Merge branch 'main' into 2.0

Author: jslobodzian

SPECS-EXTENDED/gdal/gdal.spec

@@ -15,7 +15,7 @@ Summary:        GIS file format library
 #global pre rc1
 Name:           gdal
 Version:        3.6.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -316,6 +316,11 @@ ctest -E "autotest_osr|autotest_alg|autotest_gdrivers|autotest_gcore"
 
 
 %changelog
+* Mon Dec 29 2025 Kshitiz Godara <[email protected]> - 3.6.3-5
+- Bumping the release version so that this package is re-built with
+  the newer 1.14.6 hdf5 libraries. This ensures that the matching
+  1.14.6 .so files Will be used at run time.
+
 * Wed May 22 2024 George Mileka <[email protected]> - 3.6.3-4
   Remove the use of explicit hdf5 version from the build-time dependencies.
 

SPECS-EXTENDED/netcdf/netcdf.spec

@@ -12,7 +12,7 @@
 Summary:        Libraries for the Unidata network Common Data Form
 Name:           netcdf
 Version:        4.9.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        NetCDF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -398,6 +398,11 @@ done
 
 
 %changelog
+* Mon Dec 29 2025 Kshitiz Godara <[email protected]> - 4.9.0-7
+- Bumping the release version so that this package is re-built with
+  the newer 1.14.6 hdf5 libraries. This ensures that the matching
+  1.14.6 .so files Will be used at run time.
+
 * Wed May 22 2024 George Mileka <[email protected]> - 4.9.0-6
   Remove the use of the '_hdf5_version' and explicit hdf5 version from the
   build-time dependencies.

SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec

@@ -12,7 +12,7 @@
 Summary:        Signed GRand Unified Bootloader for %{buildarch} systems
 Name:           grub2-efi-binary-signed-%{buildarch}
 Version:        2.06
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -77,6 +77,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
 /boot/efi/EFI/BOOT/%{grubpxeefiname}
 
 %changelog
+* Thu Nov 27 2025 Akhila Guruju <[email protected]> - 2.06-16
+- Bump release number to match grub release
+
 * Tue Jun 17 2025 Kshitiz Godara <[email protected]> - 2.06-15
 - Bump release number to match grub release
 

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed Nov 20 2025 Jyoti kanase <[email protected]> - 1.0.1-15
+- Bump release for consistency with hvloader spec.
+
 * Tue Aug 12 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.1-14
 - Bump release for consistency with hvloader spec.
 

SPECS/cert-manager/CVE-2025-65637.patch

@@ -0,0 +1,136 @@
+From af32d40d6e7e0936306edd41ed34272777c09eab Mon Sep 17 00:00:00 2001
+From: Chris <[email protected]>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 1/2] This commit fixes a potential denial of service
+ vulnerability in logrus.Writer() that could be triggered by logging text
+ longer than 64kb without newlines. Previously, the bufio.Scanner used by
+ Writer() would hang indefinitely when reading such text without newlines,
+ causing the application to become unresponsive.
+
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 72e8e3a..36032d0 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
+ // Writer at INFO level. See WriterLevel for details.
+@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ 	return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
+ 
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case TraceLevel:
+ 		printFunc = entry.Trace
+@@ -48,23 +52,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = entry.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go entry.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++		return 0, nil, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		entry.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
+
+From be88ae64b9c8109d4ddd9c1981221d03c8476b44 Mon Sep 17 00:00:00 2001
+From: Chris <[email protected]>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 2/2] Scan text in 64KB chunks
+
+This commit fixes a potential denial of service
+vulnerability in logrus.Writer() that could be
+triggered by logging text longer than 64KB
+without newlines. Previously, the bufio.Scanner
+used by Writer() would hang indefinitely when
+reading such text without newlines, causing the
+application to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 36032d0..7e7703c 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -75,7 +75,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 		if len(data) > chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+-		return 0, nil, nil
++
++		return len(data), data, nil
+ 	}
+ 
+ 	//Use the custom split function to split the input
+-- 
+2.45.4
+

SPECS/cert-manager/cert-manager.spec

@@ -1,7 +1,7 @@
 Summary:        Automatically provision and manage TLS certificates in Kubernetes
 Name:           cert-manager
 Version:        1.11.2
-Release:        24%{?dist}
+Release:        25%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,6 +38,7 @@ Patch15:        CVE-2025-30204.patch
 Patch16:        CVE-2024-51744.patch
 Patch17:        CVE-2025-32386.patch
 Patch18:        CVE-2025-22872.patch
+Patch19:        CVE-2025-65637.patch
 
 BuildRequires:  golang
 Requires:       %{name}-acmesolver
@@ -131,6 +132,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <[email protected]> - 1.11.2-25
+- Patch for CVE-2025-65637
+
 * Thu Sep 04 2025 Akhila Guruju <[email protected]> - 1.11.2-24
 - Bump release to rebuild with golang
 

SPECS/cf-cli/CVE-2025-65637.patch

@@ -0,0 +1,136 @@
+From 93f4a08fe4b678980b16560eff48b5d0a2fb5488 Mon Sep 17 00:00:00 2001
+From: Chris <[email protected]>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 1/2] This commit fixes a potential denial of service
+ vulnerability in logrus.Writer() that could be triggered by logging text
+ longer than 64kb without newlines. Previously, the bufio.Scanner used by
+ Writer() would hang indefinitely when reading such text without newlines,
+ causing the application to become unresponsive.
+
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 9e1f751..bbeef80 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
+ func (logger *Logger) Writer() *io.PipeWriter {
+@@ -14,15 +15,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ 	return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
+ 
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case TraceLevel:
+ 		printFunc = entry.Trace
+@@ -42,23 +46,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = entry.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go entry.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++		return 0, nil, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		entry.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
+
+From 944504874319c871da113e3722fe40b7a361e2a1 Mon Sep 17 00:00:00 2001
+From: Chris <[email protected]>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 2/2] Scan text in 64KB chunks
+
+This commit fixes a potential denial of service
+vulnerability in logrus.Writer() that could be
+triggered by logging text longer than 64KB
+without newlines. Previously, the bufio.Scanner
+used by Writer() would hang indefinitely when
+reading such text without newlines, causing the
+application to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index bbeef80..bc6c19c 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -69,7 +69,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 		if len(data) > chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+-		return 0, nil, nil
++
++		return len(data), data, nil
+ 	}
+ 
+ 	//Use the custom split function to split the input
+-- 
+2.45.4
+