[AutoPR- Security] Patch telegraf for CVE-2026-4645 [HIGH] (#16322)

azurelinux-security · web-flow · commit e81f959b8d3b · 2026-03-27T15:45:38.000-04:00
diff --git a/SPECS/telegraf/CVE-2026-4645.patch b/SPECS/telegraf/CVE-2026-4645.patch
@@ -0,0 +1,34 @@
+From 77ef55ce21fd12b8bd995e1eace449ca6cf8087a Mon Sep 17 00:00:00 2001
+From: zhengchun <zhengchunster@gmail.com>
+Date: Sat, 21 Feb 2026 21:32:17 +0800
+Subject: [PATCH] fix #121
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494.patch
+---
+ vendor/github.com/antchfx/xpath/query.go | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/vendor/github.com/antchfx/xpath/query.go b/vendor/github.com/antchfx/xpath/query.go
+index fe6f4885..14177d2f 100644
+--- a/vendor/github.com/antchfx/xpath/query.go
++++ b/vendor/github.com/antchfx/xpath/query.go
+@@ -965,15 +965,6 @@ type logicalQuery struct {
+ }
+ 
+ func (l *logicalQuery) Select(t iterator) NodeNavigator {
+-	// When a XPath expr is logical expression.
+-	node := t.Current().Copy()
+-	val := l.Evaluate(t)
+-	switch val.(type) {
+-	case bool:
+-		if val.(bool) == true {
+-			return node
+-		}
+-	}
+ 	return nil
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,6 +31,7 @@ Patch16:        CVE-2025-47911.patch
 Patch17:        CVE-2025-58190.patch
 Patch18:        CVE-2026-2303.patch
 Patch19:        CVE-2026-26014.patch
+Patch20:        CVE-2026-4645.patch
 
 
 BuildRequires:  golang
@@ -96,6 +97,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Fri Mar 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-16
+- Patch for CVE-2026-4645
+
 * Fri Feb 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-15
 - Patch for CVE-2026-26014, CVE-2026-2303, CVE-2025-58190, CVE-2025-47911
 
