From 3abc6824e0f6d18e7ea6ca0361c81b7c0c96e56b Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 13 May 2026 11:00:41 +0000
Subject: [PATCH] Patch ignition-flatcar for CVE-2026-33814

---
 SPECS/ignition-flatcar/CVE-2026-33814.patch | 48 ++++++++++++++++++++
 SPECS/ignition-flatcar/ignition-flatcar.spec | 6 ++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/ignition-flatcar/CVE-2026-33814.patch

diff --git a/SPECS/ignition-flatcar/CVE-2026-33814.patch b/SPECS/ignition-flatcar/CVE-2026-33814.patch
new file mode 100644
index 00000000000..b3aef7ff2ba
--- /dev/null
+++ b/SPECS/ignition-flatcar/CVE-2026-33814.patch
@@ -0,0 +1,48 @@
+From f8fa6c0656fb203051061615a79c8d0fe6342f37 Mon Sep 17 00:00:00 2001
+From: "Nicholas S. Husin"
+Date: Tue, 31 Mar 2026 15:15:30 -0400
+Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
+
+This CL backports https://go.dev/cl/761581 to x/net.
+
+Fixes golang/go#78476
+Fixes CVE-2026-33814
+
+Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
+Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Nicholas Husin
+Reviewed-by: Damien Neil
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
+---
+ vendor/golang.org/x/net/http2/transport.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index f26356b..a401b27 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -2858,6 +2858,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+
+ var seenMaxConcurrentStreams bool
+ err := f.ForeachSetting(func(s Setting) error {
++ if err := s.Valid(); err != nil {
++ return err
++ }
+ switch s.ID {
+ case SettingMaxFrameSize:
+ cc.maxFrameSize = s.Val
+@@ -2889,9 +2892,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+ cc.henc.SetMaxDynamicTableSize(s.Val)
+ cc.peerMaxHeaderTableSize = s.Val
+ case SettingEnableConnectProtocol:
+- if err := s.Valid(); err != nil {
+- return err
+- }
+ // If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
+ // we require that it do so in the first SETTINGS frame.
+ //
+--
+2.45.4
+
diff --git a/SPECS/ignition-flatcar/ignition-flatcar.spec b/SPECS/ignition-flatcar/ignition-flatcar.spec
index 00c1d0aea8b..f60afcc1799 100644
--- a/SPECS/ignition-flatcar/ignition-flatcar.spec
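Review bot: The provenance trailers in the carried patch do not agree with each other: `Upstream-reference:` names golang/net commit 1e71bd86…, while the embedded header is `From f8fa6c0656…` with `Reviewed-on: …/c/net/+/761640`, so a reader cannot tell which commit's diff is actually carried; make the trailer name the commit whose diff this is, or list both, e.g. `Upstream-reference: <commit carried here> (original: 1e71bd86…)`. The second hunk (`@@ -2889,9 +2892,6 @@`) applies only if the vendored transport.go in ignition-flatcar 2.22.0 already contains the `case SettingEnableConnectProtocol:` block with its in-case `s.Valid()` call (blob f26356b); if the vendored x/net predates that block the hunk will not apply, so it is worth stating in the PR description that Patch22 applied cleanly in a build. As far as the hunks show, the change itself is sound: moving `s.Valid()` to the top of the ForeachSetting callback means any setting value that fails validation now makes processSettingsNoWrite return an error instead of being applied. processSettingsNoWrite starts and ends outside both hunks.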
+++ b/SPECS/ignition-flatcar/ignition-flatcar.spec
@@ -24,7 +24,7 @@ Version: 2.22.0
 %global dracutlibdir %{_prefix}/lib/dracut
 Name: ignition-flatcar
-Release: 3%{?dist}
+Release: 4%{?dist}
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Summary: First boot installer and configuration tool
@@ -55,6 +55,7 @@ Patch18: 0019-usr-share-oem-oem.patch
 Patch19: 0020-internal-exec-stages-mount-Mount-oem.patch
 Patch20: CVE-2026-27141.patch
 Patch21: CVE-2026-29181.patch
+Patch22: CVE-2026-33814.patch
 
 BuildRequires: libblkid-devel
 BuildRequires: systemd-rpm-macros
@@ -203,6 +204,9 @@ VERSION=%{version} GOARCH=%{goarch} ./test
 %endif
 
 %changelog
+* Wed May 13 2026 Azure Linux Security Servicing Account - 2.22.0-4
+- Patch for CVE-2026-33814
+
 * Mon May 04 2026 Azure Linux Security Servicing Account - 2.22.0-3
 - Patch for CVE-2026-29181
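Review bot: `Patch22: CVE-2026-33814.patch` is declared in the `@@ -55,6 +55,7 @@` hunk, but nothing visible applies it; whether it takes effect depends on %prep, which lies outside this diff. If %prep uses `%autosetup -p1` or `%autopatch` the declaration alone is enough, but if patches are applied individually a matching `%patch -P 22 -p1` (or the older `%patch22 -p1`) is needed, otherwise 2.22.0-4 would ship with the changelog claiming a fix that is not in the binary. Confirming in the PR description that the build log shows Patch22 being applied would settle this. The Release bump and changelog hunks on this line are fine as written.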