-Date: Mon, 24 Feb 2025 11:18:31 -0800
-Subject: [PATCH] html: properly handle trailing solidus in unquoted attribute
- value in foreign content
-
-The parser properly treats tags like as
, but the
-tokenizer emits the SelfClosingTagToken token incorrectly. When the
-parser is used to parse foreign content, this results in an incorrect
-DOM.
-
-Thanks to Sean Ng (https://ensy.zip) for reporting this issue.
-
-Fixes golang/go#73070
-Fixes CVE-2025-22872
-
-Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f
-Reviewed-on: https://go-review.googlesource.com/c/net/+/661256
-Reviewed-by: Neal Patel
-Reviewed-by: Roland Shoemaker
-LUCI-TryBot-Result: Go LUCI
-Auto-Submit: Gopher Robot
----
- vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
-index 3c57880..6598c1f 100644
---- a/vendor/golang.org/x/net/html/token.go
-+++ b/vendor/golang.org/x/net/html/token.go
-@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
- if raw {
- z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
- }
-- // Look for a self-closing token like "
".
-- if z.err == nil && z.buf[z.raw.end-2] == '/' {
-+ // Look for a self-closing token (e.g.
).
-+ //
-+ // Originally, we did this by just checking that the last character of the
-+ // tag (ignoring the closing bracket) was a solidus (/) character, but this
-+ // is not always accurate.
-+ //
-+ // We need to be careful that we don't misinterpret a non-self-closing tag
-+ // as self-closing, as can happen if the tag contains unquoted attribute
-+ // values (i.e. ).
-+ //
-+ // To avoid this, we check that the last non-bracket character of the tag
-+ // (z.raw.end-2) isn't the same character as the last non-quote character of
-+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
-+ // attributes.
-+ nAttrs := len(z.attr)
-+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
- return SelfClosingTagToken
- }
- return StartTagToken
---
-2.34.1
-
diff --git a/SPECS/caddy/CVE-2025-47914.patch b/SPECS/caddy/CVE-2025-47914.patch
deleted file mode 100644
index 11e2027d26..0000000000
--- a/SPECS/caddy/CVE-2025-47914.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f91f7a7c31bf90b39c1de895ad116a2bacc88748 Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Wed, 10 Sep 2025 14:27:42 -0400
-Subject: [PATCH] ssh/agent: prevent panic on malformed constraint
-
-An attacker could supply a malformed Constraint that
-would trigger a panic in a serving agent, effectively
-causing denial of service.
-
-Thank you to Jakub Ciolek for reporting this issue.
-
-Fixes CVE-2025-47914
-Fixes golang/go#76364
-
-Change-Id: I195bbc68b1560d4f04897722a6a653a7cbf086eb
-Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721960
-LUCI-TryBot-Result: Go LUCI
-Auto-Submit: Roland Shoemaker
-Reviewed-by: Damien Neil
----
- vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
-index 88ce4da6c4..4e8ff86b61 100644
---- a/vendor/golang.org/x/crypto/ssh/agent/server.go
-+++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
-@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
- for len(constraints) != 0 {
- switch constraints[0] {
- case agentConstrainLifetime:
-+ if len(constraints) < 5 {
-+ return 0, false, nil, io.ErrUnexpectedEOF
-+ }
- lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
- constraints = constraints[5:]
- case agentConstrainConfirm:
diff --git a/SPECS/caddy/CVE-2025-58181.patch b/SPECS/caddy/CVE-2025-58181.patch
deleted file mode 100644
index 76b17efad6..0000000000
--- a/SPECS/caddy/CVE-2025-58181.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Wed, 19 Nov 2025 13:35:12 -0500
-Subject: [PATCH] ssh: curb GSSAPI DoS risk by limiting number of specified
- OIDs
-
-Previously, an attacker could specify an integer up to 0xFFFFFFFF
-that would directly allocate memory despite the observability of
-the rest of the payload. This change places a hard cap on the
-amount of mechanisms that can be specified and encoded in the
-payload. Additionally, it performs a small sanity check to deny
-payloads whose stated size is contradictory to the observed payload.
-
-Thank you to Jakub Ciolek for reporting this issue.
-
-Fixes CVE-2025-58181
-Fixes golang/go#76363
-
-Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
-Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
-Auto-Submit: Roland Shoemaker
-Reviewed-by: Damien Neil
-LUCI-TryBot-Result: Go LUCI
----
- vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
- 1 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/vendor/golang.org/x/crypto//ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
-index 24bd7c8e83..a6249a1227 100644
---- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
-+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
-@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
- if !ok {
- return nil, errors.New("parse uint32 failed")
- }
-+ // Each ASN.1 encoded OID must have a minimum
-+ // of 2 bytes; 64 maximum mechanisms is an
-+ // arbitrary, but reasonable ceiling.
-+ const maxMechs = 64
-+ if n > maxMechs || int(n)*2 > len(rest) {
-+ return nil, errors.New("invalid mechanism count")
-+ }
- s := &userAuthRequestGSSAPI{
- N: n,
- OIDS: make([]asn1.ObjectIdentifier, n),
-@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
- if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
- return nil, err
- }
--
- }
- return s, nil
- }
diff --git a/SPECS/caddy/caddy.signatures.json b/SPECS/caddy/caddy.signatures.json
index da8730e8a7..d4805ec661 100644
--- a/SPECS/caddy/caddy.signatures.json
+++ b/SPECS/caddy/caddy.signatures.json
@@ -8,7 +8,7 @@
"poweredby-black.png": "4691c0d3bd2156db97b76d12f0c98662fe8869f30fe2c07631ffb43bda09e6a1",
"poweredby-white.png": "e128419a13a91428ea9985fd54c91b8e80061c4d72b4ee913e616b3c823fcdd6",
"0001-Disable-commands-that-can-alter-the-binary.patch": "1ef152b99af5a3a549254c845145ea9142abd571fb92c370acb3604dc77a1415",
- "caddy-2.9.1.tar.gz": "beb52478dfb34ad29407003520d94ee0baccbf210d1af72cebf430d6d7dd7b63",
- "caddy-2.9.1-vendor.tar.gz": "3a7bc2b669f1cc55273d9486fd651473ca5de02131c4de292bffac0aaab82837"
+ "caddy-2.11.2.tar.gz": "ee12f7b5f97308708de5067deebb3d3322fc24f6d54f906a47a0a4e8db799122",
+ "caddy-2.11.2-vendor.tar.gz": "cccbed2afed999aa2eac773968a5d76d1478db44ecb3745df7123b717312a669"
}
}
diff --git a/SPECS/caddy/caddy.spec b/SPECS/caddy/caddy.spec
index 030f76e518..5816f9a7cd 100644
--- a/SPECS/caddy/caddy.spec
+++ b/SPECS/caddy/caddy.spec
@@ -2,8 +2,8 @@
Summary: Web server with automatic HTTPS
Name: caddy
-Version: 2.9.1
-Release: 20%{?dist}
+Version: 2.11.2
+Release: 1%{?dist}
Distribution: Edge Microvisor Toolkit
Vendor: Intel Corporation
# main source code is Apache-2.0
@@ -27,16 +27,8 @@ Source31: poweredby-black.png
# downstream only patch to disable commands that can alter the binary
Patch1: 0001-Disable-commands-that-can-alter-the-binary.patch
-Patch2: CVE-2025-22869.patch
-Patch3: CVE-2024-45339.patch
-Patch4: CVE-2025-22872.patch
-Patch5: CVE-2025-58181.patch
-Patch6: CVE-2025-61727.patch
-Patch7: CVE-2025-61729.patch
-Patch8: CVE-2025-47913.patch
-Patch9: CVE-2025-47914.patch
-Patch10: CVE-2025-58190.patch
-Patch11: CVE-2025-47911.patch
+Patch2: CVE-2025-61727.patch
+Patch3: CVE-2025-61729.patch
# https://github.com/caddyserver/caddy/commit/2028da4e74cd41f0f7f94222c6599da1a371d4b8
BuildRequires: golang >= 1.25.5
# dario.cat/mergo : BSD-3-Clause
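Review bot: The Patch2–Patch11 lines drop eight CVE backports (CVE-2025-22869, CVE-2024-45339, CVE-2025-22872, CVE-2025-58181, CVE-2025-47913, CVE-2025-47914, CVE-2025-58190, CVE-2025-47911) and keep only the CVE-2025-61727/61729 patches, but nothing in the hunk records why the dropped ones are no longer needed; the reader has to infer that the 2.11.2 vendor tarball carries fixed golang.org/x/net and golang.org/x/crypto versions. A one-line comment above the retained patches would make that verifiable, e.g. `# x/net and x/crypto CVE backports from 2.9.1 dropped: presumed fixed by the module versions vendored in caddy-2.11.2-vendor.tar.gz`. The `%prep` section that applies these patches is outside the hunk; if it uses numbered `%patch` macros rather than `%autosetup`, the renumbering from Patch6/Patch7 to Patch2/Patch3 must be mirrored there or the build will reference patches that no longer exist.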
@@ -459,6 +451,9 @@ fi
%{_datadir}/fish/vendor_completions.d/caddy.fish
%changelog
+* Fri Mar 20 2026 Shalini Singhal - 2.11.2-1
+- Version upgrade from 2.9.1 to 2.11.2.
+
* Fri Feb 13 2026 Rajesh Shanmugam - 2.9.1-20
- Add patch for CVE-2025-47911 and CVE-2025-58190
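Review bot: The new 2.11.2-1 changelog entry says only "Version upgrade from 2.9.1 to 2.11.2." and does not mention that the CVE-2025-22869, CVE-2024-45339, CVE-2025-22872, CVE-2025-58181, CVE-2025-47913, CVE-2025-47914, CVE-2025-58190 and CVE-2025-47911 patch files were removed in the same change. Distribution CVE tracking commonly keys off changelog text, so a bump that silently drops CVE references can read as a regression. Add a line such as `- Drop CVE-2025-22869, CVE-2024-45339, CVE-2025-22872, CVE-2025-58181, CVE-2025-47913, CVE-2025-47914, CVE-2025-58190 and CVE-2025-47911 backports, presumed fixed in the modules vendored with 2.11.2; CVE-2025-61727 and CVE-2025-61729 patches retained.` so the state of each fix is recorded where the tooling looks for it.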
diff --git a/SPECS/cert-manager/CVE-2024-45338.patch b/SPECS/cert-manager/CVE-2024-45338.patch
deleted file mode 100644
index ead0b39789..0000000000
--- a/SPECS/cert-manager/CVE-2024-45338.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From bda2595d9dbcd7805b5b78466753b9d1849945d2 Mon Sep 17 00:00:00 2001
-From: Rohit Rawat
-Date: Thu, 2 Jan 2025 10:22:12 +0000
-Subject: [PATCH] Fix CVE CVE-2024-45338 in cert-manager
-
----
- cmd/ctl/vendor/golang.org/x/net/html/doctype.go | 2 +-
- cmd/ctl/vendor/golang.org/x/net/html/foreign.go | 3 +--
- cmd/ctl/vendor/golang.org/x/net/html/parse.go | 4 ++--
- 3 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
-index c484e5a..bca3ae9 100644
---- a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
-+++ b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
-@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
- }
- }
- if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
-+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
- quirks = true
- }
- }
-diff --git a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
-index 9da9e9d..e8515d8 100644
---- a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
-+++ b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
-@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
- if n.Data == "annotation-xml" {
- for _, a := range n.Attr {
- if a.Key == "encoding" {
-- val := strings.ToLower(a.Val)
-- if val == "text/html" || val == "application/xhtml+xml" {
-+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
- return true
- }
- }
-diff --git a/cmd/ctl/vendor/golang.org/x/net/html/parse.go b/cmd/ctl/vendor/golang.org/x/net/html/parse.go
-index 46a89ed..5b8374b 100644
---- a/cmd/ctl/vendor/golang.org/x/net/html/parse.go
-+++ b/cmd/ctl/vendor/golang.org/x/net/html/parse.go
-@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
- if p.tok.DataAtom == a.Input {
- for _, t := range p.tok.Attr {
- if t.Key == "type" {
-- if strings.ToLower(t.Val) == "hidden" {
-+ if strings.EqualFold(t.Val, "hidden") {
- // Skip setting framesetOK = false
- return true
- }
-@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
- return inHeadIM(p)
- case a.Input:
- for _, t := range p.tok.Attr {
-- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
-+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
- p.addElement()
- p.oe.pop()
- return true
---
-2.39.4
-
diff --git a/SPECS/cert-manager/CVE-2025-22868.patch b/SPECS/cert-manager/CVE-2025-22868.patch
deleted file mode 100644
index 895a0dba84..0000000000
--- a/SPECS/cert-manager/CVE-2025-22868.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Thu, 30 Jan 2025 14:10:09 -0500
-Subject: [PATCH] jws: split token into fixed number of parts
-
-Thanks to 'jub0bs' for reporting this issue.
-
-Fixes #71490
-Fixes CVE-2025-22868
-
-Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
-Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
-Auto-Submit: Gopher Robot
-Reviewed-by: Damien Neil
-Reviewed-by: Roland Shoemaker
-LUCI-TryBot-Result: Go LUCI
----
- cmd/controller/vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/cmd/controller/vendor/golang.org/x/oauth2/jws/jws.go b/cmd/controller/vendor/golang.org/x/oauth2/jws/jws.go
-index 95015648b..6f03a49d3 100644
---- a/cmd/controller/vendor/golang.org/x/oauth2/jws/jws.go
-+++ b/cmd/controller/vendor/golang.org/x/oauth2/jws/jws.go
-@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
- // Verify tests whether the provided JWT token's signature was produced by the private key
- // associated with the supplied public key.
- func Verify(token string, key *rsa.PublicKey) error {
-- parts := strings.Split(token, ".")
-- if len(parts) != 3 {
-+ if strings.Count(token, ".") != 2 {
- return errors.New("jws: invalid token received, token must have 3 parts")
- }
-
-+ parts := strings.SplitN(token, ".", 3)
- signedContent := parts[0] + "." + parts[1]
- signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
- if err != nil {
diff --git a/SPECS/cert-manager/CVE-2025-22869.patch b/SPECS/cert-manager/CVE-2025-22869.patch
deleted file mode 100644
index 738a99080e..0000000000
--- a/SPECS/cert-manager/CVE-2025-22869.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 041b89a18f81265899e42e6801f830c101a96120 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Sun, 2 Mar 2025 13:46:00 +0000
-Subject: [PATCH] CVE-2025-22869
-
-Upstream Reference : https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22
-
-ssh: limit the size of the internal packet queue while waiting for KEX
-
-In the SSH protocol, clients and servers execute the key exchange to
-generate one-time session keys used for encryption and authentication.
-The key exchange is performed initially after the connection is
-established and then periodically after a configurable amount of data.
-While a key exchange is in progress, we add the received packets to an
-internal queue until we receive SSH_MSG_KEXINIT from the other side.
-This can result in high memory usage if the other party is slow to
-respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
-malicious client never responds to an SSH_MSG_KEXINIT packet during a
-large file transfer.
-We now limit the internal queue to 64 packets: this means 2MB with the
-typical 32KB packet size.
-When the internal queue is full we block further writes until the
-pending key exchange is completed or there is a read or write error.
-
-Thanks to Yuichi Watanabe for reporting this issue.
-
-Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec
-Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135
-Reviewed-by: Neal Patel
-Auto-Submit: Gopher Robot
-Reviewed-by: Roland Shoemaker
-LUCI-TryBot-Result: Go LUCI
-
----
- cmd/controller/vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
- 1 file changed, 37 insertions(+), 10 deletions(-)
-
-diff --git a/cmd/controller/vendor/golang.org/x/crypto/ssh/handshake.go b/cmd/controller/vendor/golang.org/x/crypto/ssh/handshake.go
-index 70a7369..e14eb6c 100644
---- a/cmd/controller/vendor/golang.org/x/crypto/ssh/handshake.go
-+++ b/cmd/controller/vendor/golang.org/x/crypto/ssh/handshake.go
-@@ -24,6 +24,11 @@ const debugHandshake = false
- // quickly.
- const chanSize = 16
-
-+// maxPendingPackets sets the maximum number of packets to queue while waiting
-+// for KEX to complete. This limits the total pending data to maxPendingPackets
-+// * maxPacket bytes, which is ~16.8MB.
-+const maxPendingPackets = 64
-+
- // keyingTransport is a packet based transport that supports key
- // changes. It need not be thread-safe. It should pass through
- // msgNewKeys in both directions.
-@@ -58,11 +63,19 @@ type handshakeTransport struct {
- incoming chan []byte
- readError error
-
-- mu sync.Mutex
-- writeError error
-- sentInitPacket []byte
-- sentInitMsg *kexInitMsg
-- pendingPackets [][]byte // Used when a key exchange is in progress.
-+ mu sync.Mutex
-+ // Condition for the above mutex. It is used to notify a completed key
-+ // exchange or a write failure. Writes can wait for this condition while a
-+ // key exchange is in progress.
-+ writeCond *sync.Cond
-+ writeError error
-+ sentInitPacket []byte
-+ sentInitMsg *kexInitMsg
-+ // Used to queue writes when a key exchange is in progress. The length is
-+ // limited by pendingPacketsSize. Once full, writes will block until the key
-+ // exchange is completed or an error occurs. If not empty, it is emptied
-+ // all at once when the key exchange is completed in kexLoop.
-+ pendingPackets [][]byte
- writePacketsLeft uint32
- writeBytesLeft int64
-
-@@ -114,6 +127,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
-
- config: config,
- }
-+ t.writeCond = sync.NewCond(&t.mu)
- t.resetReadThresholds()
- t.resetWriteThresholds()
-
-@@ -236,6 +250,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
- defer t.mu.Unlock()
- if t.writeError == nil && err != nil {
- t.writeError = err
-+ t.writeCond.Broadcast()
- }
- }
-
-@@ -339,6 +354,8 @@ write:
- }
- }
- t.pendingPackets = t.pendingPackets[:0]
-+ // Unblock writePacket if waiting for KEX.
-+ t.writeCond.Broadcast()
- t.mu.Unlock()
- }
-
-@@ -526,11 +543,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
- }
-
- if t.sentInitMsg != nil {
-- // Copy the packet so the writer can reuse the buffer.
-- cp := make([]byte, len(p))
-- copy(cp, p)
-- t.pendingPackets = append(t.pendingPackets, cp)
-- return nil
-+ if len(t.pendingPackets) < maxPendingPackets {
-+ // Copy the packet so the writer can reuse the buffer.
-+ cp := make([]byte, len(p))
-+ copy(cp, p)
-+ t.pendingPackets = append(t.pendingPackets, cp)
-+ return nil
-+ }
-+ for t.sentInitMsg != nil {
-+ // Block and wait for KEX to complete or an error.
-+ t.writeCond.Wait()
-+ if t.writeError != nil {
-+ return t.writeError
-+ }
-+ }
- }
-
- if t.writeBytesLeft > 0 {
-@@ -547,6 +573,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
-
- if err := t.pushPacket(p); err != nil {
- t.writeError = err
-+ t.writeCond.Broadcast()
- }
-
- return nil
---
-2.45.2
-
diff --git a/SPECS/cert-manager/CVE-2025-22872.patch b/SPECS/cert-manager/CVE-2025-22872.patch
deleted file mode 100644
index af3845d83b..0000000000
--- a/SPECS/cert-manager/CVE-2025-22872.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 160cea2aabe42233d5840bcdd246e0232bee0035 Mon Sep 17 00:00:00 2001
-From: Kevin Lockwood
-Date: Thu, 8 May 2025 12:53:56 -0700
-Subject: [PATCH] Patch CVE-2025-22872
-
-Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9.patch
----
- cmd/ctl/vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/cmd/ctl/vendor/golang.org/x/net/html/token.go b/cmd/ctl/vendor/golang.org/x/net/html/token.go
-index 3c57880..6598c1f 100644
---- a/cmd/ctl/vendor/golang.org/x/net/html/token.go
-+++ b/cmd/ctl/vendor/golang.org/x/net/html/token.go
-@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
- if raw {
- z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
- }
-- // Look for a self-closing token like "
".
-- if z.err == nil && z.buf[z.raw.end-2] == '/' {
-+ // Look for a self-closing token (e.g.
).
-+ //
-+ // Originally, we did this by just checking that the last character of the
-+ // tag (ignoring the closing bracket) was a solidus (/) character, but this
-+ // is not always accurate.
-+ //
-+ // We need to be careful that we don't misinterpret a non-self-closing tag
-+ // as self-closing, as can happen if the tag contains unquoted attribute
-+ // values (i.e. ).
-+ //
-+ // To avoid this, we check that the last non-bracket character of the tag
-+ // (z.raw.end-2) isn't the same character as the last non-quote character of
-+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
-+ // attributes.
-+ nAttrs := len(z.attr)
-+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
- return SelfClosingTagToken
- }
- return StartTagToken
---
-2.34.1
-
diff --git a/SPECS/cert-manager/CVE-2025-27144.patch b/SPECS/cert-manager/CVE-2025-27144.patch
deleted file mode 100644
index 89e37594d5..0000000000
--- a/SPECS/cert-manager/CVE-2025-27144.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 46c92791edfab05377ba880024389a356d58ea20 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Feb 2025 09:39:10 +0000
-Subject: [PATCH] CVE-2025-27144
-
----
- cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
- cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go
-index 4267ac7..1ba4ae0 100644
---- a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go
-+++ b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jwe.go
-@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
-
- // parseEncryptedCompact parses a message in compact format.
- func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 5 {
-+ // Five parts is four separators
-+ if strings.Count(input, ".") != 4 {
- return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
- }
-+ parts := strings.SplitN(input, ".", 5)
-
- rawProtected, err := base64URLDecode(parts[0])
- if err != nil {
-diff --git a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go
-index e37007d..401fc18 100644
---- a/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go
-+++ b/cmd/controller/vendor/github.com/go-jose/go-jose/v3/jws.go
-@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
-
- // parseSignedCompact parses a message in compact format.
- func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 3 {
-+ // Three parts is two separators
-+ if strings.Count(input, ".") != 2 {
- return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
- }
-+ parts := strings.SplitN(input, ".", 3)
-
- if parts[1] != "" && payload != nil {
- return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
---
-2.45.2
-
diff --git a/SPECS/cert-manager/CVE-2025-30204.patch b/SPECS/cert-manager/CVE-2025-30204.patch
deleted file mode 100644
index cc389d54b3..0000000000
--- a/SPECS/cert-manager/CVE-2025-30204.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 20e897717946a5bb7750e795c245012bddcfa312 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Mar 2025 21:29:08 +0000
-Subject: [PATCH] CVE-2025-30204
-
-Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
----
- github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
- 1 file changed, 33 insertions(+), 3 deletions(-)
-
-diff --git a/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go b/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go
-index 2f61a69..9484f28 100644
---- a/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go
-+++ b/cmd/controller/vendor/github.com/golang-jwt/jwt/v4/parser.go
-@@ -7,6 +7,8 @@ import (
- "strings"
- )
-
-+const tokenDelimiter = "."
-+
- type Parser struct {
- // If populated, only these methods will be considered valid.
- //
-@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- // It's only ever useful in cases where you know the signature is valid (because it has
- // been checked previously in the stack) and you want to extract values from it.
- func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
-- parts = strings.Split(tokenString, ".")
-- if len(parts) != 3 {
-- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
-+ var ok bool
-+ parts, ok = splitToken(tokenString)
-+ if !ok {
-+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
- }
-
- token = &Token{Raw: tokenString}
-@@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
-
- return token, parts, nil
- }
-+
-+// splitToken splits a token string into three parts: header, claims, and signature. It will only
-+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
-+// will return nil parts and false.
-+func splitToken(token string) ([]string, bool) {
-+ parts := make([]string, 3)
-+ header, remain, ok := strings.Cut(token, tokenDelimiter)
-+ if !ok {
-+ return nil, false
-+ }
-+ parts[0] = header
-+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
-+ if !ok {
-+ return nil, false
-+ }
-+ parts[1] = claims
-+ // One more cut to ensure the signature is the last part of the token and there are no more
-+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
-+ // causing unecessary overhead parsing tokens.
-+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
-+ if unexpected {
-+ return nil, false
-+ }
-+ parts[2] = signature
-+
-+ return parts, true
-+}
---
-2.45.2
-
diff --git a/SPECS/cert-manager/CVE-2025-32386.patch b/SPECS/cert-manager/CVE-2025-32386.patch
deleted file mode 100644
index 9f7253f228..0000000000
--- a/SPECS/cert-manager/CVE-2025-32386.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 8374e59e76c401229470d6f3840cdbbdfa1512a8 Mon Sep 17 00:00:00 2001
-From: Kevin Lockwood
-Date: Wed, 21 May 2025 13:29:45 -0700
-Subject: [PATCH] Fix CVE-2025-32387
-
-Upstream Link: https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7.patch
----
- .../helm/v3/pkg/chart/loader/archive.go | 32 ++++++++++++++++++-
- .../helm/v3/pkg/chart/loader/directory.go | 4 +++
- 2 files changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
-index 196e5f8..4cb994c 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
-@@ -33,6 +33,15 @@ import (
- "helm.sh/helm/v3/pkg/chart"
- )
-
-+// MaxDecompressedChartSize is the maximum size of a chart archive that will be
-+// decompressed. This is the decompressed size of all the files.
-+// The default value is 100 MiB.
-+var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
-+
-+// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
-+// The size of the file is the decompressed version of it when it is stored in an archive.
-+var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
-+
- var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
-
- // FileLoader loads a chart from a file
-@@ -119,6 +128,7 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
-
- files := []*BufferedFile{}
- tr := tar.NewReader(unzipped)
-+ remainingSize := MaxDecompressedChartSize
- for {
- b := bytes.NewBuffer(nil)
- hd, err := tr.Next()
-@@ -178,10 +188,30 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
- return nil, errors.New("chart yaml not in base directory")
- }
-
-- if _, err := io.Copy(b, tr); err != nil {
-+ if hd.Size > remainingSize {
-+ return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
-+ }
-+
-+ if hd.Size > MaxDecompressedFileSize {
-+ return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize)
-+ }
-+
-+ limitedReader := io.LimitReader(tr, remainingSize)
-+
-+ bytesWritten, err := io.Copy(b, limitedReader)
-+ if err != nil {
- return nil, err
- }
-
-+ remainingSize -= bytesWritten
-+ // When the bytesWritten are less than the file size it means the limit reader ended
-+ // copying early. Here we report that error. This is important if the last file extracted
-+ // is the one that goes over the limit. It assumes the Size stored in the tar header
-+ // is correct, something many applications do.
-+ if bytesWritten < hd.Size || remainingSize <= 0 {
-+ return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
-+ }
-+
- data := bytes.TrimPrefix(b.Bytes(), utf8bom)
-
- files = append(files, &BufferedFile{Name: n, Data: data})
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
-index 9bcbee6..fd8e02e 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
-@@ -101,6 +101,10 @@ func LoadDir(dir string) (*chart.Chart, error) {
- return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
- }
-
-+ if fi.Size() > MaxDecompressedFileSize {
-+ return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize)
-+ }
-+
- data, err := os.ReadFile(name)
- if err != nil {
- return errors.Wrapf(err, "error reading %s", n)
---
-2.34.1
-
diff --git a/SPECS/cert-manager/cert-manager.signatures.json b/SPECS/cert-manager/cert-manager.signatures.json
deleted file mode 100644
index 01eaffd161..0000000000
--- a/SPECS/cert-manager/cert-manager.signatures.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "Signatures": {
- "cert-manager-1.12.15.tar.gz": "2c556e4c47753a5cd48510297bc5cab2b0943b7de1b3898df598a0ee969c8e72",
- "cert-manager-1.12.15-vendor.tar.gz": "20afae660bffb8a636185aa920c1ada8bd345bae773ebe9e277b490ddc1bad49"
- }
-}
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
deleted file mode 100644
index e49571240c..0000000000
--- a/SPECS/cert-manager/cert-manager.spec
+++ /dev/null
@@ -1,211 +0,0 @@
-Summary: Automatically provision and manage TLS certificates in Kubernetes
-Name: cert-manager
-Version: 1.12.15
-Release: 5%{?dist}
-License: ASL 2.0
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-URL: https://github.com/jetstack/cert-manager
-Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# Below is a manually created tarball, no download link.
-# We're using pre-populated GO dependencies from this tarball, since network is disabled during build time.
-# How to re-build this file:
-# 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
-# 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version}
-Source1: %{name}-%{version}-vendor.tar.gz
-Patch0: CVE-2024-45338.patch
-Patch1: CVE-2025-27144.patch
-Patch2: CVE-2025-22868.patch
-Patch3: CVE-2025-22869.patch
-Patch4: CVE-2025-30204.patch
-Patch5: CVE-2025-32386.patch
-Patch6: CVE-2025-22872.patch
-
-BuildRequires: golang
-Requires: %{name}-acmesolver
-Requires: %{name}-cainjector
-Requires: %{name}-cmctl
-Requires: %{name}-controller
-Requires: %{name}-webhook
-
-%description
-cert-manager is a Kubernetes add-on to automate the management and issuance
-of TLS certificates from various issuing sources.
-
-%package acmesolver
-Summary: cert-manager's acmesolver binary
-
-%description acmesolver
-HTTP server used to solve ACME challenges.
-
-%package cainjector
-Summary: cert-manager's cainjector binary
-
-%description cainjector
-cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into
-webhooks and APIServices from cert-manager certificates.
-
-%package controller
-Summary: cert-manager's controller binary
-
-%description controller
-cert-manager is a Kubernetes addon to automate the management and issuance of
-TLS certificates from various issuing sources.
-
-%package cmctl
-Summary: cert-manager's cmctl binary
-
-%description cmctl
-cmctl is a CLI tool manage and configure cert-manager resources for Kubernetes
-
-%package webhook
-Summary: cert-manager's webhook binary
-
-%description webhook
-Webhook component providing API validation, mutation and conversion functionality for cert-manager.
-
-%prep
-%autosetup -a 1 -p1
-
-%build
-
-LOCAL_BIN_DIR=$(realpath bin)
-go -C cmd/acmesolver build -mod=vendor -o "${LOCAL_BIN_DIR}"/acmesolver main.go
-go -C cmd/controller build -mod=vendor -o "${LOCAL_BIN_DIR}"/controller main.go
-go -C cmd/cainjector build -mod=vendor -o "${LOCAL_BIN_DIR}"/cainjector main.go
-go -C cmd/ctl build -mod=vendor -o "${LOCAL_BIN_DIR}"/cmctl main.go
-go -C cmd/webhook build -mod=vendor -o "${LOCAL_BIN_DIR}"/webhook main.go
-
-%install
-mkdir -p %{buildroot}%{_bindir}
-install -D -m0755 bin/acmesolver %{buildroot}%{_bindir}/
-install -D -m0755 bin/cainjector %{buildroot}%{_bindir}/
-install -D -m0755 bin/controller %{buildroot}%{_bindir}/
-install -D -m0755 bin/cmctl %{buildroot}%{_bindir}/
-install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
-%files
-
-%files acmesolver
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/acmesolver
-
-%files cainjector
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/cainjector
-
-%files controller
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/controller
-
-%files cmctl
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/cmctl
-
-%files webhook
-%license LICENSE LICENSES
-%doc README.md
-%{_bindir}/webhook
-
-%changelog
-* Mon Sep 8 2025 Lee Chee Yang - 1.12.15-5
-- merge from Azure Linux 3.0.20250910-3.0.
-- Patch CVE-2025-32386 (also fixes CVE-2025-32387)
-- Patch CVE-2025-22872
-
-* Fri Apr 28 2025 Ranjan Dutta - 1.12.15-4
-- merge from Azure Linux 3.0.20250423.
-- Patch CVE-2025-30204
-
-* Fri Mar 21 2025 Anuj Mittal - 1.12.15-3
-- Bump Release to rebuild
-
-* Mon Mar 03 2025 Kanishk Bansal - 1.12.15-2
-- Fix CVE-2025-22868, CVE-2025-22869 & CVE-2025-27144 with an upstream patch
-
-* Mon Jan 27 2025 Rohit Rawat - 1.12.15-1
-- Upgrade to 1.12.15 - to fix CVE-2024-12401
-- Remove CVE-2024-45337.patch as it is fixed in 1.12.15
-
-* Tue Dec 31 2024 Rohit Rawat - 1.12.13-3
-- Add patch for CVE-2024-45338
-
-* Wed Jan 08 2025 Muhammad Falak - 1.12.13-2
-- Patch CVE-2024-45337
-
-* Mon Sep 16 2024 Jiri Appl - 1.12.13-1
-- Upgrade to 1.12.13 which carries helm 3.14.2 to fix CVE-2024-26147 and CVE-2024-25620
-
-* Wed Aug 07 2024 Bhagyashri Pathak - 1.12.12-2
-- Patch for CVE-2024-25620
-
-* Wed Jul 10 2024 Tobias Brick - 1.12.12-1
-- Upgrade to 1.12.12 to fix CVE-2024-26147 and CVE-2023-45142
-
-* Wed May 29 2024 Neha Agarwal - 1.11.2-8
-- Bump release to build with new helm to fix CVE-2024-25620
-
-* Wed May 22 2024 Neha Agarwal - 1.11.2-7
-- Bump release to build with new helm to fix CVE-2024-26147
-
-* Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.11.2-6
-- Bump release to rebuild with go 1.20.10
-
-* Tue Oct 10 2023 Dan Streetman - 1.11.2-5
-- Bump release to rebuild with updated version of Go.
-
-* Mon Aug 07 2023 CBL-Mariner Servicing Account - 1.11.2-4
-- Bump release to rebuild with go 1.19.12
-
-* Thu Jul 13 2023 CBL-Mariner Servicing Account - 1.11.2-3
-- Bump release to rebuild with go 1.19.11
-
-* Thu Jun 15 2023 CBL-Mariner Servicing Account - 1.11.2-2
-- Bump release to rebuild with go 1.19.10
-
-* Mon May 15 2023 Aditya Dubey - 1.11.0-1
-- Upgrade to v1.11.2
-- Removed patch for CVE-2023-25165
-- This version uses helm v3.11.1, which fixes CVE-2023-25165 and thus we do not need the patch file anymore
-
-* Wed Apr 05 2023 CBL-Mariner Servicing Account - 1.7.3-10
-- Bump release to rebuild with go 1.19.8
-
-* Wed Mar 29 2023 CBL-Mariner Servicing Account - 1.7.3-9
-- Add patch for CVE-2023-25165
-
-* Tue Mar 28 2023 CBL-Mariner Servicing Account - 1.7.3-8
-- Bump release to rebuild with go 1.19.7
-
-* Wed Mar 15 2023 CBL-Mariner Servicing Account - 1.7.3-7
-- Bump release to rebuild with go 1.19.6
-
-* Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.7.3-6
-- Bump release to rebuild with go 1.19.5
-
-* Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.7.3-5
-- Bump release to rebuild with go 1.19.4
-
-* Fri Dec 16 2022 Daniel McIlvaney - 1.7.3-4
-- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717
-
-* Tue Nov 01 2022 Olivia Crain - 1.7.3-3
-- Bump release to rebuild with go 1.18.8
-
-* Mon Aug 22 2022 Olivia Crain - 1.7.3-2
-- Bump release to rebuild against Go 1.18.5
-
-* Fri Aug 05 2022 Chris Gunn - 1.7.3-1
-- Update to v1.7.3
-- Split binaries into separate packages.
-
-* Tue Jun 14 2022 Muhammad Falak - 1.5.3-2
-- Add a hard BR on golang <= 1.17.10
-- Bump release to rebuild with golang 1.17.10
-
-* Fri Sep 10 2021 Henry Li - 1.5.3-1
-- Original version for CBL-Mariner
-- License Verified
diff --git a/SPECS/cert-manager/generate_source_tarball.sh b/SPECS/cert-manager/generate_source_tarball.sh
deleted file mode 100755
index 993e831002..0000000000
--- a/SPECS/cert-manager/generate_source_tarball.sh
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/bash
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-# Quit on failure
-set -e
-
-PKG_VERSION=""
-SRC_TARBALL=""
-OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# parameters:
-#
-# --srcTarball : src tarball file
-# this file contains the 'initial' source code of the component
-# and should be replaced with the new/modified src code
-# --outFolder : folder where to copy the new tarball(s)
-# --pkgVersion : package version
-#
-PARAMS=""
-while (( "$#" )); do
- case "$1" in
- --srcTarball)
- if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
- SRC_TARBALL=$2
- shift 2
- else
- echo "Error: Argument for $1 is missing" >&2
- exit 1
- fi
- ;;
- --outFolder)
- if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
- OUT_FOLDER=$2
- shift 2
- else
- echo "Error: Argument for $1 is missing" >&2
- exit 1
- fi
- ;;
- --pkgVersion)
- if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
- PKG_VERSION=$2
- shift 2
- else
- echo "Error: Argument for $1 is missing" >&2
- exit 1
- fi
- ;;
- -*|--*=) # unsupported flags
- echo "Error: Unsupported flag $1" >&2
- exit 1
- ;;
- *) # preserve positional arguments
- PARAMS="${PARAMS} $1"
- shift
- ;;
- esac
-done
-
-echo "--srcTarball -> ${SRC_TARBALL}"
-echo "--outFolder -> ${OUT_FOLDER}"
-echo "--pkgVersion -> ${PKG_VERSION}"
-
-if [ -z "${SRC_TARBALL}" ]; then
- echo "--srcTarball parameter cannot be empty"
- exit 1
-fi
-
-SRC_TARBALL=$(realpath "${SRC_TARBALL}")
-
-if [ -z "${PKG_VERSION}" ]; then
- echo "--pkgVersion parameter cannot be empty"
- exit 1
-fi
-
-echo "-- create temp folder"
-tmpdir=$(mktemp -d)
-function cleanup {
- echo "+++ cleanup -> remove ${tmpdir}"
- rm -rf ${tmpdir}
-}
-trap cleanup EXIT
-
-pushd "${tmpdir}" > /dev/null
-
-echo "Unpacking source tarball..."
-tar -xf "${SRC_TARBALL}"
-
-cd "cert-manager-${PKG_VERSION}"
-
-# We need to individually vendor each cmd we will build
-vendor_directories=()
-
-echo "Get vendored modules for each command"
-for dir in cmd/*; do
- if [ -d "${dir}" ]; then
- echo "Vendoring '${dir}'"
- pushd "${dir}" > /dev/null
- go mod vendor
- vendor_directories+=("${dir}/vendor")
- popd > /dev/null
- fi
-done
-
-echo "Tar vendored modules"
-VENDOR_TARBALL="${OUT_FOLDER}/cert-manager-${PKG_VERSION}-vendor.tar.gz"
-tar --sort=name \
- --mtime="2021-04-26 00:00Z" \
- --owner=0 --group=0 --numeric-owner \
- --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
- -cf "${VENDOR_TARBALL}" ${vendor_directories[@]}
-
-popd > /dev/null
-echo "cert-manager vendored modules are available at ${VENDOR_TARBALL}"
diff --git a/SPECS/cf-cli/CVE-2025-47911.patch b/SPECS/cf-cli/CVE-2025-47911.patch
new file mode 100644
index 0000000000..68e2315387
--- /dev/null
+++ b/SPECS/cf-cli/CVE-2025-47911.patch
@@ -0,0 +1,100 @@
+From b5b92bc4e653d8670c03b4d0179c4ac29340ddb1 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go | 2 +-
+ vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index 04c6bec..12f2273 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ case '\r':
+ esc = "
"
+ default:
+- panic("unrecognized escape character")
++ panic("html: unrecognized escape character")
+ }
+ s = s[i+1:]
+ if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 979ef17..4d12a1c 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ }
+
+ if n.Type == ElementNode {
+- p.oe = append(p.oe, n)
++ p.insertOpenElement(n)
++ }
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++ p.oe = append(p.oe, n)
++ if len(p.oe) > 512 {
++ panic("html: open stack of elements exceeds 512 nodes")
+ }
+ }
+
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ p.im = inFramesetIM
+ return true
+ case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+- p.oe = append(p.oe, p.head)
++ p.insertOpenElement(p.head)
+ defer p.oe.remove(p.head)
+ return inHeadIM(p)
+ case a.Head:
+@@ -2320,9 +2327,13 @@ func (p *parser) parseCurrentToken() {
+ }
+ }
+
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++ defer func() {
++ if panicErr := recover(); panicErr != nil {
++ err = fmt.Errorf("%s", panicErr)
++ }
++ }()
+ // Iterate until EOF. Any other error will cause an early return.
+- var err error
+ for err != io.EOF {
+ // CDATA sections are allowed only in foreign content.
+ n := p.oe.top()
+@@ -2351,6 +2362,8 @@ func (p *parser) parse() error {
+ // s. Conversely, explicit s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ return ParseWithOptions(r)
+--
+2.45.4
+
diff --git a/SPECS/cf-cli/CVE-2025-58190.patch b/SPECS/cf-cli/CVE-2025-58190.patch
new file mode 100644
index 0000000000..6100b35874
--- /dev/null
+++ b/SPECS/cf-cli/CVE-2025-58190.patch
@@ -0,0 +1,126 @@
+From f01dfb86be3c18a5a22779a859214884cd77ae04 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 29 Sep 2025 19:38:24 -0700
+Subject: [PATCH] html: align in row insertion mode with spec
+
+Update inRowIM to match the HTML specification. This fixes an issue
+where a specific HTML document could cause the parser to enter an
+infinite loop when trying to parse a and implied next to
+each other.
+
+Fixes CVE-2025-58190
+Fixes golang/go#70179
+
+Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709875
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Damien Neil
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009.patch
+---
+ vendor/golang.org/x/net/html/parse.go | 36 ++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 5b8374b..979ef17 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
+ return -1
+ }
+ default:
+- panic("unreachable")
++ panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
+ }
+ }
+ switch s {
+@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
+ return
+ }
+ default:
+- panic("unreachable")
++ panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
+ }
+ }
+ }
+@@ -1674,7 +1674,7 @@ func inTableBodyIM(p *parser) bool {
+ return inTableIM(p)
+ }
+
+-// Section 12.2.6.4.14.
++// Section 13.2.6.4.14.
+ func inRowIM(p *parser) bool {
+ switch p.tok.Type {
+ case StartTagToken:
+@@ -1686,7 +1686,9 @@ func inRowIM(p *parser) bool {
+ p.im = inCellIM
+ return true
+ case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return false
+ }
+@@ -1696,22 +1698,28 @@ func inRowIM(p *parser) bool {
+ case EndTagToken:
+ switch p.tok.DataAtom {
+ case a.Tr:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return true
+ }
+ // Ignore the token.
+ return true
+ case a.Table:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return false
+ }
+ // Ignore the token.
+ return true
+ case a.Tbody, a.Tfoot, a.Thead:
+- if p.elementInScope(tableScope, p.tok.DataAtom) {
+- p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
++ if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
++ p.im = inTableBodyIM
+ return false
+ }
+ // Ignore the token.
+@@ -2218,16 +2226,20 @@ func parseForeignContent(p *parser) bool {
+ p.acknowledgeSelfClosingTag()
+ }
+ case EndTagToken:
++ if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
++ p.oe = p.oe[:len(p.oe)-1]
++ return true
++ }
+ for i := len(p.oe) - 1; i >= 0; i-- {
+- if p.oe[i].Namespace == "" {
+- return p.im(p)
+- }
+ if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
+ p.oe = p.oe[:i]
++ return true
++ }
++ if i > 0 && p.oe[i-1].Namespace == "" {
+ break
+ }
+ }
+- return true
++ return p.im(p)
+ default:
+ // Ignore the token.
+ }
+--
+2.45.4
+
diff --git a/SPECS/cf-cli/cf-cli.spec b/SPECS/cf-cli/cf-cli.spec
index 1a9dca2739..2ba7ba0633 100644
--- a/SPECS/cf-cli/cf-cli.spec
+++ b/SPECS/cf-cli/cf-cli.spec
@@ -5,7 +5,7 @@ Summary: The official command line client for Cloud Foundry.
Name: cf-cli
# Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA
Version: 8.7.11
-Release: 5%{?dist}
+Release: 6%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -36,6 +36,8 @@ Patch0: CVE-2024-45337.patch
Patch1: CVE-2024-45338.patch
Patch2: CVE-2025-22869.patch
Patch3: CVE-2025-22872.patch
+Patch4: CVE-2025-47911.patch
+Patch5: CVE-2025-58190.patch
BuildRequires: golang < 1.25
%global debug_package %{nil}
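Review bot: Patch4 and Patch5 are listed in the reverse of their upstream order: the parse.go blob that CVE-2025-58190.patch produces (`index 5b8374b..979ef17`) is the pre-image that CVE-2025-47911.patch expects (`index 979ef17..4d12a1c`), so with this ordering the 47911 hunks for parse.go land at a line offset. Since the two patches touch disjoint regions of parse.go, `%autosetup -p1` will most likely still apply them, but swapping the two lines to `Patch4: CVE-2025-58190.patch` / `Patch5: CVE-2025-47911.patch` keeps the backport offset-free and matches upstream history. Both patches modify files under vendor/golang.org/x/net/html that are only present after SOURCE1 is unpacked, so the `%autosetup -p1 -n cli-%{version} -a1` form in the next hunk must keep extracting the vendor tarball before patching (it does); a comment above Patch0 such as `# The CVE patches below target the vendored x/net tree unpacked from SOURCE1 (-a1)` would make that dependency explicit for the next maintainer.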
@@ -45,9 +47,7 @@ BuildRequires: golang < 1.25
The official command line client for Cloud Foundry.
%prep
-%setup -q -n cli-%{version}
-tar --no-same-owner -xf %{SOURCE1}
-%autopatch -p1
+%autosetup -p1 -n cli-%{version} -a1
%build
export GOPATH=%{our_gopath}
@@ -64,11 +64,15 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
%files
%defattr(-,root,root)
-%license LICENSE
-%doc NOTICE README.md
+%license LICENSE NOTICE
+%doc README.md
%{_bindir}/cf
%changelog
+* Mon Mar 16 2026 Lee Chee Yang - 8.7.11-6
+- merge from Azure Linux 3.0.20260304-3.0
+- Patch for CVE-2025-47911, CVE-2025-58190
+
* Fri Oct 3 2025 Lee Chee Yang - 8.7.11-5
- merge from Azure Linux 3.0.20250910-3.0
- Set BR for golang to < 1.25
diff --git a/SPECS/cni-plugins/CVE-2024-45338.patch b/SPECS/cni-plugins/CVE-2024-45338.patch
deleted file mode 100644
index c2fb46031c..0000000000
--- a/SPECS/cni-plugins/CVE-2024-45338.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker
-Date: Wed, 04 Dec 2024 09:35:55 -0800
-Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
-
-Instead of using strings.ToLower and == to check case insensitive
-equality, just use strings.EqualFold, even when the strings are only
-ASCII. This prevents us unnecessarily lowering extremely long strings,
-which can be a somewhat expensive operation, even if we're only
-attempting to compare equality with five characters.
-
-Thanks to Guido Vranken for reporting this issue.
-
-Fixes golang/go#70906
-Fixes CVE-2024-45338
-
-Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
-Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
-LUCI-TryBot-Result: Go LUCI
-Auto-Submit: Gopher Robot
-Reviewed-by: Roland Shoemaker
-Reviewed-by: Tatiana Bradley
----
- vendor/golang.org/x/net/html/doctype.go | 2 +-
- vendor/golang.org/x/net/html/foreign.go | 3 +--
- vendor/golang.org/x/net/html/parse.go | 4 ++--
- 3 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
-index c484e5a..bca3ae9 100644
---- a/vendor/golang.org/x/net/html/doctype.go
-+++ b/vendor/golang.org/x/net/html/doctype.go
-@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
- }
- }
- if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
-+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
- quirks = true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
-index 9da9e9d..e8515d8 100644
---- a/vendor/golang.org/x/net/html/foreign.go
-+++ b/vendor/golang.org/x/net/html/foreign.go
-@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
- if n.Data == "annotation-xml" {
- for _, a := range n.Attr {
- if a.Key == "encoding" {
-- val := strings.ToLower(a.Val)
-- if val == "text/html" || val == "application/xhtml+xml" {
-+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
- return true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
-index 038941d..cb012d8 100644
---- a/vendor/golang.org/x/net/html/parse.go
-+++ b/vendor/golang.org/x/net/html/parse.go
-@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
- if p.tok.DataAtom == a.Input {
- for _, t := range p.tok.Attr {
- if t.Key == "type" {
-- if strings.ToLower(t.Val) == "hidden" {
-+ if strings.EqualFold(t.Val, "hidden") {
- // Skip setting framesetOK = false
- return true
- }
-@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
- return inHeadIM(p)
- case a.Input:
- for _, t := range p.tok.Attr {
-- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
-+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
- p.addElement()
- p.oe.pop()
- return true
---
-2.25.1
-
diff --git a/SPECS/cni-plugins/CVE-2025-22872.patch b/SPECS/cni-plugins/CVE-2025-22872.patch
deleted file mode 100644
index 2d63a81790..0000000000
--- a/SPECS/cni-plugins/CVE-2025-22872.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1c0308205a333d387cf0ad2ddd9e7bec8d5f21b2 Mon Sep 17 00:00:00 2001
-From: Sreenivasulu Malavathula
-Date: Mon, 28 Apr 2025 17:40:01 -0500
-Subject: [PATCH] Address CVE-2025-22872
-Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
-
----
- vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
-index de67f93..9bbdf7d 100644
---- a/vendor/golang.org/x/net/html/token.go
-+++ b/vendor/golang.org/x/net/html/token.go
-@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
- if raw {
- z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
- }
-- // Look for a self-closing token like "
".
-- if z.err == nil && z.buf[z.raw.end-2] == '/' {
-+ // Look for a self-closing token (e.g.
).
-+ //
-+ // Originally, we did this by just checking that the last character of the
-+ // tag (ignoring the closing bracket) was a solidus (/) character, but this
-+ // is not always accurate.
-+ //
-+ // We need to be careful that we don't misinterpret a non-self-closing tag
-+ // as self-closing, as can happen if the tag contains unquoted attribute
-+ // values (i.e. ).
-+ //
-+ // To avoid this, we check that the last non-bracket character of the tag
-+ // (z.raw.end-2) isn't the same character as the last non-quote character of
-+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
-+ // attributes.
-+ nAttrs := len(z.attr)
-+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
- return SelfClosingTagToken
- }
- return StartTagToken
---
-2.45.2
-
diff --git a/SPECS/cni-plugins/cni-plugins.signatures.json b/SPECS/cni-plugins/cni-plugins.signatures.json
deleted file mode 100644
index 7d28f002cb..0000000000
--- a/SPECS/cni-plugins/cni-plugins.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
- "cni-plugins-1.4.0.tar.gz": "890e00a8ffc71c860e4f09ab4e1c452d85ec18cc4ac8ee3da11bbfc113355f5e"
- }
-}
diff --git a/SPECS/cni-plugins/cni-plugins.spec b/SPECS/cni-plugins/cni-plugins.spec
deleted file mode 100644
index 69de7da7ff..0000000000
--- a/SPECS/cni-plugins/cni-plugins.spec
+++ /dev/null
@@ -1,136 +0,0 @@
-Summary: Container Network Interface (CNI) plugins
-Name: cni-plugins
-Version: 1.4.0
-Release: 4%{?dist}
-License: ASL 2.0
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-Group: Development/Tools
-# cni moved to https://github.com/containernetworking/cni/issues/667#issuecomment-491693752
-URL: https://github.com/containernetworking/plugins
-#Source0: https://github.com/containernetworking/plugins/archive/v%{version}.tar.gz
-Source0: %{name}-%{version}.tar.gz
-Patch0: CVE-2024-45338.patch
-Patch1: CVE-2025-22872.patch
-
-%define _default_cni_plugins_dir /opt/cni/bin
-BuildRequires: golang >= 1.5
-Provides: kubernetes-cni
-
-%description
-The CNI (Container Network Interface) project consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins.
-
-%prep
-%autosetup -p1 -n plugins-%{version}
-
-%build
-./build_linux.sh -ldflags "-X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=v%{version}"
-
-%install
-install -vdm 755 %{buildroot}%{_default_cni_plugins_dir}
-install -vpm 0755 -t %{buildroot}%{_default_cni_plugins_dir} bin/*
-
-%check
-make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
-
-%post
-%postun
-
-%files
-%defattr(-,root,root)
-%license LICENSE
-%{_default_cni_plugins_dir}/*
-
-%changelog
-* Fri May 30 2025 Ranjan Dutta - 1.4.0-4
-- merge from Azure Linux 3.0.20250521-3.0
-- Patch CVE-2025-22872
-
-* Fri Mar 21 2025 Anuj Mittal - 1.4.0-3
-- Bump Release to rebuild
-
-* Thu Jan 23 2024 Kavya Sree Kaitepalli - 1.4.0-2
-- Patch CVE-2024-45338
-
-* Mon Feb 12 2024 Betty Lakes - 1.4.0-1
-- Upgrade to version 1.4.0
-
-* Wed Oct 18 2023 Mateusz Gozdek - 1.3.0-1
-- Make plugin binaries correctly print version
-- Upgrade to version 1.3.0
-
-* Mon Oct 16 2023 CBL-Mariner Servicing Account - 0.9.1-16
-- Bump release to rebuild with go 1.20.10
-
-* Tue Oct 10 2023 Dan Streetman - 0.9.1-15
-- Bump release to rebuild with updated version of Go.
-
-* Mon Aug 07 2023 CBL-Mariner Servicing Account - 0.9.1-14
-- Bump release to rebuild with go 1.19.12
-
-* Thu Jul 13 2023 CBL-Mariner Servicing Account - 0.9.1-13
-- Bump release to rebuild with go 1.19.11
-
-* Thu Jun 15 2023 CBL-Mariner Servicing Account - 0.9.1-12
-- Bump release to rebuild with go 1.19.10
-
-* Mon May 22 2023 Betty Lakes - 0.9.1-11
-- Added Provides for kubernetes-cni
-
-* Wed Apr 05 2023 CBL-Mariner Servicing Account - 0.9.1-10
-- Bump release to rebuild with go 1.19.8
-
-* Tue Mar 28 2023 CBL-Mariner Servicing Account - 0.9.1-9
-- Bump release to rebuild with go 1.19.7
-
-* Wed Mar 15 2023 CBL-Mariner Servicing Account - 0.9.1-8
-- Bump release to rebuild with go 1.19.6
-
-* Fri Feb 03 2023 CBL-Mariner Servicing Account - 0.9.1-7
-- Bump release to rebuild with go 1.19.5
-
-* Wed Jan 18 2023 CBL-Mariner Servicing Account - 0.9.1-6
-- Bump release to rebuild with go 1.19.4
-
-* Fri Dec 16 2022 Daniel McIlvaney - 0.9.1-5
-- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717
-
-* Tue Nov 01 2022 Olivia Crain - 0.9.1-4
-- Bump release to rebuild with go 1.18.8
-
-* Mon Aug 22 2022 Olivia Crain - 0.9.1-3
-- Bump release to rebuild against Go 1.18.5
-
-* Tue Jun 14 2022 Muhammad Falak - 0.9.1-2
-- Bump release to rebuild with golang 1.18.3
-
-* Tue Aug 17 2021 Henry Li - 0.8.1-1
-- Rename package name from cni to cni-plugins
-- Upgrade to version 0.9.1
-
-* Thu Dec 10 2020 Andrew Phelps 0.7.5-5
-- Increment release to force republishing using golang 1.15.
-
-* Sat May 09 2020 Nick Samson 0.7.5-4
-- Added %%license line automatically
-
-* Thu Apr 30 2020 Emre Girgin 0.7.5-3
-- Renaming go to golang
-
-* Tue Mar 07 2020 Paul Monson 0.7.5-3
-- Fix Source0. License verified.
-
-* Tue Sep 03 2019 Mateusz Malisz 0.7.5-2
-- Initial CBL-Mariner import from Photon (license: Apache2).
-
-* Tue Apr 02 2019 Ashwin H 0.7.5-1
-- Update cni to v0.7.5
-
-* Tue Dec 05 2017 Vinay Kulkarni 0.6.0-1
-- cni v0.6.0.
-
-* Fri Apr 7 2017 Alexey Makhalov 0.5.1-1
-- Version update
-
-* Thu Feb 16 2017 Vinay Kulkarni 0.4.0-1
-- Add CNI plugins package to PhotonOS.
diff --git a/SPECS/cni/99-loopback.conf b/SPECS/cni/99-loopback.conf
deleted file mode 100644
index 9e0b1aba98..0000000000
--- a/SPECS/cni/99-loopback.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "cniVersion": "0.4.0",
- "type": "loopback"
-}
diff --git a/SPECS/cni/CVE-2021-38561.patch b/SPECS/cni/CVE-2021-38561.patch
deleted file mode 100644
index 135acb405a..0000000000
--- a/SPECS/cni/CVE-2021-38561.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From 383b2e75a7a4198c42f8f87833eefb772868a56f Mon Sep 17 00:00:00 2001
-From: Russ Cox
-Date: Mon, 9 Aug 2021 15:09:12 -0400
-Subject: [PATCH] language: turn parsing panics into ErrSyntax
-
-We keep finding new panics in the language parser.
-Limit the damage by reporting those inputs as syntax errors.
-
-Change-Id: I786fe127c3df7e4c8e042d15095d3acf3c4e4a50
-Reviewed-on: https://go-review.googlesource.com/c/text/+/340830
-Trust: Russ Cox
-Run-TryBot: Russ Cox
-TryBot-Result: Go Bot
-Reviewed-by: Roland Shoemaker
----
- internal/language/language.go | 43 +++++++++++++++++++++++++++++++----
- internal/language/parse.go | 7 ++++++
- language/parse.go | 22 ++++++++++++++++++
- 3 files changed, 68 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/golang.org/x/text/internal/language/language.go b/vendor/golang.org/x/text/internal/language/language.go
-index f41aedc..6105bc7 100644
---- a/vendor/golang.org/x/text/internal/language/language.go
-+++ b/vendor/golang.org/x/text/internal/language/language.go
-@@ -251,6 +251,13 @@ func (t Tag) Parent() Tag {
-
- // ParseExtension parses s as an extension and returns it on success.
- func ParseExtension(s string) (ext string, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ ext = ""
-+ err = ErrSyntax
-+ }
-+ }()
-+
- scan := makeScannerString(s)
- var end int
- if n := len(scan.token); n != 1 {
-@@ -461,7 +468,14 @@ func (t Tag) findTypeForKey(key string) (start, sep, end int, hasExt bool) {
- // ParseBase parses a 2- or 3-letter ISO 639 code.
- // It returns a ValueError if s is a well-formed but unknown language identifier
- // or another error if another error occurred.
--func ParseBase(s string) (Language, error) {
-+func ParseBase(s string) (l Language, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ l = 0
-+ err = ErrSyntax
-+ }
-+ }()
-+
- if n := len(s); n < 2 || 3 < n {
- return 0, ErrSyntax
- }
-@@ -472,7 +486,14 @@ func ParseBase(s string) (Language, error) {
- // ParseScript parses a 4-letter ISO 15924 code.
- // It returns a ValueError if s is a well-formed but unknown script identifier
- // or another error if another error occurred.
--func ParseScript(s string) (Script, error) {
-+func ParseScript(s string) (scr Script, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ scr = 0
-+ err = ErrSyntax
-+ }
-+ }()
-+
- if len(s) != 4 {
- return 0, ErrSyntax
- }
-@@ -489,7 +510,14 @@ func EncodeM49(r int) (Region, error) {
- // ParseRegion parses a 2- or 3-letter ISO 3166-1 or a UN M.49 code.
- // It returns a ValueError if s is a well-formed but unknown region identifier
- // or another error if another error occurred.
--func ParseRegion(s string) (Region, error) {
-+func ParseRegion(s string) (r Region, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ r = 0
-+ err = ErrSyntax
-+ }
-+ }()
-+
- if n := len(s); n < 2 || 3 < n {
- return 0, ErrSyntax
- }
-@@ -578,7 +606,14 @@ type Variant struct {
-
- // ParseVariant parses and returns a Variant. An error is returned if s is not
- // a valid variant.
--func ParseVariant(s string) (Variant, error) {
-+func ParseVariant(s string) (v Variant, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ v = Variant{}
-+ err = ErrSyntax
-+ }
-+ }()
-+
- s = strings.ToLower(s)
- if id, ok := variantIndex[s]; ok {
- return Variant{id, s}, nil
-diff --git a/vendor/golang.org/x/text/internal/language/parse.go b/vendor/golang.org/x/text/internal/language/parse.go
-index c696fd0..47ee0fe 100644
---- a/vendor/golang.org/x/text/internal/language/parse.go
-+++ b/vendor/golang.org/x/text/internal/language/parse.go
-@@ -232,6 +232,13 @@ func Parse(s string) (t Tag, err error) {
- if s == "" {
- return Und, ErrSyntax
- }
-+ defer func() {
-+ if recover() != nil {
-+ t = Und
-+ err = ErrSyntax
-+ return
-+ }
-+ }()
- if len(s) <= maxAltTaglen {
- b := [maxAltTaglen]byte{}
- for i, c := range s {
-diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
-index 11acfd8..59b0410 100644
---- a/vendor/golang.org/x/text/language/parse.go
-+++ b/vendor/golang.org/x/text/language/parse.go
-@@ -43,6 +43,13 @@ func Parse(s string) (t Tag, err error) {
- // https://www.unicode.org/reports/tr35/#Unicode_Language_and_Locale_Identifiers.
- // The resulting tag is canonicalized using the canonicalization type c.
- func (c CanonType) Parse(s string) (t Tag, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ t = Tag{}
-+ err = language.ErrSyntax
-+ }
-+ }()
-+
- tt, err := language.Parse(s)
- if err != nil {
- return makeTag(tt), err
-@@ -79,6 +86,13 @@ func Compose(part ...interface{}) (t Tag, err error) {
- // tag is returned after canonicalizing using CanonType c. If one or more errors
- // are encountered, one of the errors is returned.
- func (c CanonType) Compose(part ...interface{}) (t Tag, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ t = Tag{}
-+ err = language.ErrSyntax
-+ }
-+ }()
-+
- var b language.Builder
- if err = update(&b, part...); err != nil {
- return und, err
-@@ -142,6 +156,14 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
- // Tags with a weight of zero will be dropped. An error will be returned if the
- // input could not be parsed.
- func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
-+ defer func() {
-+ if recover() != nil {
-+ tag = nil
-+ q = nil
-+ err = language.ErrSyntax
-+ }
-+ }()
-+
- var entry string
- for s != "" {
- if entry, s = split(s, ','); entry == "" {
---
-2.34.1
-
diff --git a/SPECS/cni/CVE-2022-29526.patch b/SPECS/cni/CVE-2022-29526.patch
deleted file mode 100644
index dfba477696..0000000000
--- a/SPECS/cni/CVE-2022-29526.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From e13d51dae376f08ea381869af4880ca312111086 Mon Sep 17 00:00:00 2001
-From: Damien Neil
-Date: Tue, 12 Apr 2022 13:38:17 -0700
-Subject: [PATCH] [release-branch.go1.17] syscall: check correct group in
- Faccessat
-
-The Faccessat call checks the user, group, or other permission bits of a
-file to see if the calling process can access it. The test to see if the
-group permissions should be used was made with the wrong group id, using
-the process's group id rather than the file's group id. Fix this to use
-the correct group id.
-
-No test since we cannot easily change file permissions when not running
-as root and the test is meaningless if running as root.
-
-For #52313
-Fixes #52439
-
-Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee
-Reviewed-on: https://go-review.googlesource.com/c/go/+/399539
-Reviewed-by: Ian Lance Taylor
-Run-TryBot: Ian Lance Taylor
-TryBot-Result: Gopher Robot
-(cherry picked from commit f66925e854e71e0c54b581885380a490d7afa30c)
-Reviewed-on: https://go-review.googlesource.com/c/go/+/401078
-Auto-Submit: Tatiana Bradley
-Run-TryBot: Tatiana Bradley
-Run-TryBot: Damien Neil
-Auto-Submit: Damien Neil
-Reviewed-by: Tatiana Bradley
----
- vendor/golang.org/x/sys/unix/syscall_linux.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go
-index 3041f6f8fceda7..b2cc53e5c0dbe3 100644
---- a/vendor/golang.org/x/sys/unix/syscall_linux.go
-+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
-@@ -106,7 +106,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
- gid = Getgid()
- }
-
-- if uint32(gid) == st.Gid || isGroupMember(gid) {
-+ if uint32(gid) == st.Gid || isGroupMember(int(st.Gid)) {
- fmode = (st.Mode >> 3) & 7
- } else {
- fmode = st.Mode & 7
diff --git a/SPECS/cni/CVE-2022-32149.patch b/SPECS/cni/CVE-2022-32149.patch
deleted file mode 100644
index 7938e0831b..0000000000
--- a/SPECS/cni/CVE-2022-32149.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a47ab91255e04dda4ca0d734afef58216c7479a2 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker
-Date: Fri, 2 Sep 2022 09:35:37 -0700
-Subject: [PATCH] language: reject excessively large Accept-Language strings
-
-Backported to apply on vendor direcotry by @mfrw
-
-The BCP 47 tag parser has quadratic time complexity due to inherent
-aspects of its design. Since the parser is, by design, exposed to
-untrusted user input, this can be leveraged to force a program to
-consume significant time parsing Accept-Language headers.
-
-The parser cannot be easily rewritten to fix this behavior for
-various reasons. Instead the solution implemented in this CL is to
-limit the total complexity of tags passed into ParseAcceptLanguage
-by limiting the number of dashes in the string to 1000. This should
-be more than enough for the majority of real world use cases, where
-the number of tags being sent is likely to be in the single digits.
-
-Thanks to the OSS-Fuzz project for discovering this issue and to Adam
-Korczynski (ADA Logics) for writing the fuzz case and for reporting the
-issue.
-
-Fixes CVE-2022-32149
-Fixes golang/go#56152
-
-Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
-Reviewed-by: Damien Neil
-Reviewed-by: Tatiana Bradley
-Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
-TryBot-Result: Gopher Robot
-Auto-Submit: Roland Shoemaker
-Run-TryBot: Roland Shoemaker
-Signed-off-by: Muhammad Falak R Wani
----
- vendor/golang.org/x/text/language/parse.go | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
-index 59b0410..b982d9e 100644
---- a/vendor/golang.org/x/text/language/parse.go
-+++ b/vendor/golang.org/x/text/language/parse.go
-@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
- }
-
- var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
-+var errTagListTooLarge = errors.New("tag list exceeds max length")
-
- // ParseAcceptLanguage parses the contents of an Accept-Language header as
- // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
-@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
- }
- }()
-
-+ if strings.Count(s, "-") > 1000 {
-+ return nil, nil, errTagListTooLarge
-+ }
-+
- var entry string
- for s != "" {
- if entry, s = split(s, ','); entry == "" {
---
-2.40.1
-
diff --git a/SPECS/cni/CVE-2024-45338.patch b/SPECS/cni/CVE-2024-45338.patch
deleted file mode 100644
index c2fb46031c..0000000000
--- a/SPECS/cni/CVE-2024-45338.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker
-Date: Wed, 04 Dec 2024 09:35:55 -0800
-Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
-
-Instead of using strings.ToLower and == to check case insensitive
-equality, just use strings.EqualFold, even when the strings are only
-ASCII. This prevents us unnecessarily lowering extremely long strings,
-which can be a somewhat expensive operation, even if we're only
-attempting to compare equality with five characters.
-
-Thanks to Guido Vranken for reporting this issue.
-
-Fixes golang/go#70906
-Fixes CVE-2024-45338
-
-Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
-Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
-LUCI-TryBot-Result: Go LUCI
-Auto-Submit: Gopher Robot
-Reviewed-by: Roland Shoemaker
-Reviewed-by: Tatiana Bradley
----
- vendor/golang.org/x/net/html/doctype.go | 2 +-
- vendor/golang.org/x/net/html/foreign.go | 3 +--
- vendor/golang.org/x/net/html/parse.go | 4 ++--
- 3 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
-index c484e5a..bca3ae9 100644
---- a/vendor/golang.org/x/net/html/doctype.go
-+++ b/vendor/golang.org/x/net/html/doctype.go
-@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
- }
- }
- if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
-+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
- quirks = true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
-index 9da9e9d..e8515d8 100644
---- a/vendor/golang.org/x/net/html/foreign.go
-+++ b/vendor/golang.org/x/net/html/foreign.go
-@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
- if n.Data == "annotation-xml" {
- for _, a := range n.Attr {
- if a.Key == "encoding" {
-- val := strings.ToLower(a.Val)
-- if val == "text/html" || val == "application/xhtml+xml" {
-+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
- return true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
-index 038941d..cb012d8 100644
---- a/vendor/golang.org/x/net/html/parse.go
-+++ b/vendor/golang.org/x/net/html/parse.go
-@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
- if p.tok.DataAtom == a.Input {
- for _, t := range p.tok.Attr {
- if t.Key == "type" {
-- if strings.ToLower(t.Val) == "hidden" {
-+ if strings.EqualFold(t.Val, "hidden") {
- // Skip setting framesetOK = false
- return true
- }
-@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
- return inHeadIM(p)
- case a.Input:
- for _, t := range p.tok.Attr {
-- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
-+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
- p.addElement()
- p.oe.pop()
- return true
---
-2.25.1
-
diff --git a/SPECS/cni/build.sh b/SPECS/cni/build.sh
deleted file mode 100644
index 024b8d7603..0000000000
--- a/SPECS/cni/build.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ORG_PATH="github.com/containernetworking"
-REPO_PATH="${ORG_PATH}/cni"
-
-if [ ! -h gopath/src/${REPO_PATH} ]; then
- mkdir -p gopath/src/${ORG_PATH}
- ln -s ../../../.. gopath/src/${REPO_PATH} || exit 255
-fi
-
-export GO17VENDOREXPERIMENT=1
-export GOPATH=${PWD}/gopath
-
-echo "Building API"
-go build -mod vendor -v -buildmode=pie "$@" ${REPO_PATH}/libcni
-
-echo "Building reference CLI"
-go build -mod vendor -v -buildmode=pie -o ${PWD}/bin/cnitool "$@" ${REPO_PATH}/cnitool
-
-echo "Building plugins"
-PLUGINS="plugins/test/*"
-for d in $PLUGINS; do
- if [ -d $d ]; then
- plugin=$(basename $d)
- echo " " $plugin
- go build -mod vendor -v -buildmode=pie -o ${PWD}/bin/$plugin "$@" ${REPO_PATH}/$d
- fi
-done
diff --git a/SPECS/cni/cni.signatures.json b/SPECS/cni/cni.signatures.json
deleted file mode 100644
index 78df0b264e..0000000000
--- a/SPECS/cni/cni.signatures.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "Signatures": {
- "99-loopback.conf": "82e03a3292ca327bcc86af3664a0d7b110cb1c39bca16d3cc703abd49c3c9a1b",
- "build.sh": "1fc4529fae5bdf52cf6b9e5eb603c7703046f35e76c6c3a525085c63ef55a7ff",
- "cni-1.1.2-vendor.tar.gz": "7a103582845d2a3a8a803f830bb0badf41c2db860a982541aba179f4d5f9ba97",
- "cni-1.1.2.tar.gz": "7d4bcaf83acdd54b3dc216f7aa5b5e1b32cb797d9c6af601a2c26b97470ed743"
- }
-}
diff --git a/SPECS/cni/cni.spec b/SPECS/cni/cni.spec
deleted file mode 100644
index efc2bf927a..0000000000
--- a/SPECS/cni/cni.spec
+++ /dev/null
@@ -1,399 +0,0 @@
-#
-# spec file for package cni
-#
-# Copyright (c) 2021 SUSE LLC
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-
-%define cni_etc_dir %{_sysconfdir}/cni
-%define cni_bin_dir %{_libexecdir}/cni
-%define cni_doc_dir %{_docdir}/cni
-# Remove stripping of Go binaries.
-%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
-Summary: Container Network Interface - networking for Linux containers
-Name: cni
-Version: 1.1.2
-Release: 5%{?dist}
-License: Apache-2.0
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-Group: System/Management
-URL: https://github.com/containernetworking/cni
-#Source0: https://github.com/containernetworking/cni/archive/refs/tags/v%{version}.tar.gz
-Source0: %{name}-%{version}.tar.gz
-Source1: 99-loopback.conf
-Source2: build.sh
-# Below is a manually created tarball, no download link.
-# We're using pre-populated Go modules from this tarball, since network is disabled during build time.
-# How to re-build this file:
-# 1. wget https://github.com/containernetworking/cni/archive/refs/tags/v1.0.1.tar.gz -o %%{name}-%%{version}.tar.gz
-# 2. tar -xf %%{name}-%%{version}.tar.gz
-# 3. cd %%{name}-%%{version}
-# 4. go mod vendor
-# 5. tar --sort=name \
-# --mtime="2021-04-26 00:00Z" \
-# --owner=0 --group=0 --numeric-owner \
-# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-# -cf %%{name}-%%{version}-vendor.tar.gz vendor
-#
-Source3: %{name}-%{version}-vendor.tar.gz
-Patch0: CVE-2021-38561.patch
-Patch1: CVE-2022-32149.patch
-Patch2: CVE-2024-45338.patch
-Patch3: CVE-2022-29526.patch
-BuildRequires: golang
-BuildRequires: systemd-rpm-macros
-BuildRequires: xz
-Requires: systemd
-Requires(post): %fillup_prereq
-Recommends: cni-plugins
-
-%description
-The CNI (Container Network Interface) project consists of a
-specification and libraries for writing plugins to configure
-network interfaces in Linux containers, along with a number of
-supported plugins. CNI concerns itself only with network
-connectivity of containers and removing allocated resources when
-the container is deleted. Because of this focus, CNI has a wide
-range of support and the specification is simple to implement.
-
-%prep
-%autosetup -N
-cp %{SOURCE2} build.sh
-# create vendor folder from the vendor tarball and set vendor mode
-tar -xf %{SOURCE3} --no-same-owner
-%autopatch -p1
-
-%build
-# go1.16+ default is GO111MODULE=on set to auto temporarily
-# until using upstream release with go.mod
-export GO111MODULE=auto
-sh ./build.sh
-
-%install
-
-# install the plugins
-install -m 755 -d "%{buildroot}%{cni_bin_dir}"
-cp bin/noop "%{buildroot}%{cni_bin_dir}/"
-cp bin/sleep "%{buildroot}%{cni_bin_dir}/"
-
-# undo a copy: cnitool must go to sbin/
-install -m 755 -d "%{buildroot}%{_sbindir}"
-cp bin/cnitool "%{buildroot}%{_sbindir}/"
-
-# config
-install -m 755 -d "%{buildroot}%{cni_etc_dir}"
-install -m 755 -d "%{buildroot}%{cni_etc_dir}/net.d"
-install -D -p -m 0644 %{SOURCE1} %{buildroot}%{cni_etc_dir}/net.d/99-loopback.conf.sample
-
-# documentation
-install -m 755 -d "%{buildroot}%{cni_doc_dir}"
-
-%post
-%{fillup_only -n %{name}}
-
-%files
-%defattr(-,root,root)
-%doc CONTRIBUTING.md README.md DCO
-%license LICENSE
-%dir %{cni_etc_dir}
-%dir %{cni_etc_dir}/net.d
-%config %{cni_etc_dir}/net.d/*
-%dir %{cni_bin_dir}
-%dir %{cni_doc_dir}
-%{cni_bin_dir}/*
-%{cni_etc_dir}/net.d/*
-%{_sbindir}/cnitool
-
-%changelog
-* Fri Mar 21 2025 Anuj Mittal - 1.1.2-5
-- Bump Release to rebuild
-
-* Thu Jan 23 2025 Kavya Sree Kaitepalli - 1.1.2-4
-- Patch CVE-2024-45338 and CVE-2022-29526
-
-* Fri Sep 06 2024 Muhammad Falak R Wani - 1.1.2-3
-- Patch CVE-2022-32149
-
-* Tue Jul 02 2024 Osama Esmail - 1.1.2-2
-- Patching CVE-2021-38561
-
-* Fri Oct 27 2023 CBL-Mariner Servicing Account - 1.1.2-1
-- Auto-upgrade to 1.1.2 - Azure Linux 3.0 - package upgrades
-
-* Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.0.1-15
-- Bump release to rebuild with go 1.20.10
-
-* Tue Oct 10 2023 Dan Streetman - 1.0.1-14
-- Bump release to rebuild with updated version of Go.
-
-* Mon Aug 07 2023 CBL-Mariner Servicing Account - 1.0.1-13
-- Bump release to rebuild with go 1.19.12
-
-* Thu Jul 13 2023 CBL-Mariner Servicing Account - 1.0.1-12
-- Bump release to rebuild with go 1.19.11
-
-* Thu Jun 15 2023 CBL-Mariner Servicing Account - 1.0.1-11
-- Bump release to rebuild with go 1.19.10
-
-* Wed Apr 05 2023 CBL-Mariner Servicing Account - 1.0.1-10
-- Bump release to rebuild with go 1.19.8
-
-* Tue Mar 28 2023 CBL-Mariner Servicing Account - 1.0.1-9
-- Bump release to rebuild with go 1.19.7
-
-* Wed Mar 15 2023 CBL-Mariner Servicing Account - 1.0.1-8
-- Bump release to rebuild with go 1.19.6
-
-* Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.0.1-7
-- Bump release to rebuild with go 1.19.5
-
-* Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.0.1-6
-- Bump release to rebuild with go 1.19.4
-
-* Fri Dec 16 2022 Daniel McIlvaney - 1.0.1-5
-- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717
-
-* Tue Nov 01 2022 Olivia Crain - 1.0.1-4
-- Bump release to rebuild with go 1.18.8
-
-* Mon Aug 22 2022 Olivia Crain - 1.0.1-3
-- Bump release to rebuild against Go 1.18.5
-
-* Tue Jun 14 2022 Muhammad Falak - 1.0.1-2
-- Bump release to rebuild with golang 1.18.3
-
-* Wed Feb 09 2022 Henry Li - 1.0.1-1
-- Upgrade to version 1.0.1
-- Add vendor source, which is required to build
-- Modify build.sh to build using vendor source
-
-* Tue Aug 17 2021 Henry Li - 0.8.1-2
-- Initial CBL-Mariner import from openSUSE Tumbleweed (license: same as "License" tag).
-- License Verified
-- Remove shadow from BR
-- Use systemd and fillup from runtime requirements
-- Manually define fillup-related macros
-- Remove buildroot definition
-
-* Mon May 31 2021 John Paul Adrian Glaubitz
-- Update to version 0.8.1:
- * This is a security release that fixes a single bug:
- - Tighten up plugin-finding logic (#811).
-
-* Sat Apr 24 2021 Dirk Müller
-- use buildmode=pie (cnitool is installed into sbindir)
-
-* Tue Mar 16 2021 Jeff Kowalczyk
-- Set GO111MODULE=auto to build with go1.16+
- * Default changed to GO111MODULE=on in go1.16
- * Set temporarily until using upstream release with go.mod
- * Drop BuildRequires: golang-packaging not currently using macros
- * Add BuildRequires: golang(API) >= 1.13 recommended dependency expression
-
-* Thu Oct 1 2020 John Paul Adrian Glaubitz
-- Update to version 0.8.0:
- * Specification and Conventions changes
- + docs: add ips and mac to well-known capabilities
- + add interface name validation
- + Add GUID to well known Capabilities
- + Add DeviceID attribute to RuntimeConfig
- + Typo fixes for infiniband GUID
- + Fix linting issues in docs, add headers to json example, update errors into table
- * Documentation changes
- + Update cnitool docs
- + Remove extra ',' chars which makes conflist examples invalid.
- * libcni changes
- + Remove Result.String method
- + libcni: add config caching [v2]
- + clean up : fix staticcheck warnings
- + libcni: add InitCNIConfigWithCacheDir() and deprecate RuntimeConfig.CacheDir
- + skel: clean up errors in skel and add some well-known error codes
- + libcni: find plugin in exec
- + validate containerID and networkName
- + skel: remove needless functions and types
- + libcni: also cache IfName
- + libcni: fix cache file 'result' key name
- + Bump Go version to 1.13
- + When CNI version isn't supplied in config, use default.
- + intercept netplugin std error
- + invoke: capture and return stderr if plugin exits unexpectedly
- + Retry exec commands on text file busy
-
-* Mon Jan 13 2020 Sascha Grunert
-- Set correct CNI version for 99-loopback.conf
-
-* Tue Jul 16 2019 John Paul Adrian Glaubitz
-- Update to version 0.7.1 (bsc#1160460):
- * Library changes:
- + invoke : ensure custom envs of CNIArgs are prepended to process envs
- + add GetNetworkListCachedResult to CNI interface
- + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance
- * Documentation & Convention changes:
- + Update cnitool documentation for spec v0.4.0
- + Add cni-route-override to CNI plugin list
- * Build and test changes:
- + Release: 5%{?dist}
-
-* Fri May 17 2019 John Paul Adrian Glaubitz
-- Update to version 0.7.0:
- * Spec changes:
- + Use more RFC2119 style language in specification (must, should...)
- + add notes about ADD/DEL ordering
- + Make the container ID required and unique.
- + remove the version parameter from ADD and DEL commands.
- + Network interface name matters
- + be explicit about optional and required structure members
- + add CHECK method
- + Add a well-known error for "try again"
- + SPEC.md: clarify meaning of 'routes'
- * Library changes:
- + pkg/types: Makes IPAM concrete type
- + libcni: return error if Type is empty
- + skel: VERSION shouldn't block on stdin
- + non-pointer instances of types.Route now correctly marshal to JSON
- + libcni: add ValidateNetwork and ValidateNetworkList functions
- + pkg/skel: return error if JSON config has no network name
- + skel: add support for plugin version string
- + libcni: make exec handling an interface for better downstream testing
- + libcni: api now takes a Context to allow operations to be timed out or cancelled
- + types/version: add helper to parse PrevResult
- + skel: only print about message, not errors
- + skel,invoke,libcni: implementation of CHECK method
- + cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
- + cnitool: validate correct number of args
- + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0
- + add PrintTo method to Result interface
- + Return a better error when the plugin returns none
-- Install sleep binary into CNI plugin directory
-- Restore build.sh script which was removed upstream
-
-* Tue Jun 5 2018 dcassany@suse.com
-- Refactor %%license usage to a simpler form
-
-* Mon Jun 4 2018 dcassany@suse.com
-- Make use of %%license macro
-
-* Wed Apr 4 2018 jmassaguerpla@suse.com
-- Remove creating subvolumes. This should be in another package (kubernetes-kubelet)
-
-* Mon Jan 29 2018 kmacinnes@suse.com
-- Use full/absolute path for mksubvolume
-- Change snapper Requires to a Requires(post)
-
-* Thu Jan 18 2018 kmacinnes@suse.com
-- Add snapper as a requirement, to provide mksubvolume
-
-* Mon Jan 15 2018 alvaro.saurin@suse.com
-- Make /var/lib/cni writable
-
-* Tue Dec 19 2017 alvaro.saurin@suse.com
-- Remove the dependency with the cni-plugins
-- Recommend the cni-plugins
-
-* Mon Aug 28 2017 opensuse-packaging@opensuse.org
-- Update to version 0.6.0:
- * Conventions: add convention around chaining interfaces
- * pkg/types: safer typecasting for TextUnmarshaler when loading args
- * pkg/types: modify LoadArgs to return a named error when an unmarshalable condition is detected
- * Update note about next Community Sync, 2017-06-21
- * types: fix marshalling of omitted "interfaces" key in IPConfig JSON
- * Update and document release process
- * scripts/release.sh: Add in s390x architecture
- * cnitool: add support for CNI_ARGS
- * README plugins list: add Linen CNI plugin
-
-* Mon Apr 10 2017 opensuse-packaging@opensuse.org
-- Update to version 0.5.2:
- * Rename build script to avoid conflict with bazel
- * Enable s390x build
- * Update community sync detail
- * Added entry for CNI-Genie
- * travis: shift forward to Go 1.8 and 1.7
- * spec/plugins: fix 'ip'->'ips' in the spec, bump to 0.3.1
- * libcni: Improved error messages.
- * libcni: Fixed tests that were checking error strings.
- * Documentation: Added documentation for `cnitool`.
-
-* Thu Mar 23 2017 opensuse-packaging@opensuse.org
-- Update to version 0.5.1:
- * readme.md: Add link to community sync
- * pkg/ip: do not leak types from vendored netlink package
- * pkg/ip: SetupVeth returns net.Interface
- * pkg/ip: improve docstring for SetupVeth
- * Added Romana to list of CNI providers...
- * plugins/meta/flannel: If net config is missing do not return err on DEL
- * plugins/*: Don't error if the device doesn't exist
-
-* Wed Mar 22 2017 alvaro.saurin@suse.com
-- Update to version 0.5.0:
- * Documentation: Add conventions doc
- * noop: allow specifying debug file in config JSON
- * Spec/Conventions: Update to include plugin config
- * spec: add network configuration list specification
- * api,libcni: add network config list-based plugin chaining
- * Update CONVENTIONS.md
- * skel: adds PluginMainWithError which returns a *types.Error
- * testutils: pass netConf in for version operations; pass raw result out for tests
- * types: make Result an interface and move existing Result to separate package
- * macvlan/ipvlan: use common RenameLink method
- * plugins/flannel: organize test JSON alphabetically
- * pkg/ipam: add testcases
- * spec/plugins: return interface details and multiple IP addresses to runtime
- * spec, libcni, pkg/invoke: Use OS-agnostic separator when parsing CNI_PATH
- * pkg/utils/sysctl/sysctl_linux.go: fix build tag.
- * pkg/utils/sysctl/sysctl_linux.go: fix typo.
- * invoke: Enable plugin file names with extensions
- * CONVENTIONS.md: Update details on port-mappings
- * Update with feedback
- * More markups
- * spec: Remove `routes` from Network Configuration
- * docs: consolidate host-local documentation
- * pkg/ns: refactored so that builds succeed on non-linux platforms
- * Fix grammar
- * plugins/main/ptp: set the Sandbox property on the response
- * README: List multus as 3rd party plugin
- * Replace Michael Bridgen with Bryan Boreham
- * pkg/ns, pkg/types: refactored non linux build fix code to
- * pkg/ip: refactored so that builds succeed on non-linux platforms
- * vendor: Update vishvanana/netlink dependency
- * libcni: up-convert a Config to a ConfigList when no other configs are found.
- * docs: CNI versioning for 0.3.0 upgrade
- * docs: Edits to v0.3.0 upgrade guidance
- * docs: minor improvements to 0.3.0 upgrade guidance
- * docs: add small upgrade instructions
- * docs: minor improvements to spec-upgrades
- * docs: fill-out and correct version conversion table
- * docs: table formatting is hard
- * pkg/testutils: return errors after restoring stdout
- * pkg/types: misc current types testcase cleanups
- * Minor rewording about default config version
- * spec,libcni: add support for injecting runtimeConfig into plugin stdin data
- * Check n.IPAM before use it in LoadIPAMConfig function
- * do not error if last_reserved_ip is missing for host local ipam
- * add test for ensuring initial subnet creation does not contain an error
- * fix unrelated failing tests
-
-* Wed Mar 1 2017 opensuse-packaging@opensuse.org
-- Update to version 0.4.0:
- * plugins/noop: return a helpful message for test authors
- * host-local: trim whitespace from container IDs and disk file contents
- * travis: roll forward the versions of Go that we test
- * MAINTAINERS: hi CaseyC!
- * ipam/host-local: Move allocator and config to backend
- * ipam/host-local: add ResolvConf argument for DNS configuration
- * spec: notice of version
-
-* Thu Feb 23 2017 alvaro.saurin@suse.com
-- Initial version
diff --git a/SPECS/containerd2/CVE-2024-25621.patch b/SPECS/containerd2/CVE-2024-25621.patch
new file mode 100644
index 0000000000..d07a78a129
--- /dev/null
+++ b/SPECS/containerd2/CVE-2024-25621.patch
@@ -0,0 +1,111 @@
+From 46223b256bfb3f42e193d947d1b1ef551260749f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task// is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5.patch
+---
+ cmd/containerd/server/server.go | 14 ++++++++++++--
+ core/runtime/v2/task_manager.go | 2 ++
+ plugins/cri/runtime/plugin.go | 7 +++++++
+ plugins/sandbox/controller.go | 6 +++++-
+ 4 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go
+index 9f38cb3..c9e3698 100644
+--- a/cmd/containerd/server/server.go
++++ b/cmd/containerd/server/server.go
+@@ -81,10 +81,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+
+- if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0o700); err != nil {
+ return err
+ }
+
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
+ return err
+ }
+@@ -99,7 +105,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ }
+
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0o700); err != nil {
+ return err
+ }
+ if runtime.GOOS == "windows" {
+diff --git a/core/runtime/v2/task_manager.go b/core/runtime/v2/task_manager.go
+index f396ced..024763a 100644
+--- a/core/runtime/v2/task_manager.go
++++ b/core/runtime/v2/task_manager.go
+@@ -74,6 +74,8 @@ func init() {
+ shimManager := shimManagerI.(*ShimManager)
+ root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir]
+ for _, d := range []string{root, state} {
++ // root: the parent of this directory is created as 0o700, not 0o711.
++ // state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/plugins/cri/runtime/plugin.go b/plugins/cri/runtime/plugin.go
+index adc64d9..07f64a1 100644
+--- a/plugins/cri/runtime/plugin.go
++++ b/plugins/cri/runtime/plugin.go
+@@ -91,6 +91,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) {
+ rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri")
+ containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir])
+ stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri")
++ if err := os.MkdirAll(stateDir, 0o700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o755
++ if err := os.Chmod(stateDir, 0o700); err != nil {
++ return nil, err
++ }
+ c := criconfig.Config{
+ RuntimeConfig: *pluginConfig,
+ ContainerdRootDir: containerdRootDir,
+diff --git a/plugins/sandbox/controller.go b/plugins/sandbox/controller.go
+index aec9cc3..165f2e8 100644
+--- a/plugins/sandbox/controller.go
++++ b/plugins/sandbox/controller.go
+@@ -68,7 +68,11 @@ func init() {
+ state := ic.Properties[plugins.PropertyStateDir]
+ root := ic.Properties[plugins.PropertyRootDir]
+ for _, d := range []string{root, state} {
+- if err := os.MkdirAll(d, 0711); err != nil {
++ if err := os.MkdirAll(d, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(d, 0o700); err != nil {
+ return nil, err
+ }
+ }
+--
+2.45.4
+
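Review bot: The chmod added in the `config.TempDir` branch of `CreateTopLevelDirectories` targets the wrong directory: immediately after `sys.MkdirAllWithACL(config.TempDir, 0o700)` the new line is `if err := os.Chmod(config.Root, 0o700); err != nil {`, which just repeats the chmod already applied to the root dir a few lines above and leaves a pre-existing 0o711 TempDir untouched on upgrade, the exact case the accompanying comment says the chmod exists for. It should read `if err := os.Chmod(config.TempDir, 0o700); err != nil {`. Since this file is carried as a backport with an Upstream-reference trailer, it is worth checking whether the upstream commit carries the same slip and whether a follow-up fix exists before diverging from it. As a minor point of style, the sandbox controller hunk writes the mode as `0700` while every other new line in the patch uses `0o700`; matching the form keeps the permission changes easy to grep. The bodies of `CreateTopLevelDirectories` and the other patched functions continue outside the hunks shown.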
diff --git a/SPECS/containerd2/CVE-2025-47911.patch b/SPECS/containerd2/CVE-2025-47911.patch
new file mode 100644
index 0000000000..2df8cafa55
--- /dev/null
+++ b/SPECS/containerd2/CVE-2025-47911.patch
@@ -0,0 +1,100 @@
+From 532532d877df8bbee095441886578acaf619132c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go | 2 +-
+ vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index 04c6bec..12f2273 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ case '\r':
+ esc = "
"
+ default:
+- panic("unrecognized escape character")
++ panic("html: unrecognized escape character")
+ }
+ s = s[i+1:]
+ if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 979ef17..4d12a1c 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ }
+
+ if n.Type == ElementNode {
+- p.oe = append(p.oe, n)
++ p.insertOpenElement(n)
++ }
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++ p.oe = append(p.oe, n)
++ if len(p.oe) > 512 {
++ panic("html: open stack of elements exceeds 512 nodes")
+ }
+ }
+
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ p.im = inFramesetIM
+ return true
+ case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+- p.oe = append(p.oe, p.head)
++ p.insertOpenElement(p.head)
+ defer p.oe.remove(p.head)
+ return inHeadIM(p)
+ case a.Head:
+@@ -2320,9 +2327,13 @@ func (p *parser) parseCurrentToken() {
+ }
+ }
+
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++ defer func() {
++ if panicErr := recover(); panicErr != nil {
++ err = fmt.Errorf("%s", panicErr)
++ }
++ }()
+ // Iterate until EOF. Any other error will cause an early return.
+- var err error
+ for err != io.EOF {
+ // CDATA sections are allowed only in foreign content.
+ n := p.oe.top()
+@@ -2351,6 +2362,8 @@ func (p *parser) parse() error {
+ // s. Conversely, explicit s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ return ParseWithOptions(r)
+--
+2.45.4
+
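Review bot: The limit 512 is spelled out three separate times in the new code — the comparison in insertOpenElement, its panic message, and the Parse doc comment — so a later bump of the limit can silently leave the message or the docs stale; a named constant `const maxOpenElements = 512` used in the check (`if len(p.oe) > maxOpenElements {`) and in a fmt.Sprintf-built message keeps them in step. The deferred recover added to parse() also catches every panic, not only the stack-limit one: the "html: internal error" panics elsewhere in the parser and any runtime fault now come back as a plain error string with no stack trace, which is presumably intended but should be stated, e.g. `// Any panic raised while parsing (stack-limit or internal error) is reported as an error rather than crashing the caller.` on the defer. The loop body of parse() continues outside this hunk.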
diff --git a/SPECS/containerd2/CVE-2025-58190.patch b/SPECS/containerd2/CVE-2025-58190.patch
new file mode 100644
index 0000000000..89b2b84a02
--- /dev/null
+++ b/SPECS/containerd2/CVE-2025-58190.patch
@@ -0,0 +1,126 @@
+From 582919df8cf0643cd434da7421238628ad5b4cb6 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 29 Sep 2025 19:38:24 -0700
+Subject: [PATCH] html: align in row insertion mode with spec
+
+Update inRowIM to match the HTML specification. This fixes an issue
+where a specific HTML document could cause the parser to enter an
+infinite loop when trying to parse a and implied next to
+each other.
+
+Fixes CVE-2025-58190
+Fixes golang/go#70179
+
+Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709875
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Damien Neil
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009.patch
+---
+ vendor/golang.org/x/net/html/parse.go | 36 ++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 5b8374b..979ef17 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
+ return -1
+ }
+ default:
+- panic("unreachable")
++ panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
+ }
+ }
+ switch s {
+@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
+ return
+ }
+ default:
+- panic("unreachable")
++ panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
+ }
+ }
+ }
+@@ -1674,7 +1674,7 @@ func inTableBodyIM(p *parser) bool {
+ return inTableIM(p)
+ }
+
+-// Section 12.2.6.4.14.
++// Section 13.2.6.4.14.
+ func inRowIM(p *parser) bool {
+ switch p.tok.Type {
+ case StartTagToken:
+@@ -1686,7 +1686,9 @@ func inRowIM(p *parser) bool {
+ p.im = inCellIM
+ return true
+ case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return false
+ }
+@@ -1696,22 +1698,28 @@ func inRowIM(p *parser) bool {
+ case EndTagToken:
+ switch p.tok.DataAtom {
+ case a.Tr:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return true
+ }
+ // Ignore the token.
+ return true
+ case a.Table:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return false
+ }
+ // Ignore the token.
+ return true
+ case a.Tbody, a.Tfoot, a.Thead:
+- if p.elementInScope(tableScope, p.tok.DataAtom) {
+- p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
++ if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
++ p.im = inTableBodyIM
+ return false
+ }
+ // Ignore the token.
+@@ -2218,16 +2226,20 @@ func parseForeignContent(p *parser) bool {
+ p.acknowledgeSelfClosingTag()
+ }
+ case EndTagToken:
++ if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
++ p.oe = p.oe[:len(p.oe)-1]
++ return true
++ }
+ for i := len(p.oe) - 1; i >= 0; i-- {
+- if p.oe[i].Namespace == "" {
+- return p.im(p)
+- }
+ if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
+ p.oe = p.oe[:i]
++ return true
++ }
++ if i > 0 && p.oe[i-1].Namespace == "" {
+ break
+ }
+ }
+- return true
++ return p.im(p)
+ default:
+ // Ignore the token.
+ }
+--
+2.45.4
+
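Review bot: The three-statement sequence `p.clearStackToContext(tableRowScope); p.oe.pop(); p.im = inTableBodyIM` is now pasted four times in inRowIM (the caption/col/colgroup/tbody/tfoot/thead/tr start tag and the tr, table and tbody/tfoot/thead end tags), and the four sites must stay identical for row closing to keep matching the spec; a one-line helper such as `func (p *parser) closeTableRow() { p.clearStackToContext(tableRowScope); p.oe.pop(); p.im = inTableBodyIM }` removes the drift risk. In parseForeignContent the new top-of-stack check ahead of the loop is subsumed by the loop's first iteration (i = len(p.oe)-1 performs the same EqualFold test and the same truncation), so either drop it or add a comment that it deliberately mirrors the spec's initial "current node" step. The panic messages now call fmt.Sprintf but the hunk adds no import, so this backport assumes parse.go already imports fmt — worth confirming at build time.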
diff --git a/SPECS/containerd2/CVE-2025-64329.patch b/SPECS/containerd2/CVE-2025-64329.patch
new file mode 100644
index 0000000000..b742c82c32
--- /dev/null
+++ b/SPECS/containerd2/CVE-2025-64329.patch
@@ -0,0 +1,73 @@
+From b9beeef78a6fd90ece5801780c45f550caf71b3d Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df.patch
+---
+ internal/cri/io/container_io.go | 14 +++++++++++---
+ internal/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/internal/cri/io/container_io.go b/internal/cri/io/container_io.go
+index 9fc5545..194634e 100644
+--- a/internal/cri/io/container_io.go
++++ b/internal/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "fmt"
+ "io"
+@@ -160,7 +161,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -201,8 +202,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- log.L.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ log.L.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ log.L.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/internal/cri/server/container_attach.go b/internal/cri/server/container_attach.go
+index 0147859..f4c3322 100644
+--- a/internal/cri/server/container_attach.go
++++ b/internal/cri/server/container_attach.go
+@@ -82,6 +82,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.45.4
+
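Review bot: Each attachStream goroutine removes its own key from both c.stdoutGroup and c.stderrGroup in the new ctx.Done() branch, although a given key belongs to only one of the two groups; this relies on Remove being a harmless no-op for an unknown key, which is not visible in the hunk. Passing the owning group (the one the key was added to) into the closure alongside the key and issuing a single `group.Remove(key)` makes the intent explicit and avoids the cross-group call. Changing the exported Attach signature to take a context also affects any other in-tree callers beyond container_attach.go; the diffstat shows only that one updated, so the backport should be checked against this tree's remaining call sites. The rest of Attach (stream setup and the wait on wg) lies outside the hunk.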
diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec
index 6fe25c1a33..c67bff5732 100644
--- a/SPECS/containerd2/containerd2.spec
+++ b/SPECS/containerd2/containerd2.spec
@@ -5,7 +5,7 @@
Summary: Industry-standard container runtime
Name: %{upstream_name}2
Version: 2.0.0
-Release: 14%{?dist}
+Release: 18%{?dist}
License: ASL 2.0
Group: Tools/Container
URL: https://www.containerd.io
@@ -23,6 +23,11 @@ Patch3: CVE-2025-22872.patch
Patch4: CVE-2025-47291.patch
Patch5: multi-snapshotters-support.patch
Patch6: tardev-support.patch
+Patch7: CVE-2024-25621.patch
+Patch8: CVE-2025-64329.patch
+Patch9: fix-credential-leak-in-cri-errors.patch
+Patch10:CVE-2025-47911.patch
+Patch11:CVE-2025-58190.patch
%{?systemd_requires}
BuildRequires: golang < 1.25
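Review bot: Patch10 (CVE-2025-47911) is declared before Patch11 (CVE-2025-58190), but the vendored parse.go blob ids in the two patch files show the upstream order is the reverse — CVE-2025-58190 takes parse.go from 5b8374b to 979ef17 and CVE-2025-47911 takes it from 979ef17 to 4d12a1c. If the build applies patches in numeric order (e.g. via %autosetup), 47911 is applied against a parse.go its index line does not describe and both patches at best go in with line offsets; swapping the two declarations (`Patch10:CVE-2025-58190.patch` / `Patch11:CVE-2025-47911.patch`) restores the upstream order. The %prep section that actually applies them is not in this hunk.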
@@ -132,6 +137,13 @@ fi
%{_bindir}/containerd-stress
%changelog
+* Thu Mar 12 2026 Lee Chee Yang - 2.0.0-18
+- merge from Azure Linux 3.0.20260304-3.0
+- Patch for CVE-2025-64329
+- Patch for CVE-2024-25621
+- Backport fix for credential leak in CRI error logs
+- Patch for CVE-2025-58190, CVE-2025-47911
+
* Fri Oct 3 2025 Lee Chee Yang - 2.0.0-14
- merge from Azure Linux 3.0.20250910-3.0
- Set BR for golang to < 1.25
diff --git a/SPECS/containerd2/fix-credential-leak-in-cri-errors.patch b/SPECS/containerd2/fix-credential-leak-in-cri-errors.patch
new file mode 100644
index 0000000000..909c179c25
--- /dev/null
+++ b/SPECS/containerd2/fix-credential-leak-in-cri-errors.patch
@@ -0,0 +1,401 @@
+From a34e45d0fa2a7ddefff1a0871c9bf9e3c62bda17 Mon Sep 17 00:00:00 2001
+From: Andrey Noskov
+Date: Thu, 6 Nov 2025 13:34:38 +0100
+Subject: [PATCH 1/2] fix: redact all query parameters in CRI error logs
+
+Signed-off-by: Andrey Noskov
+---
+ .../cri/instrument/instrumented_service.go | 8 ++
+ internal/cri/util/sanitize.go | 93 +++++++++++++
+ internal/cri/util/sanitize_test.go | 128 ++++++++++++++++++
+ 3 files changed, 229 insertions(+)
+ create mode 100644 internal/cri/util/sanitize.go
+ create mode 100644 internal/cri/util/sanitize_test.go
+
+diff --git a/internal/cri/instrument/instrumented_service.go b/internal/cri/instrument/instrumented_service.go
+index c2f5c8de99..f06315a6bd 100644
+--- a/internal/cri/instrument/instrumented_service.go
++++ b/internal/cri/instrument/instrumented_service.go
+@@ -351,6 +351,8 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
+ log.G(ctx).Infof("PullImage %q", r.GetImage().GetImage())
+ defer func() {
+ if err != nil {
++ // Sanitize error to remove sensitive information
++ err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("PullImage %q failed", r.GetImage().GetImage())
+ } else {
+ log.G(ctx).Infof("PullImage %q returns image reference %q",
+@@ -369,6 +371,8 @@ func (in *instrumentedService) ListImages(ctx context.Context, r *runtime.ListIm
+ log.G(ctx).Tracef("ListImages with filter %+v", r.GetFilter())
+ defer func() {
+ if err != nil {
++ // Sanitize error to remove sensitive information
++ err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("ListImages with filter %+v failed", r.GetFilter())
+ } else {
+ log.G(ctx).Tracef("ListImages with filter %+v returns image list %+v",
+@@ -386,6 +390,8 @@ func (in *instrumentedService) ImageStatus(ctx context.Context, r *runtime.Image
+ log.G(ctx).Tracef("ImageStatus for %q", r.GetImage().GetImage())
+ defer func() {
+ if err != nil {
++ // Sanitize error to remove sensitive information
++ err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("ImageStatus for %q failed", r.GetImage().GetImage())
+ } else {
+ log.G(ctx).Tracef("ImageStatus for %q returns image status %+v",
+@@ -404,6 +410,8 @@ func (in *instrumentedService) RemoveImage(ctx context.Context, r *runtime.Remov
+ log.G(ctx).Infof("RemoveImage %q", r.GetImage().GetImage())
+ defer func() {
+ if err != nil {
++ // Sanitize error to remove sensitive information
++ err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("RemoveImage %q failed", r.GetImage().GetImage())
+ } else {
+ log.G(ctx).Infof("RemoveImage %q returns successfully", r.GetImage().GetImage())
+diff --git a/internal/cri/util/sanitize.go b/internal/cri/util/sanitize.go
+new file mode 100644
+index 0000000000..d50a15ebf6
+--- /dev/null
++++ b/internal/cri/util/sanitize.go
+@@ -0,0 +1,93 @@
++/*
++ Copyright The containerd Authors.
++
++ Licensed under the Apache License, Version 2.0 (the "License");
++ you may not use this file except in compliance with the License.
++ You may obtain a copy of the License at
++
++ http://www.apache.org/licenses/LICENSE-2.0
++
++ Unless required by applicable law or agreed to in writing, software
++ distributed under the License is distributed on an "AS IS" BASIS,
++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ See the License for the specific language governing permissions and
++ limitations under the License.
++*/
++
++package util
++
++import (
++ "errors"
++ "net/url"
++ "strings"
++)
++
++// SanitizeError sanitizes an error by redacting sensitive information in URLs.
++// If the error contains a *url.Error, it parses and sanitizes the URL.
++// Otherwise, it returns the error unchanged.
++func SanitizeError(err error) error {
++ if err == nil {
++ return nil
++ }
++
++ // Check if the error is or contains a *url.Error
++ var urlErr *url.Error
++ if errors.As(err, &urlErr) {
++ // Parse and sanitize the URL
++ sanitizedURL := sanitizeURL(urlErr.URL)
++ if sanitizedURL != urlErr.URL {
++ // Wrap with sanitized url.Error
++ return &sanitizedError{
++ original: err,
++ sanitizedURL: sanitizedURL,
++ urlError: urlErr,
++ }
++ }
++ return err
++ }
++
++ // No sanitization needed for non-URL errors
++ return err
++}
++
++// sanitizeURL properly parses a URL and redacts all query parameters.
++func sanitizeURL(rawURL string) string {
++ parsed, err := url.Parse(rawURL)
++ if err != nil {
++ // If URL parsing fails, return original (malformed URLs shouldn't leak tokens)
++ return rawURL
++ }
++
++ // Check if URL has query parameters
++ query := parsed.Query()
++ if len(query) == 0 {
++ return rawURL
++ }
++
++ // Redact all query parameters
++ for param := range query {
++ query.Set(param, "[REDACTED]")
++ }
++
++ // Reconstruct URL with sanitized query
++ parsed.RawQuery = query.Encode()
++ return parsed.String()
++}
++
++// sanitizedError wraps an error containing a *url.Error with a sanitized URL.
++type sanitizedError struct {
++ original error
++ sanitizedURL string
++ urlError *url.Error
++}
++
++// Error returns the error message with the sanitized URL.
++func (e *sanitizedError) Error() string {
++ // Replace all occurrences of the original URL with the sanitized version
++ return strings.ReplaceAll(e.original.Error(), e.urlError.URL, e.sanitizedURL)
++}
++
++// Unwrap returns the original error for error chain traversal.
++func (e *sanitizedError) Unwrap() error {
++ return e.original
++}
+diff --git a/internal/cri/util/sanitize_test.go b/internal/cri/util/sanitize_test.go
+new file mode 100644
+index 0000000000..03e4fb2694
+--- /dev/null
++++ b/internal/cri/util/sanitize_test.go
+@@ -0,0 +1,128 @@
++/*
++ Copyright The containerd Authors.
++
++ Licensed under the Apache License, Version 2.0 (the "License");
++ you may not use this file except in compliance with the License.
++ You may obtain a copy of the License at
++
++ http://www.apache.org/licenses/LICENSE-2.0
++
++ Unless required by applicable law or agreed to in writing, software
++ distributed under the License is distributed on an "AS IS" BASIS,
++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ See the License for the specific language governing permissions and
++ limitations under the License.
++*/
++
++package util
++
++import (
++ "errors"
++ "fmt"
++ "net/url"
++ "testing"
++
++ "github.com/stretchr/testify/assert"
++ "github.com/stretchr/testify/require"
++)
++
++func TestSanitizeError_SimpleURLError(t *testing.T) {
++ // Create a url.Error with sensitive info
++ originalURL := "https://storage.blob.core.windows.net/container/blob?sig=SECRET&sv=2020"
++ urlErr := &url.Error{
++ Op: "Get",
++ URL: originalURL,
++ Err: fmt.Errorf("connection timeout"),
++ }
++
++ // Sanitize
++ sanitized := SanitizeError(urlErr)
++ require.NotNil(t, sanitized)
++
++ // Check it's a sanitizedError with correct properties
++ sanitizedErr, ok := sanitized.(*sanitizedError)
++ require.True(t, ok, "Should return *sanitizedError type")
++ assert.Equal(t, urlErr, sanitizedErr.original)
++ assert.Equal(t, urlErr, sanitizedErr.urlError)
++ assert.Equal(t, "https://storage.blob.core.windows.net/container/blob?sig=%5BREDACTED%5D&sv=%5BREDACTED%5D", sanitizedErr.sanitizedURL)
++
++ // Test Error() method - verifies ReplaceAll functionality
++ expected := "Get \"https://storage.blob.core.windows.net/container/blob?sig=%5BREDACTED%5D&sv=%5BREDACTED%5D\": connection timeout"
++ assert.Equal(t, expected, sanitized.Error())
++}
++
++func TestSanitizeError_WrappedError(t *testing.T) {
++ originalURL := "https://storage.blob.core.windows.net/blob?sig=SECRET&sv=2020"
++ urlErr := &url.Error{
++ Op: "Get",
++ URL: originalURL,
++ Err: fmt.Errorf("timeout"),
++ }
++
++ wrappedErr := fmt.Errorf("image pull failed: %w", urlErr)
++
++ // Sanitize
++ sanitized := SanitizeError(wrappedErr)
++
++ // Test Error() method with wrapped error - verifies ReplaceAll works in wrapped context
++ sanitizedMsg := sanitized.Error()
++ assert.NotContains(t, sanitizedMsg, "SECRET", "Secret should be sanitized")
++ assert.Contains(t, sanitizedMsg, "image pull failed", "Wrapper message should be preserved")
++ assert.Contains(t, sanitizedMsg, "%5BREDACTED%5D", "Should contain sanitized marker")
++
++ // Should still be able to unwrap to url.Error
++ var targetURLErr *url.Error
++ assert.True(t, errors.As(sanitized, &targetURLErr),
++ "Should be able to find *url.Error in sanitized error chain")
++
++ // Verify url.Error properties are preserved
++ assert.Equal(t, "Get", targetURLErr.Op)
++ assert.Contains(t, targetURLErr.Err.Error(), "timeout")
++}
++
++func TestSanitizeError_NonURLError(t *testing.T) {
++ // Regular error without url.Error
++ regularErr := fmt.Errorf("some error occurred")
++
++ sanitized := SanitizeError(regularErr)
++
++ // Should return the exact same error object
++ assert.Equal(t, regularErr, sanitized,
++ "Non-URL errors should pass through unchanged")
++}
++
++func TestSanitizeError_NilError(t *testing.T) {
++ sanitized := SanitizeError(nil)
++ assert.Nil(t, sanitized, "nil error should return nil")
++}
++
++func TestSanitizeError_NoQueryParams(t *testing.T) {
++ // URL without any query parameters
++ urlErr := &url.Error{
++ Op: "Get",
++ URL: "https://registry.example.com/v2/image/manifests/latest",
++ Err: fmt.Errorf("not found"),
++ }
++
++ sanitized := SanitizeError(urlErr)
++
++ // Should return the same error object (no sanitization needed)
++ assert.Equal(t, urlErr, sanitized,
++ "Errors without query params should pass through unchanged")
++}
++
++func TestSanitizedError_Unwrap(t *testing.T) {
++ originalURL := "https://storage.blob.core.windows.net/blob?sig=SECRET"
++ urlErr := &url.Error{
++ Op: "Get",
++ URL: originalURL,
++ Err: fmt.Errorf("timeout"),
++ }
++
++ sanitized := SanitizeError(urlErr)
++
++ // Should be able to unwrap
++ unwrapped := errors.Unwrap(sanitized)
++ assert.NotNil(t, unwrapped, "Should be able to unwrap sanitized error")
++ assert.Equal(t, urlErr, unwrapped, "Unwrapped should be the original error")
++}
+--
+2.45.4
+
+
+From 50e383e3907d04aeaec85853edfaa9ab34be1006 Mon Sep 17 00:00:00 2001
+From: Aadhar Agarwal
+Date: Tue, 20 Jan 2026 22:16:30 +0000
+Subject: [PATCH 2/2] fix: sanitize error before gRPC return to prevent
+ credential leak in pod events
+
+PR #12491 fixed credential leaks in containerd logs but the gRPC error
+returned to kubelet still contained sensitive information. This was
+visible in Kubernetes pod events via `kubectl describe pod`.
+
+The issue was that SanitizeError was called inside the defer block,
+but errgrpc.ToGRPC(err) was evaluated before the defer ran, so the
+gRPC message contained the original unsanitized error.
+
+Move SanitizeError before the return statement so both the logged
+error and the gRPC error are sanitized.
+
+Ref: #5453
+Signed-off-by: Aadhar Agarwal
+---
+ .../cri/instrument/instrumented_service.go | 24 ++++++++++++-------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/internal/cri/instrument/instrumented_service.go b/internal/cri/instrument/instrumented_service.go
+index f06315a6bd..4379f95997 100644
+--- a/internal/cri/instrument/instrumented_service.go
++++ b/internal/cri/instrument/instrumented_service.go
+@@ -351,8 +351,6 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
+ log.G(ctx).Infof("PullImage %q", r.GetImage().GetImage())
+ defer func() {
+ if err != nil {
+- // Sanitize error to remove sensitive information
+- err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("PullImage %q failed", r.GetImage().GetImage())
+ } else {
+ log.G(ctx).Infof("PullImage %q returns image reference %q",
+@@ -361,6 +359,10 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
+ span.RecordError(err)
+ }()
+ res, err = in.c.PullImage(ctrdutil.WithNamespace(ctx), r)
++ // Sanitize error to remove sensitive information from both logs and returned gRPC error
++ if err != nil {
++ err = ctrdutil.SanitizeError(err)
++ }
+ return res, errgrpc.ToGRPC(err)
+ }
+
+@@ -371,8 +373,6 @@ func (in *instrumentedService) ListImages(ctx context.Context, r *runtime.ListIm
+ log.G(ctx).Tracef("ListImages with filter %+v", r.GetFilter())
+ defer func() {
+ if err != nil {
+- // Sanitize error to remove sensitive information
+- err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("ListImages with filter %+v failed", r.GetFilter())
+ } else {
+ log.G(ctx).Tracef("ListImages with filter %+v returns image list %+v",
+@@ -380,6 +380,10 @@ func (in *instrumentedService) ListImages(ctx context.Context, r *runtime.ListIm
+ }
+ }()
+ res, err = in.c.ListImages(ctrdutil.WithNamespace(ctx), r)
++ // Sanitize error to remove sensitive information from both logs and returned gRPC error
++ if err != nil {
++ err = ctrdutil.SanitizeError(err)
++ }
+ return res, errgrpc.ToGRPC(err)
+ }
+
+@@ -390,8 +394,6 @@ func (in *instrumentedService) ImageStatus(ctx context.Context, r *runtime.Image
+ log.G(ctx).Tracef("ImageStatus for %q", r.GetImage().GetImage())
+ defer func() {
+ if err != nil {
+- // Sanitize error to remove sensitive information
+- err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("ImageStatus for %q failed", r.GetImage().GetImage())
+ } else {
+ log.G(ctx).Tracef("ImageStatus for %q returns image status %+v",
+@@ -399,6 +401,10 @@ func (in *instrumentedService) ImageStatus(ctx context.Context, r *runtime.Image
+ }
+ }()
+ res, err = in.c.ImageStatus(ctrdutil.WithNamespace(ctx), r)
++ // Sanitize error to remove sensitive information from both logs and returned gRPC error
++ if err != nil {
++ err = ctrdutil.SanitizeError(err)
++ }
+ return res, errgrpc.ToGRPC(err)
+ }
+
+@@ -410,8 +416,6 @@ func (in *instrumentedService) RemoveImage(ctx context.Context, r *runtime.Remov
+ log.G(ctx).Infof("RemoveImage %q", r.GetImage().GetImage())
+ defer func() {
+ if err != nil {
+- // Sanitize error to remove sensitive information
+- err = ctrdutil.SanitizeError(err)
+ log.G(ctx).WithError(err).Errorf("RemoveImage %q failed", r.GetImage().GetImage())
+ } else {
+ log.G(ctx).Infof("RemoveImage %q returns successfully", r.GetImage().GetImage())
+@@ -419,6 +423,10 @@ func (in *instrumentedService) RemoveImage(ctx context.Context, r *runtime.Remov
+ span.RecordError(err)
+ }()
+ res, err := in.c.RemoveImage(ctrdutil.WithNamespace(ctx), r)
++ // Sanitize error to remove sensitive information from both logs and returned gRPC error
++ if err != nil {
++ err = ctrdutil.SanitizeError(err)
++ }
+ return res, errgrpc.ToGRPC(err)
+ }
+
+--
+2.45.4
+
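Review bot: sanitizeURL fails open: when url.Parse rejects the URL it returns rawURL unchanged, so a malformed URL that still carries `?sig=...` is logged and handed back to kubelet verbatim — the opposite of what the accompanying comment ("malformed URLs shouldn't leak tokens") suggests. A fail-closed fallback is short: `if i := strings.Index(rawURL, "?"); i >= 0 { return rawURL[:i] + "?[REDACTED]" }` before the `return rawURL`, with the comment reworded to say the whole query is dropped when parsing fails. Two scope limits also belong in SanitizeError's doc comment: only errors that wrap a *url.Error are touched (an error whose message embeds the URL as plain text passes straight through), and Unwrap hands back the unredacted original, so any consumer that formats the chain rather than calling Error() can still expose the secret; userinfo in the URL is likewise left untouched. The instrumented_service.go changes in the second patch are consistent across the four methods.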
diff --git a/SPECS/containerized-data-importer/CVE-2022-2879.patch b/SPECS/containerized-data-importer/CVE-2022-2879.patch
deleted file mode 100644
index c24bd58e3a..0000000000
--- a/SPECS/containerized-data-importer/CVE-2022-2879.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 042465900fcbb246c602c856ccd924ddf093947e Mon Sep 17 00:00:00 2001
-From: Muhammad Falak R Wani
-Date: Tue, 9 Jul 2024 19:27:30 +0530
-Subject: [PATCH] archive/tar: limit size of headers
-
-Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
-GNU link names), to avoid reading arbitrarily large amounts of data
-into memory.
-
-Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
-this issue.
-
-Fixes CVE-2022-2879
-Updates #54853
-Fixes #55925
-
-Signed-off-by: Muhammad Falak R Wani
-Signed-off-by: Thien Trung Vuong
----
- .../vbatts/tar-split/archive/tar/format.go | 4 ++++
- .../vbatts/tar-split/archive/tar/reader.go | 14 ++++++++++++--
- .../vbatts/tar-split/archive/tar/writer.go | 3 +++
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/format.go b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
-index 1f89d0c..6097798 100644
---- a/vendor/github.com/vbatts/tar-split/archive/tar/format.go
-+++ b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
-@@ -143,6 +143,10 @@ const (
- blockSize = 512 // Size of each block in a tar stream
- nameSize = 100 // Max length of the name field in USTAR format
- prefixSize = 155 // Max length of the prefix field in USTAR format
-+
-+ // Max length of a special file (PAX header, GNU long name or link).
-+ // This matches the limit used by libarchive.
-+ maxSpecialFileSize = 1 << 20
- )
-
- // blockPadding computes the number of bytes needed to pad offset up to the
-diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
-index af006fc..2baa0d5 100644
---- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
-+++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
-@@ -139,7 +139,7 @@ func (tr *Reader) next() (*Header, error) {
- continue // This is a meta header affecting the next header
- case TypeGNULongName, TypeGNULongLink:
- format.mayOnlyBe(FormatGNU)
-- realname, err := ioutil.ReadAll(tr)
-+ realname, err := readSpecialFile(tr)
- if err != nil {
- return nil, err
- }
-@@ -333,7 +333,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) {
- // parsePAX parses PAX headers.
- // If an extended header (type 'x') is invalid, ErrHeader is returned
- func parsePAX(r io.Reader) (map[string]string, error) {
-- buf, err := ioutil.ReadAll(r)
-+ buf, err := readSpecialFile(r)
- if err != nil {
- return nil, err
- }
-@@ -884,6 +884,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) {
- return n, err
- }
-
-+// readSpecialFile is like io.ReadAll except it returns
-+// ErrFieldTooLong if more than maxSpecialFileSize is read.
-+func readSpecialFile(r io.Reader) ([]byte, error) {
-+ buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
-+ if len(buf) > maxSpecialFileSize {
-+ return nil, ErrFieldTooLong
-+ }
-+ return buf, err
-+}
-+
- // discard skips n bytes in r, reporting an error if unable to do so.
- func discard(tr *Reader, n int64) error {
- var seekSkipped, copySkipped int64
-diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/writer.go b/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
-index e80498d..893eac0 100644
---- a/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
-+++ b/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
-@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error {
- flag = TypeXHeader
- }
- data := buf.String()
-+ if len(data) > maxSpecialFileSize {
-+ return ErrFieldTooLong
-+ }
- if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
- return err // Global headers return here
- }
---
-2.40.1
-
diff --git a/SPECS/containerized-data-importer/CVE-2023-39325.patch b/SPECS/containerized-data-importer/CVE-2023-39325.patch
deleted file mode 100644
index e0085e416d..0000000000
--- a/SPECS/containerized-data-importer/CVE-2023-39325.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
-index 8cb14f3..6000140 100644
---- a/vendor/golang.org/x/net/http2/server.go
-+++ b/vendor/golang.org/x/net/http2/server.go
-@@ -581,9 +581,11 @@ type serverConn struct {
- advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
- curClientStreams uint32 // number of open streams initiated by the client
- curPushedStreams uint32 // number of open streams initiated by server push
-+ curHandlers uint32 // number of running handler goroutines
- maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
- maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
- streams map[uint32]*stream
-+ unstartedHandlers []unstartedHandler
- initialStreamSendWindowSize int32
- maxFrameSize int32
- peerMaxHeaderListSize uint32 // zero means unknown (default)
-@@ -981,6 +983,8 @@ func (sc *serverConn) serve() {
- return
- case gracefulShutdownMsg:
- sc.startGracefulShutdownInternal()
-+ case handlerDoneMsg:
-+ sc.handlerDone()
- default:
- panic("unknown timer")
- }
-@@ -1028,6 +1032,7 @@ var (
- idleTimerMsg = new(serverMessage)
- shutdownTimerMsg = new(serverMessage)
- gracefulShutdownMsg = new(serverMessage)
-+ handlerDoneMsg = new(serverMessage)
- )
-
- func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
-@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
- }
- }
-
-- go sc.runHandler(rw, req, handler)
-- return nil
-+ return sc.scheduleHandler(id, rw, req, handler)
- }
-
- func (sc *serverConn) upgradeRequest(req *http.Request) {
-@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) {
- sc.conn.SetReadDeadline(time.Time{})
- }
-
-+ // This is the first request on the connection,
-+ // so start the handler directly rather than going
-+ // through scheduleHandler.
-+ sc.curHandlers++
- go sc.runHandler(rw, req, sc.handler.ServeHTTP)
- }
-
-@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response
- return &responseWriter{rws: rws}
- }
-
-+type unstartedHandler struct {
-+ streamID uint32
-+ rw *responseWriter
-+ req *http.Request
-+ handler func(http.ResponseWriter, *http.Request)
-+}
-+
-+// scheduleHandler starts a handler goroutine,
-+// or schedules one to start as soon as an existing handler finishes.
-+func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
-+ sc.serveG.check()
-+ maxHandlers := sc.advMaxStreams
-+ if sc.curHandlers < maxHandlers {
-+ sc.curHandlers++
-+ go sc.runHandler(rw, req, handler)
-+ return nil
-+ }
-+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
-+ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
-+ }
-+ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
-+ streamID: streamID,
-+ rw: rw,
-+ req: req,
-+ handler: handler,
-+ })
-+ return nil
-+}
-+
-+func (sc *serverConn) handlerDone() {
-+ sc.serveG.check()
-+ sc.curHandlers--
-+ i := 0
-+ maxHandlers := sc.advMaxStreams
-+ for ; i < len(sc.unstartedHandlers); i++ {
-+ u := sc.unstartedHandlers[i]
-+ if sc.streams[u.streamID] == nil {
-+ // This stream was reset before its goroutine had a chance to start.
-+ continue
-+ }
-+ if sc.curHandlers >= maxHandlers {
-+ break
-+ }
-+ sc.curHandlers++
-+ go sc.runHandler(u.rw, u.req, u.handler)
-+ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
-+ }
-+ sc.unstartedHandlers = sc.unstartedHandlers[i:]
-+ if len(sc.unstartedHandlers) == 0 {
-+ sc.unstartedHandlers = nil
-+ }
-+}
-+
- // Run on its own goroutine.
- func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
-+ defer sc.sendServeMsg(handlerDoneMsg)
- didPanic := true
- defer func() {
- rw.rws.stream.cancelCtx()
diff --git a/SPECS/containerized-data-importer/CVE-2023-3978.patch b/SPECS/containerized-data-importer/CVE-2023-3978.patch
deleted file mode 100644
index 6a3c1192b1..0000000000
--- a/SPECS/containerized-data-importer/CVE-2023-3978.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 5abbff46d6a70d0e31b41ce98cddaa08cc911e3f Mon Sep 17 00:00:00 2001
-From: Sudipta Pandit
-Date: Wed, 5 Feb 2025 20:58:22 +0530
-Subject: [PATCH] Backport fix for CVE-2023-3978
-
-Reference: https://go-review.googlesource.com/c/net/+/514896
----
- vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++++++++----
- 1 file changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
-index 497e132..1da09c8 100644
---- a/vendor/golang.org/x/net/html/render.go
-+++ b/vendor/golang.org/x/net/html/render.go
-@@ -194,9 +194,8 @@ func render1(w writer, n *Node) error {
- }
- }
-
-- // Render any child nodes.
-- switch n.Data {
-- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
-+ // Render any child nodes
-+ if childTextNodesAreLiteral(n) {
- for c := n.FirstChild; c != nil; c = c.NextSibling {
- if c.Type == TextNode {
- if _, err := w.WriteString(c.Data); err != nil {
-@@ -213,7 +212,7 @@ func render1(w writer, n *Node) error {
- // last element in the file, with no closing tag.
- return plaintextAbort
- }
-- default:
-+ } else {
- for c := n.FirstChild; c != nil; c = c.NextSibling {
- if err := render1(w, c); err != nil {
- return err
-@@ -231,6 +230,27 @@ func render1(w writer, n *Node) error {
- return w.WriteByte('>')
- }
-
-+func childTextNodesAreLiteral(n *Node) bool {
-+ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
-+ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
-+ // current node is a text node, append the value of the node's data
-+ // literally. The specification is not explicit about it, but we only
-+ // enforce this if we are in the HTML namespace (i.e. when the namespace is
-+ // "").
-+ // NOTE: we also always include noscript elements, although the
-+ // specification states that they should only be rendered as such if
-+ // scripting is enabled for the node (which is not something we track).
-+ if n.Namespace != "" {
-+ return false
-+ }
-+ switch n.Data {
-+ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
-+ return true
-+ default:
-+ return false
-+ }
-+}
-+
- // writeQuoted writes s to w surrounded by quotes. Normally it will use double
- // quotes, but if s contains a double quote, it will use single quotes.
- // It is used for writing the identifiers in a doctype declaration.
---
-2.34.1
-
diff --git a/SPECS/containerized-data-importer/CVE-2023-44487.patch b/SPECS/containerized-data-importer/CVE-2023-44487.patch
deleted file mode 100644
index ee2a818f28..0000000000
--- a/SPECS/containerized-data-importer/CVE-2023-44487.patch
+++ /dev/null
@@ -1,258 +0,0 @@
-diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
-index 3dd1564..9d9a3fd 100644
---- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
-+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
-@@ -165,15 +165,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
- ID: http2.SettingMaxFrameSize,
- Val: http2MaxFrameLen,
- }}
-- // TODO(zhaoq): Have a better way to signal "no limit" because 0 is
-- // permitted in the HTTP2 spec.
-- maxStreams := config.MaxStreams
-- if maxStreams == 0 {
-- maxStreams = math.MaxUint32
-- } else {
-+ if config.MaxStreams != math.MaxUint32 {
- isettings = append(isettings, http2.Setting{
- ID: http2.SettingMaxConcurrentStreams,
-- Val: maxStreams,
-+ Val: config.MaxStreams,
- })
- }
- dynamicWindow := true
-@@ -252,7 +247,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
- framer: framer,
- readerDone: make(chan struct{}),
- writerDone: make(chan struct{}),
-- maxStreams: maxStreams,
-+ maxStreams: config.MaxStreams,
- inTapHandle: config.InTapHandle,
- fc: &trInFlow{limit: uint32(icwz)},
- state: reachable,
-diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
-index f4dde72..98839ad 100644
---- a/vendor/google.golang.org/grpc/server.go
-+++ b/vendor/google.golang.org/grpc/server.go
-@@ -43,7 +43,6 @@ import (
- "google.golang.org/grpc/internal"
- "google.golang.org/grpc/internal/binarylog"
- "google.golang.org/grpc/internal/channelz"
-- "google.golang.org/grpc/internal/grpcrand"
- "google.golang.org/grpc/internal/grpcsync"
- "google.golang.org/grpc/internal/transport"
- "google.golang.org/grpc/keepalive"
-@@ -74,10 +73,10 @@ func init() {
- srv.drainServerTransports(addr)
- }
- internal.AddGlobalServerOptions = func(opt ...ServerOption) {
-- extraServerOptions = append(extraServerOptions, opt...)
-+ globalServerOptions = append(globalServerOptions, opt...)
- }
- internal.ClearGlobalServerOptions = func() {
-- extraServerOptions = nil
-+ globalServerOptions = nil
- }
- internal.BinaryLogger = binaryLogger
- internal.JoinServerOptions = newJoinServerOption
-@@ -115,12 +114,6 @@ type serviceInfo struct {
- mdata interface{}
- }
-
--type serverWorkerData struct {
-- st transport.ServerTransport
-- wg *sync.WaitGroup
-- stream *transport.Stream
--}
--
- // Server is a gRPC server to serve RPC requests.
- type Server struct {
- opts serverOptions
-@@ -145,7 +138,7 @@ type Server struct {
- channelzID *channelz.Identifier
- czData *channelzData
-
-- serverWorkerChannels []chan *serverWorkerData
-+ serverWorkerChannel chan func()
- }
-
- type serverOptions struct {
-@@ -177,13 +170,14 @@ type serverOptions struct {
- }
-
- var defaultServerOptions = serverOptions{
-+ maxConcurrentStreams: math.MaxUint32,
- maxReceiveMessageSize: defaultServerMaxReceiveMessageSize,
- maxSendMessageSize: defaultServerMaxSendMessageSize,
- connectionTimeout: 120 * time.Second,
- writeBufferSize: defaultWriteBufSize,
- readBufferSize: defaultReadBufSize,
- }
--var extraServerOptions []ServerOption
-+var globalServerOptions []ServerOption
-
- // A ServerOption sets options such as credentials, codec and keepalive parameters, etc.
- type ServerOption interface {
-@@ -387,6 +381,9 @@ func MaxSendMsgSize(m int) ServerOption {
- // MaxConcurrentStreams returns a ServerOption that will apply a limit on the number
- // of concurrent streams to each ServerTransport.
- func MaxConcurrentStreams(n uint32) ServerOption {
-+ if n == 0 {
-+ n = math.MaxUint32
-+ }
- return newFuncServerOption(func(o *serverOptions) {
- o.maxConcurrentStreams = n
- })
-@@ -565,42 +562,35 @@ const serverWorkerResetThreshold = 1 << 16
- // re-allocations (see the runtime.morestack problem [1]).
- //
- // [1] https://github.com/golang/go/issues/18138
--func (s *Server) serverWorker(ch chan *serverWorkerData) {
-- // To make sure all server workers don't reset at the same time, choose a
-- // random number of iterations before resetting.
-- threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold)
-- for completed := 0; completed < threshold; completed++ {
-- data, ok := <-ch
-+func (s *Server) serverWorker() {
-+ for completed := 0; completed < serverWorkerResetThreshold; completed++ {
-+ f, ok := <-s.serverWorkerChannel
- if !ok {
- return
- }
-- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
-- data.wg.Done()
-+ f()
- }
-- go s.serverWorker(ch)
-+ go s.serverWorker()
- }
-
- // initServerWorkers creates worker goroutines and channels to process incoming
- // connections to reduce the time spent overall on runtime.morestack.
- func (s *Server) initServerWorkers() {
-- s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers)
-+ s.serverWorkerChannel = make(chan func())
- for i := uint32(0); i < s.opts.numServerWorkers; i++ {
-- s.serverWorkerChannels[i] = make(chan *serverWorkerData)
-- go s.serverWorker(s.serverWorkerChannels[i])
-+ go s.serverWorker()
- }
- }
-
- func (s *Server) stopServerWorkers() {
-- for i := uint32(0); i < s.opts.numServerWorkers; i++ {
-- close(s.serverWorkerChannels[i])
-- }
-+ close(s.serverWorkerChannel)
- }
-
- // NewServer creates a gRPC server which has no service registered and has not
- // started to accept requests yet.
- func NewServer(opt ...ServerOption) *Server {
- opts := defaultServerOptions
-- for _, o := range extraServerOptions {
-+ for _, o := range globalServerOptions {
- o.apply(&opts)
- }
- for _, o := range opt {
-@@ -945,25 +935,26 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
- defer st.Close()
- var wg sync.WaitGroup
-
-- var roundRobinCounter uint32
-+ streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams)
- st.HandleStreams(func(stream *transport.Stream) {
- wg.Add(1)
-+
-+ streamQuota.acquire()
-+ f := func() {
-+ defer streamQuota.release()
-+ defer wg.Done()
-+ s.handleStream(st, stream, s.traceInfo(st, stream))
-+ }
-+
- if s.opts.numServerWorkers > 0 {
-- data := &serverWorkerData{st: st, wg: &wg, stream: stream}
- select {
-- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data:
-+ case s.serverWorkerChannel <- f:
-+ return
- default:
- // If all stream workers are busy, fallback to the default code path.
-- go func() {
-- s.handleStream(st, stream, s.traceInfo(st, stream))
-- wg.Done()
-- }()
- }
- } else {
-- go func() {
-- defer wg.Done()
-- s.handleStream(st, stream, s.traceInfo(st, stream))
-- }()
-+ go f()
- }
- }, func(ctx context.Context, method string) context.Context {
- if !EnableTracing {
-@@ -1978,3 +1969,34 @@ type channelzServer struct {
- func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric {
- return c.s.channelzMetric()
- }
-+
-+// atomicSemaphore implements a blocking, counting semaphore. acquire should be
-+// called synchronously; release may be called asynchronously.
-+type atomicSemaphore struct {
-+ n atomic.Int64
-+ wait chan struct{}
-+}
-+
-+func (q *atomicSemaphore) acquire() {
-+ if q.n.Add(-1) < 0 {
-+ // We ran out of quota. Block until a release happens.
-+ <-q.wait
-+ }
-+}
-+
-+func (q *atomicSemaphore) release() {
-+ // N.B. the "<= 0" check below should allow for this to work with multiple
-+ // concurrent calls to acquire, but also note that with synchronous calls to
-+ // acquire, as our system does, n will never be less than -1. There are
-+ // fairness issues (queuing) to consider if this was to be generalized.
-+ if q.n.Add(1) <= 0 {
-+ // An acquire was waiting on us. Unblock it.
-+ q.wait <- struct{}{}
-+ }
-+}
-+
-+func newHandlerQuota(n uint32) *atomicSemaphore {
-+ a := &atomicSemaphore{wait: make(chan struct{}, 1)}
-+ a.n.Store(int64(n))
-+ return a
-+}
-\ No newline at end of file
-diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
-index d738725..3674914 100644
---- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
-+++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
-@@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct {
- // OnError will block if it is called more often than the embedded period time.
- // This will prevent overly tight hot error loops.
- func (r *rudimentaryErrorBackoff) OnError(error) {
-+ now := time.Now() // start the timer before acquiring the lock
- r.lastErrorTimeLock.Lock()
-- defer r.lastErrorTimeLock.Unlock()
-- d := time.Since(r.lastErrorTime)
-- if d < r.minPeriod {
-- // If the time moves backwards for any reason, do nothing
-- time.Sleep(r.minPeriod - d)
-- }
-+ d := now.Sub(r.lastErrorTime)
- r.lastErrorTime = time.Now()
-+ r.lastErrorTimeLock.Unlock()
-+
-+ // Do not sleep with the lock held because that causes all callers of HandleError to block.
-+ // We only want the current goroutine to block.
-+ // A negative or zero duration causes time.Sleep to return immediately.
-+ // If the time moves backwards for any reason, do nothing.
-+ time.Sleep(r.minPeriod - d)
- }
-
- // GetCaller returns the caller of the function that calls it.
diff --git a/SPECS/containerized-data-importer/CVE-2023-45288.patch b/SPECS/containerized-data-importer/CVE-2023-45288.patch
deleted file mode 100644
index 80eaa40216..0000000000
--- a/SPECS/containerized-data-importer/CVE-2023-45288.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Author: Damien Neil
-AuthorDate: 2024-01-10 13:41:39 -0800
-Commit: Gopher Robot
-CommitDate: 2024-04-03 17:06:00 +0000
-
-[internal-branch.go1.21-vendor] http2: close connections when receiving too many headers
-
-Maintaining HPACK state requires that we parse and process
-all HEADERS and CONTINUATION frames on a connection.
-When a request's headers exceed MaxHeaderBytes, we don't
-allocate memory to store the excess headers but we do
-parse them. This permits an attacker to cause an HTTP/2
-endpoint to read arbitrary amounts of data, all associated
-with a request which is going to be rejected.
-
-Set a limit on the amount of excess header frames we
-will process before closing a connection.
-
-Thanks to Bartek Nowotarski for reporting this issue.
-
-Fixes CVE-2023-45288
-For golang/go#65051
-
-Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
-Reviewed-by: Roland Shoemaker
-Reviewed-by: Tatiana Bradley
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197243
-Run-TryBot: Damien Neil
-Reviewed-by: Dmitri Shuralyov
-Reviewed-on: https://go-review.googlesource.com/c/net/+/576057
-LUCI-TryBot-Result: Go LUCI
-Auto-Submit: Dmitri Shuralyov
-
-diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
-index c1f6b90..175c154 100644
---- a/vendor/golang.org/x/net/http2/frame.go
-+++ b/vendor/golang.org/x/net/http2/frame.go
-@@ -1565,6 +1565,7 @@
- if size > remainSize {
- hdec.SetEmitEnabled(false)
- mh.Truncated = true
-+ remainSize = 0
- return
- }
- remainSize -= size
-@@ -1577,6 +1578,36 @@
- var hc headersOrContinuation = hf
- for {
- frag := hc.HeaderBlockFragment()
-+
-+ // Avoid parsing large amounts of headers that we will then discard.
-+ // If the sender exceeds the max header list size by too much,
-+ // skip parsing the fragment and close the connection.
-+ //
-+ // "Too much" is either any CONTINUATION frame after we've already
-+ // exceeded the max header list size (in which case remainSize is 0),
-+ // or a frame whose encoded size is more than twice the remaining
-+ // header list bytes we're willing to accept.
-+ if int64(len(frag)) > int64(2*remainSize) {
-+ if VerboseLogs {
-+ log.Printf("http2: header list too large")
-+ }
-+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
-+ // but the struture of the server's frame writer makes this difficult.
-+ return nil, ConnectionError(ErrCodeProtocol)
-+ }
-+
-+ // Also close the connection after any CONTINUATION frame following an
-+ // invalid header, since we stop tracking the size of the headers after
-+ // an invalid one.
-+ if invalid != nil {
-+ if VerboseLogs {
-+ log.Printf("http2: invalid header: %v", invalid)
-+ }
-+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
-+ // but the struture of the server's frame writer makes this difficult.
-+ return nil, ConnectionError(ErrCodeProtocol)
-+ }
-+
- if _, err := hdec.Write(frag); err != nil {
- return nil, ConnectionError(ErrCodeCompression)
- }
diff --git a/SPECS/containerized-data-importer/CVE-2024-24786.patch b/SPECS/containerized-data-importer/CVE-2024-24786.patch
deleted file mode 100644
index 6c80204f5b..0000000000
--- a/SPECS/containerized-data-importer/CVE-2024-24786.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
-From: bala
-Date: Mon, 25 Nov 2024 16:47:53 +0000
-Subject: [PATCH] Vendor patch applied
-
----
- .../protobuf/encoding/protojson/decode.go | 12 ++++
- .../encoding/protojson/well_known_types.go | 59 +++++++------------
- .../protobuf/internal/encoding/json/decode.go | 2 +-
- 3 files changed, 33 insertions(+), 40 deletions(-)
-
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-index 5f28148..67fe4e7 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-@@ -11,6 +11,7 @@ import (
- "strconv"
- "strings"
-
-+ "google.golang.org/protobuf/encoding/protowire"
- "google.golang.org/protobuf/internal/encoding/json"
- "google.golang.org/protobuf/internal/encoding/messageset"
- "google.golang.org/protobuf/internal/errors"
-@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
- protoregistry.MessageTypeResolver
- protoregistry.ExtensionTypeResolver
- }
-+
-+ // RecursionLimit limits how deeply messages may be nested.
-+ // If zero, a default limit is applied.
-+ RecursionLimit int
- }
-
- // Unmarshal reads the given []byte and populates the given proto.Message
-@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
- if o.Resolver == nil {
- o.Resolver = protoregistry.GlobalTypes
- }
-+ if o.RecursionLimit == 0 {
-+ o.RecursionLimit = protowire.DefaultRecursionLimit
-+ }
-
- dec := decoder{json.NewDecoder(b), o}
- if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
-@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {
-
- // unmarshalMessage unmarshals a message into the given protoreflect.Message.
- func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
-+ d.opts.RecursionLimit--
-+ if d.opts.RecursionLimit < 0 {
-+ return errors.New("exceeded max recursion depth")
-+ }
- if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
- return unmarshal(d, m)
- }
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-index 6c37d41..4b177c8 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
- // Use another decoder to parse the unread bytes for @type field. This
- // avoids advancing a read from current decoder because the current JSON
- // object may contain the fields of the embedded type.
-- dec := decoder{d.Clone(), UnmarshalOptions{}}
-+ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
- tok, err := findTypeURL(dec)
- switch err {
- case errEmptyObject:
-@@ -308,48 +308,29 @@ Loop:
- // array) in order to advance the read to the next JSON value. It relies on
- // the decoder returning an error if the types are not in valid sequence.
- func (d decoder) skipJSONValue() error {
-- tok, err := d.Read()
-- if err != nil {
-- return err
-- }
-- // Only need to continue reading for objects and arrays.
-- switch tok.Kind() {
-- case json.ObjectOpen:
-- for {
-- tok, err := d.Read()
-- if err != nil {
-- return err
-- }
-- switch tok.Kind() {
-- case json.ObjectClose:
-- return nil
-- case json.Name:
-- // Skip object field value.
-- if err := d.skipJSONValue(); err != nil {
-- return err
-- }
-- }
-+ var open int
-+ for {
-+ tok, err := d.Read()
-+ if err != nil {
-+ return err
- }
--
-- case json.ArrayOpen:
-- for {
-- tok, err := d.Peek()
-- if err != nil {
-- return err
-- }
-- switch tok.Kind() {
-- case json.ArrayClose:
-- d.Read()
-- return nil
-- default:
-- // Skip array item.
-- if err := d.skipJSONValue(); err != nil {
-- return err
-- }
-+ switch tok.Kind() {
-+ case json.ObjectClose, json.ArrayClose:
-+ open--
-+ case json.ObjectOpen, json.ArrayOpen:
-+ open++
-+ if open > d.opts.RecursionLimit {
-+ return errors.New("exceeded max recursion depth")
- }
-+ case json.EOF:
-+ // This can only happen if there's a bug in Decoder.Read.
-+ // Avoid an infinite loop if this does happen.
-+ return errors.New("unexpected EOF")
-+ }
-+ if open == 0 {
-+ return nil
- }
- }
-- return nil
- }
-
- // unmarshalAnyValue unmarshals the given custom-type message from the JSON
-diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-index d043a6e..d2b3ac0 100644
---- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
-
- case ObjectClose:
- if len(d.openStack) == 0 ||
-- d.lastToken.kind == comma ||
-+ d.lastToken.kind&(Name|comma) != 0 ||
- d.openStack[len(d.openStack)-1] != ObjectOpen {
- return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
- }
---
-2.39.4
-
diff --git a/SPECS/containerized-data-importer/CVE-2024-28180.patch b/SPECS/containerized-data-importer/CVE-2024-28180.patch
deleted file mode 100644
index 45d7246373..0000000000
--- a/SPECS/containerized-data-importer/CVE-2024-28180.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 886860405f81160c23e8e9e8c80694f094f0e104 Mon Sep 17 00:00:00 2001
-From: Kanishk Bansal
-Date: Wed, 29 Jan 2025 14:11:18 +0000
-Subject: [PATCH] Address CVE-2024-28180
-
----
- vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
- vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 +++++++++++++++----
- 2 files changed, 22 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
-index d24cabf..a628386 100644
---- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
-@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
- // Decrypt and validate the object and return the plaintext. Note that this
- // function does not support multi-recipient, if you desire multi-recipient
- // decryption use DecryptMulti instead.
-+//
-+// Automatically decompresses plaintext, but returns an error if the decompressed
-+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
- func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
- headers := obj.mergedHeaders(nil)
-
-@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
- // with support for multiple recipients. It returns the index of the recipient
- // for which the decryption was successful, the merged headers for that recipient,
- // and the plaintext.
-+//
-+// Automatically decompresses plaintext, but returns an error if the decompressed
-+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
- func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
- globalHeaders := obj.mergedHeaders(nil)
-
-diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
-index 70f7385..2b92116 100644
---- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
-@@ -21,6 +21,7 @@ import (
- "compress/flate"
- "encoding/base64"
- "encoding/binary"
-+ "fmt"
- "io"
- "math/big"
- "strings"
-@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
- }
- }
-
--// Compress with DEFLATE
-+// deflate compresses the input.
- func deflate(input []byte) ([]byte, error) {
- output := new(bytes.Buffer)
-
-@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) {
- return output.Bytes(), err
- }
-
--// Decompress with DEFLATE
-+// inflate decompresses the input.
-+//
-+// Errors if the decompressed data would be >250kB or >10x the size of the
-+// compressed data, whichever is larger.
- func inflate(input []byte) ([]byte, error) {
- output := new(bytes.Buffer)
- reader := flate.NewReader(bytes.NewBuffer(input))
-
-- _, err := io.Copy(output, reader)
-- if err != nil {
-+ maxCompressedSize := 10 * int64(len(input))
-+ if maxCompressedSize < 250000 {
-+ maxCompressedSize = 250000
-+ }
-+ limit := maxCompressedSize + 1
-+ n, err := io.CopyN(output, reader, limit)
-+ if err != nil && err != io.EOF {
- return nil, err
- }
-+ if n == limit {
-+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
-+ }
-
- err = reader.Close()
- return output.Bytes(), err
---
-2.43.0
-
diff --git a/SPECS/containerized-data-importer/CVE-2024-3727.patch b/SPECS/containerized-data-importer/CVE-2024-3727.patch
deleted file mode 100644
index 92f882851e..0000000000
--- a/SPECS/containerized-data-importer/CVE-2024-3727.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From ea14d57b98cc37decad0c39ccbafb27994274b47 Mon Sep 17 00:00:00 2001
-From: Brian Fjeldstad
-Date: Thu, 6 Jun 2024 21:13:36 +0000
-Subject: [PATCH] apply CVE-2024-3727 fix to v5.19.1
-
----
- vendor/github.com/containers/image/v5/docker/docker_client.go | 3 +++
- vendor/github.com/containers/image/v5/docker/docker_image.go | 8 ++++++--
- vendor/github.com/containers/image/v5/docker/docker_image_dest.go | 15 ++++++++++++---
- vendor/github.com/containers/image/v5/docker/docker_image_src.go | 19 +++++++++++++++++--
- vendor/github.com/containers/image/v5/docker/lookaside.go | 7 +++++--
- 5 files changed, 43 insertions(+), 9 deletions(-)
-
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
-index 833323b4..99bde923 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_client.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
-@@ -796,6 +796,9 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
- // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
- // using the original data structures.
- func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
-+ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters
-+ return nil, err
-+ }
- path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
- res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
- if err != nil {
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
-index c84bb37d..0076d229 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
-@@ -83,8 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
- if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
- return nil, err
- }
-- tags = append(tags, tagsHolder.Tags...)
--
-+ for _, tag := range tagsHolder.Tags {
-+ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
-+ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
-+ }
-+ tags = append(tags, tag)
-+ }
- link := res.Header.Get("Link")
- if link == "" {
- break
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-index e7af8f93..1096c56f 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-@@ -226,6 +226,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader,
- // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil);
- // it returns a non-nil error only on an unexpected failure.
- func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) {
-+ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters
-+ return false, -1, err
-+ }
- checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String())
- logrus.Debugf("Checking %s", checkPath)
- res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope)
-@@ -558,8 +561,11 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
-
- // NOTE: Keep this in sync with docs/signature-protocols.md!
- for i, signature := range signatures {
-- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-- err := d.putOneSignature(url, signature)
-+ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return err
-+ }
-+ err = d.putOneSignature(url, signature)
- if err != nil {
- return err
- }
-@@ -570,7 +576,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
- // is enough for dockerImageSource to stop looking for other signatures, so that
- // is sufficient.
- for i := len(signatures); ; i++ {
-- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-+ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return err
-+ }
- missing, err := d.c.deleteOneSignature(url)
- if err != nil {
- return err
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-index 314e9b39..43ca0c4f 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string {
- // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
- func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
- if instanceDigest != nil {
-+ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters
-+ return nil, "", err
-+ }
- return s.fetchManifest(ctx, instanceDigest.String())
- }
- err := s.ensureManifestIsLoaded(ctx)
-@@ -373,6 +376,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
- return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt")
- }
-
-+ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
-+ return nil, nil, err
-+ }
- path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
- logrus.Debugf("Downloading %s", path)
- res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil)
-@@ -425,6 +431,9 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
- }
- }
-
-+ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
-+ return nil, 0, err
-+ }
- path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
- logrus.Debugf("Downloading %s", path)
- res, err := s.c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
-@@ -486,7 +495,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst
- // NOTE: Keep this in sync with docs/signature-protocols.md!
- signatures := [][]byte{}
- for i := 0; ; i++ {
-- url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
-+ url, err := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return nil, err
-+ }
- signature, missing, err := s.getOneSignature(ctx, url)
- if err != nil {
- return nil, err
-@@ -627,7 +639,10 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
- }
-
- for i := 0; ; i++ {
-- url := signatureStorageURL(c.signatureBase, manifestDigest, i)
-+ url, err := signatureStorageURL(c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return err
-+ }
- missing, err := c.deleteOneSignature(url)
- if err != nil {
- return err
-diff --git a/vendor/github.com/containers/image/v5/docker/lookaside.go b/vendor/github.com/containers/image/v5/docker/lookaside.go
-index 515e5932..2e400c09 100644
---- a/vendor/github.com/containers/image/v5/docker/lookaside.go
-+++ b/vendor/github.com/containers/image/v5/docker/lookaside.go
-@@ -229,8 +229,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string {
- // signatureStorageURL returns an URL usable for accessing signature index in base with known manifestDigest.
- // base is not nil from the caller
- // NOTE: Keep this in sync with docs/signature-protocols.md!
--func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL {
-+func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) {
-+ if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly.
-+ return nil, err
-+ }
- url := *base
- url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
-- return &url
-+ return &url, nil
- }
---
-2.34.1
-
diff --git a/SPECS/containerized-data-importer/CVE-2024-45338.patch b/SPECS/containerized-data-importer/CVE-2024-45338.patch
deleted file mode 100644
index b1a7b33304..0000000000
--- a/SPECS/containerized-data-importer/CVE-2024-45338.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0c0cb82a7671b2aa12c5136ab9368245e3803985 Mon Sep 17 00:00:00 2001
-From: Rohit Rawat
-Date: Thu, 2 Jan 2025 10:22:13 +0000
-Subject: [PATCH] Fix CVE CVE-2024-45338 in containerized-data-importer
-
----
- .../vendor/golang.org/x/net/html/doctype.go | 2 +-
- .../vendor/golang.org/x/net/html/foreign.go | 3 +--
- .../vendor/golang.org/x/net/html/parse.go | 4 ++--
- 3 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
-index c484e5a..bca3ae9 100644
---- a/vendor/golang.org/x/net/html/doctype.go
-+++ b/vendor/golang.org/x/net/html/doctype.go
-@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
- }
- }
- if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
-+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
- quirks = true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
-index 9da9e9d..e8515d8 100644
---- a/vendor/golang.org/x/net/html/foreign.go
-+++ b/vendor/golang.org/x/net/html/foreign.go
-@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
- if n.Data == "annotation-xml" {
- for _, a := range n.Attr {
- if a.Key == "encoding" {
-- val := strings.ToLower(a.Val)
-- if val == "text/html" || val == "application/xhtml+xml" {
-+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
- return true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
-index 46a89ed..5b8374b 100644
---- a/vendor/golang.org/x/net/html/parse.go
-+++ b/vendor/golang.org/x/net/html/parse.go
-@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
- if p.tok.DataAtom == a.Input {
- for _, t := range p.tok.Attr {
- if t.Key == "type" {
-- if strings.ToLower(t.Val) == "hidden" {
-+ if strings.EqualFold(t.Val, "hidden") {
- // Skip setting framesetOK = false
- return true
- }
-@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
- return inHeadIM(p)
- case a.Input:
- for _, t := range p.tok.Attr {
-- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
-+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
- p.addElement()
- p.oe.pop()
- return true
---
-2.39.4
-
diff --git a/SPECS/containerized-data-importer/CVE-2025-22868.patch b/SPECS/containerized-data-importer/CVE-2025-22868.patch
deleted file mode 100644
index c4f136f3ca..0000000000
--- a/SPECS/containerized-data-importer/CVE-2025-22868.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Thu, 30 Jan 2025 14:10:09 -0500
-Subject: [PATCH] jws: split token into fixed number of parts
-
-Thanks to 'jub0bs' for reporting this issue.
-
-Fixes #71490
-Fixes CVE-2025-22868
-
-Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
-Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
-Auto-Submit: Gopher Robot
-Reviewed-by: Damien Neil
-Reviewed-by: Roland Shoemaker