Merge pull request #5184 from microsoft/joslobo/mariner-1.0-march-update2

Merge for Mariner 1.0 March 2023 Update 2

Author: jslobodzian

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.10.172.1
+Version:        5.10.174.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -147,6 +147,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Tue Mar 14 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.174.1-1
+- Auto-upgrade to 5.10.174.1
+
 * Mon Mar 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.172.1-1
 - Auto-upgrade to 5.10.172.1
 

SPECS/curl/CVE-2022-43551.patch

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "curl-7.86.0.tar.gz": "3dfdd39ba95e18847965cd3051ea6d22586609d9011d91df7bc5521288987a82"
+    "curl-7.88.1.tar.gz": "cdb38b72e36bc5d33d5b8810f8018ece1baa29a8f215b4495e495ded82bbf3c7"
   }
 }

SPECS/curl/CVE-2022-43552.patch

@@ -1,16 +1,14 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 # Heads up: 7.87 breaks perl-WWW-Curl (see #4588).
-Version:        7.86.0
-Release:        3%{?dist}
+Version:        7.88.1
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/NetworkingLibraries
 URL:            https://curl.haxx.se
 Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
-Patch0:         CVE-2022-43551.patch
-Patch1:         CVE-2022-43552.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  openssl-devel
@@ -91,6 +89,10 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.4*
 
 %changelog
+* Thu Mar 09 2023 Mykhailo Bykhovtsev <[email protected]> - 7.88.1-1
+- Upgrade to version 7.88.1 to fix CVE-2023-23914, CVE-2023-23915, CVE-2023-23916
+- Removing old patches that are fixed in version 7.87.0
+
 * Mon Feb 13 2023 Dallas Delaney <[email protected]> - 7.86.0-3
 - Apply patch to fix CVE-2022-43552
 

SPECS/curl/curl.signatures.json

@@ -0,0 +1,44 @@
+From 11d7325dc418e2ca30c13f64ce237c4a5de3dd56 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <[email protected]>
+Date: Wed, 8 Mar 2023 03:37:46 +0530
+Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232
+
+Backported by @rohitrawat from upstream on 2023-03-23
+Applies on v2.85 cleanly
+
+Signed-off-by: Rohit Rawat <[email protected]>
+---
+ man/dnsmasq.8 | 3 ++-
+ src/config.h  | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index fce580f..4b0b180 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
+ .TP
+ .B \-P, --edns-packet-max=<size>
+ Specify the largest EDNS.0 UDP packet which is supported by the DNS
+-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
++forwarder. Defaults to 1232, which is the recommended size following the
++DNS flag day in 2020. Only increase if you know what you are doing.
+ .TP
+ .B \-Q, --query-port=<query_port>
+ Send outbound DNS queries from, and listen for their replies on, the
+diff --git a/src/config.h b/src/config.h
+index 8c41943..62b7fa1 100644
+--- a/src/config.h
++++ b/src/config.h
+@@ -19,7 +19,7 @@
+ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
+ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+ #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
+-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
+ #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
+ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+-- 
+2.17.1
+

SPECS/curl/curl.spec

@@ -1,14 +1,15 @@
 Summary:        DNS proxy with integrated DHCP server
 Name:           dnsmasq
 Version:        2.85
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2 or GPLv3
 Group:          System Environment/Daemons
 URL:            http://www.thekelleys.org.uk/dnsmasq/
 Source0:        http://www.thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Patch0:         fix-missing-ioctl-SIOCGSTAMP-add-sockios-header-linux-5.2.patch
+Patch1:         CVE-2023-28450.patch
 
 BuildRequires:  kernel-headers
 
@@ -69,6 +70,9 @@ rm -rf %{buildroot}
 %config  /usr/share/dnsmasq/trust-anchors.conf
 
 %changelog
+* Thu Mar 23 2023 Rohit Rawat <[email protected]> - 2.85-2
+- Patch CVE-2023-28450
+
 * Fri Apr 23 2021 Thomas Crain <[email protected]> - 2.85-1
 - Upgrade to version 2.85 to fix  CVE-2021-3348
 

SPECS/dnsmasq/CVE-2023-28450.patch

@@ -0,0 +1,21 @@
+diff --color --color -ruN a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+--- a/lib/gssapi/krb5/arcfour.c	2023-03-15 00:23:03.051530897 +0000
++++ b/lib/gssapi/krb5/arcfour.c	2023-03-15 00:23:46.771143241 +0000
+@@ -365,7 +365,7 @@
+ 	return GSS_S_FAILURE;
+     }
+ 
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@
+ 	return GSS_S_FAILURE;
+     }
+ 
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;

