diff --git a/SPECS/azurelinux-image-tools/CVE-2026-27141.patch b/SPECS/azurelinux-image-tools/CVE-2026-27141.patch deleted file mode 100644 index 0df16c8ead2..00000000000 --- a/SPECS/azurelinux-image-tools/CVE-2026-27141.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 09313f6d249a0c11eeb3ce16578033bdd6602fcb Mon Sep 17 00:00:00 2001 -From: Konnyaku -Date: Tue, 17 Feb 2026 21:23:54 +0800 -Subject: [PATCH] http2: fix nil panic in typeFrameParser for unassigned frame - types - -The addition of FramePriorityUpdate (0x10) in RFC 9218 introduced a gap -in the frameParsers array indices (0x0a-0x0f). These indices were -initialized to nil, causing a panic when typeFrameParser accessed them -for unassigned frame types (e.g., ALTSVC 0x0a). - -This change adds a nil check in typeFrameParser to safely fallback to -parseUnknownFrame for these unassigned types, preventing the crash. - -Fixes golang/go#77652 - -Change-Id: I14d7ad85afc1eafabc46417a9fff10f9e0a22446 -Reviewed-on: https://go-review.googlesource.com/c/net/+/746180 -LUCI-TryBot-Result: Go LUCI -Reviewed-by: Damien Neil -Auto-Submit: Damien Neil -Reviewed-by: Mark Freeman -Signed-off-by: Azure Linux Security Servicing Account -Upstream-reference: https://github.com/golang/net/commit/19f580fd686a6bb31d4af15febe789827169bc26.patch ---- - vendor/golang.org/x/net/http2/frame.go | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go -index 9a4bd12..6e393e9 100644 ---- a/vendor/golang.org/x/net/http2/frame.go -+++ b/vendor/golang.org/x/net/http2/frame.go -@@ -139,7 +139,9 @@ var frameParsers = [...]frameParser{ - - func typeFrameParser(t FrameType) frameParser { - if int(t) < len(frameParsers) { -- return frameParsers[t] -+ if f := frameParsers[t]; f != nil { -+ return f -+ } - } - return parseUnknownFrame - } --- -2.45.4 - diff --git a/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json b/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json index d83beb5f5eb..223e193e3f6 100644 --- a/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json +++ b/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json @@ -1,6 +1,6 @@ { - "Signatures": { - "azurelinux-image-tools-1.2.0.tar.gz": "7bfc2abf2b8a23bdcc3828e14c830f6a3f02a8c6fce9f9876e2a39a79ec74eda", - "azurelinux-image-tools-1.2.0-vendor.tar.gz": "b46fee0371838f1a3a3f1148b14d08a17aaef33789ecd481c9c7dab0bf496f17" - } -} \ No newline at end of file + "Signatures": { + "azurelinux-image-tools-1.3.0-vendor.tar.gz": "0f8cde7b29cd24a5b8f695e9bf3f836f79d7d7ad2b02696de776843d071de291", + "azurelinux-image-tools-1.3.0.tar.gz": "a217ac57e88f07da52fe822d8423fa842901e5b9d9c1baaa2592198aa9b7a165" + } +} diff --git a/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec b/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec index 3cad0890004..29f3e77d97a 100644 --- a/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec +++ b/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec @@ -2,8 +2,8 @@ Summary: Azure Linux Image Tools Name: azurelinux-image-tools -Version: 1.2.0 -Release: 2%{?dist} +Version: 1.3.0 +Release: 1%{?dist} License: MIT URL: https://github.com/microsoft/azure-linux-image-tools/ Group: Applications/System @@ -15,8 +15,7 @@ Source0: https://github.com/microsoft/azure-linux-image-tools/archive/ref # Use generate_source_tarball.sh script with the package version to build this tarball. # Source1: %{name}-%{version}-vendor.tar.gz -Patch0: CVE-2026-27141.patch -BuildRequires: golang < 1.25 +BuildRequires: golang >= 1.25 BuildRequires: systemd-udev