clamav and rust upgrade

SPECS-EXTENDED/ripgrep/ripgrep.spec

@@ -20,7 +20,7 @@
 
 Name:           ripgrep
 Version:        13.0.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        A search tool that combines ag with grep
 License:        MIT AND Unlicense
 Vendor:         Microsoft Corporation
@@ -104,6 +104,9 @@ install -Dm 644 complete/_rg %{buildroot}%{_datadir}/zsh/site-functions/_rg
 %{_datadir}/zsh
 
 %changelog
+* Fri March 20 2026 Mayank Singh <mayansingh@microsoft.com> - 13.0.0-6
+- Bump package to rebuild with rust 1.90.0
+
 * Thu Sep 07 2023 Daniel McIlvaney <damcilva@microsoft.com> - 13.0.0-5
 - Bump package to rebuild with rust 1.72.0
 

SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec

@@ -2,7 +2,7 @@
 Summary:        Tool for generating C bindings to Rust code
 Name:           rust-cbindgen
 Version:        0.24.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -96,6 +96,9 @@ RUSTFLAGS=%{rustflags} cargo test --release
 %endif
 
 %changelog
+* Fri March 20 2026 Mayank Singh <mayansingh@microsoft.com> - 0.24.3-2
+- Bump package to rebuild with rust 1.90.0
+
 * Mon Sep 25 2023 Shweta Bindal <shwetabindal@microsoft.com> - 0.24.3-1
 - Initial CBL-Mariner import from Fedora 38 (license: MIT).
 - License verified

SPECS/clamav/clamav.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "clamav-1.0.9-cargo.tar.gz": "d9e596d93abedbe2cf5f79bbc3dd3539ea1d185620a91f387c1779fd22e75e0b",
-  "clamav-1.0.9.tar.gz": "c3ac983568e3df274833839a7aa45c1b2650b192f7d2a8524cddbb0111062d93"
+  "clamav-1.5.2-cargo.tar.gz": "f33e672af10502dbc3fad117bbe09d8098672b161dd54e22f386b556792e9e8a",
+  "clamav-1.5.2.tar.gz": "26815066815ef974fd778be6ab431064f32110199e3b6f89f32a6d3c492fe730"
  }
 }

SPECS/clamav/clamav.spec

@@ -1,6 +1,6 @@
 Summary:        Open source antivirus engine
 Name:           clamav
-Version:        1.0.9
+Version:        1.5.2
 Release:        1%{?dist}
 License:        ASL 2.0 AND BSD AND bzip2-1.0.4 AND GPLv2 AND LGPLv2+ AND MIT AND Public Domain AND UnRar
 Vendor:         Microsoft Corporation
@@ -83,6 +83,10 @@ cd build
 %cmake_install
 # do not install html doc ('clamav' cmake has no flag to specify that => remove the doc)
 rm -rf %{buildroot}%{_docdir}
+
+# Remove unintended static Rust archive
+rm -f %{buildroot}%{_libdir}/libclamav_rust.a
+
 mkdir -p %{buildroot}%{_sharedstatedir}/clamav
 
 ### freshclam config processing (from Fedora)
@@ -126,13 +130,19 @@ fi
 %{_sbindir}/*
 %{_sysconfdir}/clamav/*.sample
 %{_sysconfdir}/clamav/freshclam.conf
+%dir %{_sysconfdir}/clamav
+%dir %{_sysconfdir}/clamav/certs
+%config(noreplace) %{_sysconfdir}/clamav/certs/clamav.crt
 %{_includedir}/*.h
 %{_mandir}/man1/*
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 %dir %attr(-,clamav,clamav) %{_sharedstatedir}/clamav
 
 %changelog
+* Fri Mar 20 2026 Mayank Singh <mayansingh@microsoft.com> - 1.5.2-1
+- Upgrade to version 1.5.2
+
 * Tue Jun 24 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.0.9-1
 - Upgrade to version 1.0.9 to fix CVE-2025-20260
 

SPECS/cloud-hypervisor/cloud-hypervisor.spec

@@ -5,7 +5,7 @@
 Summary:        Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM.
 Name:           cloud-hypervisor
 Version:        32.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -168,6 +168,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{
 %license LICENSE-BSD-3-Clause
 
 %changelog
+* Fri March 20 2026 Mayank Singh <mayansingh@microsoft.com> - 32.0-8
+- Bump package to rebuild with rust 1.90.0
+
 * Thu May 22 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 32.0-7
 - Patch CVE-2024-43806
 

SPECS/kata-containers-cc/kata-containers-cc.spec

@@ -13,7 +13,7 @@
 
 Name:         kata-containers-cc
 Version:      3.2.0.azl2
-Release:      8%{?dist}
+Release:      9%{?dist}
 Summary:      Kata Confidential Containers package developed for Confidential Containers on AKS
 License:      ASL 2.0
 Vendor:       Microsoft Corporation
@@ -27,6 +27,7 @@ Patch2:       CVE-2024-24786.patch
 Patch3:       CVE-2023-44487.patch
 Patch4:       CVE-2024-43806.patch
 Patch5:       CVE-2025-5791.patch
+Patch6:       rust-1.90-fixes.patch
 