SPECS/dnsmasq/dnsmasq.spec

@@ -12,7 +12,7 @@
 Summary:        A Kerberos 5 implementation without export restrictions
 Name:           heimdal
 Version:        7.7.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -42,6 +42,7 @@ Patch1:         heimdal-1.6.0-c25f45a-rename-commands.patch
 # Use Python2 explicity.
 Patch3:         heimdal-7.7.1-explicit-python2.patch
 Patch4:         heimdal-7.7.0-configure.patch
+Patch5:         CVE-2022-45142.patch
 BuildRequires:  bison
 #libcom_err-devel is in
 #BuildRequires:  libcom_err-devel
@@ -486,6 +487,9 @@ fi
 %{_sysconfdir}/profile.d/%{name}.csh
 
 %changelog
+* Tue Mar 14 2023 Thien Trung Vuong <[email protected]> - 7.7.1-2
+- Add patch for CVE-2022-45142
+
 * Wed Jan 04 2023 CBL-Mariner Servicing Account <[email protected]> - 7.7.1-1
 - Auto-upgrade to 7.7.1 - to fix CVE-2022-41916
 

SPECS/heimdal/CVE-2022-45142.patch

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "httpd-2.4.55.tar.bz2": "11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac"
+    "httpd-2.4.56.tar.bz2": "d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c"
   }
-}
+}

SPECS/heimdal/heimdal.spec

@@ -1,6 +1,6 @@
 Summary:        The Apache HTTP Server
 Name:           httpd
-Version:        2.4.55
+Version:        2.4.56
 Release:        1%{?dist}
 License:        Apache-2.0
 URL:            https://httpd.apache.org/
@@ -10,7 +10,7 @@ Distribution:   Mariner
 Source0:        https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.bz2
 
 # Patch0 is taken from:
-# https://www.linuxfromscratch.org/patches/blfs/svn/httpd-2.4.53-blfs_layout-3.patch
+# https://www.linuxfromscratch.org/patches/blfs/svn/httpd-2.4.56-blfs_layout-3.patch
 Patch0:         httpd-2.4.53-blfs_layout-3.patch
 Patch1:         httpd-uncomment-ServerName.patch
 
@@ -207,6 +207,9 @@ fi
 %{_bindir}/dbmmanage
 
 %changelog
+* Tue Mar 14 2023 Thien Trung Vuong <[email protected]> - 2.4.56-1
+- Upgrade to version 2.4.56 - Fixes CVE-2023-27522, CVE-2023-25690
+
 * Mon Feb 06 2023 Dan Streetman <[email protected]> - 2.4.55-1
 - Upgrade to version 2.4.55 - Fixes CVE-2022-36760
 

SPECS/httpd/httpd.signatures.json

@@ -7,6 +7,6 @@
     "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-5.10.172.1.tar.gz": "eaaa625153c397d420824408ef7bc5d50364c8d30c8fe5fecaf15bd03d3a241b"
+    "kernel-5.10.174.1.tar.gz": "41a516c957c274ee9da65d0c58c4e65161ec17a33c5740d102c20e798f336bc2"
   }
 }

SPECS/httpd/httpd.spec

@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.10.172.1
+Version:        5.10.174.1
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -221,6 +221,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Tue Mar 14 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.174.1-1
+- Auto-upgrade to 5.10.174.1
+
 * Mon Mar 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.172.1-1
 - Auto-upgrade to 5.10.172.1
 

SPECS/hyperv-daemons/hyperv-daemons.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "kernel-5.10.172.1.tar.gz": "eaaa625153c397d420824408ef7bc5d50364c8d30c8fe5fecaf15bd03d3a241b"
+    "kernel-5.10.174.1.tar.gz": "41a516c957c274ee9da65d0c58c4e65161ec17a33c5740d102c20e798f336bc2"
   }
 }

SPECS/hyperv-daemons/hyperv-daemons.spec

@@ -1,6 +1,6 @@
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        5.10.172.1
+Version:        5.10.174.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Tue Mar 14 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.174.1-1
+- Auto-upgrade to 5.10.174.1
+
 * Mon Mar 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.172.1-1
 - Auto-upgrade to 5.10.172.1