Requires: %{name}-imagecustomizer = %{version}-%{release} @@ -74,6 +73,7 @@ The Azure Linux OS Modifier is a tool that can modify an OS. %build export GOPATH=%{our_gopath} export GOFLAGS="-mod=vendor" +export GOEXPERIMENT=ms_nocgo_opensslcrypto make -C toolkit go-imagecustomizer REBUILD_TOOLS=y SKIP_LICENSE_SCAN=y IMAGE_CUSTOMIZER_VERSION_PREVIEW= make -C toolkit go-osmodifier REBUILD_TOOLS=y SKIP_LICENSE_SCAN=y @@ -112,6 +112,9 @@ go test -C toolkit/tools ./... %{_bindir}/osmodifier %changelog +* Tue Apr 28 2026 Aditya Singh - 1.3.0-1 +- Upgrade to version 1.3.0 which includes fixes for CVE-2026-27141, CVE-2026-29181 and CVE-2026-39882 + * Thu Mar 05 2026 Azure Linux Security Servicing Account - 1.2.0-2 - Patch for CVE-2026-27141 diff --git a/SPECS/frr/CVE-2025-61099.patch b/SPECS/frr/CVE-2025-61099.patch deleted file mode 100644 index d2a8dcd551a..00000000000 --- a/SPECS/frr/CVE-2025-61099.patch +++ /dev/null @@ -1,114 +0,0 @@ -From b7d9b7aa47627b31e4b50795284408ab6de98660 Mon Sep 17 00:00:00 2001 -From: s1awwhy -Date: Sun, 24 Aug 2025 21:17:55 +0800 -Subject: [PATCH] Address CVE-2025-61099 - -Fix check_tlv_size macro in ospf_ext.c, ospf_ri.c, and ospf_te.c to: -- Add NULL check for vty pointer before calling vty_out -- Return OSPF_MAX_LSA_SIZE + 1 to skip subsequent TLVs on size mismatch -- Improve error messages to indicate subsequent TLVs will be skipped - -Note: The JSON support and other vty refactoring changes from the original -upstream PR #19983 are already included in FRR 10.5.0. This patch only -contains the check_tlv_size security fixes. - -Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/FRRouting/frr/pull/19983.patch ---- -diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c -index df0b3b9..9fbaa1e 100644 ---- a/ospfd/ospf_ext.c -+++ b/ospfd/ospf_ext.c -@@ -1705,13 +1705,18 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op) - * ------------------------------------ - */ - --#define check_tlv_size(size, msg) \ -- do { \ -- if (ntohs(tlvh->length) != size) { \ -- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ -- msg, ntohs(tlvh->length), size); \ -- return size + TLV_HDR_SIZE; \ -- } \ -+#define check_tlv_size(size, msg) \ -+ do { \ -+ if (ntohs(tlvh->length) != size) { \ -+ if (vty != NULL) \ -+ vty_out(vty, \ -+ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ -+ msg, ntohs(tlvh->length), size); \ -+ else \ -+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ -+ msg, ntohs(tlvh->length), size); \ -+ return OSPF_MAX_LSA_SIZE + 1; \ -+ } \ - } while (0) - - /* Cisco experimental SubTLV */ -diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c -index 76e6efe..e094ba4 100644 ---- a/ospfd/ospf_ri.c -+++ b/ospfd/ospf_ri.c -@@ -1204,17 +1204,18 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa) - * Following are vty session control functions. - *------------------------------------------------------------------------*/ - --#define check_tlv_size(size, msg) \ -- do { \ -- if (ntohs(tlvh->length) > size) { \ -- if (vty != NULL) \ -- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \ -- msg, ntohs(tlvh->length), size); \ -- else \ -- zlog_debug(" Wrong %s TLV size: %d(%d)", \ -- msg, ntohs(tlvh->length), size); \ -- return size + TLV_HDR_SIZE; \ -- } \ -+#define check_tlv_size(size, msg) \ -+ do { \ -+ if (ntohs(tlvh->length) > size) { \ -+ if (vty != NULL) \ -+ vty_out(vty, \ -+ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ -+ msg, ntohs(tlvh->length), size); \ -+ else \ -+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ -+ msg, ntohs(tlvh->length), size); \ -+ return OSPF_MAX_LSA_SIZE + 1; \ -+ } \ - } while (0) - - static uint16_t show_vty_router_cap(struct vty *vty, struct tlv_header *tlvh, -diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c -index d187485..e0a6717 100644 ---- a/ospfd/ospf_te.c -+++ b/ospfd/ospf_te.c -@@ -3157,17 +3157,18 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf) - /*------------------------------------------------------------------------* - * Following are vty session control functions. - *------------------------------------------------------------------------*/ --#define check_tlv_size(size, msg) \ -- do { \ -- if (ntohs(tlvh->length) > size) { \ -- if (vty != NULL) \ -- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \ -- msg, ntohs(tlvh->length), size); \ -- else \ -- zlog_debug(" Wrong %s TLV size: %d(%d)", \ -- msg, ntohs(tlvh->length), size); \ -- return size + TLV_HDR_SIZE; \ -- } \ -+#define check_tlv_size(size, msg) \ -+ do { \ -+ if (ntohs(tlvh->length) > size) { \ -+ if (vty != NULL) \ -+ vty_out(vty, \ -+ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ -+ msg, ntohs(tlvh->length), size); \ -+ else \ -+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ -+ msg, ntohs(tlvh->length), size); \ -+ return OSPF_MAX_LSA_SIZE + 1; \ -+ } \ - } while (0) - - static uint16_t show_vty_router_addr(struct vty *vty, struct tlv_header *tlvh, diff --git a/SPECS/frr/CVE-2026-28532.patch b/SPECS/frr/CVE-2026-28532.patch deleted file mode 100644 index 080e6aeba51..00000000000 --- a/SPECS/frr/CVE-2026-28532.patch +++ /dev/null @@ -1,310 +0,0 @@ -From 263944816e5ea06c9c5dcc35002b819197fbfa60 Mon Sep 17 00:00:00 2001 -From: Jafar Al-Gharaibeh -Date: Wed, 4 Mar 2026 12:38:46 -0600 -Subject: [PATCH] ospfd: harden TE/SR TLV iteration against malformed lengths - -Use 32-bit counters and per-iteration TLV size bounds checks -in OSPF TE/SR TLV parsers so malformed opaque LSAs cannot wrap -loop accounting and advance pointers beyond the LSA buffer. - -- Change loop accumulators from 16-bit to 32-bit (uint32_t) to - prevent wraparound -- Rework TLV iteration so pointer advancement is controlled in-loop -- Add per-iteration guard before advancing: - - `tlv_size <= (len - sum)` (or `length - sum`) -- On malformed size, parser now logs and exits/breaks the loop - safely instead of stepping past buffer limits - -Signed-off-by: Jafar Al-Gharaibeh -(cherry picked from commit d3e8aedb87671f38db59b0df908e25e1d4af027d) -Signed-off-by: Azure Linux Security Servicing Account -Upstream-reference: https://github.com/FRRouting/frr/commit/c06b61a8586df163fc565667d7bff8e05e0df99d.patch ---- - ospfd/ospf_sr.c | 50 ++++++++++++++++++++++++++++++-------- - ospfd/ospf_te.c | 64 +++++++++++++++++++++++++++++++++++++++---------- - 2 files changed, 91 insertions(+), 23 deletions(-) - -diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c -index 078971e..5a9e2c7 100644 ---- a/ospfd/ospf_sr.c -+++ b/ospfd/ospf_sr.c -@@ -985,7 +985,8 @@ static struct sr_link *get_ext_link_sid(struct tlv_header *tlvh, size_t size) - struct ext_subtlv_rmt_itf_addr *rmt_itf; - - struct tlv_header *sub_tlvh; -- uint16_t length = 0, sum = 0, i = 0; -+ uint32_t length = 0, sum = 0; -+ uint16_t i = 0; - - /* Check TLV size */ - if ((ntohs(tlvh->length) > size) -@@ -1000,7 +1001,15 @@ static struct sr_link *get_ext_link_sid(struct tlv_header *tlvh, size_t size) - length = ntohs(tlvh->length) - EXT_TLV_LINK_SIZE; - sub_tlvh = (struct tlv_header *)((char *)(tlvh) + TLV_HDR_SIZE - + EXT_TLV_LINK_SIZE); -- for (; sum < length && sub_tlvh; sub_tlvh = TLV_HDR_NEXT(sub_tlvh)) { -+ for (; sum < length && sub_tlvh;) { -+ uint32_t tlv_size = TLV_SIZE(sub_tlvh); -+ -+ if (tlv_size > length - sum) { -+ zlog_warn("Malformed Extended Link sub-TLV size %u (remaining %u)", -+ tlv_size, length - sum); -+ break; -+ } -+ - switch (ntohs(sub_tlvh->type)) { - case EXT_SUBTLV_ADJ_SID: - adj_sid = (struct ext_subtlv_adj_sid *)sub_tlvh; -@@ -1041,7 +1050,9 @@ static struct sr_link *get_ext_link_sid(struct tlv_header *tlvh, size_t size) - default: - break; - } -- sum += TLV_SIZE(sub_tlvh); -+ sum += tlv_size; -+ if (sum < length) -+ sub_tlvh = TLV_HDR_NEXT(sub_tlvh); - } - - IPV4_ADDR_COPY(&srl->itf_addr, &link->link_data); -@@ -1062,7 +1073,7 @@ static struct sr_prefix *get_ext_prefix_sid(struct tlv_header *tlvh, - struct ext_subtlv_prefix_sid *psid; - - struct tlv_header *sub_tlvh; -- uint16_t length = 0, sum = 0; -+ uint32_t length = 0, sum = 0; - - /* Check TLV size */ - if ((ntohs(tlvh->length) > size) -@@ -1077,7 +1088,15 @@ static struct sr_prefix *get_ext_prefix_sid(struct tlv_header *tlvh, - length = ntohs(tlvh->length) - EXT_TLV_PREFIX_SIZE; - sub_tlvh = (struct tlv_header *)((char *)(tlvh) + TLV_HDR_SIZE - + EXT_TLV_PREFIX_SIZE); -- for (; sum < length && sub_tlvh; sub_tlvh = TLV_HDR_NEXT(sub_tlvh)) { -+ for (; sum < length && sub_tlvh;) { -+ uint32_t tlv_size = TLV_SIZE(sub_tlvh); -+ -+ if (tlv_size > length - sum) { -+ zlog_warn("Malformed Extended Prefix sub-TLV size %u (remaining %u)", -+ tlv_size, length - sum); -+ break; -+ } -+ - switch (ntohs(sub_tlvh->type)) { - case EXT_SUBTLV_PREFIX_SID: - psid = (struct ext_subtlv_prefix_sid *)sub_tlvh; -@@ -1102,7 +1121,9 @@ static struct sr_prefix *get_ext_prefix_sid(struct tlv_header *tlvh, - default: - break; - } -- sum += TLV_SIZE(sub_tlvh); -+ sum += tlv_size; -+ if (sum < length) -+ sub_tlvh = TLV_HDR_NEXT(sub_tlvh); - } - - osr_debug(" |- Found SID %u for prefix %pFX", srp->sid, -@@ -1370,7 +1391,7 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa) - struct ri_sr_tlv_sid_label_range *ri_srlb = NULL; - struct ri_sr_tlv_sr_algorithm *algo = NULL; - struct sr_block srgb; -- uint16_t length = 0, sum = 0; -+ uint32_t length = 0, sum = 0; - uint8_t msd = 0; - - osr_debug("SR (%s): Process Router Information LSA 4.0.0.%u from %pI4", -@@ -1398,8 +1419,15 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa) - srgb.range_size = 0; - srgb.lower_bound = 0; - -- for (tlvh = TLV_HDR_TOP(lsah); (sum < length) && (tlvh != NULL); -- tlvh = TLV_HDR_NEXT(tlvh)) { -+ for (tlvh = TLV_HDR_TOP(lsah); (sum < length) && (tlvh != NULL);) { -+ uint32_t tlv_size = TLV_SIZE(tlvh); -+ -+ if (tlv_size > length - sum) { -+ zlog_warn("Malformed RI TLV size %u (remaining %u)", tlv_size, -+ length - sum); -+ break; -+ } -+ - switch (ntohs(tlvh->type)) { - case RI_SR_TLV_SR_ALGORITHM: - algo = (struct ri_sr_tlv_sr_algorithm *)tlvh; -@@ -1416,7 +1444,9 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa) - default: - break; - } -- sum += TLV_SIZE(tlvh); -+ sum += tlv_size; -+ if (sum < length) -+ tlvh = TLV_HDR_NEXT(tlvh); - } - - /* Check if Segment Routing Capabilities has been found */ -diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c -index 6fdf98f..6b0355a 100644 ---- a/ospfd/ospf_te.c -+++ b/ospfd/ospf_te.c -@@ -2122,7 +2122,7 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) - struct ls_attributes *old, attr = {}; - struct tlv_header *tlvh; - void *value; -- uint16_t len, sum; -+ uint32_t len, sum; - uint8_t