-Date: Thu, 8 May 2025 12:53:56 -0700
-Subject: [PATCH] Patch CVE-2025-22872
-
-Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9.patch
----
- cmd/ctl/vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/cmd/ctl/vendor/golang.org/x/net/html/token.go b/cmd/ctl/vendor/golang.org/x/net/html/token.go
-index 3c57880..6598c1f 100644
---- a/cmd/ctl/vendor/golang.org/x/net/html/token.go
-+++ b/cmd/ctl/vendor/golang.org/x/net/html/token.go
-@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
- if raw {
- z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
- }
-- // Look for a self-closing token like "
".
-- if z.err == nil && z.buf[z.raw.end-2] == '/' {
-+ // Look for a self-closing token (e.g.
).
-+ //
-+ // Originally, we did this by just checking that the last character of the
-+ // tag (ignoring the closing bracket) was a solidus (/) character, but this
-+ // is not always accurate.
-+ //
-+ // We need to be careful that we don't misinterpret a non-self-closing tag
-+ // as self-closing, as can happen if the tag contains unquoted attribute
-+ // values (i.e. ).
-+ //
-+ // To avoid this, we check that the last non-bracket character of the tag
-+ // (z.raw.end-2) isn't the same character as the last non-quote character of
-+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
-+ // attributes.
-+ nAttrs := len(z.attr)
-+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
- return SelfClosingTagToken
- }
- return StartTagToken
---
-2.34.1
-
diff --git a/SPECS/cert-manager/CVE-2025-27144.patch b/SPECS/cert-manager/CVE-2025-27144.patch
deleted file mode 100644
index 89e37594d5..0000000000
--- a/SPECS/cert-manager/CVE-2025-27144.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 46c92791edfab05377ba880024389a356d58ea20 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Feb 2025 09:39:10 +0000
-Subject: [PATCH] CVE-2025-27144
-
----
- cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
- cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go
-index 4267ac7..1ba4ae0 100644
---- a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go
-+++ b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go
-@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
-
- // parseEncryptedCompact parses a message in compact format.
- func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 5 {
-+ // Five parts is four separators
-+ if strings.Count(input, ".") != 4 {
- return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
- }
-+ parts := strings.SplitN(input, ".", 5)
-
- rawProtected, err := base64URLDecode(parts[0])
- if err != nil {
-diff --git a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go
-index e37007d..401fc18 100644
---- a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go
-+++ b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go
-@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
-
- // parseSignedCompact parses a message in compact format.
- func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 3 {
-+ // Three parts is two separators
-+ if strings.Count(input, ".") != 2 {
- return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
- }
-+ parts := strings.SplitN(input, ".", 3)
-
- if parts[1] != "" && payload != nil {
- return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
---
-2.45.2
-
diff --git a/SPECS/cert-manager/CVE-2025-30204.patch b/SPECS/cert-manager/CVE-2025-30204.patch
deleted file mode 100644
index cc389d54b3..0000000000
--- a/SPECS/cert-manager/CVE-2025-30204.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 20e897717946a5bb7750e795c245012bddcfa312 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Mar 2025 21:29:08 +0000
-Subject: [PATCH] CVE-2025-30204
-
-Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
----
- github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
- 1 file changed, 33 insertions(+), 3 deletions(-)
-
-diff --git a/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go b/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go
-index 2f61a69..9484f28 100644
---- a/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go
-+++ b/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go
-@@ -7,6 +7,8 @@ import (
- "strings"
- )
-
-+const tokenDelimiter = "."
-+
- type Parser struct {
- // If populated, only these methods will be considered valid.
- //
-@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- // It's only ever useful in cases where you know the signature is valid (because it has
- // been checked previously in the stack) and you want to extract values from it.
- func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
-- parts = strings.Split(tokenString, ".")
-- if len(parts) != 3 {
-- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
-+ var ok bool
-+ parts, ok = splitToken(tokenString)
-+ if !ok {
-+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
- }
-
- token = &Token{Raw: tokenString}
-@@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
-
- return token, parts, nil
- }
-+
-+// splitToken splits a token string into three parts: header, claims, and signature. It will only
-+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
-+// will return nil parts and false.
