[AUTO-CHERRYPICK] Patch telegraf for CVE-2025-30215 [CRITICAL] - branch main (#13490)

Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/telegraf/CVE-2025-30215.patch

@@ -0,0 +1,59 @@
+From 34400b7d4b30ab6320de6e860cba5fef7ef5ef98 Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Thu, 17 Apr 2025 19:50:26 +0530
+Subject: [PATCH] Fix CVE-2025-30215
+
+Upstream reference: https://github.com/nats-io/nats-server/commit/406f83666cc5e6ec1259684b2f883b2e30ffa147
+---
+ .../nats-io/nats-server/v2/server/jetstream_api.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/jetstream_api.go b/vendor/github.com/nats-io/nats-server/v2/server/jetstream_api.go
+index 99dd719f..b43b0f0d 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/jetstream_api.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/jetstream_api.go
+@@ -2297,6 +2297,9 @@ func (s *Server) jsLeaderServerRemoveRequest(sub *subscription, c *client, _ *Ac
+ 		s.Warnf(badAPIRequestT, msg)
+ 		return
+ 	}
++	if acc != s.SystemAccount() {
++		return
++	}
+ 
+ 	js, cc := s.getJetStreamCluster()
+ 	if js == nil || cc == nil || cc.meta == nil {
+@@ -2421,6 +2424,10 @@ func (s *Server) jsLeaderServerStreamMoveRequest(sub *subscription, c *client, _
+ 	accName := tokenAt(subject, 6)
+ 	streamName := tokenAt(subject, 7)
+ 
++	if acc.GetName() != accName && acc != s.SystemAccount() {
++		return
++	}
++
+ 	var resp = JSApiStreamUpdateResponse{ApiResponse: ApiResponse{Type: JSApiStreamUpdateResponseType}}
+ 
+ 	var req JSApiMetaServerStreamMoveRequest
+@@ -2577,6 +2584,10 @@ func (s *Server) jsLeaderServerStreamCancelMoveRequest(sub *subscription, c *cli
+ 	accName := tokenAt(subject, 6)
+ 	streamName := tokenAt(subject, 7)
+ 
++	if acc.GetName() != accName && acc != s.SystemAccount() {
++		return
++	}
++
+ 	targetAcc, ok := s.accounts.Load(accName)
+ 	if !ok {
+ 		resp.Error = NewJSNoAccountError()
+@@ -2663,6 +2674,9 @@ func (s *Server) jsLeaderAccountPurgeRequest(sub *subscription, c *client, _ *Ac
+ 		s.Warnf(badAPIRequestT, msg)
+ 		return
+ 	}
++	if acc != s.SystemAccount() {
++		return
++	}
+ 
+ 	js := s.getJetStream()
+ 	if js == nil {
+-- 
+2.34.1
+

SPECS/telegraf/telegraf.spec

@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,6 +25,7 @@ Patch11:        CVE-2025-27144.patch
 Patch12:        CVE-2025-30204.patch
 Patch13:        CVE-2025-22870.patch
 Patch14:        CVE-2024-51744.patch
+Patch15:        CVE-2025-30215.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -48,7 +49,7 @@ the community can easily add support for collecting metrics from well known serv
 Postgres, or Redis) and third party APIs (like Mailchimp, AWS CloudWatch, or Google Analytics).
 
 %prep
-%autosetup -a 1 -p1
+%autosetup -a1 -p1
 
 %build
 go build -buildvcs=false -mod=vendor ./cmd/telegraf
@@ -95,6 +96,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Apr 17 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.29.4-15
+- Patch CVE-2025-30215
+
 * Mon Mar 31 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 1.29.4-14
 - Patch to fix CVE-2025-22870, CVE-2024-51744 with an upstream patch