires a user JWT")
+ 			return false
+ 		}
+ 		// So we have a valid user jwt here.
+-		juc, err = jwt.DecodeUserClaims(c.opts.JWT)
++		juc, err = jwt.DecodeUserClaims(ujwt)
+ 		if err != nil {
+ 			s.mu.Unlock()
+ 			c.Debugf("User JWT not valid: %v", err)
+@@ -984,6 +991,11 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
+ 		// Hold onto the user's public key.
+ 		c.mu.Lock()
+ 		c.pubKey = juc.Subject
++		// If this is a MQTT client, we purposefully didn't populate the JWT as it could contain
++		// a password or token. Now we know it's a valid JWT, we can populate it.
++		if c.isMqtt() {
++			c.opts.JWT = ujwt
++		}
+ 		c.tags = juc.Tags
+ 		c.nameTag = juc.Name
+ 		c.mu.Unlock()
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+index e82ddb29..fcf607a9 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+@@ -3543,7 +3543,6 @@ func (c *client) mqttParseConnect(r *mqttReader, pl int, hasMappings bool) (byte
+ 			return 0, nil, err
+ 		}
+ 		c.opts.Token = c.opts.Password
+-		c.opts.JWT = c.opts.Password
+ 	}
+ 	return 0, cp, nil
+ }
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -35,6 +35,8 @@ Patch21:        CVE-2026-2303.patch
 Patch22:        CVE-2026-26014.patch
 Patch23:        CVE-2025-11065.patch
 Patch24:        CVE-2026-4645.patch
+Patch25:        CVE-2026-29785.patch
+Patch26:        CVE-2026-33216.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -105,6 +107,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <[email protected]> - 1.29.4-23
+- Patch for CVE-2026-33216, CVE-2026-29785
+
 * Fri Mar 27 2026 Azure Linux Security Servicing Account <[email protected]> - 1.29.4-22
 - Patch for CVE-2026-4645