Merge pull request #5829 from microsoft/sammeluch/1.0-release

Mariner 1.0 July Update

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.10.183.1
+Version:        5.10.185.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -147,6 +147,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Wed Jun 28 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.185.1-1
+- Auto-upgrade to 5.10.185.1
+
 * Tue Jun 13 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.183.1-1
 - Auto-upgrade to 5.10.183.1
 

SPECS/apr/CVE-2022-28331.nopatch

@@ -0,0 +1 @@
+CVE reference https://nvd.nist.gov/vuln/detail/CVE-2022-28331. Only affects windows version, therefore not CBL-Mariner.

SPECS/apr/apr.spec

@@ -1,32 +1,34 @@
 Summary:        The Apache Portable Runtime
 Name:           apr
 Version:        1.6.5
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
-URL:            https://apr.apache.org/
-Group:          System Environment/Libraries
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
+Group:          System Environment/Libraries
+URL:            https://apr.apache.org/
 Source0:        http://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.gz
 %define         aprver  1
-
 %if %{with_check}
 # test_serv_by_name test requires /etc/services file from iana-etc package
 BuildRequires:  iana-etc
 %endif
 
 %description
 The Apache Portable Runtime.
+
 %package        devel
 Summary:        Header and development files
 Requires:       %{name} = %{version}-%{release}
+
 %description    devel
 It contains the libraries and header files to create applications
 
 %prep
-%setup -q
+%autosetup -p1
+
 %build
-./configure --prefix=/usr \
+./configure --prefix=%{_prefix} \
         --includedir=%{_includedir}/apr-%{aprver} \
         --with-installbuilddir=%{_libdir}/apr/build-%{aprver} \
         --with-devrandom=/dev/urandom \
@@ -52,7 +54,7 @@ make -j1 check
 %exclude %{_libdir}/pkgconfig
 %{_bindir}/*
 
-%files  devel
+%files devel
 %defattr(-,root,root)
 %{_includedir}/*
 %{_libdir}/*.la
@@ -61,29 +63,44 @@ make -j1 check
 %{_libdir}/pkgconfig
 
 %changelog
+* Mon Jul 03 2023 Mykhailo Bykhovtsev <[email protected]> - 1.6.5-6
+- Nopatch CVE-2022-28331 as it affects only Windows.
+- Switch to use autosetup.
+
 * Thu Oct 28 2021 Pawel Winogrodzki <[email protected]> - 1.6.5-5
 - Fixing tests further by making them run on a single thread.
 - Removed `%%sha1` macro.
 - License verified.
+
 * Mon Dec 07 2020 Andrew Phelps <[email protected]> - 1.6.5-4
 - Fix check tests.
+
 * Sat May 09 2020 Nick Samson <[email protected]> - 1.6.5-3
 - Added %%license line automatically
+
 * Tue Sep 03 2019 Mateusz Malisz <[email protected]> - 1.6.5-2
 - Initial CBL-Mariner import from Photon (license: Apache2).
+
 * Tue Sep 18 2018 Ankit Jain <[email protected]> - 1.6.5-1
 - Updated to version 1.6.5
+
 * Fri Dec 08 2017 Xiaolin Li <[email protected]> - 1.5.2-7
 - Fix CVE-2017-12613
+
 * Tue May 24 2016 Priyesh Padmavilasom <[email protected]> - 1.5.2-6
 - GA - Bump release of all rpms
+
 * Mon Sep 21 2015 Harish Udaiya Kumar <[email protected]> - 1.5.2-5
 - Repacked to move the include files in devel package.
+
 * Wed Jul 15 2015 Sarah Choi <[email protected]> - 1.5.2-4
 - Use aprver(=1) instead of version for mesos
+
 * Mon Jul 13 2015 Alexey Makhalov <[email protected]> - 1.5.2-3
 - Exclude /usr/lib/debug
+
 * Wed Jul 01 2015 Touseef Liaqat <[email protected]> - 1.5.2-2
 - Fix tags and paths.
+
 * Wed May 20 2015 Touseef Liaqat <[email protected]> - 1.5.2-1
 - Initial build. First version

SPECS/cloud-hypervisor/CVE-2023-0465.patch

@@ -0,0 +1 @@
+The CVE-2023-2650.patch also fixes CVE-2023-0465

SPECS/cloud-hypervisor/CVE-2023-2650.patch

@@ -0,0 +1,40 @@
+From 724eeff414725dd8b6be8429f3acd316b92f7a56 Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <[email protected]>
+Date: Fri, 30 Jun 2023 09:49:24 +0530
+Subject: [PATCH] Patch for CVE-2023-2650 and CVE-2023-0465
+
+---
+ Cargo.lock | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Cargo.lock b/Cargo.lock
+index f99b516..99af0b2 100644
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -119,9 +119,9 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
+
+ [[package]]
+ name = "cc"
+-version = "1.0.73"
++version = "1.0.79"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
++checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
+
+ [[package]]
+ name = "cfg-if"
+@@ -574,9 +574,9 @@ dependencies = [
+
+ [[package]]
+ name = "openssl-src"
+-version = "111.17.0+1.1.1m"
++version = "111.26.0+1.1.1u"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "05d6a336abd10814198f66e2a91ccd7336611f30334119ca8ce300536666fcf4"
++checksum = "efc62c9f12b22b8f5208c23a7200a442b2e5999f8bdf80233852122b5a4f6f37"
+ dependencies = [
+  "cc",
+ ]
+-- 
+2.38.1
+

SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json

@@ -1,6 +1,7 @@
 {
  "Signatures": {
-  "cloud-hypervisor-22.0-cargo.tar.gz": "550e2e2ad6c64ae7fa4786582c2357993cfad1f205566f6c80bcef7888cbd702",
-  "cloud-hypervisor-22.0.tar.gz": "5c5440435f78d4acdbb3ea91abe17d6704da6c18b6f52fe77f15835cfc60d17a"
+  "cloud-hypervisor-22.0-cargo-3.cm1.tar.gz": "c54238aa053bfcba7b507982a1e8583bd6885dddf261e1a908977dcc84434214",
+  "cloud-hypervisor-22.0.tar.gz": "5c5440435f78d4acdbb3ea91abe17d6704da6c18b6f52fe77f15835cfc60d17a",
+  "cloud-hypervisor-22.0-vendor-3.cm1.tar.gz": "61721dce31d7a5c5c55347ecef6f0752d0d28a1b48f5e03b8e4cbb07b2eb2e6a"
  }
-}
+}

SPECS/cloud-hypervisor/cloud-hypervisor.spec

@@ -1,18 +1,19 @@
 Summary:        A Rust-VMM based cloud hypervisor from Intel
 Name:           cloud-hypervisor
 Version:        22.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0 or BSD
 URL:            https://github.com/cloud-hypervisor/cloud-hypervisor
 Group:          Development/Tools
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
-Source0:       %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
-# To update the cache run:
-#   [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz
-Source1:        %{name}-%{version}-cargo.tar.gz
+Source0:        %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# Note: the %%{name}-%%{version}-cargo-%%{release}.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
+Source1:        %{name}-%{version}-cargo-%{release}.tar.gz
+# Note: the %%{name}-%%{version}-vendor-%%{release}.tar.gz file contains vendor sources by capturing the contents downloaded into "vendor" folder when "cargo vendor" is run.
+Source2:        %{name}-%{version}-vendor-%{release}.tar.gz
 Patch0:         CVE-2023-28448.patch
+Patch1:         CVE-2023-2650.patch
 ExclusiveArch:  x86_64
 
 BuildRequires:  gcc
@@ -26,15 +27,14 @@ A Rust-VMM based cloud hypervisor from Intel.
 
 %prep
 # Setup .cargo directory
-mkdir -p $HOME
-pushd $HOME
 tar xf %{SOURCE1} --no-same-owner
 %patch0 -p1
-popd
 %setup -q
+%patch1 -p1
+tar xf %{SOURCE2} -C ../ --no-same-owner
 
 %build
-cargo build --release
+CARGO_HOME=$(pwd)/../.cargo cargo build --release --offline
 
 %install
 install -d %{buildroot}%{_bindir}
@@ -51,6 +51,9 @@ install -d %{buildroot}%{_libdir}/cloud-hypervisor
 %exclude %{_libdir}/debug
 
 %changelog
+* Tue Jul 04 2023 Suresh Thelkar <[email protected]> - 22.0-3
+- Patch CVE-2023-0465 and CVE-2023-2650
+
 * Wed Apr 05 2023 Henry Beberman <[email protected]> - 22.0-2
 - Patch CVE-2023-28448 in vendored versionize crate
 

SPECS/hyperv-daemons/hyperv-daemons.signatures.json

@@ -7,6 +7,6 @@
     "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125"
+    "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71"
   }
 }

SPECS/hyperv-daemons/hyperv-daemons.spec

@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.10.183.1
+Version:        5.10.185.1
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -221,6 +221,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Wed Jun 28 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.185.1-1
+- Auto-upgrade to 5.10.185.1
+
 * Tue Jun 13 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.183.1-1
 - Auto-upgrade to 5.10.183.1
 

SPECS/kernel-headers/kernel-headers.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125"
+    "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71"
   }
 }

SPECS/kernel-headers/kernel-headers.spec

@@ -1,6 +1,6 @@
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        5.10.183.1
+Version:        5.10.185.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Wed Jun 28 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.185.1-1
+- Auto-upgrade to 5.10.185.1
+
 * Tue Jun 13 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.183.1-1
 - Auto-upgrade to 5.10.183.1
 

