[AutoPR- Security] Patch libsoup for CVE-2026-1536, CVE-2025-32049 [HIGH]

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -147,6 +147,7 @@
                 "cpufrequtils",
                 "cpuid",
                 "criu",
+                "crun",
                 "crypto-policies",
                 "cryptsetup",
                 "cscope",
@@ -847,6 +848,7 @@
                 "linuxptp",
                 "lksctp-tools",
                 "lldpd",
+                "llhttp",
                 "lockdev",
                 "logwatch",
                 "lpsolve",
@@ -1516,7 +1518,6 @@
                 "perl-Test-Requires",
                 "perl-Test-RequiresInternet",
                 "perl-Test-Script",
-                "perl-Test-Simple",
                 "perl-Test-SubCalls",
                 "perl-Test-Synopsis",
                 "perl-Test-Taint",
@@ -1828,6 +1829,7 @@
                 "python-ruamel-yaml-clib",
                 "python-s3transfer",
                 "python-schedutils",
+                "python-scikit-build-core",
                 "python-semantic_version",
                 "python-should_dsl",
                 "python-simpleline",
@@ -1909,9 +1911,9 @@
                 "qperf",
                 "qr-code-generator",
                 "qt-rpm-macros",
-                "qt5-qtconnectivity",
-                "qt5-qtsensors",
-                "qt5-qtserialport",
+                "qt6-qtconnectivity",
+                "qt6-qtsensors",
+                "qt6-qtserialport",
                 "qtbase",
                 "qtdeclarative",
                 "qtsvg",
@@ -2473,10 +2475,6 @@
         "NVIDIA": {
             "license": "[ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0)",
             "specs": [
-                "fwctl",
-                "fwctl-hwe",
-                "fwctl-hwe-signed",
-                "fwctl-signed",
                 "ibarr",
                 "ibsim",
                 "iser",
@@ -2492,6 +2490,7 @@
                 "knem-hwe-modules-signed",
                 "knem-modules-signed",
                 "libnvidia-container",
+                "libvma",
                 "mft_kernel",
                 "mft_kernel-hwe",
                 "mft_kernel-hwe-signed",
@@ -2588,6 +2587,7 @@
                 "cpulimit",
                 "cri-o",
                 "ecj",
+                "ed25519-java",
                 "fillup",
                 "flux",
                 "gd",
@@ -2610,6 +2610,7 @@
                 "javacc",
                 "javacc-bootstrap",
                 "javassist",
+                "jbcrypt",
                 "jboss-interceptors-1.2-api",
                 "jdepend",
                 "jflex",
@@ -2946,6 +2947,7 @@
                 "nginx",
                 "ninja-build",
                 "nodejs",
+                "nodejs24",
                 "npth",
                 "nspr",
                 "nss",

SPECS-EXTENDED/389-ds-base/389-ds-base.spec

@@ -68,7 +68,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (%{variant})
 Name:             389-ds-base
 Version:          3.1.1
-Release:          7%{?dist}
+Release:          9%{?dist}
 License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Vendor:           Microsoft Corporation
@@ -83,6 +83,7 @@ Source4:          389-ds-base.sysusers
 Source5:          https://fedorapeople.org/groups/389ds/libdb-5.3.28-59.tar.bz2
 %endif
 
+Patch0:           rust-1.90-fixes.patch
 Provides:         ldif2ldbm >= 0
 
 # Attach the buildrequires to the top level package:
@@ -732,6 +733,13 @@ exit 0
 %endif
 
 %changelog
+* Tue Jan 13 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 3.1.1-9
+- Bump release to rebuild with rust
+- Add patch add explicit lifetime for ValueArrayRef iterator
+
+* Tue Jan 06 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.1.1-8
+- Bumping release to rebuild with new 'net-snmp' libs.
+
 * Fri Aug 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.1.1-7
 - Bump release to rebuild with rust
 

