January 2025 2.0 release merge (#11663)

microsoft · Dec 22, 2024 · d0914ed · d0914ed
2 parents 68eabe7 + d2731c4
commit d0914ed
Show file tree

Hide file tree

Showing 28 changed files with 3,383 additions and 48 deletions.
diff --git a/SPECS/cert-manager/CVE-2024-45337.patch b/SPECS/cert-manager/CVE-2024-45337.patch
@@ -0,0 +1,77 @@
+https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch
+
+From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Tue, 3 Dec 2024 09:03:03 -0800
+Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
+
+Users of the the ssh package seem to extremely commonly misuse the
+PublicKeyCallback API, assuming that the key passed in the last call
+before a connection is established is the key used for authentication.
+Some users then make authorization decisions based on this key. This
+property is not documented, and may not be correct, due to the caching
+behavior of the package, resulting in users making incorrect
+authorization decisions about the connection.
+
+This change makes the cache a one entry FIFO cache, making the assumed
+property, that the last call to PublicKeyCallback represents the key
+actually used for authentication, actually hold.
+
+Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
+Jules Duvivier from the Platform.sh / Upsun engineering team
+for reporting this issue.
+
+Fixes golang/go#70779
+Fixes CVE-2024-45337
+
+Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
+Reviewed-by: Roland Shoemaker <[email protected]>
+Auto-Submit: Gopher Robot <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-by: Nicola Murino <[email protected]>
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+---
+ vendor/golang.org/x/crypto/ssh/server.go      | 15 ++++++++++----
+
+diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
+index c0d1c29e6f..5b5ccd96f4 100644
+--- a/vendor/golang.org/x/crypto/ssh/server.go
++++ b/vendor/golang.org/x/crypto/ssh/server.go
+@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
+ }
+
+ // cachedPubKey contains the results of querying whether a public key is
+-// acceptable for a user.
++// acceptable for a user. This is a FIFO cache.
+ type cachedPubKey struct {
+ 	user       string
+ 	pubKeyData []byte
+@@ -157,7 +157,13 @@ type cachedPubKey struct {
+ 	perms      *Permissions
+ }
+
+-const maxCachedPubKeys = 16
++// maxCachedPubKeys is the number of cache entries we store.
++//
++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
++// to 1, such that the only key in the cache is the most recently seen one. This
++// forces the behavior that the last call to PublicKeyCallback will always be
++// with the key that is used for authentication.
++const maxCachedPubKeys = 1
+
+ // pubKeyCache caches tests for public keys.  Since SSH clients
+ // will query whether a public key is acceptable before attempting to
+@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
+
+ // add adds the given tuple to the cache.
+ func (c *pubKeyCache) add(candidate cachedPubKey) {
+-	if len(c.keys) < maxCachedPubKeys {
+-		c.keys = append(c.keys, candidate)
++	if len(c.keys) >= maxCachedPubKeys {
++		c.keys = c.keys[1:]
+ 	}
++	c.keys = append(c.keys, candidate)
+ }
+
+ // ServerConn is an authenticated SSH connection, as seen from the
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
@@ -1,7 +1,7 @@
 Summary:        Automatically provision and manage TLS certificates in Kubernetes
 Name:           cert-manager
 Version:        1.11.2
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,6 +28,7 @@ Patch5:         CVE-2023-3978.patch
 Patch6:         CVE-2024-24786.patch
 Patch7:         CVE-2024-28180.patch
 Patch8:         CVE-2023-2253.patch
+Patch9:         CVE-2024-45337.patch
 BuildRequires:  golang
 Requires:       %{name}-acmesolver
 Requires:       %{name}-cainjector
@@ -120,6 +121,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
+* Tue Dec 17 2024 Andrew Phelps <[email protected]> - 1.11.2-16
+- Add patch for CVE-2024-45337
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.11.2-15
 - Bump release to rebuild with go 1.22.7
 

diff --git a/SPECS/coredns/CVE-2024-24786.patch b/SPECS/coredns/CVE-2024-24786.patch
@@ -0,0 +1,41 @@
+From 867d49d8c566b0f1284f8295ba1286d6c5e93edf Mon Sep 17 00:00:00 2001
+From: kavyasree <[email protected]>
+Date: Mon, 9 Dec 2024 17:03:26 +0530
+Subject: [PATCH] Modified patch
+
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index c85f846..634ba41 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
+ 				}
+ 			}
+ 		}
++	case json.EOF:
++		// This can only happen if there's a bug in Decoder.Read.
++		// Avoid an infinite loop if this does happen.
++		return errors.New("unexpected EOF")
+ 	}
+ 	return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.34.1
+
diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec
@@ -3,7 +3,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.1
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,7 @@ Patch2:         CVE-2023-49295.patch
 Patch3:         CVE-2024-22189.patch
 Patch4:         CVE-2023-45288.patch
 Patch5:         CVE-2024-0874.patch
+Patch6:         CVE-2024-24786.patch
 
 BuildRequires:  golang
 
@@ -74,6 +75,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 %{_bindir}/%{name}
 
 %changelog
+* Mon Dec 09 2024 Kavya Sree Kaitepalli <[email protected]> - 1.11.1-12
+- Patch for CVE-2024-24786
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.11.1-11
 - Bump release to rebuild with go 1.22.7
 

diff --git a/SPECS/etcd/CVE-2024-24786.patch b/SPECS/etcd/CVE-2024-24786.patch
@@ -0,0 +1,41 @@
+From 867d49d8c566b0f1284f8295ba1286d6c5e93edf Mon Sep 17 00:00:00 2001
+From: kavyasree <[email protected]>
+Date: Mon, 9 Dec 2024 17:03:26 +0530
+Subject: [PATCH] Modified patch
+
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index c85f846..634ba41 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
+ 				}
+ 			}
+ 		}
++	case json.EOF:
++		// This can only happen if there's a bug in Decoder.Read.
++		// Avoid an infinite loop if this does happen.
++		return errors.New("unexpected EOF")
+ 	}
+ 	return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.34.1
+
diff --git a/SPECS/etcd/etcd.spec b/SPECS/etcd/etcd.spec
@@ -1,7 +1,7 @@
 Summary:        A highly-available key value store for shared configuration
 Name:           etcd
 Version:        3.5.12
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -14,6 +14,8 @@ Source1:        etcd.service
 #   generate_source_tarball.sh --srcTarball <source_tarball> --pkgVersion %%{version} --outFolder .
 Source2:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-45288.patch
+Patch1:         CVE-2024-24786.patch
+
 BuildRequires:  golang
 
 %description
@@ -117,6 +119,9 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd
 /%{_docdir}/%{name}-%{version}-tools/*
 
 %changelog
+* Mon Dec 09 2024 Kavya Sree Kaitepalli <[email protected]> - 3.5.12-6
+- Patch for CVE-2024-24786
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 3.5.12-5
 - Bump release to rebuild with go 1.22.7