Merge PR "[AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade munge to 0.5.18 for CVE-2026-25506 - branch main" #15927

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 4 people

SPECS/munge/munge.signatures.json

@@ -1,7 +1,7 @@
 {
- "Signatures": {
-  "create-munge-key": "faf294f275027c9165524daa17e862ae7e28cb32aed5f9c452d9bd37065ccebe",
-  "munge-0.5.13.tar.xz": "99753dfd06a4f063c36f3fb0eb1964f394feb649937d94c4734d85b7964144da",
-  "munge.logrotate": "f8443edd07c98e0e3c9178c93a0a35e1c690cf3b6fbdb33508b34871657a9879"
- }
-}
+  "Signatures": {
+    "create-munge-key": "faf294f275027c9165524daa17e862ae7e28cb32aed5f9c452d9bd37065ccebe",
+    "munge.logrotate": "f8443edd07c98e0e3c9178c93a0a35e1c690cf3b6fbdb33508b34871657a9879",
+    "munge-0.5.18.tar.xz": "39c3ec6ef5604bfa206e8aa10fc05d5119040f6de4a554bc0fb98ca1aed838dc"
+  }
+}

SPECS/munge/munge.spec

@@ -1,7 +1,7 @@
 Summary:        Enables uid & gid authentication across a host cluster
 Name:           munge
-Version:        0.5.13
-Release:        9%{?dist}
+Version:        0.5.18
+Release:        1%{?dist}
 # The libs and devel package is GPLv3+ and LGPLv3+ where as the main package is GPLv3 only.
 License:        GPLv3+ AND LGPLv3+
 Vendor:         Microsoft Corporation
@@ -53,7 +53,6 @@ cp -p %{SOURCE2} munge.logrotate
 
 %build
 %configure  --disable-static --with-crypto-lib=openssl
-echo "d /run/munge 0755 munge munge -" > src/etc/munge.tmpfiles.conf.in
 # Get rid of some rpaths for /usr/sbin
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@@ -68,21 +67,17 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 install -p -m 755 create-munge-key %{buildroot}/%{_sbindir}/create-munge-key
 install -p -D -m 644 munge.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/munge
 
-# rm unneeded files.
-rm %{buildroot}/%{_sysconfdir}/sysconfig/munge
-rm %{buildroot}/%{_initddir}/munge
-
 # Exclude .la files
 rm %{buildroot}/%{_libdir}/libmunge.la
 
-
 # Fix a few permissions
 chmod 700 %{buildroot}%{_sharedstatedir}/munge %{buildroot}%{_var}/log/munge
 chmod 700 %{buildroot}%{_sysconfdir}/munge
 
 # Create and empty key file and pid file to be marked as a ghost file below.
 # i.e it is not actually included in the rpm, only the record
 # of it is.
+mkdir -p  %{buildroot}%{_var}/run/munge/
 touch %{buildroot}%{_var}/run/munge/munged.pid
 mv %{buildroot}%{_var}/run %{buildroot}
 
@@ -110,30 +105,32 @@ exit 0
 %{_bindir}/unmunge
 %{_sbindir}/munged
 %{_sbindir}/create-munge-key
+%{_sbindir}/mungekey
 %{_mandir}/man1/munge.1.gz
 %{_mandir}/man1/remunge.1.gz
 %{_mandir}/man1/unmunge.1.gz
 %{_mandir}/man7/munge.7.gz
 %{_mandir}/man8/munged.8.gz
+%{_mandir}/man8/mungekey.8.gz
 %{_unitdir}/munge.service
 
 %attr(0700,munge,munge) %dir %{_var}/log/munge
 %attr(0700,munge,munge) %dir %{_sharedstatedir}/munge
 %attr(0700,munge,munge) %dir %{_sysconfdir}/munge
 %attr(0755,munge,munge) %dir /run/munge/
 %attr(0644,munge,munge) %ghost /run/munge/munged.pid
-
-%config(noreplace) %{_tmpfilesdir}/munge.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/munge
 %config(noreplace) %{_sysconfdir}/logrotate.d/munge
+%{_sysusersdir}/munge.conf
 
 %license COPYING COPYING.LESSER
 %doc AUTHORS
-%doc JARGON META NEWS QUICKSTART README
+%doc JARGON NEWS QUICKSTART README
 %doc doc
 
 %files libs
 %{_libdir}/libmunge.so.2
-%{_libdir}/libmunge.so.2.0.0
+%{_libdir}/libmunge.so.2.0.1
 
 %files devel
 %{_includedir}/munge.h
@@ -156,6 +153,9 @@ exit 0
 %{_mandir}/man3/munge_strerror.3.gz
 
 %changelog
+* Fri Feb 13 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.5.18-1
+- Auto-upgrade to 0.5.18 - for CVE-2026-25506
+
 * Mon Feb 06 2023 Riken Maharjan <rmaharjan@microsoft.com> - 0.5.13-9
 - Move from Extended to Core.
 - License verified.

cgmanifest.json

@@ -13773,8 +13773,8 @@
         "type": "other",
         "other": {
           "name": "munge",
-          "version": "0.5.13",
-          "downloadUrl": "https://github.com/dun/munge/releases/download/munge-0.5.13/munge-0.5.13.tar.xz"
+          "version": "0.5.18",
+          "downloadUrl": "https://github.com/dun/munge/releases/download/munge-0.5.18/munge-0.5.18.tar.xz"
         }
       }
     },