SPECS-EXTENDED/389-ds-base/rust-1.90-fixes.patch

@@ -0,0 +1,25 @@
+From 3a0d6ff3272c4a3d5f2d552a436e4f0fe0756a0a Mon Sep 17 00:00:00 2001
+From: Kavya Sree Kaitepalli <kkaitepalli@microsoft.com>
+Date: Wed, 29 Oct 2025 06:38:08 +0000
+Subject: [PATCH] Add explicit lifetime for ValueArrayRef iterator for Rust 1.90
+
+---
+ src/slapi_r_plugin/src/value.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/slapi_r_plugin/src/value.rs b/src/slapi_r_plugin/src/value.rs
+index 2fd35c8..fec74ac 100644
+--- a/src/slapi_r_plugin/src/value.rs
++++ b/src/slapi_r_plugin/src/value.rs
+@@ -61,7 +61,7 @@ impl ValueArrayRef {
+         ValueArrayRef { raw_slapi_val }
+     }
+
+-    pub fn iter(&self) -> ValueArrayRefIter {
++    pub fn iter(&self) -> ValueArrayRefIter<'_> {
+         ValueArrayRefIter {
+             idx: 0,
+             va_ref: &self,
+-- 
+2.45.4
+

SPECS-EXTENDED/apache-commons-jexl/apache-commons-jexl.spec

@@ -4,7 +4,7 @@
 Summary:        Java Expression Language (JEXL)
 Name:           apache-%{short_name}
 Version:        2.1.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -108,14 +108,40 @@ ln -sf %{name}/%{short_name}-compat.jar %{buildroot}%{_javadir}/%{short_name}-co
 install -dm 0755 %{buildroot}%{_mavenpomdir}/%{name}
 install -pm 0644 pom.xml %{buildroot}%{_mavenpomdir}/%{name}/%{short_name}.pom
 %add_maven_depmap %{name}/%{short_name}.pom %{name}/%{short_name}.jar
-install -pm 0644 jexl2-compat/pom.xml  %{buildroot}%{_mavenpomdir}/%{name}/%{short_name}-compat.pom
+install -pm 0644 jexl2-compat/pom.xml %{buildroot}%{_mavenpomdir}/%{name}/%{short_name}-compat.pom
 %add_maven_depmap %{name}/%{short_name}-compat.pom %{name}/%{short_name}-compat.jar
 # javadoc
 install -dm 0755 %{buildroot}%{_javadocdir}/%{name}/jexl2-compat
 cp -pr target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}/
 cp -pr jexl2-compat/target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}/jexl2-compat/
+
+# Extract LICENSE if present
+legaldir=%{buildroot}%{_javadocdir}/%{name}/legal
+if [ -d "$legaldir" ]; then
+    install -Dm 0644 $legaldir/LICENSE \
+        %{buildroot}%{_licensedir}/apache-commons-jexl/LICENSE.javadoc
+fi
+
+# Delete ALL legal/ dirs
+find %{buildroot}%{_javadocdir}/%{name} -type d -name legal -exec rm -rf {} +
+
+# Run fdupes (this may create new symlinks)
 %fdupes -s %{buildroot}%{_javadocdir}
 
+# Fix absolute symlinks inside jexl2-compat by rewriting relative to parent directory structure
+pushd %{buildroot}%{_javadocdir}/%{name}
+for f in $(find jexl2-compat -type l); do
+    tgt=$(readlink "$f")
+    if [[ "$tgt" = /* ]]; then
+        base=$(basename "$tgt")
+        # Compute depth-aware relative path
+        depth=$(dirname "$f" | awk -F/ '{ print NF-1 }')
+        rel=$(printf '../%.0s' $(seq 1 $depth))"$base"
+        ln -snf "$rel" "$f"
+    fi
+done
+popd
+
 %check
 # commons-jexl
 %{ant} \
@@ -128,16 +154,20 @@ cp -pr jexl2-compat/target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}/jex
   test
 
 %files -f .mfiles
-%license LICENSE.txt
-%doc NOTICE.txt RELEASE-NOTES.txt
+%license LICENSE.txt NOTICE.txt
+%doc RELEASE-NOTES.txt
 %{_javadir}/%{short_name}*.jar
 
 %files javadoc
-%license LICENSE.txt
-%doc NOTICE.txt
+%license %{_licensedir}/apache-commons-jexl/LICENSE.javadoc
 %{_javadocdir}/%{name}
 
