[AUTO-CHERRYPICK] [AutoPR- Security] Patch telegraf for CVE-2026-27571 [HIGH] - branch main (#16036)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/telegraf/CVE-2026-27571.patch

@@ -0,0 +1,97 @@
+From f5b9b962927afe19af3266201b1ebdf12611af11 Mon Sep 17 00:00:00 2001
+From: Ivan Kozlovic <ivan@synadia.com>
+Date: Mon, 8 Dec 2025 10:25:20 -0700
+Subject: [PATCH] Websocket: limit buffer size during decompression of a frame
+
+When the server would decompress a compressed websocket frame, it would
+not limit the resulting size of the uncompressed buffer. Once uncompressed
+the maximum payload size would still be used to reject messages that
+are too big, but the server would have already uncompressed a possibly
+very big buffer (if the frame contained highly compressed data).
+
+This PR limits the number of bytes that are being decompressed using
+the maximum payload size as a limit.
+
+Credit goes to:
+Pavel Kohout, Aisle Research (www.aisle.com) for reporting the issue
+and providing a path.
+
+The propose patched as been updated a bit (need to use atomic to
+use the connection's max payload value) and some tweaks around
+the use of the `io.LimitedReader`.
+
+Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nats-io/nats-server/commit/f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017.patch
+---
+ .../nats-server/v2/server/websocket.go        | 26 ++++++++++++++++---
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/websocket.go b/vendor/github.com/nats-io/nats-server/v2/server/websocket.go
+index e026674d..1804b4de 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/websocket.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/websocket.go
+@@ -31,6 +31,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 	"sync"
++	"sync/atomic"
+ 	"time"
+ 	"unicode/utf8"
+ 
+@@ -203,6 +204,7 @@ func (c *client) wsRead(r *wsReadInfo, ior io.Reader, buf []byte) ([][]byte, err
+ 		err    error
+ 		pos    int
+ 		max    = len(buf)
++		mpay   = int(atomic.LoadInt32(&c.mpay))
+ 	)
+ 	for pos != max {
+ 		if r.fs {
+@@ -316,7 +318,7 @@ func (c *client) wsRead(r *wsReadInfo, ior io.Reader, buf []byte) ([][]byte, err
+ 				// When we have the final frame and we have read the full payload,
+ 				// we can decompress it.
+ 				if r.ff && r.rem == 0 {
+-					b, err = r.decompress()
++					b, err = r.decompress(mpay)
+ 					if err != nil {
+ 						return bufs, err
+ 					}
+@@ -390,7 +392,16 @@ func (r *wsReadInfo) ReadByte() (byte, error) {
+ 	return b, nil
+ }
+ 
+-func (r *wsReadInfo) decompress() ([]byte, error) {
++// decompress decompresses the collected buffers.
++// The size of the decompressed buffer will be limited to the `mpay` value.
++// If, while decompressing, the resulting uncompressed buffer exceeds this
++// limit, the decompression stops and an empty buffer and the ErrMaxPayload
++// error are returned.
++func (r *wsReadInfo) decompress(mpay int) ([]byte, error) {
++	// If not limit is specified, use the default maximum payload size.
++	if mpay <= 0 {
++		mpay = MAX_PAYLOAD_SIZE
++	}
+ 	r.coff = 0
+ 	// As per https://tools.ietf.org/html/rfc7692#section-7.2.2
+ 	// add 0x00, 0x00, 0xff, 0xff and then a final block so that flate reader
+@@ -405,8 +416,15 @@ func (r *wsReadInfo) decompress() ([]byte, error) {
+ 	} else {
+ 		d.(flate.Resetter).Reset(r, nil)
+ 	}
+-	// This will do the decompression.
+-	b, err := io.ReadAll(d)
++	// Use a LimitedReader to limit the decompressed size.
++	// We use "limit+1" bytes for "N" so we can detect if the limit is exceeded.
++	lr := io.LimitedReader{R: d, N: int64(mpay + 1)}
++	b, err := io.ReadAll(&lr)
++	if err == nil && len(b) > mpay {
++		// Decompressed data exceeds the maximum payload size.
++		b, err = nil, ErrMaxPayload
++	}
++	lr.R = nil
+ 	decompressorPool.Put(d)
+ 	// Now reset the compressed buffers list.
+ 	r.cbufs = nil
+-- 
+2.45.4
+

SPECS/telegraf/telegraf.spec

@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,11 +28,12 @@ Patch14:        CVE-2024-51744.patch
 Patch15:        CVE-2025-30215.patch
 Patch16:        CVE-2025-22872.patch
 Patch17:        CVE-2025-10543.patch
-Patch18:        CVE-2025-47911.patch
-Patch19:        CVE-2025-58190.patch
-Patch20:        CVE-2026-2303.patch
-Patch21:        CVE-2026-26014.patch
-Patch22:        CVE-2025-11065.patch
+Patch18:        CVE-2026-27571.patch
+Patch19:        CVE-2025-47911.patch
+Patch20:        CVE-2025-58190.patch
+Patch21:        CVE-2026-2303.patch
+Patch22:        CVE-2026-26014.patch
+Patch23:        CVE-2025-11065.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -103,12 +104,15 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
-* Tue Feb 17 2026 Akhila Guruju <v-guakhila@microsoft.com> - 1.29.4-20
+* Tue Feb 17 2026 Akhila Guruju <v-guakhila@microsoft.com> - 1.29.4-21
 - Patch CVE-2025-11065
 
-* Mon Feb 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.29.4-19
+* Mon Feb 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.29.4-20
 - Patch for CVE-2026-26014, CVE-2026-2303, CVE-2025-58190, CVE-2025-47911
 
+* Fri Feb 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.29.4-19
+- Patch for CVE-2026-27571
+
 * Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.29.4-18
 - Patch for CVE-2025-10543