Skip to content

[AutoPR- Security] Patch libsoup for CVE-2026-1536, CVE-2025-32049 [HIGH]#167

Draft
azurelinux-security wants to merge 159 commits intofasttrack/3.0from
azure-autosec/libsoup/3.0/1042913
Draft

[AutoPR- Security] Patch libsoup for CVE-2026-1536, CVE-2025-32049 [HIGH]#167
azurelinux-security wants to merge 159 commits intofasttrack/3.0from
azure-autosec/libsoup/3.0/1042913

Conversation

@azurelinux-security
Copy link
Owner

@azurelinux-security azurelinux-security commented Feb 4, 2026

Auto Patch libsoup for CVE-2026-1536, CVE-2025-32049.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1042913&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

sandeepkarambelkar and others added 30 commits December 11, 2025 13:46
@sandeepkarambelkar
Remove qt5-qtconnectivity and add qt6-qtconnectivity (microsoft#15197)
aadbc95
@azurelinux-security
[AutoPR- Security] Patch telegraf for CVE-2025-10543 [MEDIUM] (micros…
d665a99 
…oft#15275)
@xordux
Systemd network/tc: fix stack overflow when dropping tclass or qdisc (m…
a6140cc 
…icrosoft#15165)

Add patch to systemd to fix stack overflow when dropping tclass or qdisc in systemd-networkd. It avoids systemd SEGV crash in certain cases.
@mayankfz
BUG 59454970: Make kexec-tools do not depend on ethtool only, enable …
f4e3c2f 
…user to choose either ethtool or mlnx-ethtool during installation, default is ethtool. (microsoft#15014)

Make kexec-tools do not depend on ethtool only, enable user to choose either ethtool or mlnx-ethtool during installation, default is ethtool.

Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>
@durgajagadeesh
Upgrade apache-commons-compress to 1.26.1 and address dependency buil…
790852b 
…d warnings (microsoft#13854)
@chalamalasetty
Upgrade MOFED 24.10 to DOCA-OFED 25.07 and its dependencies (microsof…
303210c 
…t#15028)

Co-authored-by: Suresh Babu Chalamalasetty <schalam@microsoft.com>
@jykanase
upgrade pacemaker to version 3.0.1 (microsoft#15046)
fa584c8
@v-aaditya
[Medium] Patch kubevirt for CVE-2025-64435 (microsoft#15137)
7750a32
@sandeepkarambelkar
Remove qt5-qtsensors and add qt6-qtsensors (microsoft#15205)
3eb9deb
@jykanase @kgodara912
Upgrade hdf5 version to 1.14.6 and patch hdf5 for CVE-2025-2153, CVE-…
49403f7 
…2025-2310, CVE-2025-2914, CVE-2025-2926, CVE-2025-6816, CVE-2025-2925, CVE-2025-2924, CVE-2025-44905,CVE-2025-6269, CVE-2025-6750, CVE-2025-6857, CVE-2025-7067, CVE-2025-7068, CVE-2025-6858, CVE_2025-2923, CVE-2025-2913, CVE-2025-6516, CVE-2025-6818, CVE-2025-6817, CVE-2025-6856, CVE-2025-7069 (microsoft#15115)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: kgodara912 <kshigodara@outlook.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@sandeepkarambelkar
Remove qt5-qtserialport and add qt6-qtserialport (microsoft#15233)
21b8a73
@akhila-guruju
[Medium] Patch grub2 for CVE-2025-61661, CVE-2025-61662 & CVE-2025-61663
e019d04 
 (microsoft#15157)
@AkarshHCL
Upgrade: Jtidy to version 1.0.4 (microsoft#15168)
9bd782a
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch cni-plugins for C…
96bb3b2 
…VE-2025-65637 [HIGH] - branch 3.0-dev" microsoft#15305

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@akhila-guruju @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch python-urllib3 for
66cd71f 
CVE-2025-66418, CVE-2025-66471 [HIGH] - branch 3.0-dev" microsoft#15306

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@BinduSri-6522866 @Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch qtdeclarative for
c4dce60 
…CVE-2025-12385 [HIGH] - branch 3.0-dev" microsoft#15307