 ExclusiveArch: x86_64
 
@@ -295,6 +296,9 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
 %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
 
 %changelog
+* Fri Mar 20 2026 Mayank Singh <mayansingh@microsoft.com> - 3.2.0.azl-9
+- Bump package to rebuild with rust 1.90.0
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.2.0.azl2-8
 - Bump release to rebuild with golang
 

SPECS/kata-containers-cc/rust-1.90-fixes.patch

@@ -0,0 +1,80 @@
+From 40df9e0f016e4ce67e90e3e7f5b0ec87c5cb0a32 Mon Sep 17 00:00:00 2001
+From: Mayank Singh <mayansingh@microsoft.com>
+Date: Sun, 23 Mar 2026 12:34:56 +0000
+Subject: [PATCH] Fix Rust 1.90 build errors for kata-containers
+
+Add explicit lifetime for U32Set iterator, suppress unexpected_cfgs
+warning for powerpc64le target_arch in kata-sys-util, suppress
+renamed_and_removed_lints for box_pointers in protocols crate, suppress
+dead_code for supports_seccomp field and VirtioBlkCcwHandler struct.
+---
+ src/agent/src/config.rs                  | 1 +
+ src/agent/src/storage/block_handler.rs   | 1 +
+ src/libs/kata-sys-util/src/lib.rs        | 1 +
+ src/libs/kata-types/src/utils/u32_set.rs | 2 +-
+ src/libs/protocols/src/lib.rs            | 1 +
+ 5 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs
+index aaa1111..bbb2222 100644
+--- a/src/agent/src/config.rs
++++ b/src/agent/src/config.rs
+@@ -63,6 +63,7 @@
+     pub server_addr: String,
+     pub unified_cgroup_hierarchy: bool,
+     pub tracing: bool,
++    #[allow(dead_code)]
+     pub supports_seccomp: bool,
+ }
+
+diff --git a/src/agent/src/storage/block_handler.rs b/src/agent/src/storage/block_handler.rs
+index ccc3333..ddd4444 100644
+--- a/src/agent/src/storage/block_handler.rs
++++ b/src/agent/src/storage/block_handler.rs
+@@ -77,6 +77,7 @@
+ }
+
+ #[derive(Debug)]
++#[allow(dead_code)]
+ pub struct VirtioBlkCcwHandler {}
+
+ #[async_trait::async_trait]
+diff --git a/src/libs/kata-sys-util/src/lib.rs b/src/libs/kata-sys-util/src/lib.rs
+index 1234567..abcdefg 100644
+--- a/src/libs/kata-sys-util/src/lib.rs
++++ b/src/libs/kata-sys-util/src/lib.rs
+@@ -2,6 +2,7 @@
+ //
+ // SPDX-License-Identifier: Apache-2.0
+ //
++#![allow(unexpected_cfgs)]
+
+ #[macro_use]
+ extern crate slog;
+diff --git a/src/libs/kata-types/src/utils/u32_set.rs b/src/libs/kata-types/src/utils/u32_set.rs
+index 44c55a1..837e7a0 100644
+--- a/src/libs/kata-types/src/utils/u32_set.rs
++++ b/src/libs/kata-types/src/utils/u32_set.rs
+@@ -47,7 +47,7 @@
+     }
+
+     /// Get an iterator over the CPU set.
+-    pub fn iter(&self) -> Iter<u32> {
++    pub fn iter(&self) -> Iter<'_, u32> {
+         self.0.iter()
+     }
+ }
+diff --git a/src/libs/protocols/src/lib.rs b/src/libs/protocols/src/lib.rs
+index 2345678..bcdefgh 100644
+--- a/src/libs/protocols/src/lib.rs
++++ b/src/libs/protocols/src/lib.rs
+@@ -2,6 +2,7 @@
+ //
+ // SPDX-License-Identifier: Apache-2.0
+ //
++#![allow(renamed_and_removed_lints)]
+ #![allow(bare_trait_objects)]
+ #![allow(clippy::redundant_field_names)]
+
+-- 
+2.45.4

SPECS/kata-containers/kata-containers.spec

@@ -39,7 +39,7 @@
 Summary:        Kata Containers
 Name:           kata-containers
 Version:        3.2.0.azl2
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 URL:            https://github.com/microsoft/kata-containers
@@ -51,6 +51,7 @@ Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2023-39325.patch
 Patch2:         CVE-2024-24786.patch
 Patch3:         CVE-2023-44487.patch
+Patch4:         rust-1.90-fixes.patch
 
 BuildRequires:  golang
 BuildRequires:  git-core
@@ -219,6 +220,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime
 %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu
 
 %changelog
+* Fri Mar 20 2026 Mayank Singh <mayansingh@microsoft.com> - 3.2.0.azl-8
+- Bump package to rebuild with rust 1.90.0
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.2.0.azl-7
 - Bump release to rebuild with golang
 