SPECS/kernel-hyperv/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.183.1 Kernel Configuration
+# Linux/x86_64 5.10.185.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0"
 CONFIG_CC_IS_GCC=y
@@ -1369,7 +1369,6 @@ CONFIG_HAVE_NET_DSA=y
 CONFIG_VLAN_8021Q=m
 CONFIG_VLAN_8021Q_GVRP=y
 CONFIG_VLAN_8021Q_MVRP=y
-# CONFIG_DECNET is not set
 CONFIG_LLC=m
 # CONFIG_LLC2 is not set
 # CONFIG_ATALK is not set
@@ -1671,7 +1670,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 # CONFIG_BLK_DEV_DRBD is not set
 # CONFIG_BLK_DEV_NBD is not set
 # CONFIG_BLK_DEV_SKD is not set
-# CONFIG_BLK_DEV_SX8 is not set
 CONFIG_BLK_DEV_RAM=y
 CONFIG_BLK_DEV_RAM_COUNT=16
 CONFIG_BLK_DEV_RAM_SIZE=4096

SPECS/kernel-hyperv/kernel-hyperv.signatures.json

@@ -1,8 +1,8 @@
 {
   "Signatures": {
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-    "config": "3387855f3a5d67d9640385ca53da09a56d6f82c42ef1917d85185572e42bb6f5",
+    "config": "a6fcad6cf7f6fe88ca2fdfe1e108ddd3fb1c4c6ed3fb55190b76a5f1ff936e3a",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
-    "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125"
+    "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71"
   }
 }

SPECS/kernel-hyperv/kernel-hyperv.spec

@@ -3,7 +3,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Linux Kernel optimized for Hyper-V
 Name:           kernel-hyperv
-Version:        5.10.183.1
+Version:        5.10.185.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -270,6 +270,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_libdir}/perf/include/bpf/*
 
 %changelog
+* Wed Jun 28 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.185.1-1
+- Auto-upgrade to 5.10.185.1
+
 * Tue Jun 13 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.183.1-1
 - Auto-upgrade to 5.10.183.1
 

SPECS/kernel/CVE-2023-3090.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-3090 - patched in 5.10.181.1 - (generated by autopatch tool)
+upstream 90cbed5247439a966b645b34eb0a2e037836ea8e - stable f4a371d3f5a7a71dff1ab48b3122c5cf23cc7ad5
+

SPECS/kernel/CVE-2023-3212.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-3212 - patched in 5.10.183.1 - (generated by autopatch tool)
+upstream 504a10d9e46bc37b23d0a1ae2f28973c8516e636 - stable d03d31d3a206093b9b8759dddf0ba9bd843606ba
+

SPECS/kernel/CVE-2023-3220.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-3220 - patched in 5.10.173.1 - (generated by autopatch tool)
+upstream 93340e10b9c5fc86730d149636e0aa8b47bb5a34 - stable e9743b3052e125c44b555f07f2876a4bdccfd983
+

SPECS/kernel/CVE-2023-3355.nopatch

@@ -0,0 +1,4 @@
+CVE-2023-3355 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: d839f0811a31322c087a859c2b181e2383daa7be 
+upstream introducing commit: 20224d715a882210428ea62bba93f1bc4a0afe23 
+

SPECS/kernel/CVE-2023-3357.nopatch

@@ -0,0 +1,4 @@
+CVE-2023-3357 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: 53ffa6a9f83b2170c60591da1ead8791d5a42e81 
+upstream introducing commit: 4b2c53d93a4bc9d52cc0ec354629cfc9dc217f93 
+

SPECS/kernel/CVE-2023-3358.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-3358 - patched in 5.10.166.1 - (generated by autopatch tool)
+upstream b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 - stable 7b4516ba56f1fcb13ffc91912f3074e28362228d
+

SPECS/kernel/CVE-2023-3359.nopatch

@@ -0,0 +1,4 @@
+CVE-2023-3359 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: b0576ade3aaf24b376ea1a4406ae138e2a22b0c0 
+upstream introducing commit: 6e977eaa8280e957b87904b536661550f2a6b3e8 
+

SPECS/kernel/CVE-2023-3439.nopatch

@@ -0,0 +1,4 @@
+CVE-2023-3439 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: b561275d633bcd8e0e8055ab86f1a13df75a0269 
+upstream introducing commit: 583be982d93479ea3d85091b0fd0b01201ede87d 
+

SPECS/kernel/CVE-2023-35788.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-35788 - patched in 5.10.183.1 - (generated by autopatch tool)
+upstream 4d56304e5827c8cc8cc18c75343d283af7c4825c - stable 7c5c67aa294444b53f697dc3ddce61b33ff8badd
+

SPECS/kernel/CVE-2023-35823.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-35823 - patched in 5.10.180.1 - (generated by autopatch tool)
+upstream 30cf57da176cca80f11df0d9b7f71581fe601389 - stable 7dac96e9cc985328ec1fae92f0c245f559dc0e11
+

SPECS/kernel/CVE-2023-35824.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-35824 - patched in 5.10.180.1 - (generated by autopatch tool)
+upstream 5abda7a16698d4d1f47af1168d8fa2c640116b4a - stable e9d64e90a0ada4d00ac6562e351ef10ae7d9b911
+

SPECS/kernel/CVE-2023-35829.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-35829 - patched in 5.10.180.1 - (generated by autopatch tool)
+upstream 3228cec23b8b29215e18090c6ba635840190993d - stable de19d02d734ef29f5dbd2c12fe810fa960ecd83f
+