[AUTO-CHERRYPICK] Upgrade expat to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 - branch main (#10401)

Co-authored-by: Gary Swalling <31018813+gjswalling@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/expat/expat.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "expat-2.6.2.tar.bz2": "9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0"
+    "expat-2.6.3.tar.bz2": "b8baef92f328eebcf731f4d18103951c61fa8c8ec21d5ff4202fb6f2198aeb2d"
   }
 }

SPECS/expat/expat.spec

@@ -1,8 +1,8 @@
 %define         underscore_version %(echo %{version} | cut -d. -f1-3 --output-delimiter="_")
 Summary:        An XML parser library
 Name:           expat
-Version:        2.6.2
-Release:        2%{?dist}
+Version:        2.6.3
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -67,6 +67,9 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %{_libdir}/libexpat.so.1*
 
 %changelog
+* Mon Sep 09 2024 Gary Swalling <gaswal@microsoft.com> - 2.6.3-1
+- Upgrade to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+
 * Thu Mar 28 2024 Aditya Dubey <adityadubey@microsoft.com> - 2.6.2-2
 - Removed unnecessary "-p2" argument in "%%autosetup".
 

cgmanifest.json

@@ -3418,8 +3418,8 @@
         "type": "other",
         "other": {
           "name": "expat",
-          "version": "2.6.2",
-          "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_2/expat-2.6.2.tar.bz2"
+          "version": "2.6.3",
+          "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_3/expat-2.6.3.tar.bz2"
         }
       }
     },

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -95,9 +95,9 @@ elfutils-libelf-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-lang-0.186-2.cm2.aarch64.rpm
-expat-2.6.2-2.cm2.aarch64.rpm
-expat-devel-2.6.2-2.cm2.aarch64.rpm
-expat-libs-2.6.2-2.cm2.aarch64.rpm
+expat-2.6.3-1.cm2.aarch64.rpm
+expat-devel-2.6.3-1.cm2.aarch64.rpm
+expat-libs-2.6.3-1.cm2.aarch64.rpm
 libpipeline-1.5.5-3.cm2.aarch64.rpm
 libpipeline-devel-1.5.5-3.cm2.aarch64.rpm
 gdbm-1.21-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -95,9 +95,9 @@ elfutils-libelf-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-lang-0.186-2.cm2.x86_64.rpm
-expat-2.6.2-2.cm2.x86_64.rpm
-expat-devel-2.6.2-2.cm2.x86_64.rpm
-expat-libs-2.6.2-2.cm2.x86_64.rpm
+expat-2.6.3-1.cm2.x86_64.rpm
+expat-devel-2.6.3-1.cm2.x86_64.rpm
+expat-libs-2.6.3-1.cm2.x86_64.rpm
 libpipeline-1.5.5-3.cm2.x86_64.rpm
 libpipeline-devel-1.5.5-3.cm2.x86_64.rpm
 gdbm-1.21-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -73,10 +73,10 @@ elfutils-libelf-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-lang-0.186-2.cm2.aarch64.rpm
-expat-2.6.2-2.cm2.aarch64.rpm
-expat-debuginfo-2.6.2-2.cm2.aarch64.rpm
-expat-devel-2.6.2-2.cm2.aarch64.rpm
-expat-libs-2.6.2-2.cm2.aarch64.rpm
+expat-2.6.3-1.cm2.aarch64.rpm
+expat-debuginfo-2.6.3-1.cm2.aarch64.rpm
+expat-devel-2.6.3-1.cm2.aarch64.rpm
+expat-libs-2.6.3-1.cm2.aarch64.rpm
 file-5.40-2.cm2.aarch64.rpm
 file-debuginfo-5.40-2.cm2.aarch64.rpm
 file-devel-5.40-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -76,10 +76,10 @@ elfutils-libelf-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-lang-0.186-2.cm2.x86_64.rpm
-expat-2.6.2-2.cm2.x86_64.rpm
-expat-debuginfo-2.6.2-2.cm2.x86_64.rpm
-expat-devel-2.6.2-2.cm2.x86_64.rpm
-expat-libs-2.6.2-2.cm2.x86_64.rpm
+expat-2.6.3-1.cm2.x86_64.rpm
+expat-debuginfo-2.6.3-1.cm2.x86_64.rpm
+expat-devel-2.6.3-1.cm2.x86_64.rpm
+expat-libs-2.6.3-1.cm2.x86_64.rpm
 file-5.40-2.cm2.x86_64.rpm
 file-debuginfo-5.40-2.cm2.x86_64.rpm
 file-devel-5.40-2.cm2.x86_64.rpm