-+func splitToken(token string) ([]string, bool) {
-+ parts := make([]string, 3)
-+ header, remain, ok := strings.Cut(token, tokenDelimiter)
-+ if !ok {
-+ return nil, false
-+ }
-+ parts[0] = header
-+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
-+ if !ok {
-+ return nil, false
-+ }
-+ parts[1] = claims
-+ // One more cut to ensure the signature is the last part of the token and there are no more
-+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
-+ // causing unecessary overhead parsing tokens.
-+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
-+ if unexpected {
-+ return nil, false
-+ }
-+ parts[2] = signature
-+
-+ return parts, true
-+}
---
-2.45.2
-
diff --git a/SPECS/cert-manager/CVE-2025-32386.patch b/SPECS/cert-manager/CVE-2025-32386.patch
deleted file mode 100644
index 9f7253f228..0000000000
--- a/SPECS/cert-manager/CVE-2025-32386.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 8374e59e76c401229470d6f3840cdbbdfa1512a8 Mon Sep 17 00:00:00 2001
-From: Kevin Lockwood
-Date: Wed, 21 May 2025 13:29:45 -0700
-Subject: [PATCH] Fix CVE-2025-32387
-
-Upstream Link: https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7.patch
----
- .../helm/v3/pkg/chart/loader/archive.go | 32 ++++++++++++++++++-
- .../helm/v3/pkg/chart/loader/directory.go | 4 +++
- 2 files changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
-index 196e5f8..4cb994c 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
-@@ -33,6 +33,15 @@ import (
- "helm.sh/helm/v3/pkg/chart"
- )
-
-+// MaxDecompressedChartSize is the maximum size of a chart archive that will be
-+// decompressed. This is the decompressed size of all the files.
-+// The default value is 100 MiB.
-+var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
-+
-+// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
-+// The size of the file is the decompressed version of it when it is stored in an archive.
-+var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
-+
- var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
-
- // FileLoader loads a chart from a file
-@@ -119,6 +128,7 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
-
- files := []*BufferedFile{}
- tr := tar.NewReader(unzipped)
-+ remainingSize := MaxDecompressedChartSize
- for {
- b := bytes.NewBuffer(nil)
- hd, err := tr.Next()
-@@ -178,10 +188,30 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
- return nil, errors.New("chart yaml not in base directory")
- }
-
-- if _, err := io.Copy(b, tr); err != nil {
-+ if hd.Size > remainingSize {
-+ return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
-+ }
-+
-+ if hd.Size > MaxDecompressedFileSize {
-+ return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize)
-+ }
-+
-+ limitedReader := io.LimitReader(tr, remainingSize)
-+
-+ bytesWritten, err := io.Copy(b, limitedReader)
-+ if err != nil {
- return nil, err
- }
-
-+ remainingSize -= bytesWritten
-+ // When the bytesWritten are less than the file size it means the limit reader ended
-+ // copying early. Here we report that error. This is important if the last file extracted
-+ // is the one that goes over the limit. It assumes the Size stored in the tar header
-+ // is correct, something many applications do.
-+ if bytesWritten < hd.Size || remainingSize <= 0 {
-+ return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
-+ }
-+
- data := bytes.TrimPrefix(b.Bytes(), utf8bom)
-
- files = append(files, &BufferedFile{Name: n, Data: data})
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
-index 9bcbee6..fd8e02e 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
-@@ -101,6 +101,10 @@ func LoadDir(dir string) (*chart.Chart, error) {
- return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
- }
-
-+ if fi.Size() > MaxDecompressedFileSize {
-+ return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize)
-+ }
-+
- data, err := os.ReadFile(name)
- if err != nil {
- return errors.Wrapf(err, "error reading %s", n)
---
-2.34.1
-
diff --git a/SPECS/cert-manager/cert-manager.signatures.json b/SPECS/cert-manager/cert-manager.signatures.json
deleted file mode 100644
index 01eaffd161..0000000000
--- a/SPECS/cert-manager/cert-manager.signatures.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "Signatures": {
- "cert-manager-1.12.15.tar.gz": "2c556e4c47753a5cd48510297bc5cab2b0943b7de1b3898df598a0ee969c8e72",
- "cert-manager-1.12.15-vendor.tar.gz": "20afae660bffb8a636185aa920c1ada8bd345bae773ebe9e277b490ddc1bad49"
- }
-}
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
deleted file mode 100644
index e49571240c..0000000000
--- a/SPECS/cert-manager/cert-manager.spec
+++ /dev/null
@@ -1,211 +0,0 @@
-Summary: Automatically provision and manage TLS certificates in Kubernetes
-Name: cert-manager
-Version: 1.12.15
-Release: 5%{?dist}
-License: ASL 2.0
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-URL: https://github.com/jetstack/cert-manager
-Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# Below is a manually created tarball, no download link.