lsa_id; - - /* Initialize Attribute */ -@@ -2152,11 +2152,19 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) - - sum = sizeof(struct tlv_header); - /* Browse sub-TLV and fulfill Link State Attributes */ -- for (tlvh = TLV_DATA(tlvh); sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { -+ tlvh = TLV_DATA(tlvh); -+ while (sum < len) { -+ uint32_t tlv_size = TLV_SIZE(tlvh); - uint32_t val32, tab32[2]; - float valf, tabf[8]; - struct in_addr addr; - -+ if (tlv_size > len - sum) { -+ zlog_warn("Malformed TE sub-TLV size %u (remaining %u)", tlv_size, -+ len - sum); -+ break; -+ } -+ - value = TLV_DATA(tlvh); - switch (ntohs(tlvh->type)) { - case TE_LINK_SUBTLV_LCLIF_IPADDR: -@@ -2251,7 +2259,9 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) - default: - break; - } -- sum += TLV_SIZE(tlvh); -+ sum += tlv_size; -+ if (sum < len) -+ tlvh = TLV_HDR_NEXT(tlvh); - } - - /* Get corresponding Edge from Link State Data Base */ -@@ -2351,7 +2361,7 @@ static int ospf_te_delete_te(struct ls_ted *ted, struct ospf_lsa *lsa) - struct tlv_header *tlvh; - struct in_addr addr; - struct ls_edge_key key = {.family = AF_UNSPEC}; -- uint16_t len, sum; -+ uint32_t len, sum; - uint8_t lsa_id; - - /* Initialize TLV browsing */ -@@ -2363,14 +2373,25 @@ static int ospf_te_delete_te(struct ls_ted *ted, struct ospf_lsa *lsa) - sum = sizeof(struct tlv_header); - - /* Browse sub-TLV to find Link ID */ -- for (tlvh = TLV_DATA(tlvh); sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { -+ tlvh = TLV_DATA(tlvh); -+ while (sum < len) { -+ uint32_t tlv_size = TLV_SIZE(tlvh); -+ -+ if (tlv_size > len - sum) { -+ zlog_warn("Malformed TE sub-TLV size %u (remaining %u)", tlv_size, -+ len - sum); -+ break; -+ } -+ - if (ntohs(tlvh->type) == TE_LINK_SUBTLV_LCLIF_IPADDR) { - memcpy(&addr, TLV_DATA(tlvh), TE_LINK_SUBTLV_DEF_SIZE); - key.family = AF_INET; - IPV4_ADDR_COPY(&key.k.addr, &addr); - break; - } -- sum += TLV_SIZE(tlvh); -+ sum += tlv_size; -+ if (sum < len) -+ tlvh = TLV_HDR_NEXT(tlvh); - } - if (key.family == AF_UNSPEC) - return 0; -@@ -2445,7 +2466,7 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) - struct ls_node *node; - struct lsa_header *lsah = lsa->data; - struct tlv_header *tlvh; -- uint16_t len = 0, sum = 0; -+ uint32_t len = 0, sum = 0; - - /* Get vertex / Node from LSA Advertised Router ID */ - vertex = get_vertex(ted, lsa); -@@ -2456,13 +2477,18 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) - - /* Initialize TLV browsing */ - len = lsa->size - OSPF_LSA_HEADER_SIZE; -- for (tlvh = TLV_HDR_TOP(lsah); sum < len && tlvh; -- tlvh = TLV_HDR_NEXT(tlvh)) { -+ for (tlvh = TLV_HDR_TOP(lsah); sum < len && tlvh;) { -+ uint32_t tlv_size = TLV_SIZE(tlvh); - struct ri_sr_tlv_sr_algorithm *algo; - struct ri_sr_tlv_sid_label_range *range; - struct ri_sr_tlv_node_msd *msd; - uint32_t size, lower; - -+ if (tlv_size > len - sum) { -+ zlog_warn("Malformed RI TLV size %u (remaining %u)", tlv_size, len - sum); -+ break; -+ } -+ - switch (ntohs(tlvh->type)) { - case RI_SR_TLV_SR_ALGORITHM: - if (TLV_BODY_SIZE(tlvh) < 1 || -@@ -2547,7 +2573,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) - default: - break; - } -- sum += TLV_SIZE(tlvh); -+ sum += tlv_size; -+ if (sum < len) -+ tlvh = TLV_HDR_NEXT(tlvh); - } - - /* Vertex has been created or updated: export it */ -@@ -2759,7 +2787,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - struct ext_tlv_link *ext; - struct ls_edge *edge; - struct ls_attributes *atr; -- uint16_t len = 0, sum = 0, i; -+ uint32_t len = 