[AutoPR- Security] Patch kata-containers for CVE-2026-33814 [MEDIUM]

SPECS/kata-containers/CVE-2026-33814.patch

@@ -0,0 +1,48 @@
+From 201f31cfd144c43a8bc5a88ab25892ab7363c788 Mon Sep 17 00:00:00 2001
+From: "Nicholas S. Husin" <nsh@golang.org>
+Date: Tue, 31 Mar 2026 15:15:30 -0400
+Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
+
+This CL backports https://go.dev/cl/761581 to x/net.
+
+Fixes golang/go#78476
+Fixes CVE-2026-33814
+
+Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
+Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
+---
+ src/runtime/vendor/golang.org/x/net/http2/transport.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/runtime/vendor/golang.org/x/net/http2/transport.go b/src/runtime/vendor/golang.org/x/net/http2/transport.go
+index f26356b9..a401b27b 100644
+--- a/src/runtime/vendor/golang.org/x/net/http2/transport.go
++++ b/src/runtime/vendor/golang.org/x/net/http2/transport.go
+@@ -2858,6 +2858,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+
+ 	var seenMaxConcurrentStreams bool
+ 	err := f.ForeachSetting(func(s Setting) error {
++		if err := s.Valid(); err != nil {
++			return err
++		}
+ 		switch s.ID {
+ 		case SettingMaxFrameSize:
+ 			cc.maxFrameSize = s.Val
+@@ -2889,9 +2892,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+ 			cc.henc.SetMaxDynamicTableSize(s.Val)
+ 			cc.peerMaxHeaderTableSize = s.Val
+ 		case SettingEnableConnectProtocol:
+-			if err := s.Valid(); err != nil {
+-				return err
+-			}
+ 			// If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
+ 			// we require that it do so in the first SETTINGS frame.
+ 			//
+-- 
+2.45.4
+

SPECS/kata-containers/kata-containers.spec

@@ -2,7 +2,7 @@
 
 Name:           kata-containers
 Version:        3.19.1.kata3
-Release:        1%{?dist}
+Release:        2%{?dist}
 
 Summary:        Kata Containers package developed for Pod Sandboxing on AKS
 License:        ASL 2.0
@@ -17,6 +17,7 @@ Patch2:         CVE-2026-24834.patch
 Patch3:         CVE-2026-25727.patch
 Patch4:         CVE-2026-25541.patch
 Patch5:         CVE-2025-11065.patch
+Patch6:         CVE-2026-33814.patch
 BuildRequires:  azurelinux-release
 BuildRequires:  golang
 BuildRequires:  protobuf-compiler
@@ -116,6 +117,9 @@ popd
 %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
 
 %changelog
+* Thu May 14 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.19.1.kata3-2
+- Patch for CVE-2026-33814
+
 * Mon Apr 16 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.19.1.kata3-1
 - Auto-upgrade to 3.19.1.kata3
 - Remove CVE-2025-65637.patch that no longer applies