-# We're using pre-populated GO dependencies from this tarball, since network is disabled during build time.
-# How to re-build this file:
-# 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
-# 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version}
-Source1: %{name}-%{version}-vendor.tar.gz
-Patch0: CVE-2024-45338.patch
-Patch1: CVE-2025-27144.patch
-Patch2: CVE-2025-22868.patch
-Patch3: CVE-2025-22869.patch
-Patch4: CVE-2025-30204.patch
-Patch5: CVE-2025-32386.patch
-Patch6: CVE-2025-22872.patch
-
-BuildRequires: golang
-Requires: %{name}-acmesolver
-Requires: %{name}-cainjector
-Requires: %{name}-cmctl
-Requires: %{name}-controller
-Requires: %{name}-webhook
-
-%description
-cert-manager is a Kubernetes add-on to automate the management and issuance
-of TLS certificates from various issuing sources.
-
-%package acmesolver
-Summary: cert-manager's acmesolver binary
-
-%description acmesolver
-HTTP server used to solve ACME challenges.
-
-%package cainjector
-Summary: cert-manager's cainjector binary
-
-%description cainjector
-cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into
-webhooks and APIServices from cert-manager certificates.
-
-%package controller
-Summary: cert-manager's controller binary
-
-%description controller
-cert-manager is a Kubernetes addon to automate the management and issuance of
-TLS certificates from various issuing sources.
-
-%package cmctl
-Summary: cert-manager's cmctl binary
-
-%description cmctl
-cmctl is a CLI tool manage and configure cert-manager resources for Kubernetes
-
-%package webhook
-Summary: cert-manager's webhook binary
-
-%description webhook
-Webhook component providing API validation, mutation and conversion functionality for cert-manager.
-
-%prep
-%autosetup -a 1 -p1
-
-%build
-
-LOCAL_BIN_DIR=$(realpath bin)
-go -C cmd/acmesolver build -mod=vendor -o "${LOCAL_BIN_DIR}"/acmesolver main.go
-go -C cmd/controller build -mod=vendor -o "${LOCAL_BIN_DIR}"/controller main.go
-go -C cmd/cainjector build -mod=vendor -o "${LOCAL_BIN_DIR}"/cainjector main.go
-go -C cmd/ctl build -mod=vendor -o "${LOCAL_BIN_DIR}"/cmctl main.go
-go -C cmd/webhook build -mod=vendor -o "${LOCAL_BIN_DIR}"/webhook main.go
-
-%install
-mkdir -p %{buildroot}%{_bindir}
-install -D -m0755 bin/acmesolver %{buildroot}%{_bindir}/
-install -D -m0755 bin/cainjector %{buildroot}%{_bindir}/
-install -D -m0755 bin/controller %{buildroot}%{_bindir}/
-install -D -m0755 bin/cmctl %{buildroot}%{_bindir}/
-install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
-%files
-
-%files acmesolver
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/acmesolver
-
-%files cainjector
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/cainjector
-
-%files controller
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/controller
-
-%files cmctl
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/cmctl
-
-%files webhook
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/webhook
-
-%changelog
-* Mon Sep 8 2025 Lee Chee Yang - 1.12.15-5
-- merge from Azure Linux 3.0.20250910-3.0.
-- Patch CVE-2025-32386 (also fixes CVE-2025-32387)
-- Patch CVE-2025-22872
-
-* Fri Apr 28 2025 Ranjan Dutta - 1.12.15-4
-- merge from Azure Linux 3.0.20250423.
