Merge pull request #4438 from microsoft/sammeluch/merge-crit-high-cve-fixes

Merge High or Critical CVE Fixes to 2.0 for sqlite, python3, kernel, and nodejs and an update to k3s Vendor Tarball for Dependencies.

Author: sameluch

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.80.1
+Version:        5.15.82.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Dec 13 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.82.1-1
+- Auto-upgrade to 5.15.82.1
+
+* Wed Dec 07 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.81.1-1
+- Auto-upgrade to 5.15.81.1
+
 * Tue Nov 29 2022 Vince Perri <[email protected]> - 5.15.80.1-1
 - Original version for CBL-Mariner.
 - License verified

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.80.1
+Version:        5.15.82.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,15 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Dec 13 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.82.1-1
+- Auto-upgrade to 5.15.82.1
+
+* Wed Dec 07 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.81.1-1
+- Auto-upgrade to 5.15.81.1
+
+* Mon Dec 05 2022 Betty Lakes <[email protected]> - 5.15.80.1-2
+- Bump release to match kernel
+
 * Tue Nov 29 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.80.1-1
 - Auto-upgrade to 5.15.80.1
 

SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md

@@ -2047,6 +2047,8 @@
                 "livepatch-5.15.77.1-1.cm2-signed",
                 "livepatch-5.15.79.1-1.cm2",
                 "livepatch-5.15.80.1-1.cm2",
+                "livepatch-5.15.81.1-1.cm2",
+                "livepatch-5.15.82.1-1.cm2",
                 "livepatching",
                 "lld",
                 "local-path-provisioner",

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -7,6 +7,6 @@
     "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-5.15.80.1.tar.gz": "690c866bf52eb1afa660820d24893d799372b887963b3a6653551dea7a5466b5"
+    "kernel-5.15.82.1.tar.gz": "30a0059b18ea04469340c6e9e21d27786692faf05b3947e3eb13d62e25632b15"
   }
 }

SPECS/hyperv-daemons/hyperv-daemons.signatures.json

@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.15.80.1
+Version:        5.15.82.1
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -219,6 +219,12 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Tue Dec 13 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.82.1-1
+- Auto-upgrade to 5.15.82.1
+
+* Wed Dec 07 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.81.1-1
+- Auto-upgrade to 5.15.81.1
+
 * Tue Nov 29 2022 CBL-Mariner Servicing Account <[email protected]> - 5.15.80.1-1
 - Auto-upgrade to 5.15.80.1
 

SPECS/hyperv-daemons/hyperv-daemons.spec

@@ -1,6 +1,6 @@
 {
     "Signatures": {
-     "k3s-1.23.8-vendor.tar.gz": "3c96e864d0e89e318ecdd62e1750f787d1b622feeb240f7b86d9f3280447aeda",
+     "k3s-1.23.8-vendor.tar.gz": "f6a8ca7fac181a606cf2ef0f09947160ab6037885c08fc8855249c7976762d11",
      "k3s-1.23.8.tar.gz": "35ff7b3819cf9ff3b33497e335ccfd892a642acd4c5e4223585d225f11fe4b64"
     }
 }

SPECS/k3s/k3s-1.23.8.signatures.json

@@ -1,23 +1,23 @@
 Summary:        Lightweight Kubernetes
 Name:           k3s
 Version:        1.23.8
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Group:          System Environment/Base
 URL:            http://k3s.io
-Source0:        https://github.com/k3s-io/%{name}/archive/refs/tags/v%{version}+k3s1.tar.gz#/%{name}-%{version}.tar.gz
+Source0:        https://github.com/k3s-io/%{name}/archive/refs/tags/v%{version}+k3s2.tar.gz#/%{name}-%{version}.tar.gz
 # Below is a manually created tarball, no download link.
 # We're using pre-populated Go modules from this tarball, since network is disabled during build time.
 # We are also pre-cloning 3 git repositories
 # How to re-build this file:
-# 1. wget https://github.com/k3s-io/%%{name}/archive/refs/tags/v%%{version}+k3s1.tar.gz -O %%{name}-%%{version}.tar.gz
+# 1. wget https://github.com/k3s-io/%%{name}/archive/refs/tags/v%%{version}+k3s2.tar.gz -O %%{name}-%%{version}.tar.gz
 # 2. tar -xf %%{name}-%%{version}.tar.gz
-# 3. cd %%{name}-%%{version}-k3s1
+# 3. cd %%{name}-%%{version}-k3s2
 # 4. go mod vendor
 # 5. pushd vendor
-# 6. git clone https://github.com/k3s-io/containerd -b v1.5.13-k3s1
-# 7. git clone https://github.com/rancher/plugins.git -b k3s-v1.1.1
-# 8. git clone https://github.com/opencontainers/runc.git -b v1.1.2
+# 6. git clone --single-branch --branch="v1.5.13-k3s1" --depth=1 https://github.com/k3s-io/containerd
+# 7. git clone -b "v1.1.1-k3s1" https://github.com/rancher/plugins.git
+# 8. git clone --single-branch --branch="v1.1.2" --depth=1 https://github.com/opencontainers/runc
 # 9. popd
 # 10. tar -cf %%{name}-%%{version}-vendor.tar.gz vendor
 Source1:        %{name}-%{version}-vendor.tar.gz
@@ -79,6 +79,9 @@ exit 0
 %{install_sh}
 
