From 86b5072b5981d157c2175bf7e5fb39d36bee8ae1 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 4 Feb 2026 09:12:27 +0000
Subject: [PATCH 1/2] Patch influxdb for CVE-2025-11065
---
SPECS/influxdb/CVE-2025-11065.patch | 277 ++++++++++++++++++++++++++++
SPECS/influxdb/influxdb.spec | 6 +-
2 files changed, 282 insertions(+), 1 deletion(-)
create mode 100644 SPECS/influxdb/CVE-2025-11065.patch
diff --git a/SPECS/influxdb/CVE-2025-11065.patch b/SPECS/influxdb/CVE-2025-11065.patch
new file mode 100644
index 00000000000..8e83f33bf18
--- /dev/null
+++ b/SPECS/influxdb/CVE-2025-11065.patch
@@ -0,0 +1,277 @@ +From c6c7b92099fb55d8c2773dea56a1f8b05471ac35 Mon Sep 17 00:00:00 2001 +From: Mark Sagi-Kazar +Date: Sat, 12 Jul 2025 07:25:50 +0200 +Subject: [PATCH] fix: error message leaks + +Signed-off-by: Mark Sagi-Kazar + +Upstream Patch reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch +--- + .../mitchellh/mapstructure/decode_hooks.go | 12 +- + .../mitchellh/mapstructure/error.go | 156 ++++++++++++++++++ + .../mitchellh/mapstructure/mapstructure.go | 8 +- + 3 files changed, 168 insertions(+), 8 deletions(-) + +diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go +index 1f0abc6..4f70b03 100644 +--- a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go ++++ b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go +@@ -113,7 +113,9 @@ func StringToTimeDurationHookFunc() DecodeHookFunc { + } + + // Convert it by parsing +- return time.ParseDuration(data.(string)) ++ d, err := time.ParseDuration(data.(string)) ++ ++ return d, wrapTimeParseDurationError(err) + } + } + +@@ -134,7 +136,7 @@ func StringToIPHookFunc() DecodeHookFunc { + // Convert it by parsing + ip := net.ParseIP(data.(string)) + if ip == nil { +- return net.IP{}, fmt.Errorf("failed parsing ip %v", data) ++ return net.IP{}, fmt.Errorf("failed parsing ip") + } + + return ip, nil +@@ -157,7 +159,7 @@ func StringToIPNetHookFunc() DecodeHookFunc { + + // Convert it by parsing + _, net, err := net.ParseCIDR(data.(string)) +- return net, err ++ return net, wrapNetParseError(err) + } + } + +@@ -176,7 +178,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc { + } + + // Convert it by parsing +- return time.Parse(layout, data.(string)) ++ ti, err := time.Parse(layout, data.(string)) ++ ++ 
return ti, wrapTimeParseError(err) + } + } + +diff --git a/vendor/github.com/mitchellh/mapstructure/error.go b/vendor/github.com/mitchellh/mapstructure/error.go +index 47a99e5..8c3b078 100644 +--- a/vendor/github.com/mitchellh/mapstructure/error.go ++++ b/vendor/github.com/mitchellh/mapstructure/error.go +@@ -3,8 +3,12 @@ package mapstructure + import ( + "errors" + "fmt" ++ "net" ++ "net/url" + "sort" ++ "strconv" + "strings" ++ "time" + ) + + // Error implements the error interface and can represents multiple +@@ -48,3 +52,155 @@ func appendErrors(errors []string, err error) []string { + return append(errors, e.Error()) + } + } ++ ++func wrapStrconvNumError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*strconv.NumError); ok { ++ return &strconvNumError{Err: err} ++ } ++ ++ return err ++} ++ ++type strconvNumError struct { ++ Err *strconv.NumError ++} ++ ++func (e *strconvNumError) Error() string { ++ return "strconv." + e.Err.Func + ": " + e.Err.Err.Error() ++} ++ ++func (e *strconvNumError) Unwrap() error { return e.Err } ++ ++func wrapUrlError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*url.Error); ok { ++ return &urlError{Err: err} ++ } ++ ++ return err ++} ++ ++type urlError struct { ++ Err *url.Error ++} ++ ++func (e *urlError) Error() string { ++ return fmt.Sprintf("%s", e.Err.Err) ++} ++ ++func (e *urlError) Unwrap() error { return e.Err } ++ ++func wrapNetParseError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*net.ParseError); ok { ++ return &netParseError{Err: err} ++ } ++ ++ return err ++} ++ ++type netParseError struct { ++ Err *net.ParseError ++} ++ ++func (e *netParseError) Error() string { ++ return "invalid " + e.Err.Type ++} ++ ++func (e *netParseError) Unwrap() error { return e.Err } ++ ++func wrapTimeParseError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*time.ParseError); ok { ++ return 
&timeParseError{Err: err} ++ } ++ ++ return err ++} ++ ++type timeParseError struct { ++ Err *time.ParseError ++} ++ ++func (e *timeParseError) Error() string { ++ if e.Err.Message == "" { ++ return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem) ++ } ++ ++ return "parsing time " + e.Err.Message ++} ++ ++func (e *timeParseError) Unwrap() error { return e.Err } ++ ++func wrapNetIPParseAddrError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if errMsg := err.Error(); strings.HasPrefix(errMsg, "ParseAddr") { ++ errPieces := strings.Split(errMsg, ": ") ++ ++ return fmt.Errorf("ParseAddr: %s", errPieces[len(errPieces)-1]) ++ } ++ ++ return err ++} ++ ++func wrapNetIPParseAddrPortError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ errMsg := err.Error() ++ if strings.HasPrefix(errMsg, "invalid port ") { ++ return errors.New("invalid port") ++ } else if strings.HasPrefix(errMsg, "invalid ip:port ") { ++ return errors.New("invalid ip:port") ++ } ++ ++ return err ++} ++ ++func wrapNetIPParsePrefixError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if errMsg := err.Error(); strings.HasPrefix(errMsg, "netip.ParsePrefix") { ++ errPieces := strings.Split(errMsg, ": ") ++ ++ return fmt.Errorf("netip.ParsePrefix: %s", errPieces[len(errPieces)-1]) ++ } ++ ++ return err ++} ++ ++func wrapTimeParseDurationError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ errMsg := err.Error() ++ if strings.HasPrefix(errMsg, "time: unknown unit ") { ++ return errors.New("time: unknown unit") ++ } else if strings.HasPrefix(errMsg, "time: ") { ++ idx := strings.LastIndex(errMsg, " ") ++ ++ return errors.New(errMsg[:idx]) ++ } ++ ++ return err ++} +diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go +index daea331..c2c68c3 100644 +--- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go ++++ 
b/vendor/github.com/mitchellh/mapstructure/mapstructure.go +@@ -523,7 +523,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er + if err == nil { + val.SetInt(i) + } else { +- return fmt.Errorf("cannot parse '%s' as int: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as int: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +@@ -575,7 +575,7 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e + if err == nil { + val.SetUint(i) + } else { +- return fmt.Errorf("cannot parse '%s' as uint: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as uint: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +@@ -618,7 +618,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e + } else if dataVal.String() == "" { + val.SetBool(false) + } else { +- return fmt.Errorf("cannot parse '%s' as bool: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as bool: %s", name, wrapStrconvNumError(err)) + } + default: + return fmt.Errorf( +@@ -652,7 +652,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) + if err == nil { + val.SetFloat(f) + } else { +- return fmt.Errorf("cannot parse '%s' as float: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as float: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +-- +2.45.4 + diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec index eb001f35c2a..47b9b35407e 100644 --- a/SPECS/influxdb/influxdb.spec +++ b/SPECS/influxdb/influxdb.spec 
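Review bot: `wrapTimeParseDurationError` in the new error.go can still return part of the rejected input, because its `time: ` branch cuts the message at the last space and so assumes the quoted value contains no whitespace; a message of the form `time: invalid duration "a b"` would be trimmed to `time: invalid duration "a`. Cutting at the first quote removes the value whatever it contains, e.g. `if i := strings.IndexByte(errMsg, '"'); i >= 0 { return errors.New(strings.TrimSpace(errMsg[:i])) }`. `timeParseError.Error()` looks exposed in a similar way, since it appends `e.Err.Message` verbatim and the standard library's "extra text" message appears to carry the unparsed remainder of the value; returning a fixed string for that case would close it. Because this file is a backport of the referenced upstream commit, any deviation from upstream is worth recording in the patch header.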
@@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.7.5 -Release: 10%{?dist} +Release: 11%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -69,6 +69,7 @@ Patch10: CVE-2024-51744.patch Patch11: CVE-2025-22872.patch Patch12: CVE-2025-65637.patch Patch13: CVE-2025-10543.patch +Patch14: CVE-2025-11065.patch BuildRequires: clang BuildRequires: golang BuildRequires: kernel-headers @@ -158,6 +159,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +* Wed Feb 04 2026 Azure Linux Security Servicing Account - 2.7.5-11 +- Patch for CVE-2025-11065 + * Wed Dec 17 2025 Azure Linux Security Servicing Account - 2.7.5-10 - Patch for CVE-2025-10543 From 0e54303fccc475324b61093e093742674dabfe5e Mon Sep 17 00:00:00 2001 From: Akhila Guruju Date: Thu, 5 Feb 2026 12:05:20 +0530 Subject: [PATCH 2/2] modified AI patch This patch updates error messages to prevent information leakage by wrapping original errors with more generic messages. --- SPECS/influxdb/CVE-2025-11065.patch | 30 ++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/SPECS/influxdb/CVE-2025-11065.patch b/SPECS/influxdb/CVE-2025-11065.patch index 8e83f33bf18..9fca63e0f54 100644 --- a/SPECS/influxdb/CVE-2025-11065.patch +++ b/SPECS/influxdb/CVE-2025-11065.patch @@ -1,4 +1,4 @@ -From c6c7b92099fb55d8c2773dea56a1f8b05471ac35 Mon Sep 17 00:00:00 2001 +From 742921c9ba2854d27baa64272487fc5075d2c39c Mon Sep 17 00:00:00 2001 From: Mark Sagi-Kazar Date: Sat, 12 Jul 2025 07:25:50 +0200 Subject: [PATCH] fix: error message leaks @@ -6,14 +6,11 @@ Subject: [PATCH] fix: error message leaks 
Signed-off-by: Mark Sagi-Kazar Upstream Patch reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch - -Signed-off-by: Azure Linux Security Servicing Account -Upstream-reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch --- .../mitchellh/mapstructure/decode_hooks.go | 12 +- .../mitchellh/mapstructure/error.go | 156 ++++++++++++++++++ - .../mitchellh/mapstructure/mapstructure.go | 8 +- - 3 files changed, 168 insertions(+), 8 deletions(-) + .../mitchellh/mapstructure/mapstructure.go | 10 +- + 3 files changed, 169 insertions(+), 9 deletions(-) diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go index 1f0abc6..4f70b03 100644 @@ -233,10 +230,10 @@ index 47a99e5..8c3b078 100644 + return err +} diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go -index daea331..c2c68c3 100644 +index b384d9d..21c2264 100644 --- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go +++ b/vendor/github.com/mitchellh/mapstructure/mapstructure.go -@@ -523,7 +523,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er +@@ -592,7 +592,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er if err == nil { val.SetInt(i) } else { @@ -245,7 +242,7 @@ index daea331..c2c68c3 100644 } case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": jn := data.(json.Number) -@@ -575,7 +575,7 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e +@@ -644,14 +644,14 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e if err == nil { val.SetUint(i) } else { 
@@ -254,7 +251,15 @@ index daea331..c2c68c3 100644 } case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": jn := data.(json.Number) -@@ -618,7 +618,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e + i, err := jn.Int64() + if err != nil { + return fmt.Errorf( +- "error decoding json.Number into %s: %s", name, err) ++ "error decoding json.Number into %s: %s", name, wrapStrconvNumError(err)) + } + if i < 0 && !d.config.WeaklyTypedInput { + return fmt.Errorf("cannot parse '%s', %d overflows uint", +@@ -687,7 +687,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e } else if dataVal.String() == "" { val.SetBool(false) } else { @@ -263,7 +268,7 @@ index daea331..c2c68c3 100644 } default: return fmt.Errorf( -@@ -652,7 +652,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) +@@ -721,7 +721,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) if err == nil { val.SetFloat(f) } else { @@ -273,5 +278,4 @@ index daea331..c2c68c3 100644 case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": jn := data.(json.Number) -- -2.45.4 - +2.43.0
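Review bot: The `wrapStrconvNumError` wrap added around the `jn.Int64()` error in decodeUint has no visible counterpart in decodeInt and decodeFloat, whose hunks stop at `jn := data.(json.Number)`. If those branches format the conversion error the same way (their bodies continue outside the hunks, so this is inferred), the `*strconv.NumError` text, which quotes the rejected value, would still reach the message there. It would be worth applying the same change, `"error decoding json.Number into %s: %s", name, wrapStrconvNumError(err)`, in both functions, or stating in the patch header why only decodeUint needs it.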