diff --git a/SPECS/influxdb/CVE-2021-4238.patch b/SPECS/influxdb/CVE-2021-4238.patch index bd63254729c..00e24372f88 100644 --- a/SPECS/influxdb/CVE-2021-4238.patch +++ b/SPECS/influxdb/CVE-2021-4238.patch @@ -1,7 +1,14 @@ -Partial backport of 869801f20f9f1e7ecdbdb6422049d8241270d5e1 +From 3bc11c771ec4a6ce1c84c8c768e6d5e33feb7594 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Tue, 30 Dec 2025 12:04:59 +0000 +Subject: [PATCH] CVE-2021-4238.patch + +--- + .../aokoli/goutils/randomstringutils.go | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/vendor/github.com/aokoli/goutils/randomstringutils.go b/vendor/github.com/aokoli/goutils/randomstringutils.go -index 1364e0c..8c6ccab 100644 +index 1364e0c..02270a0 100644 --- a/vendor/github.com/aokoli/goutils/randomstringutils.go +++ b/vendor/github.com/aokoli/goutils/randomstringutils.go @@ -20,7 +20,6 @@ import ( @@ -12,21 +19,7 @@ index 1364e0c..8c6ccab 100644 "time" "unicode" ) -@@ -75,12 +74,10 @@ func RandomNumeric(count int) (string, error) { - - /* - RandomAlphabetic creates a random string whose length is the number of characters specified. --Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments. -+Characters will be chosen from the set of alphabetic characters. - - Parameters: - count - the length of random string to create -- letters - if true, generated string may include alphabetic characters -- numbers - if true, generated string may include numeric characters - - Returns: - string - the random string -@@ -106,19 +103,8 @@ func RandomAlphaNumeric(count int) (string, error) { +@@ -106,19 +105,7 @@ func RandomAlphaNumeric(count int) (string, error) { if err != nil { return "", fmt.Errorf("Error: %s", err) } @@ -34,7 +27,7 @@ index 1364e0c..8c6ccab 100644 - if err != nil { - panic(err) - } - +- - if !match { - //Get the position between 0 and the length of the string-1 to insert a random number - position := rand.Intn(count) 
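Review bot: The rewritten header of CVE-2021-4238.patch drops the only provenance the file had (`Partial backport of 869801f20f9f1e7ecdbdb6422049d8241270d5e1`) and replaces it with a `Subject: [PATCH] CVE-2021-4238.patch` line that names nothing, whereas the CVE patches removed elsewhere in this same change each carried an `Upstream Patch Reference:` line in their description. Keep that sentence in the new patch body, e.g. `Partial backport of upstream 869801f20f9f1e7ecdbdb6422049d8241270d5e1 for CVE-2021-4238 (goutils RandomAlphaNumeric)`, so the next rebase can locate the upstream fix. Both the old and new inner headers start from blob `1364e0c`, so the vendored randomstringutils.go did not change between 2.7.5 and 2.8.0; dropping the RandomAlphabetic doc-comment hunk (the stale `letters`/`numbers` parameter text) was therefore a choice rather than a rebase necessity, and although it is behaviour-neutral it leaves that misleading comment in the vendored file and deserves a word in the description.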
@@ -46,4 +39,7 @@ index 1364e0c..8c6ccab 100644 + return RandomString[:count], nil } - \ No newline at end of file + +-- +2.45.4 + diff --git a/SPECS/influxdb/CVE-2023-45288.patch b/SPECS/influxdb/CVE-2023-45288.patch deleted file mode 100644 index e1e6fe149d5..00000000000 --- a/SPECS/influxdb/CVE-2023-45288.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From ba872109ef2dc8f1da778651bd1fd3792d0e4587 Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Wed, 10 Jan 2024 13:41:39 -0800 -Subject: [PATCH] http2: close connections when receiving too many headers - -Maintaining HPACK state requires that we parse and process -all HEADERS and CONTINUATION frames on a connection. -When a request's headers exceed MaxHeaderBytes, we don't -allocate memory to store the excess headers but we do -parse them. This permits an attacker to cause an HTTP/2 -endpoint to read arbitrary amounts of data, all associated -with a request which is going to be rejected. - -Set a limit on the amount of excess header frames we -will process before closing a connection. - -Thanks to Bartek Nowotarski for reporting this issue. - -Fixes CVE-2023-45288 -Fixes golang/go#65051 - -Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley -Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 -Reviewed-by: Dmitri Shuralyov -Auto-Submit: Dmitri Shuralyov -Reviewed-by: Than McIntosh -LUCI-TryBot-Result: Go LUCI ---- - -diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go -index e2b298d..a5a9441 100644 ---- a/vendor/golang.org/x/net/http2/frame.go -+++ b/vendor/golang.org/x/net/http2/frame.go -@@ -1564,6 +1564,7 @@ - if size > remainSize { - hdec.SetEmitEnabled(false) - mh.Truncated = true -+ remainSize = 0 - return - } - remainSize -= size -@@ -1576,6 +1577,36 @@ - var hc headersOrContinuation = hf - for { - frag := hc.HeaderBlockFragment() -+ -+ // Avoid parsing large amounts of headers that we will then discard. -+ // If the sender exceeds the max header list size by too much, -+ // skip parsing the fragment and close the connection. 
-+ // -+ // "Too much" is either any CONTINUATION frame after we've already -+ // exceeded the max header list size (in which case remainSize is 0), -+ // or a frame whose encoded size is more than twice the remaining -+ // header list bytes we're willing to accept. -+ if int64(len(frag)) > int64(2*remainSize) { -+ if VerboseLogs { -+ log.Printf("http2: header list too large") -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ -+ // Also close the connection after any CONTINUATION frame following an -+ // invalid header, since we stop tracking the size of the headers after -+ // an invalid one. -+ if invalid != nil { -+ if VerboseLogs { -+ log.Printf("http2: invalid header: %v", invalid) -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ - if _, err := hdec.Write(frag); err != nil { - return nil, ConnectionError(ErrCodeCompression) - } diff --git a/SPECS/influxdb/CVE-2024-24786.patch b/SPECS/influxdb/CVE-2024-24786.patch deleted file mode 100644 index 6c80204f5b0..00000000000 --- a/SPECS/influxdb/CVE-2024-24786.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 -From: bala -Date: Mon, 25 Nov 2024 16:47:53 +0000 -Subject: [PATCH] Vendor patch applied - ---- - .../protobuf/encoding/protojson/decode.go | 12 ++++ - .../encoding/protojson/well_known_types.go | 59 +++++++------------ - .../protobuf/internal/encoding/json/decode.go | 2 +- - 3 files changed, 33 insertions(+), 40 deletions(-) - -diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go -index 5f28148..67fe4e7 100644 ---- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go -+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go -@@ -11,6 +11,7 @@ import ( - "strconv" - "strings" - -+ "google.golang.org/protobuf/encoding/protowire" - "google.golang.org/protobuf/internal/encoding/json" - "google.golang.org/protobuf/internal/encoding/messageset" - "google.golang.org/protobuf/internal/errors" -@@ -47,6 +48,10 @@ type UnmarshalOptions struct { - protoregistry.MessageTypeResolver - protoregistry.ExtensionTypeResolver - } -+ -+ // RecursionLimit limits how deeply messages may be nested. -+ // If zero, a default limit is applied. -+ RecursionLimit int - } - - // Unmarshal reads the given []byte and populates the given proto.Message -@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { - if o.Resolver == nil { - o.Resolver = protoregistry.GlobalTypes - } -+ if o.RecursionLimit == 0 { -+ o.RecursionLimit = protowire.DefaultRecursionLimit -+ } - - dec := decoder{json.NewDecoder(b), o} - if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { -@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { - - // unmarshalMessage unmarshals a message into the given protoreflect.Message. 
- func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { -+ d.opts.RecursionLimit-- -+ if d.opts.RecursionLimit < 0 { -+ return errors.New("exceeded max recursion depth") -+ } - if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { - return unmarshal(d, m) - } -diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go -index 6c37d41..4b177c8 100644 ---- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go -+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go -@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { - // Use another decoder to parse the unread bytes for @type field. This - // avoids advancing a read from current decoder because the current JSON - // object may contain the fields of the embedded type. -- dec := decoder{d.Clone(), UnmarshalOptions{}} -+ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} - tok, err := findTypeURL(dec) - switch err { - case errEmptyObject: -@@ -308,48 +308,29 @@ Loop: - // array) in order to advance the read to the next JSON value. It relies on - // the decoder returning an error if the types are not in valid sequence. - func (d decoder) skipJSONValue() error { -- tok, err := d.Read() -- if err != nil { -- return err -- } -- // Only need to continue reading for objects and arrays. -- switch tok.Kind() { -- case json.ObjectOpen: -- for { -- tok, err := d.Read() -- if err != nil { -- return err -- } -- switch tok.Kind() { -- case json.ObjectClose: -- return nil -- case json.Name: -- // Skip object field value. 
-- if err := d.skipJSONValue(); err != nil { -- return err -- } -- } -+ var open int -+ for { -+ tok, err := d.Read() -+ if err != nil { -+ return err - } -- -- case json.ArrayOpen: -- for { -- tok, err := d.Peek() -- if err != nil { -- return err -- } -- switch tok.Kind() { -- case json.ArrayClose: -- d.Read() -- return nil -- default: -- // Skip array item. -- if err := d.skipJSONValue(); err != nil { -- return err -- } -+ switch tok.Kind() { -+ case json.ObjectClose, json.ArrayClose: -+ open-- -+ case json.ObjectOpen, json.ArrayOpen: -+ open++ -+ if open > d.opts.RecursionLimit { -+ return errors.New("exceeded max recursion depth") - } -+ case json.EOF: -+ // This can only happen if there's a bug in Decoder.Read. -+ // Avoid an infinite loop if this does happen. -+ return errors.New("unexpected EOF") -+ } -+ if open == 0 { -+ return nil - } - } -- return nil - } - - // unmarshalAnyValue unmarshals the given custom-type message from the JSON -diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -index d043a6e..d2b3ac0 100644 ---- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { - - case ObjectClose: - if len(d.openStack) == 0 || -- d.lastToken.kind == comma || -+ d.lastToken.kind&(Name|comma) != 0 || - d.openStack[len(d.openStack)-1] != ObjectOpen { - return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) - } --- -2.39.4 - diff --git a/SPECS/influxdb/CVE-2024-45338.patch b/SPECS/influxdb/CVE-2024-45338.patch deleted file mode 100644 index 705661e43ef..00000000000 --- a/SPECS/influxdb/CVE-2024-45338.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From e90e8414742ccdfcb3271f23732428d8feb8b10d Mon Sep 17 00:00:00 2001 -From: Rohit Rawat -Date: Thu, 2 Jan 2025 10:22:13 +0000 -Subject: [PATCH] Fix CVE CVE-2024-45338 in influxdb - ---- - vendor/golang.org/x/net/html/doctype.go | 2 +- - vendor/golang.org/x/net/html/foreign.go | 3 +-- - vendor/golang.org/x/net/html/parse.go | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/vendor/golang.org/x/net/html/doctype.go -+++ b/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/vendor/golang.org/x/net/html/foreign.go -+++ b/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == "annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 46a89ed..5b8374b 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { - if p.tok.DataAtom == a.Input { - for _, t := range p.tok.Attr { - if t.Key == "type" { -- if strings.ToLower(t.Val) == "hidden" { -+ if 
strings.EqualFold(t.Val, "hidden") { - // Skip setting framesetOK = false - return true - } -@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { - return inHeadIM(p) - case a.Input: - for _, t := range p.tok.Attr { -- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { -+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { - p.addElement() - p.oe.pop() - return true --- -2.39.4 - diff --git a/SPECS/influxdb/CVE-2024-51744.patch b/SPECS/influxdb/CVE-2024-51744.patch deleted file mode 100644 index 5d1369acae9..00000000000 --- a/SPECS/influxdb/CVE-2024-51744.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 70f398a64b207c0f9da5c11ac414e32d2097e79e Mon Sep 17 00:00:00 2001 -From: Sreenivasulu Malavathula -Date: Mon, 24 Mar 2025 18:07:18 -0500 -Subject: [PATCH] Addressing CVE-2024-51744 -Upstream Patch Reference: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c - ---- - .../github.com/form3tech-oss/jwt-go/parser.go | 36 +++++++++++-------- - vendor/github.com/golang-jwt/jwt/parser.go | 36 +++++++++++-------- - 2 files changed, 42 insertions(+), 30 deletions(-) - -diff --git a/vendor/github.com/form3tech-oss/jwt-go/parser.go b/vendor/github.com/form3tech-oss/jwt-go/parser.go -index d6901d9..bfb480c 100644 ---- a/vendor/github.com/form3tech-oss/jwt-go/parser.go -+++ b/vendor/github.com/form3tech-oss/jwt-go/parser.go -@@ -14,12 +14,21 @@ type Parser struct { - } - - // Parse, validate, and return a token. --// keyFunc will receive the parsed token and should return the key for validating. --// If everything is kosher, err will be nil -+// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will -+// receive the parsed token and should return the key for validating. - func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) { - return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) - } - -+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object -+// implementing the Claims interface. This provides default values which can be overridden and -+// allows a caller to use their own type, rather than the default MapClaims implementation of -+// Claims. -+// -+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such -+// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or -+// b) if you are using a pointer, allocate the proper memory for it before passing in the overall -+// claims, otherwise you might run into a panic. 
- func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { - token, parts, err := p.ParseUnverified(tokenString, claims) - if err != nil { -@@ -56,12 +65,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable} - } - -+ // Perform validation -+ token.Signature = parts[2] -+ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { -+ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid} -+ } -+ - vErr := &ValidationError{} - - // Validate Claims - if !p.SkipClaimsValidation { - if err := token.Claims.Valid(); err != nil { -- - // If the Claims Valid returned an error, check if it is a validation error, - // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set - if e, ok := err.(*ValidationError); !ok { -@@ -69,22 +83,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - } else { - vErr = e - } -+ return token, vErr - } - } - -- // Perform validation -- token.Signature = parts[2] -- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { -- vErr.Inner = err -- vErr.Errors |= ValidationErrorSignatureInvalid -- } -- -- if vErr.valid() { -- token.Valid = true -- return token, nil -- } -+ // No errors so far, token is valid. -+ token.Valid = true - -- return token, vErr -+ return token, nil - } - - // WARNING: Don't use this method unless you know what you're doing -diff --git a/vendor/github.com/golang-jwt/jwt/parser.go b/vendor/github.com/golang-jwt/jwt/parser.go -index d6901d9..bfb480c 100644 ---- a/vendor/github.com/golang-jwt/jwt/parser.go -+++ b/vendor/github.com/golang-jwt/jwt/parser.go -@@ -14,12 +14,21 @@ type Parser struct { - } - - // Parse, validate, and return a token. 
--// keyFunc will receive the parsed token and should return the key for validating. --// If everything is kosher, err will be nil -+// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will -+// receive the parsed token and should return the key for validating. - func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) { - return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) - } - -+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object -+// implementing the Claims interface. This provides default values which can be overridden and -+// allows a caller to use their own type, rather than the default MapClaims implementation of -+// Claims. -+// -+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such -+// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or -+// b) if you are using a pointer, allocate the proper memory for it before passing in the overall -+// claims, otherwise you might run into a panic. 
- func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { - token, parts, err := p.ParseUnverified(tokenString, claims) - if err != nil { -@@ -56,12 +65,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable} - } - -+ // Perform validation -+ token.Signature = parts[2] -+ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { -+ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid} -+ } -+ - vErr := &ValidationError{} - - // Validate Claims - if !p.SkipClaimsValidation { - if err := token.Claims.Valid(); err != nil { -- - // If the Claims Valid returned an error, check if it is a validation error, - // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set - if e, ok := err.(*ValidationError); !ok { -@@ -69,22 +83,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - } else { - vErr = e - } -+ return token, vErr - } - } - -- // Perform validation -- token.Signature = parts[2] -- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { -- vErr.Inner = err -- vErr.Errors |= ValidationErrorSignatureInvalid -- } -- -- if vErr.valid() { -- token.Valid = true -- return token, nil -- } -+ // No errors so far, token is valid. -+ token.Valid = true - -- return token, vErr -+ return token, nil - } - - // WARNING: Don't use this method unless you know what you're doing --- -2.45.2 - diff --git a/SPECS/influxdb/CVE-2025-22870.patch b/SPECS/influxdb/CVE-2025-22870.patch deleted file mode 100644 index 623fef0d169..00000000000 --- a/SPECS/influxdb/CVE-2025-22870.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 9b0870e4d74b720661460e3a7ac9b45945790799 Mon Sep 17 00:00:00 2001 -From: Sreenivasulu Malavathula -Date: Mon, 24 Mar 2025 17:42:42 -0500 -Subject: [PATCH] Addressing CVE-2025-22870 -Upstream Patch Reference: https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7 - - ---- - vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go -index c3bd9a1..864961c 100644 ---- a/vendor/golang.org/x/net/http/httpproxy/proxy.go -+++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go -@@ -14,6 +14,7 @@ import ( - "errors" - "fmt" - "net" -+ "net/netip" - "net/url" - "os" - "strings" -@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool { - if host == "localhost" { - return false - } -- ip := net.ParseIP(host) -- if ip != nil { -+ nip, err := netip.ParseAddr(host) -+ var ip net.IP -+ if err == nil { -+ ip = net.IP(nip.AsSlice()) - if ip.IsLoopback() { - return false - } -@@ -363,6 +366,9 @@ type domainMatch struct { - } - - func (m domainMatch) match(host, port string, ip net.IP) bool { -+ if ip != nil { -+ return false -+ } - if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) { - return m.port == "" || m.port == port - } --- -2.45.2 - diff --git a/SPECS/influxdb/CVE-2025-22872.patch b/SPECS/influxdb/CVE-2025-22872.patch deleted file mode 100644 index 7808749581b..00000000000 --- a/SPECS/influxdb/CVE-2025-22872.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From a3f5350a002664d23967a79ef563d23ef16b85ee Mon Sep 17 00:00:00 2001 -From: Sreenivasulu Malavathula -Date: Fri, 25 Apr 2025 18:18:46 -0500 -Subject: [PATCH] Address CVE-2025-22872 -Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 - ---- - vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go -index de67f93..9bbdf7d 100644 ---- a/vendor/golang.org/x/net/html/token.go -+++ b/vendor/golang.org/x/net/html/token.go -@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { - if raw { - z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) - } -- // Look for a self-closing token like "
". -- if z.err == nil && z.buf[z.raw.end-2] == '/' { -+ // Look for a self-closing token (e.g.
). -+ // -+ // Originally, we did this by just checking that the last character of the -+ // tag (ignoring the closing bracket) was a solidus (/) character, but this -+ // is not always accurate. -+ // -+ // We need to be careful that we don't misinterpret a non-self-closing tag -+ // as self-closing, as can happen if the tag contains unquoted attribute -+ // values (i.e.

). -+ // -+ // To avoid this, we check that the last non-bracket character of the tag -+ // (z.raw.end-2) isn't the same character as the last non-quote character of -+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has -+ // attributes. -+ nAttrs := len(z.attr) -+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { - return SelfClosingTagToken - } - return StartTagToken --- -2.45.2 - diff --git a/SPECS/influxdb/CVE-2025-65637.patch b/SPECS/influxdb/CVE-2025-65637.patch deleted file mode 100644 index d299bbcfd4b..00000000000 --- a/SPECS/influxdb/CVE-2025-65637.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 41548ebae4b6e3a9706658428fa6f6784a9f39d0 Mon Sep 17 00:00:00 2001 -From: Chris -Date: Fri, 10 Mar 2023 13:45:41 -0800 -Subject: [PATCH 1/2] This commit fixes a potential denial of service - vulnerability in logrus.Writer() that could be triggered by logging text - longer than 64kb without newlines. Previously, the bufio.Scanner used by - Writer() would hang indefinitely when reading such text without newlines, - causing the application to become unresponsive. - ---- - vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++- - 1 file changed, 32 insertions(+), 1 deletion(-) - -diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go -index 72e8e3a..36032d0 100644 ---- a/vendor/github.com/sirupsen/logrus/writer.go -+++ b/vendor/github.com/sirupsen/logrus/writer.go -@@ -4,6 +4,7 @@ import ( - "bufio" - "io" - "runtime" -+ "strings" - ) - - // Writer at INFO level. See WriterLevel for details. -@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter { - return NewEntry(logger).WriterLevel(level) - } - -+// Writer returns an io.Writer that writes to the logger at the info log level - func (entry *Entry) Writer() *io.PipeWriter { - return entry.WriterLevel(InfoLevel) - } - -+// WriterLevel returns an io.Writer that writes to the logger at the given log level - func (entry *Entry) WriterLevel(level Level) *io.PipeWriter { - reader, writer := io.Pipe() - - var printFunc func(args ...interface{}) - -+ // Determine which log function to use based on the specified log level - switch level { - case TraceLevel: - printFunc = entry.Trace -@@ -48,23 +52,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter { - printFunc = entry.Print - } - -+ // Start a new goroutine to scan the input and write it to the logger using the specified print function. -+ // It splits the input into chunks of up to 64KB to avoid buffer overflows. 
- go entry.writerScanner(reader, printFunc) -+ -+ // Set a finalizer function to close the writer when it is garbage collected - runtime.SetFinalizer(writer, writerFinalizer) - - return writer - } - -+// writerScanner scans the input from the reader and writes it to the logger - func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) { - scanner := bufio.NewScanner(reader) -+ -+ // Set the buffer size to the maximum token size to avoid buffer overflows -+ scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize) -+ -+ // Define a split function to split the input into chunks of up to 64KB -+ chunkSize := 64 * 1024 // 64KB -+ splitFunc := func(data []byte, atEOF bool) (int, []byte, error) { -+ if len(data) > chunkSize { -+ return chunkSize, data[:chunkSize], nil -+ } -+ return 0, nil, nil -+ } -+ -+ //Use the custom split function to split the input -+ scanner.Split(splitFunc) -+ -+ // Scan the input and write it to the logger using the specified print function - for scanner.Scan() { -- printFunc(scanner.Text()) -+ printFunc(strings.TrimRight(scanner.Text(), "\r\n")) - } -+ -+ // If there was an error while scanning the input, log an error - if err := scanner.Err(); err != nil { - entry.Errorf("Error while reading from Writer: %s", err) - } -+ -+ // Close the reader when we are done - reader.Close() - } - -+// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected - func writerFinalizer(writer *io.PipeWriter) { - writer.Close() - } --- -2.45.4 - - -From a1351838d31739b7a5e8c11f102cf7f733f29a3a Mon Sep 17 00:00:00 2001 -From: Chris -Date: Fri, 10 Mar 2023 13:45:41 -0800 -Subject: [PATCH 2/2] Scan text in 64KB chunks - -This commit fixes a potential denial of service -vulnerability in logrus.Writer() that could be -triggered by logging text longer than 64KB -without newlines. 
Previously, the bufio.Scanner -used by Writer() would hang indefinitely when -reading such text without newlines, causing the -application to become unresponsive. - -Signed-off-by: Azure Linux Security Servicing Account -Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch ---- - vendor/github.com/sirupsen/logrus/writer.go | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go -index 36032d0..7e7703c 100644 ---- a/vendor/github.com/sirupsen/logrus/writer.go -+++ b/vendor/github.com/sirupsen/logrus/writer.go -@@ -75,7 +75,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ... - if len(data) > chunkSize { - return chunkSize, data[:chunkSize], nil - } -- return 0, nil, nil -+ -+ return len(data), data, nil - } - - //Use the custom split function to split the input --- -2.45.4 - diff --git a/SPECS/influxdb/config.yaml b/SPECS/influxdb/config.yaml index 87c3ee52b26..24cb3070e55 100644 --- a/SPECS/influxdb/config.yaml +++ b/SPECS/influxdb/config.yaml @@ -5,6 +5,9 @@ # No reporting by default reporting-disable: true +#Enable token hashing +use-hashed-tokens: true + # Avoid OOM, adjust according to your HW specs # By default it can easily exhaust RAM, so play it safe by default diff --git a/SPECS/influxdb/influxdb.signatures.json b/SPECS/influxdb/influxdb.signatures.json index e8cee76290d..5fa380df3b8 100644 --- a/SPECS/influxdb/influxdb.signatures.json +++ b/SPECS/influxdb/influxdb.signatures.json 
@@ -1,11 +1,11 @@
 {
 "Signatures": {
- "influxdb-2.7.5-vendor.tar.gz": "190ddfeb625f24fc4791da536290cd15b919821666ae52a50d668536fc0f3cb8",
- "influxdb-2.7.5-static-data.tar.gz": "23e0f0503368bae46d41840934f3c907f3978cdbbc9a1f8f250e396b2d004842",
- "config.yaml": "d3c2224c67665929764d9056583df9796f71c36499ace0ef9dccd1df235d5ee5",
+ "influxdb-2.8.0-vendor.tar.gz": "498ba467b6b5b0adbe9a5e6e1079725fbcba6aabb6e130239063b0ea3170ce8e",
+ "influxdb-2.8.0-static-data.tar.gz": "066b616fc1a27acf96b2c1ebc158769b9a82d2053ead8db2298f074e0da4f2ae",
+ "config.yaml": "e512d544fe0f04f4c53a8ceafbccafa0dd1ccbc42829e15504a876938177aeed",
 "influxdb.service": "570fdbb685c8468f3c4e75b7f482bbc5c0ab4382ad2259a595e7839244747645",
 "influxdb-user.conf": "ca5a50bb6ca9f4fcb91d745d552e70af934fdad86196c535c4eb8699a20e7aa0",
 "influxdb.tmpfiles": "2e1880f1d7675464b93984a635e770f6f8ac1777d21a607f7e4d9d1480776f68",
- "influxdb-2.7.5.tar.gz": "4850fd4de964034fe92ef3c12940107eaf04ab377760de66dc90bf40ca6b7c92"
+ "influxdb-2.8.0.tar.gz": "95f0a2ee723407de7af1ae34bc9ab3066a2d19cb14f50d56e950b8f6e7f94e4e"
 }
 }
diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec
index 3da89fa1557..4e28e243c11 100644
--- a/SPECS/influxdb/influxdb.spec
+++ b/SPECS/influxdb/influxdb.spec
@@ -17,8 +17,8 @@ Summary: Scalable datastore for metrics, events, and real-time analytics
 Name: influxdb
-Version: 2.7.5
-Release: 9%{?dist}
+Version: 2.8.0
+Release: 1%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -58,16 +58,9 @@ Source6: influxdb-user.conf
 Patch0: CVE-2021-4238.patch
 Patch1: CVE-2019-0205.patch
 Patch2: CVE-2024-6104.patch
-Patch3: CVE-2023-45288.patch
-Patch4: CVE-2024-24786.patch
-Patch5: CVE-2024-45338.patch
-Patch6: CVE-2024-28180.patch
-Patch7: CVE-2025-27144.patch
-Patch8: CVE-2025-22868.patch
-Patch9: CVE-2025-22870.patch
-Patch10: CVE-2024-51744.patch
-Patch11: CVE-2025-22872.patch
-Patch12: CVE-2025-65637.patch
+Patch3: CVE-2024-28180.patch
+Patch4: CVE-2025-27144.patch
+Patch5: CVE-2025-22868.patch
 BuildRequires: clang
 BuildRequires: golang
 BuildRequires: kernel-headers
@@ -75,7 +68,7 @@ BuildRequires: protobuf-devel
 BuildRequires: rust < 1.85.0
 BuildRequires: systemd-rpm-macros
 BuildRequires: tzdata
-# IMPORTANT: when upgrading this, make sure the flux version matches what is required by go.mod file in the soure code of influxdb.
+# IMPORTANT: when upgrading this, make sure the flux version matches what is required by go.mod file in the source code of influxdb.
 BuildRequires: pkgconfig(flux) >= 0.194.5
 Requires: tzdata
 Requires(post): systemd
@@ -157,6 +150,9 @@ go test ./...
 %{_tmpfilesdir}/influxdb.conf
 %changelog
+* Fri Jan 02 2026 Jyoti Kanase - 2.8.0-1
+- Upgrade to 2.8.0 for CVE-CVE-2024-30896
+
 * Mon Dec 08 2025 Azure Linux Security Servicing Account - 2.7.5-9
 - Patch for CVE-2025-65637
diff --git a/cgmanifest.json b/cgmanifest.json
index d838e6db00e..d2b6d29e9a3 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -7321,8 +7321,8 @@
 "type": "other",
 "other": {
 "name": "influxdb",
- "version": "2.7.5",
- "downloadUrl": "https://github.com/influxdata/influxdb/archive/refs/tags/v2.7.5.tar.gz"
+ "version": "2.8.0",
+ "downloadUrl": "https://github.com/influxdata/influxdb/archive/refs/tags/v2.8.0.tar.gz"
 }
 }
 },
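Review bot: The Patch list hunk silently drops seven backported CVE fixes (CVE-2023-45288, CVE-2024-24786, CVE-2024-45338, CVE-2024-51744, CVE-2025-22870, CVE-2025-22872, CVE-2025-65637), which is only safe if the 2.8.0 vendor tarball ships fixed versions of golang.org/x/net, google.golang.org/protobuf, golang-jwt/jwt and sirupsen/logrus, and nothing in the change records that this was checked; the changelog hunk later in this file says only `Upgrade to 2.8.0 for CVE-CVE-2024-30896` (note the doubled `CVE-`). One case deserves a specific look: the removed CVE-2024-51744 patch fixed the signature-before-claims ordering in two vendored copies, `github.com/golang-jwt/jwt` and the fork `github.com/form3tech-oss/jwt-go`, and if 2.8.0 still vendors the form3tech-oss fork it will not have picked up the golang-jwt fix by itself. Suggest adding a changelog line such as `- Drop patches for CVE-2023-45288, CVE-2024-24786, CVE-2024-45338, CVE-2024-51744, CVE-2025-22870, CVE-2025-22872, CVE-2025-65637: fixed in 2.8.0 vendored modules` once that has been confirmed (e.g. against vendor/modules.txt or govulncheck), and correcting the entry to `Upgrade to 2.8.0 for CVE-2024-30896`. The three retained patches (now Patch3–Patch5) also need to be confirmed to still apply cleanly to the 2.8.0 vendor tree, since the build log is not part of this change.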