-- Patch CVE-2025-30204
-
-* Fri Mar 21 2025 Anuj Mittal - 1.12.15-3
-- Bump Release to rebuild
-
-* Mon Mar 03 2025 Kanishk Bansal - 1.12.15-2
-- Fix CVE-2025-22868, CVE-2025-22869 & CVE-2025-27144 with an upstream patch
-
-* Mon Jan 27 2025 Rohit Rawat - 1.12.15-1
-- Upgrade to 1.12.15 - to fix CVE-2024-12401
-- Remove CVE-2024-45337.patch as it is fixed in 1.12.15
-
-* Tue Dec 31 2024 Rohit Rawat - 1.12.13-3
-- Add patch for CVE-2024-45338
-
-* Wed Jan 08 2025 Muhammad Falak - 1.12.13-2
-- Patch CVE-2024-45337
-
-* Mon Sep 16 2024 Jiri Appl - 1.12.13-1
-- Upgrade to 1.12.13 which carries helm 3.14.2 to fix CVE-2024-26147 and CVE-2024-25620
-
-* Wed Aug 07 2024 Bhagyashri Pathak - 1.12.12-2
-- Patch for CVE-2024-25620
-
-* Wed Jul 10 2024 Tobias Brick - 1.12.12-1
-- Upgrade to 1.12.12 to fix CVE-2024-26147 and CVE-2023-45142
-
-* Wed May 29 2024 Neha Agarwal - 1.11.2-8
-- Bump release to build with new helm to fix CVE-2024-25620
-
-* Wed May 22 2024 Neha Agarwal - 1.11.2-7
-- Bump release to build with new helm to fix CVE-2024-26147
-
-* Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.11.2-6
-- Bump release to rebuild with go 1.20.10
-
-* Tue Oct 10 2023 Dan Streetman - 1.11.2-5
-- Bump release to rebuild with updated version of Go.
-
-* Mon Aug 07 2023 CBL-Mariner Servicing Account - 1.11.2-4
-- Bump release to rebuild with go 1.19.12
-
-* Thu Jul 13 2023 CBL-Mariner Servicing Account - 1.11.2-3
-- Bump release to rebuild with go 1.19.11
-
-* Thu Jun 15 2023 CBL-Mariner Servicing Account - 1.11.2-2
-- Bump release to rebuild with go 1.19.10
-
-* Mon May 15 2023 Aditya Dubey - 1.11.0-1
-- Upgrade to v1.11.2
-- Removed patch for CVE-2023-25165
-- This version uses helm v3.11.1, which fixes CVE-2023-25165 and thus we do not need the patch file anymore
-
-* Wed Apr 05 2023 CBL-Mariner Servicing Account - 1.7.3-10
-- Bump release to rebuild with go 1.19.8
-
-* Wed Mar 29 2023 CBL-Mariner Servicing Account - 1.7.3-9
-- Add patch for CVE-2023-25165
-
-* Tue Mar 28 2023 CBL-Mariner Servicing Account - 1.7.3-8
-- Bump release to rebuild with go 1.19.7
-
-* Wed Mar 15 2023 CBL-Mariner Servicing Account - 1.7.3-7
-- Bump release to rebuild with go 1.19.6
-
-* Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.7.3-6
-- Bump release to rebuild with go 1.19.5
-
-* Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.7.3-5
-- Bump release to rebuild with go 1.19.4
-
-* Fri Dec 16 2022 Daniel McIlvaney - 1.7.3-4
-- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717
-
-* Tue Nov 01 2022 Olivia Crain - 1.7.3-3
-- Bump release to rebuild with go 1.18.8
-
-* Mon Aug 22 2022 Olivia Crain - 1.7.3-2
-- Bump release to rebuild against Go 1.18.5
-
-* Fri Aug 05 2022 Chris Gunn - 1.7.3-1
-- Update to v1.7.3
-- Split binaries into separate packages.
