Merge branch '3.0-dev' into 3.0

Author: jslobodzian

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        6.6.56.1
-Release:        5%{?dist}
+Version:        6.6.57.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue Oct 29 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.57.1-1
+- Auto-upgrade to 6.6.57.1
+
 * Thu Oct 24 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.56.1-5
 - Bump release to match kernel
 

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

@@ -5,8 +5,8 @@
 %define kernelver %{version}-%{release}
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
-Version:        6.6.56.1
-Release:        5%{?dist}
+Version:        6.6.57.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,9 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue Oct 29 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.57.1-1
+- Auto-upgrade to 6.6.57.1
+
 * Thu Oct 24 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.56.1-5
 - Bump release to match kernel
 

SPECS/avahi/CVE-2023-1981.patch

@@ -0,0 +1,53 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687b..406d0b44 100644
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM
+     }
+ 
+     t = avahi_alternative_host_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) {
+@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB
+     }
+ 
+     t = avahi_alternative_service_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) {

SPECS/avahi/avahi.spec

@@ -3,7 +3,7 @@
 Summary:        Local network service discovery
 Name:           avahi
 Version:        0.8
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -12,6 +12,7 @@ Source0:        https://github.com/lathiat/avahi/releases/download/v%{version}/%
 Patch0:         %{name}-libevent-pc-fix.patch
 Patch1:         CVE-2021-3468.patch
 Patch2:         CVE-2021-3502.patch
+Patch3:         CVE-2023-1981.patch
 BuildRequires:  automake
 BuildRequires:  dbus-devel >= 0.90
 BuildRequires:  dbus-glib-devel >= 0.70
@@ -214,6 +215,9 @@ NOCONFIGURE=1 ./autogen.sh
         --disable-gtk \
         --disable-gtk3 \
         --disable-mono \
+%if 0%{?with_check}
+        --enable-tests \
+%endif
 ;
 
 # workaround parallel build issues (aarch64 only so far, bug #1564553)
@@ -258,6 +262,7 @@ rm -fv  %{buildroot}%{_datadir}/avahi/interfaces/avahi-discover.ui
 
 
 %check
+%make_build -k V=1 check || make check V=1
 
 %pre
 getent group avahi >/dev/null || groupadd -f -g 70 -r avahi
@@ -415,6 +420,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 29 2024 Daniel McIlvaney <damcilva@microsoft.com> - 0.8-3
+- Fix CVE-2023-1981 with an upstream patch, enable basic check section
+
 * Wed Aug 14 2024 Chris Co <chrco@microsoft.com> - 0.8-2
 - Remove libssp from build environment to fix avahi-daemon hang
 

SPECS/dracut/0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch

@@ -0,0 +1,57 @@
+From 96d153fe927987ce31a1f876b7eeea6fe9cee06a Mon Sep 17 00:00:00 2001
+From: Laszlo Gombos <laszlo.gombos@gmail.com>
+Date: Thu, 30 May 2024 10:06:04 -0400
+Subject: [PATCH] fix(systemd-pcrphase): in hostonly mode do not try to include
+ systemd-pcrphase
+
+---
+ modules.d/01systemd-pcrphase/module-setup.sh | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/modules.d/01systemd-pcrphase/module-setup.sh b/modules.d/01systemd-pcrphase/module-setup.sh
+index eb8520799..922711709 100755
+--- a/modules.d/01systemd-pcrphase/module-setup.sh
++++ b/modules.d/01systemd-pcrphase/module-setup.sh
+@@ -4,7 +4,6 @@
+ 
+ # Prerequisite check(s) for module.
+ check() {
+-
+     # If the binary(s) requirements are not fulfilled the module can't be installed.
+     # systemd-255 renamed the binary, check for old and new location.
+     if ! require_binaries "$systemdutildir"/systemd-pcrphase \
+@@ -12,23 +11,24 @@ check() {
+         return 1
+     fi
+ 
+-    return 0
++    if [[ $hostonly ]]; then
++        return 255
++    fi
+ 
++    return 0
+ }
+ 
+ # Module dependency requirements.
+ depends() {
+-
+     # This module has external dependency on other module(s).
+     echo systemd tpm2-tss
++
+     # Return 0 to include the dependent module(s) in the initramfs.
+     return 0
+-
+ }
+ 
+ # Install the required file(s) and directories for the module in the initramfs.
+ install() {
+-
+     inst_multiple -o \
+         "$systemdutildir"/systemd-pcrphase \
+         "$systemdutildir"/systemd-pcrextend \
+@@ -43,5 +43,4 @@ install() {
+             "$systemdsystemconfdir/systemd-pcrphase-initrd.service.d/*.conf" \
+             "$systemdsystemconfdir"/initrd.target.wants/systemd-pcrphase-initrd.service
+     fi
+-
+ }