SPECS/kata-containers/rust-1.90-fixes.patch

@@ -0,0 +1,80 @@
+From 40df9e0f016e4ce67e90e3e7f5b0ec87c5cb0a32 Mon Sep 17 00:00:00 2001
+From: Mayank Singh <mayansingh@microsoft.com>
+Date: Sun, 23 Mar 2026 12:34:56 +0000
+Subject: [PATCH] Fix Rust 1.90 build errors for kata-containers
+
+Add explicit lifetime for U32Set iterator, suppress unexpected_cfgs
+warning for powerpc64le target_arch in kata-sys-util, suppress
+renamed_and_removed_lints for box_pointers in protocols crate, suppress
+dead_code for supports_seccomp field and VirtioBlkCcwHandler struct.
+---
+ src/agent/src/config.rs                  | 1 +
+ src/agent/src/storage/block_handler.rs   | 1 +
+ src/libs/kata-sys-util/src/lib.rs        | 1 +
+ src/libs/kata-types/src/utils/u32_set.rs | 2 +-
+ src/libs/protocols/src/lib.rs            | 1 +
+ 5 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs
+index aaa1111..bbb2222 100644
+--- a/src/agent/src/config.rs
++++ b/src/agent/src/config.rs
+@@ -63,6 +63,7 @@
+     pub server_addr: String,
+     pub unified_cgroup_hierarchy: bool,
+     pub tracing: bool,
++    #[allow(dead_code)]
+     pub supports_seccomp: bool,
+ }
+
+diff --git a/src/agent/src/storage/block_handler.rs b/src/agent/src/storage/block_handler.rs
+index ccc3333..ddd4444 100644
+--- a/src/agent/src/storage/block_handler.rs
++++ b/src/agent/src/storage/block_handler.rs
+@@ -77,6 +77,7 @@
+ }
+
+ #[derive(Debug)]
++#[allow(dead_code)]
+ pub struct VirtioBlkCcwHandler {}
+
+ #[async_trait::async_trait]
+diff --git a/src/libs/kata-sys-util/src/lib.rs b/src/libs/kata-sys-util/src/lib.rs
+index 1234567..abcdefg 100644
+--- a/src/libs/kata-sys-util/src/lib.rs
++++ b/src/libs/kata-sys-util/src/lib.rs
+@@ -2,6 +2,7 @@
+ //
+ // SPDX-License-Identifier: Apache-2.0
+ //
++#![allow(unexpected_cfgs)]
+
+ #[macro_use]
+ extern crate slog;
+diff --git a/src/libs/kata-types/src/utils/u32_set.rs b/src/libs/kata-types/src/utils/u32_set.rs
+index 44c55a1..837e7a0 100644
+--- a/src/libs/kata-types/src/utils/u32_set.rs
++++ b/src/libs/kata-types/src/utils/u32_set.rs
+@@ -47,7 +47,7 @@
+     }
+
+     /// Get an iterator over the CPU set.
+-    pub fn iter(&self) -> Iter<u32> {
++    pub fn iter(&self) -> Iter<'_, u32> {
+         self.0.iter()
+     }
+ }
+diff --git a/src/libs/protocols/src/lib.rs b/src/libs/protocols/src/lib.rs
+index 2345678..bcdefgh 100644
+--- a/src/libs/protocols/src/lib.rs
++++ b/src/libs/protocols/src/lib.rs
+@@ -2,6 +2,7 @@
+ //
+ // SPDX-License-Identifier: Apache-2.0
+ //
++#![allow(renamed_and_removed_lints)]
+ #![allow(bare_trait_objects)]
+ #![allow(clippy::redundant_field_names)]
+
+-- 
+2.45.4

SPECS/rust/CVE-2024-11738.patch

@@ -0,0 +1,35 @@
+From 874dd834f5444394deda1f7fcc19cc09afebf6bd Mon Sep 17 00:00:00 2001
+From: Kevin Wang <wy721@qq.com>
+Date: Fri, 22 Nov 2024 20:48:01 +0800
+Subject: [PATCH] Record and restore the processed cursor in
+ first_handshake_message
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/rustls/rustls/pull/2231.patch
+---
+ vendor/rustls-0.23.13/src/conn.rs | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/vendor/rustls-0.23.13/src/conn.rs b/vendor/rustls-0.23.13/src/conn.rs
+index 60b597ba5..d45d71fd0 100644
+--- a/vendor/rustls-0.23.13/src/conn.rs
++++ b/vendor/rustls-0.23.13/src/conn.rs
+@@ -655,6 +655,7 @@ impl<Data> ConnectionCommon<Data> {
+     /// `process_handshake_messages()` path, specialized for the first handshake message.
+     pub(crate) fn first_handshake_message(&mut self) -> Result<Option<Message<'static>>, Error> {
+         let mut buffer_progress = BufferProgress::default();
++        buffer_progress.add_processed(self.deframer_buffer.processed);
+
+         let res = self
+             .core
+@@ -665,6 +666,7 @@ impl<Data> ConnectionCommon<Data> {
+             )
+             .map(|opt| opt.map(|pm| Message::try_from(pm).map(|m| m.into_owned())));
+
++        self.deframer_buffer.processed = buffer_progress.processed();
+         match res? {
+             Some(Ok(msg)) => {
+                 self.deframer_buffer
+-- 
+2.45.4
+