diff --git a/SPECS/golang/golang-1.25.signatures.json b/SPECS/golang/golang-1.25.signatures.json
index e2e7bad67ba..3047ee43fb9 100644
--- a/SPECS/golang/golang-1.25.signatures.json
+++ b/SPECS/golang/golang-1.25.signatures.json
@@ -3,7 +3,7 @@
 "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
 "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
 "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7",
-"go1.25.8-20260306.2.src.tar.gz": "32c83228b338bb31782e8c9e6aee82e160ba679061b728ed2c35a00a8a38d474",
+"go1.25.9-20260407.1.src.tar.gz": "985777a40244ac7e2b09ec64e226ed5c955018565edc0b80ee9b95f6605ce9d8",
 "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
 }
 }
diff --git a/SPECS/golang/golang-1.25.spec b/SPECS/golang/golang-1.25.spec
index e36f716c7a0..84265e79f9e 100644
--- a/SPECS/golang/golang-1.25.spec
+++ b/SPECS/golang/golang-1.25.spec
@@ -1,6 +1,6 @@
 %global goroot %{_libdir}/golang
 %global gopath %{_datadir}/gocode
-%global ms_go_filename go1.25.8-20260306.2.src.tar.gz
+%global ms_go_filename go1.25.9-20260407.1.src.tar.gz
 %global ms_go_revision 1
 %ifarch aarch64
 %global gohostarch arm64
@@ -14,7 +14,7 @@
 %define __find_requires %{nil}
 Summary: Go
 Name: golang
-Version: 1.25.8
+Version: 1.25.9
 Release: 1%{?dist}
 License: BSD-3-Clause
 Vendor: Microsoft Corporation
@@ -160,6 +160,9 @@ fi
 %{_bindir}/*
 %changelog
+* Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.9-1
+- Bump version to 1.25.9-1
+
 * Fri Mar 06 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.8-1
 - Bump version to 1.25.8-1
diff --git a/SPECS/golang/golang.signatures.json b/SPECS/golang/golang.signatures.json
index 30fe4eb9972..79b6abe02f6 100644
--- a/SPECS/golang/golang.signatures.json
+++ b/SPECS/golang/golang.signatures.json
@@ -4,7 +4,7 @@
 "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
 "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7",
 "go1.24.13-20260204.5.src.tar.gz": "fdf4ec44d7191e59890e988ffba8ab3fd133ec6bd3757955223712f369e2328b",
-"go1.26.1-20260306.1.src.tar.gz": "51c4ea1d0f5c5e0b5860903bab4c66a1544da62ecaa67ea2fe883bef64a2e863",
+"go1.26.2-20260407.2.src.tar.gz": "609b097d0482f96fa1b4e7f738638d33df1aa4c7a01ff6da03b881edc8534987",
 "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
 }
 }
diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec
index 8dd4694d50c..233da5024dd 100644
--- a/SPECS/golang/golang.spec
+++ b/SPECS/golang/golang.spec
@@ -1,6 +1,6 @@
 %global goroot %{_libdir}/golang
 %global gopath %{_datadir}/gocode
-%global ms_go_filename go1.26.1-20260306.1.src.tar.gz
+%global ms_go_filename go1.26.2-20260407.2.src.tar.gz
 %global ms_go_revision 1
 %ifarch aarch64
 %global gohostarch arm64
@@ -14,7 +14,7 @@
 %define __find_requires %{nil}
 Summary: Go
 Name: golang
-Version: 1.26.1
+Version: 1.26.2
 Release: 1%{?dist}
 License: BSD-3-Clause
 Vendor: Microsoft Corporation
@@ -166,6 +166,9 @@ fi
 %{_bindir}/*
 %changelog
+* Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.2-1
+- Bump version to 1.26.2-1
+
 * Fri Mar 06 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.1-1
 - Bump version to 1.26.1-1
diff --git a/SPECS/nodejs24/CVE-2025-69418.patch b/SPECS/nodejs24/CVE-2025-69418.patch
deleted file mode 100644
index e9119f9188b..00000000000
--- a/SPECS/nodejs24/CVE-2025-69418.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 7f2ad153c1417f13eba7a31a2dc336262237e43f Mon Sep 17 00:00:00 2001
-From: Norbert Pocs
-Date: Thu, 8 Jan 2026 15:04:54 +0100
-Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
- trailing bytes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
-encrypts/decrypts full blocks but does not advance in/out pointers. The
-tail-handling code then operates on the base pointers, effectively reprocessing
-the beginning of the buffer while leaving the actual trailing bytes
-unencrypted (encryption) or using the wrong plaintext (decryption). The
-authentication checksum excludes the true tail.
-
-CVE-2025-69418
-
-Fixes: https://github.com/openssl/srt/issues/58
-
-Signed-off-by: Norbert Pocs
-
-Reviewed-by: Saša Nedvědický
-Reviewed-by: Eugene Syromiatnikov
-Reviewed-by: Tomas Mraz
-MergeDate: Mon Jan 26 19:48:35 2026
-(cherry picked from commit be9375d5d45dfaf897b56ef148a0b58402491fcb)
-Signed-off-by: Azure Linux Security Servicing Account
-Upstream-reference: https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347.patch
----
- deps/openssl/openssl/crypto/modes/ocb128.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/deps/openssl/openssl/crypto/modes/ocb128.c b/deps/openssl/openssl/crypto/modes/ocb128.c
-index 1ae807c1..6fe26698 100644
---- a/deps/openssl/openssl/crypto/modes/ocb128.c
-+++ b/deps/openssl/openssl/crypto/modes/ocb128.c
-@@ -338,7 +338,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
-
- if (num_blocks && all_num_blocks == (size_t)all_num_blocks
- && ctx->stream != NULL) {
-- size_t max_idx = 0, top = (size_t)all_num_blocks;
-+ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
-
- /*
- * See how many L_{i} entries we need to process data at hand
-@@ -352,6 +352,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
- ctx->stream(in, out, num_blocks, ctx->keyenc,
- (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
- (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
-+ processed_bytes = num_blocks * 16;
-+ in += processed_bytes;
-+ out += processed_bytes;
- } else {
- /* Loop through all full blocks to be encrypted */
- for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
-@@ -430,7 +433,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
-
- if (num_blocks && all_num_blocks == (size_t)all_num_blocks
- && ctx->stream != NULL) {
-- size_t max_idx = 0, top = (size_t)all_num_blocks;
-+ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
-
- /*
- * See how many L_{i} entries we need to process data at hand
-@@ -444,6 +447,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
- ctx->stream(in, out, num_blocks, ctx->keydec,
- (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
- (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
-+ processed_bytes = num_blocks * 16;
-+ in += processed_bytes;
-+ out += processed_bytes;
- } else {
- OCB_BLOCK tmp;
-
---
-2.45.4
-
diff --git a/SPECS/nodejs24/nodejs24.signatures.json b/SPECS/nodejs24/nodejs24.signatures.json
index b601b952650..48d73d2d1b1 100644
--- a/SPECS/nodejs24/nodejs24.signatures.json
+++ b/SPECS/nodejs24/nodejs24.signatures.json
@@ -3,6 +3,6 @@
 "btest402.js": "fabaf4dacc13e93d54f825b87ffde18573214b149388a5f96176236dd31d7768",
 "icu4c-77_1-data-bin-b.zip": "d8be12e03f782da350508b15354738ed97a3289008a787b6bd2a85434374bff4",
 "icu4c-77_1-data-bin-l.zip": "0913674ff673c585f8bc08370916b6a6ccc30ffb6408a5c1bc3edbf5a687fd96",
-"node-v24.13.0.tar.xz": "320fe909cbb347dcf516201e4964ef177b8138df9a7f810d0d54950481b3158b"
+"node-v24.14.1.tar.xz": "7822507713f202cf2a551899d250259643f477b671706db421a6fb55c4aa0991"
 }
-}
\ No newline at end of file
+}
diff --git a/SPECS/nodejs24/nodejs24.spec b/SPECS/nodejs24/nodejs24.spec
index 569cd330891..d96d4185bd5 100644
--- a/SPECS/nodejs24/nodejs24.spec
+++ b/SPECS/nodejs24/nodejs24.spec
@@ -15,8 +15,8 @@ Summary: A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name: nodejs24
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 # The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version: 24.13.0
-Release: 3%{?dist}
+Version: 24.14.1
+Release: 1%{?dist}
 License: BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -35,7 +35,6 @@ Patch2: CVE-2024-22195.patch
 Patch3: CVE-2020-28493.patch
 Patch4: CVE-2024-34064.patch
 Patch5: CVE-2025-27516.patch
-Patch6: CVE-2025-69418.patch
 BuildRequires: brotli-devel
 BuildRequires: c-ares-devel
 BuildRequires: coreutils >= 8.22
@@ -46,6 +45,7 @@ BuildRequires: openssl-devel >= 1.1.1
 BuildRequires: python3
 BuildRequires: which
 BuildRequires: zlib-devel
+BuildRequires: perl-WWW-Curl
 Requires: brotli
 Requires: c-ares
 Requires: coreutils >= 8.22
@@ -180,6 +180,18 @@ make cctest
 %{_prefix}/lib/node_modules/*
 %changelog
+* Wed Apr 01 2026 Ratiranjan Behera - 24.14.1-1
+- Upgrade to 24.14.1
+- Security fixes included:
+ CVE-2026-21710: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
+ CVE-2026-21637: wrap SNICallback invocation in try/catch (Matteo Collina) - High
+ CVE-2026-21717: test array index hash collision (Joyee Cheung) - Medium
+ CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
+ CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
+ CVE-2026-21712: handle url crash on different url formats (RafaelGSS) - Medium
+ CVE-2026-21716: include permission check on lib/fs/promises (RafaelGSS) - Low
+ CVE-2026-21715: add permission check to realpath.native (RafaelGSS) - Low
+
 * Fri Feb 13 2026 Azure Linux Security Servicing Account - 24.13.0-3
 - Patch for CVE-2025-69418
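Review bot: The `-Patch6: CVE-2025-69418.patch` removal in the `@@ -35,7 +35,6 @@` hunk is not accounted for by the 24.14.1-1 changelog entry in the `@@ -180,6 +180,18 @@` hunk, which lists eight new CVEs but says nothing about CVE-2025-69418, so a reader of the package history cannot tell whether that fix was dropped or is now carried upstream. The deleted patch touched `deps/openssl/openssl/crypto/modes/ocb128.c` in the bundled OpenSSL; confirm that the 24.14.1 tarball's copy of that file already advances `in`/`out` after the `ctx->stream` call in both `CRYPTO_ocb128_encrypt` and `CRYPTO_ocb128_decrypt`, and record the outcome with a changelog line such as `- Drop CVE-2025-69418.patch: fix carried by the OpenSSL bundled in 24.14.1` (wording to match what was verified). The new `+BuildRequires: perl-WWW-Curl` in the `@@ -46,6 +45,7 @@` hunk also arrives without a comment naming the build or test step that needs it; a one-line comment above it would keep the BuildRequires list auditable.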
diff --git a/SPECS/python-wheel/CVE-2026-24049.patch b/SPECS/python-wheel/CVE-2026-24049.patch
new file mode 100644
index 00000000000..94ab5ea0a92
--- /dev/null
+++ b/SPECS/python-wheel/CVE-2026-24049.patch
@@ -0,0 +1,69 @@
+From 5d21b0f9ba9d397f45bb9003635be81df846f894 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?=
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+Fixes CVE-2026-24049.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
+---
+ src/wheel/cli/unpack.py | 4 ++--
+ tests/cli/test_unpack.py | 23 +++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/src/wheel/cli/unpack.py
++++ b/src/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+ destination = Path(dest) / namever
+ print(f"Unpacking to: {destination}...", end="", flush=True)
+ for zinfo in wf.filelist:
+- wf.extract(zinfo, destination)
++ target_path = Path(wf.extract(zinfo, destination))
+
+ # Set permissions to the same values as they were set in the archive
+ # We have to do this manually due to
+ # https://github.com/python/cpython/issues/59999
+ permissions = zinfo.external_attr >> 16 & 0o777
+- destination.joinpath(zinfo.filename).chmod(permissions)
++ target_path.chmod(permissions)
+
+ print("OK")
+diff --git a/tests/cli/test_unpack.py b/tests/cli/test_unpack.py
+index ae584af..75fe193 100644
+--- a/tests/cli/test_unpack.py
++++ b/tests/cli/test_unpack.py
+@@ -34,3 +34,26 @@ def test_unpack_executable_bit(tmp_path):
+ unpack(str(wheel_path), str(tmp_path))
+ assert not script_path.is_dir()
+ assert stat.S_IMODE(script_path.stat().st_mode) == 0o755
++
++
++@pytest.mark.skipif(
++ platform.system() == "Windows", reason="Windows does not support chmod()"
++)
++def test_chmod_outside_unpack_tree(tmp_path_factory: TempPathFactory) -> None:
++ wheel_path = tmp_path_factory.mktemp("build") / "test-1.0-py3-none-any.whl"
++ with WheelFile(wheel_path, "w") as wf:
++ wf.writestr(
++ "test-1.0.dist-info/METADATA",
++ "Metadata-Version: 2.4\nName: test\nVersion: 1.0\n",
++ )
++ wf.writestr("../../system-file", b"malicious data")
++
++ extract_root_path = tmp_path_factory.mktemp("extract")
++ system_file = extract_root_path / "system-file"
++ extract_path = extract_root_path / "subdir"
++ system_file.write_bytes(b"important data")
++ system_file.chmod(0o755)
++ unpack(str(wheel_path), str(extract_path))
++
++ assert system_file.read_bytes() == b"important data"
++ assert stat.S_IMODE(system_file.stat().st_mode) == 0o755
+--
+2.45.4
+
diff --git a/SPECS/python-wheel/python-wheel.spec b/SPECS/python-wheel/python-wheel.spec
index c6880ac23ce..ef5208457e1 100644
--- a/SPECS/python-wheel/python-wheel.spec
+++ b/SPECS/python-wheel/python-wheel.spec
@@ -4,12 +4,13 @@ Summary: Built-package format for Python
 Name: python-%{pypi_name}
 Version: 0.43.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 URL: https://github.com/pypa/wheel
 Source0: %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
+Patch0: CVE-2026-24049.patch
 %global pypi_name wheel
 %global python_wheel_name %{pypi_name}-%{version}-py3-none-any.whl
 %global python_wheeldir %{_datadir}/python-wheels
@@ -115,6 +116,9 @@ pip3 install iniconfig
 %endif
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account - 0.43.0-2
+- Patch for CVE-2026-24049
+
 * Fri May 10 2024 Betty Lakes - 0.43.0-1
 - Updated to 0.43.0
diff --git a/cgmanifest.json b/cgmanifest.json
index 4ef892de00a..6c9bf1e8e45 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
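Review bot: The backported test in the `+@@ -34,3 +34,26 @@` hunk of tests/cli/test_unpack.py uses `platform.system()` and the `TempPathFactory` annotation, but nothing in this patch adds imports for either name — the diffstat's 23 insertions for that file are all in the visible hunk — so on 0.43.0 the test only collects if that file already imports both; the upstream test file may well do so, but the 0.43.0 copy should be checked before `%check` is relied on. The unpack.py change itself is what the CVE needs: `wf.extract()` returns the path it actually wrote, which `ZipFile.extract` normalizes to stay under `destination` (it drops `..` components), whereas the old `destination.joinpath(zinfo.filename)` followed a `../` archive name verbatim. If the imports are missing, the fix still ships; only the regression test would fail at collection, which is what the spec's `%check` would surface.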
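Review bot: `+Patch0: CVE-2026-24049.patch` in the `@@ -4,12 +4,13 @@` hunk of python-wheel.spec declares the patch, but the `%prep` section that must apply it lies outside this hunk, so the diff alone does not show that the Release bump ships the fix; confirm `%prep` uses `%autosetup -p1` (or an explicit `%patch0 -p1` — the patch paths are `a/src/wheel/cli/unpack.py`) rather than a bare `%setup`. The `Patch0:` line would also be easier to audit with the upstream reference the patch header already carries placed above it, e.g. `# https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef`.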
@@ -4730,8 +4730,8 @@
 "type": "other",
 "other": {
 "name": "golang",
- "version": "1.26.1",
- "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.26.1-1/go1.26.1-20260306.1.src.tar.gz"
+ "version": "1.26.2",
+ "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.26.2-1/go1.26.2-20260407.2.src.tar.gz"
 }
 }
 },
@@ -4740,8 +4740,8 @@
 "type": "other",
 "other": {
 "name": "golang",
- "version": "1.25.8",
- "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.25.8-1/go1.25.8-20260306.2.src.tar.gz"
+ "version": "1.25.9",
+ "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.25.9-1/go1.25.9-20260407.1.src.tar.gz"
 }
 }
 },
@@ -14542,8 +14542,8 @@
 "type": "other",
 "other": {
 "name": "nodejs24",
- "version": "24.13.0",
- "downloadUrl": "https://nodejs.org/download/release/v24.13.0/node-v24.13.0.tar.xz"
+ "version": "24.14.1",
+ "downloadUrl": "https://nodejs.org/download/release/v24.14.1/node-v24.14.1.tar.xz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 7d45428d3fb..7e86e350e74 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -530,7 +530,7 @@ procps-ng-lang-4.0.4-1.azl3.aarch64.rpm
 pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm
-python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
+python-wheel-wheel-0.43.0-2.azl3.noarch.rpm
 python3-3.12.9-10.azl3.aarch64.rpm
 python3-audit-3.1.2-1.azl3.aarch64.rpm
 python3-cracklib-2.9.11-1.azl3.aarch64.rpm
@@ -557,7 +557,7 @@ python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-10.azl3.aarch64.rpm
 python3-tools-3.12.9-10.azl3.aarch64.rpm
-python3-wheel-0.43.0-1.azl3.noarch.rpm
+python3-wheel-0.43.0-2.azl3.noarch.rpm
 readline-8.2-2.azl3.aarch64.rpm
 readline-debuginfo-8.2-2.azl3.aarch64.rpm
 readline-devel-8.2-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 65804348084..87a35b09786 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -538,7 +538,7 @@ procps-ng-lang-4.0.4-1.azl3.x86_64.rpm
 pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm
-python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
+python-wheel-wheel-0.43.0-2.azl3.noarch.rpm
 python3-3.12.9-10.azl3.x86_64.rpm
 python3-audit-3.1.2-1.azl3.x86_64.rpm
 python3-cracklib-2.9.11-1.azl3.x86_64.rpm
@@ -565,7 +565,7 @@ python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-10.azl3.x86_64.rpm
 python3-tools-3.12.9-10.azl3.x86_64.rpm
-python3-wheel-0.43.0-1.azl3.noarch.rpm
+python3-wheel-0.43.0-2.azl3.noarch.rpm
 readline-8.2-2.azl3.x86_64.rpm
 readline-debuginfo-8.2-2.azl3.x86_64.rpm
 readline-devel-8.2-2.azl3.x86_64.rpm