SPECS/dracut/0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch

@@ -0,0 +1,32 @@
+From a2193b71f7be75f719eec29faacae36ab25e9147 Mon Sep 17 00:00:00 2001
+From: Laszlo Gombos <laszlo.gombos@gmail.com>
+Date: Fri, 5 Jul 2024 14:17:00 -0400
+Subject: [PATCH] fix(systemd-pcrphase): make tpm2-tss an optional dependency
+
+---
+ modules.d/01systemd-pcrphase/module-setup.sh | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/01systemd-pcrphase/module-setup.sh b/modules.d/01systemd-pcrphase/module-setup.sh
+index 922711709..3016d7e44 100755
+--- a/modules.d/01systemd-pcrphase/module-setup.sh
++++ b/modules.d/01systemd-pcrphase/module-setup.sh
+@@ -21,7 +21,17 @@ check() {
+ # Module dependency requirements.
+ depends() {
+     # This module has external dependency on other module(s).
+-    echo systemd tpm2-tss
++
++    local deps
++    deps="systemd"
++
++    # optional dependencies
++    module="tpm2-tss"
++    module_check $module > /dev/null 2>&1
++    if [[ $? == 255 ]]; then
++        deps+=" $module"
++    fi
++    echo "$deps"
+ 
+     # Return 0 to include the dependent module(s) in the initramfs.
+     return 0

SPECS/dracut/dracut.spec

@@ -4,7 +4,7 @@
 Summary:        dracut to create initramfs
 Name:           dracut
 Version:        102
-Release:        5%{?dist}
+Release:        6%{?dist}
 # The entire source code is GPLv2+
 # except install/* which is LGPLv2+
 License:        GPLv2+ AND LGPLv2+
@@ -34,6 +34,8 @@ Patch:          0006-dracut.sh-validate-instmods-calls.patch
 Patch:          0011-Remove-reference-to-kernel-module-zlib-in-fips-module.patch
 Patch:          0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch
 Patch:          0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch
+Patch:          0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch
+Patch:          0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch
 
 BuildRequires:  bash
 BuildRequires:  kmod-devel
@@ -288,6 +290,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name}
 %dir %{_sharedstatedir}/%{name}/overlay
 
 %changelog
+* Thu Oct 10 2024 Thien Trung Vuong <tvuong@microsoft.com> - 102-6
+- Add patch to make tpm2-tss an optional dependency for systemd-pcrphase
+
 * Sun Oct 06 2024 Jon Slobodzian <joslobo@microsoft.com> - 102-5
 - Bump version to build with latest systemd
 

SPECS/ebtables/ebtables.spec

@@ -2,7 +2,7 @@
 
 Name:          ebtables
 Version:		   2.0.11
-Release:		   9%{?dist}
+Release:		   8%{?dist}
 Summary:		   Ethernet Bridge frame table administration tool
 License:		   GPLv2+
 URL:           http://ebtables.sourceforge.net/
@@ -35,9 +35,6 @@ like iptables. There are no known incompatibility issues.
 
 %package legacy
 Summary: Legacy user space tool to configure bridge netfilter rules in kernel
-Requires(post):   %{_sbindir}/update-alternatives
-Requires(post):   %{_bindir}/readlink
-Requires(postun): %{_sbindir}/update-alternatives
 Provides: ebtables
 
 %description legacy
@@ -93,22 +90,10 @@ rm %{buildroot}/%{_libdir}/libebtc.la
 # Drop these binaries (for now at least)
 rm %{buildroot}/%{_sbindir}/ebtables{d,u}
 
-# Prepare for Alternatives system
-touch %{buildroot}%{_sbindir}/ebtables
-touch %{buildroot}%{_sbindir}/ebtables-save
-touch %{buildroot}%{_sbindir}/ebtables-restore
-
-%post legacy
-pfx=%{_sbindir}/ebtables
-%{_sbindir}/update-alternatives --install %{_sbindir}/%{name} %{name} %{_sbindir}/%{name}-legacy 10000 \
-  --slave %{_sbindir}/%{name}-save %{name}-save %{_sbindir}/%{name}-legacy-save \
-  --slave %{_sbindir}/%{name}-restore %{name}-restore %{_sbindir}/%{name}-legacy-restore
-
-%postun legacy
-if [ $1 -eq 0 ]; then
-	%{_sbindir}/update-alternatives --remove \
-		%{name} %{_sbindir}/%{name}-legacy
-fi
+# Symlink ebtables-legacy to ebtables
+ln -sf ebtables-legacy %{buildroot}%{_sbindir}/ebtables
+ln -sf ebtables-legacy-save %{buildroot}%{_sbindir}/ebtables-save
+ln -sf ebtables-legacy-restore %{buildroot}%{_sbindir}/ebtables-restore
 
 %post services
 %systemd_post ebtables.service
@@ -123,10 +108,10 @@ fi
 %license COPYING
 %doc ChangeLog THANKS
 %{_sbindir}/ebtables-legacy*
+%{_sbindir}/ebtables*
 %{_mandir}/*/ebtables-legacy*
 %{_libdir}/libebtc.so*
 %{_sysconfdir}/ethertypes
-%ghost %{_sbindir}/ebtables{,-save,-restore}
 
 %files services
 %{_unitdir}/ebtables.service
@@ -135,9 +120,6 @@ fi
 %ghost %{_sysconfdir}/sysconfig/ebtables
 
 %changelog
-* Mon Oct 21 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.0.11-9
-- introduce alternatives for legacy
-
 * Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.0.11-8
 - Add missing Vendor and Distribution tags.