[AUTO-CHERRYPICK] Patch to go related modules to address CVE-2021-44716 - branch main (#7839)

Co-authored-by: nicolas guibourge <nicogbg@gmail.com>
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Nan Liu <liunan@microsoft.com>
Co-authored-by: Nan Liu <108544011+liunan-ms@users.noreply.github.com>
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>

Author: 6 people

SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec

@@ -25,11 +25,10 @@ Source0:        %{name}-%{version}.tar.gz
 #
 Source1:        %{name}-%{version}-vendor.tar.gz
 
-# patches for vendored code >= 1000
 # If upstream ever upgrades client_goland to 1.11.1, we can get rid of this patch.
-Patch1000:      CVE-2022-21698.patch
-Patch1001:      CVE-2023-44487.patch
-Patch1002:      CVE-2021-44716.patch
+Patch0:         CVE-2022-21698.patch
+Patch1:         CVE-2023-44487.patch
+Patch2:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.13
 %if %{with_check}

SPECS/cf-cli/cf-cli.spec

@@ -27,10 +27,8 @@ Source0:        https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        cli-%{version}-vendor.tar.gz
-
-# patches for vendored code >= 1000
-Patch1000:      CVE-2023-44487.patch
-Patch1001:      CVE-2021-44716.patch
+Patch0:         CVE-2023-44487.patch
+Patch1:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.18.3
 %global debug_package %{nil}

SPECS/csi-driver-lvm/csi-driver-lvm.spec

@@ -20,8 +20,7 @@ Source0:        https://github.com/metal-stack/%{name}/archive/refs/tags/v%{vers
 #           -cf %%{name}-%%{version}-govendor.tar.gz vendor
 Source1:        %{name}-%{version}-govendor.tar.gz
 
-# patches for vendored code >= 1000
-Patch1000:      CVE-2021-44716.patch
+Patch0:         CVE-2021-44716.patch
 
 BuildRequires:  golang
 Requires:       %{name}-csi-lvmplugin-provisioner

SPECS/git-lfs/git-lfs.spec

@@ -28,10 +28,8 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
-
-# patches for vendored code >= 1000
-Patch1000:     CVE-2023-44487.patch
-Patch1001:     CVE-2021-44716.patch
+Patch0:        CVE-2023-44487.patch
+Patch1:        CVE-2021-44716.patch
 
 BuildRequires: golang
 BuildRequires: which

SPECS/jx/jx.spec

@@ -27,10 +27,8 @@ Source0:        https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
-
-# patches for vendored code >= 1000
-Patch1000:      CVE-2023-44487.patch
-Patch1001:      CVE-2021-44716.patch
+Patch0:         CVE-2023-44487.patch
+Patch1:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.17.1
 %global debug_package %{nil}

SPECS/keda/keda.spec

@@ -29,10 +29,8 @@ Source1:        %{name}-%{version}-vendor-v2.tar.gz
 # Patches the version of client_golang used in the vendored source. Should be applied before creating the vendored tarball.
 # Can be removed if we upgrade keda to 2.6.0 or later.
 Patch0:         CVE-2022-21698.patch
-
-# patches for vendored code >= 1000
-Patch1000:         CVE-2023-44487.patch
-Patch1001:         CVE-2021-44716.patch
+Patch1:         CVE-2023-44487.patch
+Patch2:         CVE-2021-44716.patch
 
 BuildRequires:  golang >= 1.15