 %changelog
+* Thu Dec 08 2022 Vinayak Gupta <[email protected]> - 1.23.8-3
+- Update the vendor tarball with the corrected versions of the dependencies
+
 * Tue Nov 01 2022 Olivia Crain <[email protected]> - 1.23.8-2
 - Bump release to rebuild with go 1.18.8
 
@@ -104,4 +107,4 @@ exit 0
 - Initial CBL-Mariner import from Rancher (license: ASL 2.0).
 
 * Mon Mar 2 2020 Erik Wilson <[email protected]> 0.1-1
-- Initial version
+- Initial version

SPECS/k3s/k3s-1.23.8.spec

@@ -1,6 +1,6 @@
 {
     "Signatures": {
-     "k3s-1.24.3-vendor.tar.gz": "af12595259cf8a732b687f8341526b680fbc9266c05e4d095f80c75d891a230f",
+     "k3s-1.24.3-vendor.tar.gz": "5a4b75cb7bcedc96900126e16df985c0c2c7e4e45ea759dd11d487ddcaf71c32",
      "k3s-1.24.3.tar.gz": "002fd919452e8fbc61182e1cbf90997a1f8b16a7b835e05e7c40bb52bf830f56"
     }
 }

SPECS/k3s/k3s-1.24.3.signatures.json

@@ -1,7 +1,7 @@
 Summary:        Lightweight Kubernetes
 Name:           k3s
 Version:        1.24.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Group:          System Environment/Base
 URL:            http://k3s.io
@@ -15,9 +15,9 @@ Source0:        https://github.com/k3s-io/%{name}/archive/refs/tags/v%{version}+
 # 3. cd %%{name}-%%{version}-k3s1
 # 4. go mod vendor
 # 5. pushd vendor
-# 6. git clone https://github.com/k3s.io/containerd.git -b 1.5.13-k3s1
-# 7. git clone https://github.com/rancher/plugins.git -b k3s-v1.1.1
-# 8. git clone https://github.com/opencontainers/runc.git -b v1.1.3
+# 6. git clone --single-branch --branch="v1.6.6-k3s1" --depth=1 https://github.com/k3s-io/containerd
+# 7. git clone -b "v1.1.1-k3s1" https://github.com/rancher/plugins.git
+# 8. git clone --single-branch --branch="v1.1.3" --depth=1 https://github.com/opencontainers/runc
 # 9. popd
 # 10. tar -cf %%{name}-%%{version}-vendor.tar.gz vendor
 Source1:        %{name}-%{version}-vendor.tar.gz
@@ -79,6 +79,9 @@ exit 0
 %{install_sh}
 
 %changelog
+* Thu Dec 08 2022 Vinayak Gupta <[email protected]> - 1.24.3-3
+- Update the vendor tarball with the corrected versions of the dependencies
+
 * Tue Nov 01 2022 Olivia Crain <[email protected]> - 1.24.3-2
 - Bump release to rebuild with go 1.18.8
 
@@ -107,4 +110,4 @@ exit 0
 - Initial CBL-Mariner import from Rancher (license: ASL 2.0).
 
 * Mon Mar 2 2020 Erik Wilson <[email protected]> 0.1-1
-- Initial version
+- Initial version