 %changelog
+
+* Mon Dec 22 2025 Aninda Pradhan <v-anindap@microsoft.com> - 2.1.1-4
+- Fixed license path warnings
+- License verified
+
 * Mon Nov 14 2022 Sumedh Sharma <sumsharma@microsoft.com> - 2.1.1-3
 - Fix build errors
   * create 'Packages' directory under JDK_HOME

SPECS-EXTENDED/booth/booth.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "booth-1.0.tar.gz": "1f4f6ed4fedebf7c52ca8dc9668218c99fbfe96bfbe9ac8f586bab7ef3b9b5d7"
+  "booth-1.2.tar.gz": "4f1c4581f71af1188893cce6bbe7d69ac7d9e8593ffd18a3a5f2449f4a5df3bf"
  }
 }

SPECS-EXTENDED/booth/booth.spec

@@ -1,12 +1,9 @@
 # Disable automatic compilation of Python files in extra directories
 %global _python_bytecompile_extra 0
-# set following to the actual commit or, for final release, concatenate
-# "boothver" macro to "v" (will yield a tag per the convention)
-%global commit 5d837d2b5bf1c240a5f1c5efe4e8d79f55727cca
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}}
 %{!?_licensedir:%global license %doc}
 %global test_path   %{_datadir}/booth/tests
+%global booth_user booth_test_user
 # RPMs are split as follows:
 # * booth:
 #   - envelope package serving as a syntactic shortcut to install
@@ -31,14 +28,13 @@
 %bcond_with glue
 Summary:        Ticket Manager for Multi-site Clusters
 Name:           booth
-Version:        1.0
-Release:        8%{?dist}
-License:        GPLv2+
+Version:        1.2
+Release:        1%{?dist}
+License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/ClusterLabs/%{name}
-Source0:        https://github.com/ClusterLabs/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz#/%{name}-%{version}.tar.gz
-Patch0:    CVE-2022-2553.patch
+Source0:        https://github.com/ClusterLabs/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
 # direct build process dependencies
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -78,7 +74,9 @@ Requires:       %{name}-core%{?_isa}
 Requires:       %{name}-site
 
 %files
-# intentionally empty
+%license COPYING
+%dir %{_datadir}/pkgconfig
+%{_datadir}/pkgconfig/booth.pc
 
 %description
 Booth manages tickets which authorize cluster sites located
@@ -154,7 +152,7 @@ BuildArch:      noarch
 Automated tests for running Booth, ticket manager for multi-site clusters.
 
 %prep
-%autosetup -p1 -n %{name}-%{commit}
+%autosetup -n %{name}-%{version}
 
 %build
 export CFLAGS=" %{build_cflags} -I/usr/include/pacemaker "
@@ -182,22 +180,43 @@ cp -a -t %{buildroot}/%{_pkgdocdir} \
 rm -rf %{buildroot}/%{_initrddir}/booth-arbitrator
 rm -rf %{buildroot}/%{_pkgdocdir}/README.upgrade-from-v0.1
 rm -rf %{buildroot}/%{_pkgdocdir}/COPYING
+
+# Removing absolute symlinks
+rm -f %{buildroot}%{_sbindir}/booth
+rm -f %{buildroot}%{_sbindir}/geostore
+ln -s boothd %{buildroot}%{_sbindir}/booth
+ln -s boothd %{buildroot}%{_sbindir}/geostore
+
 # tests
-mkdir -p %{buildroot}/%{test_path}
-cp -a -t %{buildroot}/%{test_path} \
-        -- conf test unit-tests script/unit-test.py
-chmod +x %{buildroot}/%{test_path}/test/booth_path
-chmod +x %{buildroot}/%{test_path}/test/live_test.sh
-mkdir -p %{buildroot}/%{test_path}/src
-ln -s -t %{buildroot}/%{test_path}/src \
-        -- %{_sbindir}/boothd
+mkdir -p %{test_path}
+cp -a -t %{test_path} \
+        -- conf test
+chmod +x %{test_path}/test/booth_path
+chmod +x %{test_path}/test/live_test.sh
+mkdir -p %{test_path}/src
+ln -s -t %{test_path}/src \
+        -- %{buildroot}/%{_sbindir}/boothd
+# Generate runtests.py and boothtestenv.py
+sed -e 's#PYTHON_SHEBANG#%{__python3} -Es#g' \
+    -e 's#TEST_SRC_DIR#%{test_path}/test#g' \
+    -e 's#TEST_BUILD_DIR#%{test_path}/test#g' \
+    %{test_path}/test/runtests.py.in > %{test_path}/test/runtests.py
+
+chmod +x %{test_path}/test/runtests.py
+
+sed -e 's#PYTHON_SHEBANG#%{__python3} -Es#g' \
+    -e 's#TEST_SRC_DIR#%{test_path}/test#g' \
+    -e 's#TEST_BUILD_DIR#%{test_path}/test#g' \
+    %{test_path}/test/boothtestenv.py.in > %{test_path}/test/boothtestenv.py
 
