-
Notifications
You must be signed in to change notification settings - Fork 548
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
102 additions
and
64 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| %global goroot %{_libdir}/golang | ||
| %global gopath %{_datadir}/gocode | ||
| %global ms_go_filename go1.22.7-20240905.3.src.tar.gz | ||
| %global ms_go_filename go1.22.8-20241001.6.src.tar.gz | ||
| %global ms_go_revision 1 | ||
| %ifarch aarch64 | ||
| %global gohostarch arm64 | ||
|
|
@@ -14,7 +14,7 @@ | |
| %define __find_requires %{nil} | ||
| Summary: Go | ||
| Name: msft-golang | ||
| Version: 1.22.7 | ||
| Version: 1.22.8 | ||
| Release: 1%{?dist} | ||
| License: BSD | ||
| Vendor: Microsoft Corporation | ||
|
|
@@ -153,6 +153,9 @@ fi | |
| %{_bindir}/* | ||
|
|
||
| %changelog | ||
| * Thu Oct 24 2024 CBL-Mariner Servicing Account <[email protected]> - 1.22.8-1 | ||
| - Auto-upgrade to 1.22.8 - To fix CVE-2022-41717 | ||
|
|
||
| * Mon Sep 09 2024 Henry Beberman <[email protected]> - 1.22.7-1 | ||
| - Bump version to 1.22.7 to address CVE-2024-34158, CVE-2024-34156, CVE-2024-34155 | ||
|
|
||
|
|
||
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| { | ||
| "Signatures": { | ||
| "mysql-boost-8.0.36.tar.gz": "429c5f69f3722e31807e74119d157a023277af210bfee513443cae60ebd2a86d" | ||
| } | ||
| } | ||
| "Signatures": { | ||
| "mysql-boost-8.0.40.tar.gz": "eb34a23d324584688199b4222242f4623ea7bca457a3191cd7a106c63a7837d9" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| Summary: MySQL. | ||
| Name: mysql | ||
| Version: 8.0.36 | ||
| Version: 8.0.40 | ||
| Release: 1%{?dist} | ||
| License: GPLv2 with exceptions AND LGPLv2 AND BSD | ||
| Vendor: Microsoft Corporation | ||
|
|
@@ -9,7 +9,6 @@ Group: Applications/Databases | |
| URL: https://www.mysql.com | ||
| Source0: https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz | ||
| Patch0: CVE-2012-5627.nopatch | ||
| Patch1: CVE-2023-46218.patch | ||
| BuildRequires: cmake | ||
| BuildRequires: libtirpc-devel | ||
| BuildRequires: openssl-devel | ||
|
|
@@ -98,6 +97,15 @@ fi | |
| %{_libdir}/pkgconfig/mysqlclient.pc | ||
|
|
||
| %changelog | ||
| * Fri Oct 18 2024 Sudipta Pandit <[email protected]> - 8.0.40-1 | ||
| - Upgrade to 8.0.40 to fix multiple CVEs -- CVE-2024-21193, CVE-2024-21194, CVE-2024-21162, CVE-2024-21157, CVE-2024-21130, | ||
| CVE-2024-20996, CVE-2024-21129, CVE-2024-21159, CVE-2024-21135, CVE-2024-21173, CVE-2024-21160, CVE-2024-21125, CVE-2024-21134, | ||
| CVE-2024-21127, CVE-2024-21142, CVE-2024-21166, CVE-2024-21163, CVE-2024-21203, CVE-2024-21219, CVE-2024-21247, CVE-2024-21237, | ||
| CVE-2024-21231, CVE-2024-21213, CVE-2024-21218, CVE-2024-21197, CVE-2024-21230, CVE-2024-21207, CVE-2024-21201, CVE-2024-21198, | ||
| CVE-2024-21238, CVE-2024-21196, CVE-2024-21239, CVE-2024-21199, CVE-2024-21241, CVE-2024-21236, CVE-2024-21212, CVE-2024-21096, | ||
| CVE-2024-21171, CVE-2024-21165, CVE-2023-46219 | ||
| - Remove patch for CVE-2023-46218 (fixed in 8.0.37) | ||
|
|
||
| * Tue Jun 18 2024 Archana Choudhary <[email protected]> - 8.0.36-1 | ||
| - Upgrade to 8.0.36 to fix 10 CVEs | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| From 926c72f641cd122e1e8fc9f92f0fea885d3c8ede Mon Sep 17 00:00:00 2001 | ||
| From: Mykhailo Bykhovtsev <[email protected]> | ||
| Date: Wed, 23 Oct 2024 16:13:23 -0700 | ||
| Subject: [PATCH] patch CVE-2022-25255 | ||
| Patch taken from https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff | ||
|
|
||
| --- | ||
| src/corelib/io/qprocess_unix.cpp | 28 +++++++++++++++------------- | ||
| 1 file changed, 15 insertions(+), 13 deletions(-) | ||
|
|
||
| diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp | ||
| index 7a2daa2a..29b771a1 100644 | ||
| --- a/src/corelib/io/qprocess_unix.cpp | ||
