diff --git a/SPECS/systemd-bootstrap/CVE-2023-7008.patch b/SPECS/systemd-bootstrap/CVE-2023-7008.patch
new file mode 100644
index 00000000000..91ca454906c
--- /dev/null
+++ b/SPECS/systemd-bootstrap/CVE-2023-7008.patch
@@ -0,0 +1,36 @@
+From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001
+From: akhila-guruju
+Date: Thu, 22 May 2025 10:35:31 +0000
+Subject: [PATCH] Address CVE-2023-7008
+
+Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca
+
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 2ee45ff..5507fd9 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ /* We found the transaction that was supposed to find the SOA RR for us. It was
+ * successful, but found no RR for us. This means we are not at a zone cut. In this
+ * case, we require authentication if the SOA lookup was authenticated too. */
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+--
+2.45.2
+
diff --git a/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch b/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch
index b802ead2c6f..6acb9c371b5 100644
--- a/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch
+++ b/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch
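Review bot: Both added lines in the embedded hunks now read `dt->answer_query_flags`, but `dt` is declared outside both hunks (dns_transaction_requires_rrsig begins before the first one), so nothing in this file shows that the 250.3 tree names the sub-transaction loop variable `dt` as the upstream commit assumes; if it does not, the failure mode is a build break, which is at least loud. The second site is already explained by the surrounding comment ("we require authentication if the SOA lookup was authenticated too"), while the first site has no such note; a one-liner above the first changed return, `/* Check the sub-transaction's own authenticated flag, not the parent's (CVE-2023-7008). */`, would make the intent of the t→dt change visible where it is least obvious. The header's From:/Subject: lines replace the upstream author and subject, so the "Upstream Patch reference" URL is the only link back to the original commit; keeping the upstream subject line, or naming the upstream author in the body, would make that traceability survive if the URL ever rots.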
@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
 + map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);
 server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);
-
\ No newline at end of file
+
diff --git a/SPECS/systemd-bootstrap/systemd-bootstrap.spec b/SPECS/systemd-bootstrap/systemd-bootstrap.spec
index 486d3ff08bd..49463a72c49 100644
--- a/SPECS/systemd-bootstrap/systemd-bootstrap.spec
+++ b/SPECS/systemd-bootstrap/systemd-bootstrap.spec
@@ -1,7 +1,7 @@
 Summary: Bootstrap version of systemd. Workaround for systemd circular dependency.
 Name: systemd-bootstrap
 Version: 250.3
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: LGPLv2+ AND GPLv2+ AND MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -48,6 +48,7 @@ Patch7: update-cifs-for-kernel-headers-6.1.patch
 # 5. Repeat from 2. as needed until it builds
 # 6. Build both systemd and systemd-bootstrap, validate the contents of systemd-rpm-macros and system-bootstrap-rpm-macros are identical
 Patch8: use-255-macros.patch
+Patch9: CVE-2023-7008.patch
 BuildRequires: docbook-dtd-xml
 BuildRequires: docbook-style-xsl
 BuildRequires: gettext
@@ -285,6 +286,9 @@ fi
 %{_datadir}/pkgconfig/udev.pc
 %changelog
+* Fri May 23 2025 Akhila Guruju - 250.3-18
+- Patch CVE-2023-7008
+
 * Mon Mar 11 2024 Daniel McIlvaney - 250.3-17
 - Split libs into their own subpackage to align with full systemd.
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 1683d00f123..9cfe5f88dbb 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
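Review bot: The new `Patch9: CVE-2023-7008.patch` line in hunk @@ -48,6 +48,7 @@ only declares the patch; %prep is outside the hunk, so whether it is applied depends on how that section is written: with `%autosetup -p1` or `%autopatch` the declaration is enough, whereas with explicit `%patch` directives a matching `%patch9 -p1` line is required or release 18 ships the same resolved binary as release 17 while the changelog claims the CVE is fixed. Checking the build log for the patch being applied (or for the `dt->answer_query_flags` lines in the unpacked source) would confirm it. The changelog entry in hunk @@ -285,6 +286,9 @@ could also name the upstream commit so the fix is traceable without opening the patch file, e.g. `- Patch CVE-2023-7008 (systemd-stable 4ada1290)`.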
@@ -579,11 +579,11 @@ sqlite-devel-3.44.0-1.azl3.aarch64.rpm
 sqlite-libs-3.44.0-1.azl3.aarch64.rpm
 swig-4.2.1-1.azl3.aarch64.rpm
 swig-debuginfo-4.2.1-1.azl3.aarch64.rpm
-systemd-bootstrap-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-debuginfo-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-devel-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
+systemd-bootstrap-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-debuginfo-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-devel-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-libs-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
 tar-1.35-2.azl3.aarch64.rpm
 tar-debuginfo-1.35-2.azl3.aarch64.rpm
 tdnf-3.5.8-7.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 86a97749adf..d32131e2c7e 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -587,11 +587,11 @@ sqlite-devel-3.44.0-1.azl3.x86_64.rpm
 sqlite-libs-3.44.0-1.azl3.x86_64.rpm
 swig-4.2.1-1.azl3.x86_64.rpm
 swig-debuginfo-4.2.1-1.azl3.x86_64.rpm
-systemd-bootstrap-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-debuginfo-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-devel-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
+systemd-bootstrap-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-debuginfo-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-devel-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-libs-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
 tar-1.35-2.azl3.x86_64.rpm
 tar-debuginfo-1.35-2.azl3.x86_64.rpm
 tdnf-3.5.8-7.azl3.x86_64.rpm