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @BinduSri-6522866 @jslobodzian
Merge PR "[AUTO-CHERRYPICK] Patch fluent-bit for CVE-2025-12977 [High…
7a1ed75 
…] and CVE-2025-12969 [Medium] - branch 3.0-dev" microsoft#15308

Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@archana25-ms @Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch qtbase for CVE-2…
8ed8f9a 
…025-66293 [HIGH] - branch 3.0-dev" microsoft#15309

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch influxdb for CVE…
d5ff89e 
…-2025-65637 [HIGH] - branch 3.0-dev" microsoft#15310

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch dcos-cli for CVE…
c3bb826 
…-2025-65637 [HIGH] - branch 3.0-dev" microsoft#15311

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot
[AUTOPATCHER-CORE] Upgrade tzdata to 2025c upgrade to version 2025c (m…
2c29e73 
…icrosoft#15284)
@AkarshHCL
Upgrade:perl-FFI-CheckLib to version 0.31 (microsoft#15144)
51bd173
@v-aaditya
Upgrade xmldb-api to version 1.7.0 (microsoft#15290)
2f95523
@azurelinux-security
[AutoPR- Security] Patch influxdb for CVE-2025-10543 [MEDIUM] (micros…
ad2c514 
…oft#15328)
@v-aaditya
Upgrade xbean to version 4.24 (microsoft#15244)
a3d0b8e
@v-aaditya
Upgrade ibus-table version to 1.17.16 (microsoft#15302)
be8e809
@CBL-Mariner-Bot @Kanishk-Bansal
Merge PR "[AUTO-CHERRYPICK] Revert "[AutoPR- Security] Patch qtbase f…
1ac3d58 
…or CVE-2025-66293 [HIGH]" - branch 3.0-dev" microsoft#15351

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@azurelinux-security
[AutoPR- Security] Patch glib for CVE-2025-14087, CVE-2025-14512 [MED…
8f5adbe 
…IUM] (microsoft#15294)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch flannel for CVE-…
868bb3a 
…2025-65637 [HIGH] - branch 3.0-dev" microsoft#15352

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch containerized-da…
3b84639 
…ta-importer for CVE-2025-65637 [HIGH] - branch 3.0-dev" microsoft#15353

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
azurelinux-security and others added 30 commits January 27, 2026 12:03
@azurelinux-security
[AutoPR- Security] Patch libsndfile for CVE-2025-56226 [MEDIUM] (micr…
7ebb2ef 
…osoft#15572)
@azurelinux-security
[AutoPR- Security] Patch glibc for CVE-2025-15281 [MEDIUM] (microsoft…
c326e08 
…#15561)

Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch avahi for CVE-2026-24401 [MEDIUM] (microsoft…
ad816f6 
…#15580)
@Redent0r @CBL-Mariner-Bot
cloud-hypervisor: upgrade to 48.0.246 (microsoft#15573)
affeb9f 
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@BinduSri-6522866 @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch nodejs for CVE-2…
4154787 
…026-21637, CVE-2025-59466, CVE-2025-59465, CVE-2025-55132, CVE-2025-55131 [HIGH] - branch 3.0-dev" microsoft#15624

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @sprt @jslobodzian
[AUTO-CHERRYPICK] [AUTO-PR] azure-core/azurelinux:sprt/CVE-2026-24054…
34e1e83 
…-kata-containerd - branch 3.0-dev (microsoft#15623)

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Signed-off-by: Aurélien Bombo <aurelien.bombo@microsoft.com>
Co-authored-by: Aurélien Bombo <aurelien.bombo@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch pytorch for CVE-…
0fc626c 
…2026-24747 [HIGH] - branch 3.0-dev" microsoft#15625

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@aadhar-agarwal
containerd2: Backport fix for credential leak in CRI error logs (micr…
cbc9f97 
…osoft#15579)