-
-* Tue Jun 14 2022 Muhammad Falak - 1.5.3-2
-- Add a hard BR on golang <= 1.17.10
-- Bump release to rebuild with golang 1.17.10
-
-* Fri Sep 10 2021 Henry Li - 1.5.3-1
-- Original version for CBL-Mariner
-- License Verified
diff --git a/SPECS/cert-manager/generate_source_tarball.sh b/SPECS/cert-manager/generate_source_tarball.sh
deleted file mode 100755
index 993e831002..0000000000
--- a/SPECS/cert-manager/generate_source_tarball.sh
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/bash
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-# Quit on failure
-set -e
-
-PKG_VERSION=""
-SRC_TARBALL=""
-OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# parameters:
-#
-# --srcTarball : src tarball file
-# this file contains the 'initial' source code of the component
-# and should be replaced with the new/modified src code
-# --outFolder : folder where to copy the new tarball(s)
-# --pkgVersion : package version
-#
-PARAMS=""
-while (( "$#" )); do
- case "$1" in
- --srcTarball)
- if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
- SRC_TARBALL=$2
- shift 2
- else
- echo "Error: Argument for $1 is missing" >&2
- exit 1
- fi
- ;;
- --outFolder)
- if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
- OUT_FOLDER=$2
- shift 2
- else
- echo "Error: Argument for $1 is missing" >&2
- exit 1
- fi
- ;;
- --pkgVersion)
- if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
- PKG_VERSION=$2
- shift 2
- else
- echo "Error: Argument for $1 is missing" >&2
- exit 1
- fi
- ;;
- -*|--*=) # unsupported flags
- echo "Error: Unsupported flag $1" >&2
- exit 1
- ;;
- *) # preserve positional arguments
- PARAMS="${PARAMS} $1"
- shift
- ;;
- esac
-done
-
-echo "--srcTarball -> ${SRC_TARBALL}"
-echo "--outFolder -> ${OUT_FOLDER}"
-echo "--pkgVersion -> ${PKG_VERSION}"
-
-if [ -z "${SRC_TARBALL}" ]; then
- echo "--srcTarball parameter cannot be empty"
- exit 1
-fi
-
-SRC_TARBALL=$(realpath "${SRC_TARBALL}")
-
-if [ -z "${PKG_VERSION}" ]; then
- echo "--pkgVersion parameter cannot be empty"
- exit 1
-fi
-
-echo "-- create temp folder"
-tmpdir=$(mktemp -d)
-function cleanup {
- echo "+++ cleanup -> remove ${tmpdir}"
- rm -rf ${tmpdir}
-}
-trap cleanup EXIT
-
-pushd "${tmpdir}" > /dev/null
-
-echo "Unpacking source tarball..."
-tar -xf "${SRC_TARBALL}"
-
-cd "cert-manager-${PKG_VERSION}"
-
-# We need to individually vendor each cmd we will build
-vendor_directories=()
-
-echo "Get vendored modules for each command"
-for dir in cmd/*; do
- if [ -d "${dir}" ]; then
- echo "Vendoring '${dir}'"
- pushd "${dir}" > /dev/null
- go mod vendor
- vendor_directories+=("${dir}/vendor")
- popd > /dev/null
- fi
-done
-
-echo "Tar vendored modules"
-VENDOR_TARBALL="${OUT_FOLDER}/cert-manager-${PKG_VERSION}-vendor.tar.gz"
-tar --sort=name \
- --mtime="2021-04-26 00:00Z" \
- --owner=0 --group=0 --numeric-owner \
- --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
- -cf "${VENDOR_TARBALL}" ${vendor_directories[@]}
-
-popd > /dev/null
-echo "cert-manager vendored modules are available at ${VENDOR_TARBALL}"
diff --git a/SPECS/cf-cli/CVE-2024-45337.patch b/SPECS/cf-cli/CVE-2024-45337.patch
deleted file mode 100644
index f7d2f6a672..0000000000
--- a/SPECS/cf-cli/CVE-2024-45337.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch
-
-From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker
-Date: Tue, 3 Dec 2024 09:03:03 -0800
-Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
-
-Users of the the ssh package seem to extremely commonly misuse the
-PublicKeyCallback API, assuming that the key passed in the last call
-before a connection is established is the key used for authentication.
-Some users then make authorization decisions based on this key. This
-property is not documented, and may not be correct, due to the caching
-behavior of the package, resulting in users making incorrect
-authorization decisions about the connection.
-
-This change makes the cache a one entry FIFO cache, making the assumed
-property, that the last call to PublicKeyCallback represents the key
-actually used for authentication, actually hold.
-
-Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
-Jules Duvivier from the Platform.sh / Upsun engineering team
-for reporting this issue.
-
-Fixes golang/go#70779
-Fixes CVE-2024-45337
-
-Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
-Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
-Reviewed-by: Roland Shoemaker
-Auto-Submit: Gopher Robot