| +++ b/src/corelib/io/qprocess_unix.cpp | ||
| @@ -1,7 +1,7 @@ | ||
| /**************************************************************************** | ||
| ** | ||
| ** Copyright (C) 2016 The Qt Company Ltd. | ||
| -** Copyright (C) 2016 Intel Corporation. | ||
| +** Copyright (C) 2022 Intel Corporation. | ||
| ** Contact: https://www.qt.io/licensing/ | ||
| ** | ||
| ** This file is part of the QtCore module of the Qt Toolkit. | ||
| @@ -422,14 +422,15 @@ void QProcessPrivate::startProcess() | ||
| // Add the program name to the argument list. | ||
| argv[0] = nullptr; | ||
| if (!program.contains(QLatin1Char('/'))) { | ||
| + // findExecutable() returns its argument if it's an absolute path, | ||
| + // otherwise it searches $PATH; returns empty if not found (we handle | ||
| + // that case much later) | ||
| const QString &exeFilePath = QStandardPaths::findExecutable(program); | ||
| - if (!exeFilePath.isEmpty()) { | ||
| - const QByteArray &tmp = QFile::encodeName(exeFilePath); | ||
| - argv[0] = ::strdup(tmp.constData()); | ||
| - } | ||
| - } | ||
| - if (!argv[0]) | ||
| + const QByteArray &tmp = QFile::encodeName(exeFilePath); | ||
| + argv[0] = ::strdup(tmp.constData()); | ||
| + } else { | ||
| argv[0] = ::strdup(encodedProgramName.constData()); | ||
| + } | ||
|
|
||
| // Add every argument to the list | ||
| for (int i = 0; i < arguments.count(); ++i) | ||
| @@ -975,15 +976,16 @@ bool QProcessPrivate::startDetached(qint64 *pid) | ||
| envp = _q_dupEnvironment(environment.d.constData()->vars, &envc); | ||
| } | ||
|
|
||
| - QByteArray tmp; | ||
| if (!program.contains(QLatin1Char('/'))) { | ||
| + // findExecutable() returns its argument if it's an absolute path, | ||
| + // otherwise it searches $PATH; returns empty if not found (we handle | ||
| + // that case much later) | ||
| const QString &exeFilePath = QStandardPaths::findExecutable(program); | ||
| - if (!exeFilePath.isEmpty()) | ||
| - tmp = QFile::encodeName(exeFilePath); | ||
| + const QByteArray &tmp = QFile::encodeName(exeFilePath); | ||
| + argv[0] = ::strdup(tmp.constData()); | ||
| + } else { | ||
| + argv[0] = ::strdup(QFile::encodeName(program)); | ||
| } | ||
| - if (tmp.isEmpty()) | ||
| - tmp = QFile::encodeName(program); | ||
| - argv[0] = tmp.data(); | ||
|
|
||
| if (envp) | ||
| qt_safe_execve(argv[0], argv, envp); | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,7 +33,7 @@ | |
| Name: qt5-qtbase | ||
| Summary: Qt5 - QtBase components | ||
| Version: 5.12.11 | ||
| Release: 13%{?dist} | ||
| Release: 14%{?dist} | ||
| # See LICENSE.GPL3-EXCEPT.txt, for exception details | ||
| License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 | ||
| Vendor: Microsoft Corporation | ||
|
|
@@ -163,6 +163,8 @@ Patch90: CVE-2022-25643.patch | |
| Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch | ||
| Patch92: CVE-2024-39936.patch | ||
|
|
||
| Patch93: CVE-2022-25255.patch | ||
|
|
||
| # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. | ||
| # Those themes are there for platform integration. If the required libraries are | ||
| # not there, the platform to integrate with isn't either. Then Qt will just | ||
|
|
@@ -276,6 +278,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. | |
| %patch90 -p1 | ||
| %patch91 -p1 | ||
| %patch92 -p1 | ||
| %patch93 -p1 | ||
|
|
||
| ## upstream patches | ||
|
|
||
|
|
@@ -781,6 +784,9 @@ fi | |
| %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake | ||
|
|
||
| %changelog | ||
| * Wed Oct 23 2024 Mykhailo Bykhovtsev <[email protected]> - 5.12.11-14 | ||
| - Add patch to resolve CVE-2022-25255. | ||
|
|
||
| * Wed Aug 07 2024 Sumedh Sharma <[email protected]> - 5.12.11-13 | ||
| - Add patch to resolve CVE-2024-39936. | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters