Merge pull request #3495 from microsoft/anphel/1.0-august-2022-release-2

Merging commits for August 2022 1.0 release (retry)

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.10.123.1
+Version:        5.10.131.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -147,6 +147,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Sun Jul 24 2022 Rachel Menge <[email protected]> - 5.10.131.1-1
+- Update source to 5.10.131.1
+
+* Wed Jul 06 2022 Max Brodeur-Urbas <[email protected]> - 5.10.128.1-1
+- Update source to 5.10.128.1
+
 * Mon Jun 20 2022 Rachel Menge <[email protected]> - 5.10.123.1-1
 - Update source to 5.10.123.1
 

SPECS/ca-certificates/ca-certificates.signatures.json

@@ -11,7 +11,7 @@
   "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
   "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
   "certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
-  "certdata.microsoft.txt": "32789389efd31aa04d9f482bd1132a0661c249fcd5eb9ec92b02ddca6ed35a7d",
+  "certdata.microsoft.txt": "18075612875845029e53c423799e48f974a4e95aaa7b0e4a909ee25094120708",
   "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
   "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
   "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",

SPECS/ca-certificates/ca-certificates.spec

@@ -44,7 +44,7 @@ Name:           ca-certificates
 
 # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
 Version:        20200720
-Release:        25%{?dist}
+Release:        26%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -317,6 +317,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Wed Aug 03 2022 CBL-Mariner Service Account <[email protected]> - 20200720-26
+- Updating Microsoft trusted root CAs.
+
 * Wed Jun 29 2022 CBL-Mariner Service Account <[email protected]> - 20200720-25
 - Updating Microsoft trusted root CAs.
 

SPECS/clang/clang.spec

@@ -1,29 +1,36 @@
 Summary:        C, C++, Objective C and Objective C++ front-end for the LLVM compiler.
 Name:           clang
 Version:        8.0.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        NCSA
-URL:            https://clang.llvm.org
-Source0:        https://github.com/llvm/llvm-project/releases/download/llvmorg-%{version}/cfe-%{version}.src.tar.xz
-Group:          Development/Tools
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
+Group:          Development/Tools
+URL:            https://clang.llvm.org
+Source0:        https://github.com/llvm/llvm-project/releases/download/llvmorg-%{version}/cfe-%{version}.src.tar.xz
 BuildRequires:  cmake
+BuildRequires:  libxml2-devel
 BuildRequires:  llvm-devel = %{version}
 BuildRequires:  ncurses-devel
-BuildRequires:  zlib-devel
-BuildRequires:  libxml2-devel
 BuildRequires:  python2-devel
+BuildRequires:  zlib-devel
+Requires:       %{name}-libs = %{version}-%{release}
 Requires:       libstdc++-devel
-Requires:       ncurses
-Requires:       llvm
-Requires:       zlib
 Requires:       libxml2
+Requires:       llvm
+Requires:       ncurses
 Requires:       python2
+Requires:       zlib
 
 %description
 The goal of the Clang project is to create a new C based language front-end: C, C++, Objective C/C++, OpenCL C and others for the LLVM compiler. You can get and build the source today.
 
+%package libs
+Summary:        Runtime library for clang
+
+%description libs
+Runtime library for clang.
+
 %package devel
 Summary:        Development headers for clang
 Requires:       %{name} = %{version}-%{release}
@@ -42,7 +49,7 @@ export CXXFLAGS="`echo " %{build_cxxflags} " | sed 's/ -g//'`"
 
 mkdir -p build
 cd build
-cmake -DCMAKE_INSTALL_PREFIX=/usr   \
+cmake -DCMAKE_INSTALL_PREFIX=%{_prefix}   \
       -DCMAKE_BUILD_TYPE=Release    \
       -DLLVM_ENABLE_RTTI=ON         \
       -Wno-dev ..
@@ -61,41 +68,52 @@ make DESTDIR=%{buildroot} install
 cd build
 make clang-check
 
-%clean
-rm -rf %{buildroot}/*
-
 %files
 %defattr(-,root,root)
-%license LICENSE.TXT
 %{_bindir}/*
 %{_libexecdir}/*
-%{_libdir}/*.so.*
 %{_datadir}/*
 
+%files libs
+%defattr(-,root,root)
+%license LICENSE.TXT
+%{_libdir}/clang/*
+%{_libdir}/*.so.*
+
 %files devel
 %defattr(-,root,root)
 %{_libdir}/*.so
 %{_libdir}/*.a
 %{_libdir}/cmake/*
-%{_libdir}/clang/*
 %{_includedir}/*
 
 %changelog
-*   Tue Feb 09 2021 Henry Beberman <[email protected]> 8.0.1-4
--   Enable RTTI (runtime type information) so other packages can depend on it.
-*   Fri Jun 12 2020 Henry Beberman <[email protected]> 8.0.1-3
--   Temporarily disable generation of debug symbols.
-*   Sat May 09 2020 Nick Samson <[email protected]> - 8.0.1-2
--   Added %%license line automatically
-*   Tue Mar 17 2020 Henry Beberman <[email protected]> 8.0.1-1
--   Update to 8.0.1. Fix Source0 URL. License verified.
-*   Tue Sep 03 2019 Mateusz Malisz <[email protected]> 6.0.1-2
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Thu Aug 09 2018 Srivatsa S. Bhat <[email protected]> 6.0.1-1
--   Update to version 6.0.1 to get it to build with gcc 7.3
-*   Wed Jun 28 2017 Chang Lee <[email protected]> 4.0.0-2
--   Updated %check
-*   Fri Apr 7 2017 Alexey Makhalov <[email protected]> 4.0.0-1
--   Version update
-*   Wed Jan 11 2017 Xiaolin Li <[email protected]>  3.9.1-1
--   Initial build.
+* Sun Jul 10 2022 onalante-msft <[email protected]> - 8.0.1-5
+- Include runtime libraries in base package.
+
+* Tue Feb 09 2021 Henry Beberman <[email protected]> - 8.0.1-4
+- Enable RTTI (runtime type information) so other packages can depend on it.
+
+* Fri Jun 12 2020 Henry Beberman <[email protected]> - 8.0.1-3
+- Temporarily disable generation of debug symbols.
+
+* Sat May 09 2020 Nick Samson <[email protected]> - 8.0.1-2
+- Added %%license line automatically
+
+* Tue Mar 17 2020 Henry Beberman <[email protected]> - 8.0.1-1
+- Update to 8.0.1. Fix Source0 URL. License verified.
+
+* Tue Sep 03 2019 Mateusz Malisz <[email protected]> - 6.0.1-2
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Thu Aug 09 2018 Srivatsa S. Bhat <[email protected]> - 6.0.1-1
+- Update to version 6.0.1 to get it to build with gcc 7.3
+
+* Wed Jun 28 2017 Chang Lee <[email protected]> - 4.0.0-2
+- Updated %check
+
+* Fri Apr 7 2017 Alexey Makhalov <[email protected]> - 4.0.0-1
+- Version update
+
+* Wed Jan 11 2017 Xiaolin Li <[email protected]> - 3.9.1-1
+- Initial build.

SPECS/hyperv-daemons/hyperv-daemons.signatures.json

@@ -7,6 +7,6 @@
   "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1",
   "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
   "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-  "kernel-5.10.123.1.tar.gz": "480ecf777d684ba029397bfb21b7617e68275180c433ec48c4f45e5629ad4bc1"
+  "kernel-5.10.131.1.tar.gz": "648e92ed6c42730054c3c147b52169003dee23b00b0ee2612a48ab4202ebcb35"
  }
 }

SPECS/hyperv-daemons/hyperv-daemons.spec

@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.10.123.1
+Version:        5.10.131.1
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -221,6 +221,12 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Sun Jul 24 2022 Rachel Menge <[email protected]> - 5.10.131.1-1
+- Update source to 5.10.131.1
+
+* Wed Jul 06 2022 Max Brodeur-Urbas <[email protected]> - 5.10.128.1-1
+- Update source to 5.10.128.1
+
 * Mon Jun 20 2022 Rachel Menge <[email protected]> - 5.10.123.1-1
 - Update source to 5.10.123.1
 

SPECS/kernel-headers/kernel-headers.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "kernel-5.10.123.1.tar.gz": "480ecf777d684ba029397bfb21b7617e68275180c433ec48c4f45e5629ad4bc1"
+  "kernel-5.10.131.1.tar.gz": "648e92ed6c42730054c3c147b52169003dee23b00b0ee2612a48ab4202ebcb35"
  }
 }

SPECS/kernel-headers/kernel-headers.spec

@@ -1,6 +1,6 @@
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        5.10.123.1
+Version:        5.10.131.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -36,6 +36,12 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Sun Jul 24 2022 Rachel Menge <[email protected]> - 5.10.131.1-1
+- Update source to 5.10.131.1
+
+* Wed Jul 06 2022 Max Brodeur-Urbas <[email protected]> - 5.10.128.1-1
+- Update source to 5.10.128.1
+
 * Mon Jun 20 2022 Rachel Menge <[email protected]> - 5.10.123.1-1
 - Update source to 5.10.123.1
 - Remove make headers_check

SPECS/kernel-hyperv/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.123.1 Kernel Configuration
+# Linux/x86_64 5.10.131.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0"
 CONFIG_CC_IS_GCC=y
@@ -2462,10 +2462,9 @@ CONFIG_TCG_CRB=m
 # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
 # CONFIG_TELCLOCK is not set
 # CONFIG_XILLYBUS is not set
-# end of Character devices
-
 CONFIG_RANDOM_TRUST_CPU=y
 # CONFIG_RANDOM_TRUST_BOOTLOADER is not set
+# end of Character devices
 
 #
 # I2C support
@@ -4135,6 +4134,7 @@ CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines
 
+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y

SPECS/kernel-hyperv/kernel-hyperv.signatures.json

@@ -1,8 +1,8 @@
 {
  "Signatures": {
   "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "167401f509d4888c7218ba0a76ad0dcf6f34f49e9caca9ebbdda07a3118828dc",
-  "kernel-5.10.123.1.tar.gz": "480ecf777d684ba029397bfb21b7617e68275180c433ec48c4f45e5629ad4bc1",
+  "config": "507770a71732585438925f2ca0c5b17753e1698a1fd91c948a63b41abb6a42c9",
+  "kernel-5.10.131.1.tar.gz": "648e92ed6c42730054c3c147b52169003dee23b00b0ee2612a48ab4202ebcb35",
   "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
  }
 }

SPECS/kernel-hyperv/kernel-hyperv.spec

@@ -3,7 +3,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Linux Kernel optimized for Hyper-V
 Name:           kernel-hyperv
-Version:        5.10.123.1
+Version:        5.10.131.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -270,6 +270,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_libdir}/perf/include/bpf/*
 
 %changelog
+* Sun Jul 24 2022 Rachel Menge <[email protected]> - 5.10.131.1-1
+- Update source to 5.10.131.1
+
+* Wed Jul 06 2022 Max Brodeur-Urbas <[email protected]> - 5.10.128.1-1
+- Update source to 5.10.128.1
+
 * Mon Jun 20 2022 Rachel Menge <[email protected]> - 5.10.123.1-1
 - Update source to 5.10.123.1
 

SPECS/kernel/CVE-2021-20194.nopatch

@@ -0,0 +1 @@
+CVE-2021-20194 - mariner is not exposed to this vulnerability (we set CONFIG_HARDENED_USERCOPY=y).

SPECS/kernel/CVE-2021-32078.nopatch

@@ -0,0 +1,2 @@
+CVE-2021-32078 - mariner does not support ARM Footbridge personal servers
+upstream 298a58e165e447ccfaae35fe9f651f9d7e15166f

SPECS/kernel/CVE-2021-37159.nopatch

@@ -0,0 +1 @@
+CVE-2021-37159 - patch not applied/disputed in upstream

SPECS/kernel/CVE-2022-0854.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-0854 - already patched in 5.10.128.1 stable kernel
+Upstream: 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544
+Stable: f3f2247ac31cb71d1f05f56536df5946c6652f4a

SPECS/kernel/CVE-2022-1652.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-1652 - Fix already backported into 5.10.128.1
+Upstream: f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8
+Stable: 3ca44c16b0dcc764b641ee4ac226909f5c421aa3

SPECS/kernel/CVE-2022-1786.nopatch

@@ -0,0 +1,4 @@
+CVE-2022-1786 - already patched in 5.10.128.1 stable kernel
+Upstream: No upstream patch exists for this issue, as only older kernels with
+the non-native workers have this problem.
+Stable: 29f077d070519a88a793fbc70f1e6484dc6d9e35

SPECS/kernel/CVE-2022-1852.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-1852 - patched in 5.10.120 - (generated by autopatch tool)
+upstream fee060cd52d69c114b62d1a2948ea9648b5131f9 - stable 3d8fc6e28f321d753ab727e3c3e740daf36a8fa3
+

SPECS/kernel/CVE-2022-2078.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-2078 - patched in 5.10.120 - (generated by autopatch tool)
+upstream fecf31ee395b0295f2d7260aa29946b7605f7c85 - stable c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048
+

SPECS/kernel/CVE-2022-2318.nopatch

@@ -0,0 +1,2 @@
+CVE-2022-2318 - patched in 5.10.129 - (generated by autopatch tool)
+upstream 9cc02ede696272c5271a401e4f27c262359bc2f6 - stable 8f74cb27c2b4872fd14bf046201fa7b36a46885e

SPECS/kernel/CVE-2022-32296.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-32296 - Fix already backported into 5.10.128.1
+Upstream: 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5
+Stable: 9429b75bc271b6f29e50dbb0ee0751800ff87dd9

SPECS/kernel/CVE-2022-34494.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-34494 - Introducing commit not in stable tree. No fix necessary at this time.
+Upstream introducing commit: c486682ae1e2b149add22f44cf413b3103e3ef39
+Upstream fix commit: 1680939e9ecf7764fba8689cfb3429c2fe2bb23c

SPECS/kernel/CVE-2022-34495.nopatch

@@ -0,0 +1,3 @@
+CVE-2022-34495 - Introducing commit not in stable tree. No fix necessary at this time.
+Upstream introducing commit: c486682ae1e2b149add22f44cf413b3103e3ef39
+Upstream fix commit: c2eecefec5df1306eafce28ccdf1ca159a552ecc

SPECS/kernel/CVE-2022-34918.nopatch

@@ -0,0 +1,2 @@
+CVE-2022-34918 - patched in 5.10.130 - (generated by autopatch tool)
+upstream 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 - stable 0a5e36dbcb448a7a8ba63d1d4b6ade2c9d3cc8bf

SPECS/kernel/config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.123.1 Kernel Configuration
+# Linux/x86_64 5.10.131.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0"
 CONFIG_CC_IS_GCC=y
@@ -3072,10 +3072,9 @@ CONFIG_TCG_CRB=y
 # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
 # CONFIG_TELCLOCK is not set
 # CONFIG_XILLYBUS is not set
-# end of Character devices
-
 CONFIG_RANDOM_TRUST_CPU=y
 # CONFIG_RANDOM_TRUST_BOOTLOADER is not set
+# end of Character devices
 
 #
 # I2C support
@@ -6876,6 +6875,7 @@ CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines
 
+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y