Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch telegraf for CVE-2026-4645 [HIGH] - branch main" #16328

CBL-Mariner-Bot · azurelinux-security · web-flow · commit 742fd10b394c · 2026-03-27T07:53:23.000-07:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
diff --git a/SPECS/telegraf/CVE-2026-4645.patch b/SPECS/telegraf/CVE-2026-4645.patch
@@ -0,0 +1,34 @@
+From b4b9caff8bff240da63db2ea2994e21fe9f65396 Mon Sep 17 00:00:00 2001
+From: zhengchun <zhengchunster@gmail.com>
+Date: Sat, 21 Feb 2026 21:32:17 +0800
+Subject: [PATCH] fix #121
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494.patch
+---
+ vendor/github.com/antchfx/xpath/query.go | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/vendor/github.com/antchfx/xpath/query.go b/vendor/github.com/antchfx/xpath/query.go
+index 4e6c6348..43fb4c24 100644
+--- a/vendor/github.com/antchfx/xpath/query.go
++++ b/vendor/github.com/antchfx/xpath/query.go
+@@ -704,15 +704,6 @@ type logicalQuery struct {
+ }
+ 
+ func (l *logicalQuery) Select(t iterator) NodeNavigator {
+-	// When a XPath expr is logical expression.
+-	node := t.Current().Copy()
+-	val := l.Evaluate(t)
+-	switch val.(type) {
+-	case bool:
+-		if val.(bool) == true {
+-			return node
+-		}
+-	}
+ 	return nil
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -34,6 +34,7 @@ Patch20:        CVE-2025-58190.patch
 Patch21:        CVE-2026-2303.patch
 Patch22:        CVE-2026-26014.patch
 Patch23:        CVE-2025-11065.patch
+Patch24:        CVE-2026-4645.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -104,6 +105,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Fri Mar 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.29.4-22
+- Patch for CVE-2026-4645
+
 * Tue Feb 17 2026 Akhila Guruju <v-guakhila@microsoft.com> - 1.29.4-21
 - Patch CVE-2025-11065
 