0, sum = 0; -+ uint16_t i; - uint32_t label; - - /* Get corresponding Edge from Link State Data Base */ -@@ -2793,11 +2822,18 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - len -= EXT_TLV_LINK_SIZE; - tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE - + EXT_TLV_LINK_SIZE); -- for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { -+ for (; sum < len;) { -+ uint32_t tlv_size = TLV_SIZE(tlvh); - struct ext_subtlv_adj_sid *adj; - struct ext_subtlv_lan_adj_sid *ladj; - struct ext_subtlv_rmt_itf_addr *rmt; - -+ if (tlv_size > len - sum) { -+ zlog_warn("Malformed Extended Link sub-TLV size %u (remaining %u)", -+ tlv_size, len - sum); -+ break; -+ } -+ - switch (ntohs(tlvh->type)) { - case EXT_SUBTLV_ADJ_SID: - if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE) -@@ -2876,7 +2912,9 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - default: - break; - } -- sum += TLV_SIZE(tlvh); -+ sum += tlv_size; -+ if (sum < len) -+ tlvh = TLV_HDR_NEXT(tlvh); - } - - /* Export Link State Edge if needed */ --- -2.45.4 - diff --git a/SPECS/frr/CVE-2026-5107.patch b/SPECS/frr/CVE-2026-5107.patch deleted file mode 100644 index 676d13d1e4f..00000000000 --- a/SPECS/frr/CVE-2026-5107.patch +++ /dev/null @@ -1,103 +0,0 @@ -From f708d9a5e33c8bcb17c266e8917c90dd2f84b0f9 Mon Sep 17 00:00:00 2001 -From: Mark Stapp -Date: Wed, 11 Mar 2026 14:52:54 -0400 -Subject: [PATCH] bgpd: improve packet parsing for EVPN and ENCAP/VNC - -Improve packet validation for EVPN NLRIs and for ENCAP/VNC. - -Signed-off-by: Mark Stapp -(cherry picked from commit 7676cad65114aa23adde583d91d9d29e2debd045) -Signed-off-by: Azure Linux Security Servicing Account -Upstream-reference: https://github.com/FRRouting/frr/commit/52c72c5ad8ccb491a9bab096002072667089d2d3.patch ---- - bgpd/bgp_evpn.c | 17 +++++++++++++++++ - bgpd/bgp_evpn_mh.c | 10 +++++++++- - bgpd/rfapi/rfapi_rib.c | 9 +++++++++ - 3 files changed, 35 insertions(+), 1 deletion(-) - -diff --git a/bgpd/bgp_evpn.c b/bgpd/bgp_evpn.c -index e33a30b..d061908 100644 ---- a/bgpd/bgp_evpn.c -+++ b/bgpd/bgp_evpn.c -@@ -4917,6 +4917,14 @@ static int process_type2_route(struct peer *peer, afi_t afi, safi_t safi, - goto fail; - } - -+ /* Validate ipaddr_len against the NLRI length */ -+ if ((psize != 33 + (ipaddr_len / 8)) && (psize != 36 + (ipaddr_len / 8))) { -+ flog_err(EC_BGP_EVPN_ROUTE_INVALID, -+ "%u:%s - Rx EVPN Type-2 NLRI with invalid IP address length %d", -+ peer->bgp->vrf_id, peer->host, ipaddr_len); -+ goto fail; -+ } -+ - if (ipaddr_len) { - ipaddr_len /= 8; /* Convert to bytes. */ - p.prefix.macip_addr.ip.ipa_type = (ipaddr_len == IPV4_MAX_BYTELEN) -@@ -5014,6 +5022,15 @@ static int process_type3_route(struct peer *peer, afi_t afi, safi_t safi, - - /* Get the IP. */ - ipaddr_len = *pfx++; -+ -+ /* Validate */ -+ if (psize != 13 + (ipaddr_len / 8)) { -+ flog_err(EC_BGP_EVPN_ROUTE_INVALID, -+ "%u:%s - Rx EVPN Type-3 NLRI with invalid IP address length %d", -+ peer->bgp->vrf_id, peer->host, ipaddr_len); -+ return -1; -+ } -+ - if (ipaddr_len == IPV4_MAX_BITLEN) { - p.prefix.imet_addr.ip.ipa_type = IPADDR_V4; - memcpy(&p.prefix.imet_addr.ip.ip.addr, pfx, IPV4_MAX_BYTELEN); -diff --git a/bgpd/bgp_evpn_mh.c b/bgpd/bgp_evpn_mh.c -index 1ce5ef2..5905349 100644 ---- a/bgpd/bgp_evpn_mh.c -+++ b/bgpd/bgp_evpn_mh.c -@@ -752,9 +752,17 @@ int bgp_evpn_type4_route_process(struct peer *peer, afi_t afi, safi_t safi, - memcpy(&esi, pfx, ESI_BYTES); - pfx += ESI_BYTES; - -- - /* Get the IP. */ - ipaddr_len = *pfx++; -+ -+ /* Validate */ -+ if (psize != 