 # https://fedoraproject.org/wiki/Packaging:Python_Appendix#Manual_byte_compilation
-%py_byte_compile %{__python3} %{buildroot}/%{test_path}
+%py_byte_compile %{__python3} %{test_path}
 
 %check
 # alternatively: test/runtests.py
-VERBOSE=1 make check
+# Booth tests cannot run as root in RPM build system
+useradd -s /usr/bin/sh %{booth_user}
+su %{booth_user} -s /bin/sh -c "VERBOSE=1 %{test_path}/test/runtests.py"
 
 %files core
 %license COPYING
@@ -212,6 +231,9 @@ VERBOSE=1 make check
 %dir %{_sysconfdir}/booth
 %exclude %{_sysconfdir}/booth/booth.conf.example
 
+%dir %attr (750, %{uname}, %{gname}) %{_var}/lib/booth/
+%dir %attr (750, %{uname}, %{gname}) %{_var}/lib/booth/cores
+
 %files arbitrator
 %{_unitdir}/booth@.service
 %{_unitdir}/booth-arbitrator.service
@@ -233,11 +255,14 @@ VERBOSE=1 make check
 %files test
 %doc %{_pkgdocdir}/README-testing
 # /usr/share/booth provided by -site
-%{test_path}
 # /usr/lib/ocf/resource.d/booth provided by -site
 %{_libdir}/ocf/resource.d/booth/sharedrsc
 
 %changelog
+* Thu Dec 18 2025 Aditya Singh <v-aditysing@microsoft.com> - 1.2-1
+- Upgrade to version 1.2
+- License verified.
+
 * Wed Aug 30 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.0-8
 - Add patch for CVE-2022-2553
 

SPECS-EXTENDED/bsf/bsf.spec

@@ -1,7 +1,7 @@
 Summary:        Bean Scripting Framework
 Name:           bsf
 Version:        2.4.0
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -85,17 +85,23 @@ install -DTm 644 %{SOURCE1} %{buildroot}%{_mavenpomdir}/JPP-%{name}.pom
 # javadoc
 install -d -m 755 %{buildroot}%{_javadocdir}/%{name}
 cp -pr build/javadocs/* %{buildroot}%{_javadocdir}/%{name}
+mv %{buildroot}%{_javadocdir}/%{name}/legal/ADDITIONAL_LICENSE_INFO .
+mv %{buildroot}%{_javadocdir}/%{name}/legal/LICENSE .
 %fdupes -s %{buildroot}%{_javadocdir}/%{name}
 
 %files -f .mfiles
 %license LICENSE.txt NOTICE.txt
 %doc AUTHORS.txt CHANGES.txt README.txt TODO.txt RELEASE-NOTE.txt
 
 %files javadoc
-%license LICENSE.txt NOTICE.txt
+%license LICENSE LICENSE.txt NOTICE.txt ADDITIONAL_LICENSE_INFO
 %{_javadocdir}/%{name}
 
 %changelog
+* Fri Jan 02 2026 Sumit Jena <v-sumitjena@microsoft.com> - 2.4.0-20
+- Fixed License Warnings.
+- Added additional License file.
+
 * Tue Jan 03 2023 Sumedh Sharma <sumsharma@microsoft.com> - 2.4.0-19
 - License verified