Backports a fix for a credential leak vulnerability in containerd2's CRI error handling. When image pulls fail from private registries using URL-based authentication (e.g., Azure Blob Storage with SAS tokens), sensitive query parameters were being exposed in both containerd logs and Kubernetes pod events (visible via kubectl describe pod).
@sandeepkarambelkar
Add nodejs24 to coexist with nodejs 20, add fix for runtime internati…
ec35977 
…onalization support in nodejs24 (microsoft#15385)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@azurelinux-security
[AutoPR- Security] Patch python3 for CVE-2026-0865, CVE-2025-11468, C…
0e55d09 
…VE-2026-0672 [MEDIUM] (microsoft#15595)
@azurelinux-security
[AutoPR- Security] Patch memcached for CVE-2026-24809 [MEDIUM] (micro…
693cb87 
…soft#15615)
@v-aaditya
[Medium] Patch coredns for CVE-2025-68151 (microsoft#15515)
153b4cb
@sandeepkarambelkar
Upgrade nginx to latest stable version 1.28.1 (microsoft#14919)
2045810
@Camelron
Update kernel-uvm config to support extended attributes with CIFS (mi…
cc2b238 
…crosoft#15498)
@SeanDougherty @jiria
kernel: Enable CONFIG_SQUASHFS_ZSTD and CONFIG_FW_CFG_SYSFS (microsof…
a5bd3e3 
…t#15612)

CONFIG_SQUASHFS_ZSTD

With this a better compression algo (zstd) becomes available to users, this is a read-only kernel feature with minimal overhead when not in use. Already enabled in our ARM kernel.

CONFIG_FW_CFG_SYSFS

Enables module that permits firmware config injection. Minimal overhead, not loaded when not in use. Already enabled in our ARM kernel

Co-authored-by: Jiri Appl <jiria@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch expat for CVE-2026-24515 [LOW] (microsoft#15585
9819417 
)
@akhila-guruju
[Medium] Patch gnutls for CVE-2025-9820 (microsoft#15603)
884e179
@azurelinux-security @archana25-ms
[AutoPR- Security] Patch nmap for CVE-2025-11961 [LOW] (microsoft#15435)
4cdf058 
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch glib for CVE-2026-1484 [LOW] (microsoft#15650)
004e03d
@azurelinux-security
[AutoPR- Security] Patch expat for CVE-2026-25210 [MEDIUM] (microsoft…
be30df0 
…#15651)
@CBL-Mariner-Bot @corvus-callidus @jslobodzian
[AUTO-CHERRYPICK] Patch openssl for CVE-2025-15467, CVE-2025-15468, C…
3efa245 
…VE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420, CVE-2025-69421 - branch 3.0-dev (microsoft#15627)

Co-authored-by: corvus-callidus <lyrydber@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot
[AUTO-CHERRYPICK] [AutoPR- Security] Patch edk2 for CVE-2025-15467 [C…
bc393da 
…RITICAL] - branch 3.0-dev (microsoft#15646)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

approving PR.  Buddy build and expected tests passed.
@Kanishk-Bansal
edk2 : Fix merge conflict and changelog (microsoft#15701)
950b256 
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@CBL-Mariner-Bot @corvus-callidus @jslobodzian
[AUTO-CHERRYPICK] Patch openssl for CVE-2025-69419, CVE-2026-22795, and
347a49c 
CVE-2026-22796 - branch 3.0-dev (microsoft#15698)

Co-authored-by: corvus-callidus <lyrydber@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch edk2 for CVE-2026-22796, CVE-2025-69421, CVE…
d5206d3 
…-2025-69420, CVE-2025-69418, CVE-2025-68160 [HIGH] (microsoft#15702)

Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@CBL-Mariner-Bot @rlmenge
[AUTOPATCHER-kernel] Kernel upgrade to version 6.6.121.1 - branch 3.0…
0083585 
…-dev (microsoft#15660)

Co-authored-by: Rachel Menge <rachelmenge@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
[AUTO-CHERRYPICK] [AutoPR- Security] Patch nodejs for CVE-2025-55130
82d82f0 
…[HIGH] - branch 3.0-dev (microsoft#15703)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch gnupg2 for CVE-2…
9021815 
…026-24882 [HIGH] - branch 3.0-dev" microsoft#15713

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
@archana25-ms @Kanishk-Bansal
[MEDIUM] Upgrade python-wheel to 0.46.3 for CVE-2026-24049 (microso…
a4afa0c 
…ft#15601)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@azurelinux-security
Patch libsoup for CVE-2026-1536, CVE-2025-32049
aa20587
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.