diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec index ac9240923ae..8955db4cee7 100644 --- a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec +++ b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec @@ -68,7 +68,7 @@ ExcludeArch: i686 Summary: 389 Directory Server (%{variant}) Name: 389-ds-base Version: 3.1.1 -Release: 10%{?dist} +Release: 11%{?dist} License: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0 URL: https://www.port389.org Vendor: Microsoft Corporation @@ -733,6 +733,9 @@ exit 0 %endif %changelog +* Tue Mar 31 2026 BinduSri Adabala - 3.1.1-11 +- Bump release to rebuild with rust + * Mon Feb 02 2026 Archana Shettigar - 3.1.1-10 - Bump release to rebuild with rust diff --git a/SPECS-EXTENDED/ripgrep/ripgrep.spec b/SPECS-EXTENDED/ripgrep/ripgrep.spec index 9a72cf91f8b..6c0e2e21c4b 100644 --- a/SPECS-EXTENDED/ripgrep/ripgrep.spec +++ b/SPECS-EXTENDED/ripgrep/ripgrep.spec @@ -20,7 +20,7 @@ Name: ripgrep Version: 13.0.0 -Release: 12%{?dist} +Release: 13%{?dist} Summary: A search tool that combines ag with grep License: MIT AND Unlicense Vendor: Microsoft Corporation @@ -104,6 +104,9 @@ install -Dm 644 complete/_rg %{buildroot}%{_datadir}/zsh/site-functions/_rg %{_datadir}/zsh %changelog +* Tue Mar 31 2026 BinduSri Adabala - 13.0.0-13 +- Bump release to rebuild with rust + * Mon Feb 02 2026 Archana Shettigar - 13.0.0-12 - Bump release to rebuild with rust diff --git a/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec b/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec index 2cfe1bddd54..1462d638534 100644 --- a/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec 
+++ b/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec @@ -2,7 +2,7 @@ Summary: Tool for generating C bindings to Rust code Name: rust-cbindgen Version: 0.24.3 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -96,6 +96,9 @@ RUSTFLAGS=%{rustflags} cargo test --release %endif %changelog +* Tue Mar 31 2026 BinduSri Adabala - 0.24.3-9 +- Bump release to rebuild with rust + * Mon Feb 02 2026 Archana Shettigar - 0.24.3-8 - Bump release to rebuild with rust diff --git a/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec index 8f56afda339..edcf2e15295 100644 --- a/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec +++ b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec @@ -3,7 +3,7 @@ Summary: Tardev Snapshotter for containerd Name: tardev-snapshotter Version: 3.2.0.tardev1 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Group: Tools/Container Vendor: Microsoft Corporation @@ -67,6 +67,9 @@ fi %config(noreplace) %{_unitdir}/%{name}.service %changelog +* Tue Mar 31 2026 BinduSri Adabala - 3.2.0.tardev1-7 +- Bump release to rebuild with rust + * Mon Feb 02 2026 Archana Shettigar - 3.2.0.tardev1-6 - Bump release to rebuild with rust diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec index 8bbf3ccece4..8ad60f77f85 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec @@ -5,7 +5,7 @@ Name: cloud-hypervisor Summary: Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of the KVM hypervisor and the Microsoft Hypervisor (MSHV). Version: 48.0.246 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 OR BSD-3-clause Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -139,6 +139,9 @@ cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{c %license LICENSES/CC-BY-4.0.txt %changelog +* Tue Mar 31 2026 BinduSri Adabala - 48.0.246-4 +- Bump release to rebuild with rust + * Thu Feb 26 2026 Archana Shettigar - 48.0.246-3 - Bump release to rebuild with rust diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index d75617d1d20..59b6d1b58ca 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -3,7 +3,7 @@ Name: kata-containers-cc Version: 3.15.0.aks0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Kata Confidential Containers package developed for Confidential Containers on AKS License: ASL 2.0 URL: https://github.com/microsoft/kata-containers @@ -150,6 +150,9 @@ fi %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service %changelog +* Tue Mar 31 2026 BinduSri Adabala - 3.15.0-aks0-8 +- Bump release to rebuild with rust + * Mon Feb 02 2026 Archana Shettigar - 3.15.0-aks0-7 - Bump release to rebuild with rust diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index ee5687aca5d..75fe88bed2e 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -2,7 +2,7 @@ Name: kata-containers Version: 3.19.1.kata2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Kata Containers package developed for Pod Sandboxing on AKS License: ASL 2.0 @@ -117,6 +117,9 @@ popd %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service %changelog +* Tue Mar 31 2026 BinduSri Adabala - 3.19.1.kata2-7 +- Bump release to rebuild with rust + * Thu Feb 26 2026 Archana Shettigar - 3.19.1.kata2-6 - Bump release to rebuild with rust 
diff --git a/SPECS/rust/CVE-2026-2006.patch b/SPECS/rust/CVE-2026-2006.patch
new file mode 100644
index 00000000000..758856f6d3d
--- /dev/null
+++ b/SPECS/rust/CVE-2026-2006.patch
@@ -0,0 +1,236 @@
+From efef05ba995fb2f553c146acb5c33828cc4f898a Mon Sep 17 00:00:00 2001
+From: Thomas Munro
+Date: Mon, 26 Jan 2026 11:22:32 +1300
+Subject: [PATCH] Fix mb2wchar functions on short input.
+
+When converting multibyte to pg_wchar, the UTF-8 implementation would
+silently ignore an incomplete final character, while the other
+implementations would cast a single byte to pg_wchar, and then repeat
+for the remaining byte sequence. While it didn't overrun the buffer, it
+was surely garbage output.
+
+Make all encodings behave like the UTF-8 implementation. A later change
+for master only will convert this to an error, but we choose not to
+back-patch that behavior change on the off-chance that someone is
+relying on the existing UTF-8 behavior.
+
+Security: CVE-2026-2006
+Backpatch-through: 14
+Author: Thomas Munro
+Reported-by: Noah Misch
+Reviewed-by: Noah Misch
+Reviewed-by: Heikki Linnakangas
+
+Upstream Patch reference:
+https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=efef05ba995fb2f553c146acb5c33828cc4f898a
+and https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=df0852fe037246289cc00b4d36da6c1f25ff5844
+
+---
+ .../source/src/common/wchar.c | 66 ++++++++++++-------
+ 1 file changed, 44 insertions(+), 22 deletions(-)
+
+diff --git a/vendor/pq-src-0.3.6+libpq-17.4/source/src/common/wchar.c b/vendor/pq-src-0.3.6+libpq-17.4/source/src/common/wchar.c
+index 402ad281e..3a050458a 100644
+--- a/vendor/pq-src-0.3.6+libpq-17.4/source/src/common/wchar.c
++++ b/vendor/pq-src-0.3.6+libpq-17.4/source/src/common/wchar.c
+@@ -63,6 +63,9 @@
+ * subset to the ASCII routines to ensure consistency.
+ */
+
++/* No error-reporting facility. Ignore incomplete trailing byte sequence. */
++#define MB2CHAR_NEED_AT_LEAST(len, need) if ((len) < (need)) break
++
+ /*
+ * SQL/ASCII
+ */
+@@ -108,22 +111,24 @@ pg_euc2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+
+ while (len > 0 && *from)
+ {
+- if (*from == SS2 && len >= 2) /* JIS X 0201 (so called "1 byte
+- * KANA") */
++ if (*from == SS2) /* JIS X 0201 (so called "1 byte KANA") */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 2);
+ from++;
+ *to = (SS2 << 8) | *from++;
+ len -= 2;
+ }
+- else if (*from == SS3 && len >= 3) /* JIS X 0212 KANJI */
++ else if (*from == SS3) /* JIS X 0212 KANJI */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ from++;
+ *to = (SS3 << 16) | (*from++ << 8);
+ *to |= *from++;
+ len -= 3;
+ }
+- else if (IS_HIGHBIT_SET(*from) && len >= 2) /* JIS X 0208 KANJI */
++ else if (IS_HIGHBIT_SET(*from)) /* JIS X 0208 KANJI */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 2);
+ *to = *from++ << 8;
+ *to |= *from++;
+ len -= 2;
+@@ -235,22 +240,25 @@ pg_euccn2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+
+ while (len > 0 && *from)
+ {
+- if (*from == SS2 && len >= 3) /* code set 2 (unused?) */
++ if (*from == SS2) /* code set 2 (unused?) */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ from++;
+ *to = (SS2 << 16) | (*from++ << 8);
+ *to |= *from++;
+ len -= 3;
+ }
+- else if (*from == SS3 && len >= 3) /* code set 3 (unused ?) */
++ else if (*from == SS3) /* code set 3 (unused ?) */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ from++;
+ *to = (SS3 << 16) | (*from++ << 8);
+ *to |= *from++;
+ len -= 3;
+ }
+- else if (IS_HIGHBIT_SET(*from) && len >= 2) /* code set 1 */
++ else if (IS_HIGHBIT_SET(*from)) /* code set 1 */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 2);
+ *to = *from++ << 8;
+ *to |= *from++;
+ len -= 2;
+@@ -267,12 +275,22 @@ pg_euccn2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+ return cnt;
+ }
+
++/*
++ * mbverifychar does not accept SS2 or SS3 (CS2 and CS3 are not defined for
++ * EUC_CN), but mb2wchar_with_len does. Tell a coherent story for code that
++ * relies on agreement between mb2wchar_with_len and mblen. Invalid text
++ * datums (e.g. from shared catalogs) reach this.
++ */
+ static int
+ pg_euccn_mblen(const unsigned char *s)
+ {
+ int len;
+
+- if (IS_HIGHBIT_SET(*s))
++ if (*s == SS2)
++ len = 3;
++ else if (*s == SS3)
++ len = 3;
++ else if (IS_HIGHBIT_SET(*s))
+ len = 2;
+ else
+ len = 1;
+@@ -302,23 +320,26 @@ pg_euctw2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+
+ while (len > 0 && *from)
+ {
+- if (*from == SS2 && len >= 4) /* code set 2 */
++ if (*from == SS2) /* code set 2 */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 4);
+ from++;
+ *to = (((uint32) SS2) << 24) | (*from++ << 16);
+ *to |= *from++ << 8;
+ *to |= *from++;
+ len -= 4;
+ }
+- else if (*from == SS3 && len >= 3) /* code set 3 (unused?) */
++ else if (*from == SS3) /* code set 3 (unused?) */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ from++;
+ *to = (SS3 << 16) | (*from++ << 8);
+ *to |= *from++;
+ len -= 3;
+ }
+- else if (IS_HIGHBIT_SET(*from) && len >= 2) /* code set 2 */
++ else if (IS_HIGHBIT_SET(*from)) /* code set 2 */
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 2);
+ *to = *from++ << 8;
+ *to |= *from++;
+ len -= 2;
+@@ -455,8 +476,7 @@ pg_utf2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+ }
+ else if ((*from & 0xe0) == 0xc0)
+ {
+- if (len < 2)
+- break; /* drop trailing incomplete char */
++ MB2CHAR_NEED_AT_LEAST(len, 2);
+ c1 = *from++ & 0x1f;
+ c2 = *from++ & 0x3f;
+ *to = (c1 << 6) | c2;
+@@ -464,8 +484,7 @@ pg_utf2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+ }
+ else if ((*from & 0xf0) == 0xe0)
+ {
+- if (len < 3)
+- break; /* drop trailing incomplete char */
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ c1 = *from++ & 0x0f;
+ c2 = *from++ & 0x3f;
+ c3 = *from++ & 0x3f;
+@@ -474,8 +493,7 @@ pg_utf2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+ }
+ else if ((*from & 0xf8) == 0xf0)
+ {
+- if (len < 4)
+- break; /* drop trailing incomplete char */
++ MB2CHAR_NEED_AT_LEAST(len, 4);
+ c1 = *from++ & 0x07;
+ c2 = *from++ & 0x3f;
+ c3 = *from++ & 0x3f;
+@@ -677,28 +695,32 @@ pg_mule2wchar_with_len(const unsigned char *from, pg_wchar *to, int len)
+
+ while (len > 0 && *from)
+ {
+- if (IS_LC1(*from) && len >= 2)
++ if (IS_LC1(*from))
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 2);
+ *to = *from++ << 16;
+ *to |= *from++;
+ len -= 2;
+ }
+- else if (IS_LCPRV1(*from) && len >= 3)
++ else if (IS_LCPRV1(*from))
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ from++;
+ *to = *from++ << 16;
+ *to |= *from++;
+ len -= 3;
+ }
+- else if (IS_LC2(*from) && len >= 3)
++ else if (IS_LC2(*from))
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 3);
+ *to = *from++ << 16;
+ *to |= *from++ << 8;
+ *to |= *from++;
+ len -= 3;
+ }
+- else if (IS_LCPRV2(*from) && len >= 4)
++ else if (IS_LCPRV2(*from))
+ {
++ MB2CHAR_NEED_AT_LEAST(len, 4);
+ from++;
+ *to = *from++ << 16;
+ *to |= *from++ << 8;
+@@ -2064,7 +2086,7 @@ pg_encoding_set_invalid(int encoding, char *dst)
+ const pg_wchar_tbl pg_wchar_table[] = {
+ [PG_SQL_ASCII] = {pg_ascii2wchar_with_len, pg_wchar2single_with_len, pg_ascii_mblen, pg_ascii_dsplen, pg_ascii_verifychar, pg_ascii_verifystr, 1},
+ [PG_EUC_JP] = {pg_eucjp2wchar_with_len, pg_wchar2euc_with_len, pg_eucjp_mblen, pg_eucjp_dsplen, pg_eucjp_verifychar, pg_eucjp_verifystr, 3},
+- [PG_EUC_CN] = {pg_euccn2wchar_with_len, pg_wchar2euc_with_len, pg_euccn_mblen, pg_euccn_dsplen, pg_euccn_verifychar, pg_euccn_verifystr, 2},
++ [PG_EUC_CN] = {pg_euccn2wchar_with_len, pg_wchar2euc_with_len, pg_euccn_mblen, pg_euccn_dsplen, pg_euccn_verifychar, pg_euccn_verifystr, 3},
+ [PG_EUC_KR] = {pg_euckr2wchar_with_len, pg_wchar2euc_with_len, pg_euckr_mblen, pg_euckr_dsplen, pg_euckr_verifychar, pg_euckr_verifystr, 3},
+ [PG_EUC_TW] = {pg_euctw2wchar_with_len, pg_wchar2euc_with_len, pg_euctw_mblen, pg_euctw_dsplen, pg_euctw_verifychar, pg_euctw_verifystr, 4},
+ [PG_EUC_JIS_2004] = {pg_eucjp2wchar_with_len, pg_wchar2euc_with_len, pg_eucjp_mblen,
pg_eucjp_dsplen, pg_eucjp_verifychar, pg_eucjp_verifystr, 3}, +-- +2.43.0 + diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index e86cb20407b..ca881de171d 100644 --- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -9,7 +9,7 @@ Summary: Rust Programming Language Name: rust Version: 1.90.0 -Release: 4%{?dist} +Release: 5%{?dist} License: (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -51,6 +51,7 @@ Patch6: CVE-2025-4207.patch Patch7: CVE-2025-12818.patch Patch8: CVE-2026-24116.patch Patch9: CVE-2025-58160.patch +Patch10: CVE-2026-2006.patch BuildRequires: binutils BuildRequires: cmake # make sure rust relies on curl from CBL-Mariner (instead of using its vendored flavor) @@ -188,6 +189,9 @@ rm %{buildroot}%{_docdir}/docs/html/.lock %{_mandir}/man1/* %changelog +* Tue Mar 31 2026 BinduSri Adabala - 1.90.0-5 +- Patch for CVE-2026-2006 + * Fri Jan 30 2026 Archana Shettigar - 1.90.0-4 - Patch for CVE-2025-68114, CVE-2025-4207, CVE-2025-55159, CVE-2025-12818, CVE-2025-67873, CVE-2026-24116 and CVE-2025-58160 diff --git a/SPECS/trident/trident.spec b/SPECS/trident/trident.spec index 6f6c225d3b7..0a22ee0e840 100644 --- a/SPECS/trident/trident.spec +++ b/SPECS/trident/trident.spec @@ -10,7 +10,7 @@ Summary: Declarative, security-first OS lifecycle agent designed primaril Name: trident # Use hard-coded versions for distro build Version: 0.21.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Group: Applications/System @@ -300,6 +300,9 @@ mkdir -p "$pcrlockroot" ) %changelog +* Tue Mar 31 2026 BinduSri Adabala - 0.21.0-2 +- Bump release to rebuild with rust + * Mon Mar 2 2026 Brian Fjeldstad 0.21.0-1 - Original version for Azure Linux (license: MIT). - License verified.
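Review bot: The header of SPECS/rust/CVE-2026-2006.patch carries the From/Subject and message of upstream commit efef05ba only, while its "Upstream Patch reference" also lists df0852fe, and nothing says which hunks come from that second commit. The `pg_euccn_mblen` change (SS2/SS3 now give length 3) and the `[PG_EUC_CN]` entry in `pg_wchar_table` going from 2 to 3 are not described by the quoted message and presumably come from it; a header line such as `pg_euccn_mblen and PG_EUC_CN max-length hunks: upstream df0852fe037246289cc00b4d36da6c1f25ff5844` would make the backport auditable. The quoted message also says the old short-input behaviour "didn't overrun the buffer", so it is worth confirming that these two commits are the complete upstream change set for the CVE as far as the vendored `vendor/pq-src-0.3.6+libpq-17.4` copy is concerned before the rust.spec changelog records it as patched.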