19 + (ipaddr_len / 8)) { -+ flog_err(EC_BGP_EVPN_ROUTE_INVALID, -+ "%u:%s - Rx EVPN Type-4 NLRI with invalid IP address length %d", -+ peer->bgp->vrf_id, peer->host, ipaddr_len); -+ return -1; -+ } -+ - if (ipaddr_len == IPV4_MAX_BITLEN) { - memcpy(&vtep_ip, pfx, IPV4_MAX_BYTELEN); - } else { -diff --git a/bgpd/rfapi/rfapi_rib.c b/bgpd/rfapi/rfapi_rib.c -index 9a3d56b..11384b5 100644 ---- a/bgpd/rfapi/rfapi_rib.c -+++ b/bgpd/rfapi/rfapi_rib.c -@@ -668,11 +668,20 @@ static void rfapiRibBi2Ri(struct bgp_path_info *bpi, struct rfapi_info *ri, - break; - - case BGP_VNC_SUBTLV_TYPE_RFPOPTION: -+ /* Check for short subtlv: drop */ -+ if (pEncap->length < 3) -+ break; -+ -+ /* Length of zero not valid */ -+ if (pEncap->value[1] == 0) -+ break; -+ - hop = XCALLOC(MTYPE_BGP_TEA_OPTIONS, - sizeof(struct bgp_tea_options)); - assert(hop); - hop->type = pEncap->value[0]; - hop->length = pEncap->value[1]; -+ - hop->value = XCALLOC(MTYPE_BGP_TEA_OPTIONS_VALUE, - pEncap->length - 2); - assert(hop->value); --- -2.45.4 - diff --git a/SPECS/frr/frr.signatures.json b/SPECS/frr/frr.signatures.json index 6f9db6da023..21b2c21b8c8 100644 --- a/SPECS/frr/frr.signatures.json +++ b/SPECS/frr/frr.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "frr-10.5.0.tar.gz": "a84b973e713349dca09e2009f33dc499564f2e9faba01c0d3cba9204802b0cd5", + "frr-10.5.4.tar.gz": "1e8401e1bfcbb9b0dfefc9b335013733a3c77cdf85c79ff66d9e65167d9cfb1e", "frr-sysusers.conf": "c6f5a54402aa5f11e21dac3bd0e6cdeadfbf7937e9b34775b5fd368a9ca96fa4", "frr-tmpfiles.conf": "edd7b01b11f2be66bb6b4531496d1eaf6536add9f4b549c659b27f5a32cdc512" } diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec index 2b54571d8e9..cd58876ff18 100644 --- a/SPECS/frr/frr.spec +++ b/SPECS/frr/frr.spec @@ -2,8 +2,8 @@ Summary: Routing daemon Name: frr -Version: 10.5.0 -Release: 3%{?dist} +Version: 10.5.4 +Release: 1%{?dist} License: GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,11 +17,6 @@ Patch2: 0002-disable-eigrp-crypto.patch Patch3: 0003-fips-mode.patch Patch4: 0004-remove-grpc-test.patch Patch5: 0001-Fix-frr-c90-complaint-error.patch -# Following CVE-2025-61099 fixes CVE-2025-61100, CVE-2025-61101, CVE-2025-61102, -# CVE-2025-61103, CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107. -Patch6: CVE-2025-61099.patch -Patch7: CVE-2026-5107.patch -Patch8: CVE-2026-28532.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison @@ -201,6 +196,9 @@ rm tests/lib/*grpc* %{_sysusersdir}/%{name}.conf %changelog +* Mon May 04 2026 Kanishk Bansal - 10.5.4-1 +- Upgrade to 10.5.4 for CVE-2026-37457 + * Fri May 01 2026 Azure Linux Security Servicing Account - 10.5.0-3 - Patch for CVE-2026-28532 diff --git a/SPECS/golang/golang-1.25.signatures.json b/SPECS/golang/golang-1.25.signatures.json index 3047ee43fb9..1eb9c1ad974 100644 --- a/SPECS/golang/golang-1.25.signatures.json +++ b/SPECS/golang/golang-1.25.signatures.json @@ -3,7 +3,7 @@ "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95", "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd", "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7", - "go1.25.9-20260407.1.src.tar.gz": "985777a40244ac7e2b09ec64e226ed5c955018565edc0b80ee9b95f6605ce9d8", + "go1.25.10-20260507.2.src.tar.gz": "7b612739e17971a53bccf2f5f336766e71ec155e30d4a345b49b67d6bf431325", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } diff --git a/SPECS/golang/golang-1.25.spec b/SPECS/golang/golang-1.25.spec index 84265e79f9e..b05ec641991 100644 --- a/SPECS/golang/golang-1.25.spec +++ b/SPECS/golang/golang-1.25.spec @@ -1,6 +1,6 @@ %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode -%global ms_go_filename go1.25.9-20260407.1.src.tar.gz +%global ms_go_filename go1.25.10-20260507.2.src.tar.gz %global ms_go_revision 1 %ifarch aarch64 %global gohostarch arm64 @@ -14,7 +14,7 @@ %define __find_requires %{nil} Summary: Go Name: golang -Version: 1.25.9 +Version: 1.25.10 Release: 1%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation @@ -160,6 +160,9 @@ fi %{_bindir}/* %changelog +* Fri May 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.10-1 +- Bump version to 1.25.10-1 + * Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.9-1 - Bump version to 1.25.9-1 diff --git a/SPECS/golang/golang.signatures.json b/SPECS/golang/golang.signatures.json index 79b6abe02f6..3094c8964ce 100644 --- a/SPECS/golang/golang.signatures.json +++ b/SPECS/golang/golang.signatures.json @@ -4,7 +4,7 @@ "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd", "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7", "go1.24.13-20260204.5.src.tar.gz": "fdf4ec44d7191e59890e988ffba8ab3fd133ec6bd3757955223712f369e2328b", - "go1.26.2-20260407.2.src.tar.gz": "609b097d0482f96fa1b4e7f738638d33df1aa4c7a01ff6da03b881edc8534987", + "go1.26.3-20260508.1.src.tar.gz": "aea84b62f4bf76cd66cd421530209589e1b62489d793be8ec3c6a0e600c67c72", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec index 233da5024dd..19160073479 100644 --- a/SPECS/golang/golang.spec +++ b/SPECS/golang/golang.spec @@ -1,6 +1,6 @@ %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode -%global ms_go_filename go1.26.2-20260407.2.src.tar.gz +%global ms_go_filename go1.26.3-20260508.1.src.tar.gz %global ms_go_revision 1 %ifarch aarch64 %global gohostarch arm64 @@ -14,7 +14,7 @@ %define __find_requires %{nil} Summary: Go Name: golang -Version: 1.26.2 +Version: 1.26.3 Release: 1%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation @@ -166,6 +166,9 @@ fi %{_bindir}/* %changelog +* Fri May 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.3-1 +- Bump version to 1.26.3-1 + * Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.2-1 - Bump version to 1.26.2-1 diff --git a/cgmanifest.json b/cgmanifest.json index ba467a9e1cd..5ee4fe31222 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -915,8 +915,8 @@ "type": "other", "other": { "name": "azurelinux-image-tools", - "version": "1.2.0", - "downloadUrl": "https://github.com/microsoft/azure-linux-image-tools/archive/refs/tags/v1.2.0.tar.gz" + "version": "1.3.0", + "downloadUrl": "https://github.com/microsoft/azure-linux-image-tools/archive/refs/tags/v1.3.0.tar.gz" } } }, @@ -4000,8 +4000,8 @@ "type": "other", "other": { "name": "frr", - "version": "10.5.0", - "downloadUrl": "https://github.com/FRRouting/frr/archive/refs/tags/frr-10.5.0.tar.gz" + "version": "10.5.4", + "downloadUrl": "https://github.com/FRRouting/frr/archive/refs/tags/frr-10.5.4.tar.gz" } } }, @@ -4730,8 +4730,8 @@ "type": "other", "other": { "name": "golang", - "version": "1.26.2", - "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.26.2-1/go1.26.2-20260407.2.src.tar.gz" + "version": "1.26.3", + "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.26.3-1/go1.26.3-20260508.1.src.tar.gz" } } }, @@ -4740,8 +4740,8 @@ "type": "other", "other": { "name": "golang", - "version": "1.25.9", - "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.25.9-1/go1.25.9-20260407.1.src.tar.gz" + "version": "1.25.10", + "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.25.10-1/go1.25.10-20260507.2.src.tar.gz" } } },