diff --git a/SPECS/cert-manager/CVE-2024-25620.patch b/SPECS/cert-manager/CVE-2024-25620.patch
deleted file mode 100644
index cf31fc0371c..00000000000
--- a/SPECS/cert-manager/CVE-2024-25620.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001 -From: Bhagyashri Pathak -Date: Thu, 8 Aug 2024 10:27:21 +0530 -Subject: [PATCH] CVE-2024-25620 patch - ---- - cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go | 4 ++++ - .../helm.sh/helm/v3/pkg/chartutil/errors.go | 8 ++++++++ - cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go | 20 +++++++++++++++++++ - .../helm/v3/pkg/lint/rules/chartfile.go | 4 ++++ - 4 files changed, 36 insertions(+) - -diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go -index ae572ab..3834b4c 100644 ---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go -+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go -@@ -16,6 +16,7 @@ limitations under the License. - package chart - - import ( -+ "path/filepath" - "strings" - "unicode" - -@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error { - if md.Name == "" { - return ValidationError("chart.metadata.name is required") - } -+ if md.Name != filepath.Base(md.Name) { -+ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name) -+ } - if md.Version == "" { - return ValidationError("chart.metadata.version is required") - } -diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go -index fcdcc27..0a4046d 100644 ---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go -+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go -@@ -33,3 +33,11 @@ type ErrNoValue struct { - } - - func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) } -+ -+type ErrInvalidChartName struct { -+ Name string -+} -+ -+func (e ErrInvalidChartName) Error() string { -+ return fmt.Sprintf("%q is not a valid chart name", e.Name) -+} -diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go -index 2ce4edd..4ee9070 100644 ---- 
a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go -+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go -@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=") - // directory, writing the chart's contents to that subdirectory. - func SaveDir(c *chart.Chart, dest string) error { - // Create the chart directory -+ err := validateName(c.Name()) -+ if err != nil { -+ return err -+ } - outdir := filepath.Join(dest, c.Name()) - if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() { - return errors.Errorf("file %s already exists and is not a directory", outdir) -@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) { - } - - func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error { -+ err := validateName(c.Name()) -+ if err != nil { -+ return err -+ } - base := filepath.Join(prefix, c.Name()) - - // Pull out the dependencies of a v1 Chart, since there's no way -@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error { - _, err := out.Write(body) - return err - } -+ -+// If the name has directory name has characters which would change the location -+// they need to be removed. -+func validateName(name string) error { -+ nname := filepath.Base(name) -+ -+ if nname != name { -+ return ErrInvalidChartName{name} -+ } -+ -+ return nil -+} -diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go -index b49f2ce..f8f033c 100644 ---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go -+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go -@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error { - if cf.Name == "" { - return errors.New("name is required") - } -+ name := filepath.Base(cf.Name) -+ if name != cf.Name { -+ return fmt.Errorf("chart name %q is invalid", cf.Name) -+ } - return nil - } - --- -2.34.1 - 
diff --git a/SPECS/cert-manager/CVE-2024-6104.patch b/SPECS/cert-manager/CVE-2024-6104.patch
deleted file mode 100644
index ff411d8e729..00000000000
--- a/SPECS/cert-manager/CVE-2024-6104.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From 002323062ceaa0e3a46f72bc7598c8f144b18bd5 Mon Sep 17 00:00:00 2001 -From: Balakumaran Kannan -Date: Tue, 27 Aug 2024 08:31:02 +0000 -Subject: [PATCH] Fix CVE-2024-6104 by patching vendor go module - ---- - .../hashicorp/go-retryablehttp/client.go | 27 ++++++++++++++----- - 1 file changed, 20 insertions(+), 7 deletions(-) - -diff --git a/cmd/controller/vendor/github.com/hashicorp/go-retryablehttp/client.go b/cmd/controller/vendor/github.com/hashicorp/go-retryablehttp/client.go -index f40d241..7a7d5f1 100644 ---- a/cmd/controller/vendor/github.com/hashicorp/go-retryablehttp/client.go -+++ b/cmd/controller/vendor/github.com/hashicorp/go-retryablehttp/client.go -@@ -584,9 +584,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - if logger != nil { - switch v := logger.(type) { - case LeveledLogger: -- v.Debug("performing request", "method", req.Method, "url", req.URL) -+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) - case Logger: -- v.Printf("[DEBUG] %s %s", req.Method, req.URL) -+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) - } - } - -@@ -641,9 +641,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - if err != nil { - switch v := logger.(type) { - case LeveledLogger: -- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) -+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) - case Logger: -- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) -+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) - } - } else { - // Call this here to maintain the behavior of logging all requests, -@@ -679,7 +679,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - - wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) - if logger != nil { -- desc := fmt.Sprintf("%s %s", req.Method, req.URL) -+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) - if 
resp != nil { - desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) - } -@@ -735,11 +735,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { - // communicate why - if err == nil { - return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", -- req.Method, req.URL, attempt) -+ req.Method, redactURL(req.URL), attempt) - } - - return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", -- req.Method, req.URL, attempt, err) -+ req.Method, redactURL(req.URL), attempt, err) - } - - // Try to read the response body so we can reuse this connection. -@@ -820,3 +820,16 @@ func (c *Client) StandardClient() *http.Client { - Transport: &RoundTripper{Client: c}, - } - } -+ -+// Taken from url.URL#Redacted() which was introduced in go 1.15. -+func redactURL(u *url.URL) string { -+ if u == nil { -+ return "" -+ } -+ -+ ru := *u -+ if _, has := ru.User.Password(); has { -+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") -+ } -+ return ru.String() -+} --- -2.33.8 - diff --git a/SPECS/cert-manager/cert-manager.signatures.json b/SPECS/cert-manager/cert-manager.signatures.json index 5623d96b025..c5eac87f0e1 100644 --- a/SPECS/cert-manager/cert-manager.signatures.json +++ b/SPECS/cert-manager/cert-manager.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "cert-manager-1.12.12-vendor.tar.gz": "eb2c70859fb2b73880f682e0c69eaeeec523481f94386b7d0150440799d7eecc", - "cert-manager-1.12.12.tar.gz": "2bdcc466ed77457616ea8732d002c4985524998da2c3dcc579d6e8f2af708484" + "cert-manager-1.12.13-vendor.tar.gz": "18894907e56205351f148a1aae828db6752d1189557d618720d782295abe4f84", + "cert-manager-1.12.13.tar.gz": "1bd650f7d066f98e2566397787caf938737c64ef4ab41284246acaffcdac7eb1" } -} +} \ No newline at end of file diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index c9eaf233b73..777e932403a 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec 
@@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager -Version: 1.12.12 -Release: 3%{?dist} +Version: 1.12.13 +Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,8 +13,6 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version # 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz # 2. /SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version} Source1: %{name}-%{version}-vendor.tar.gz -Patch0: CVE-2024-25620.patch -Patch1: CVE-2024-6104.patch BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -60,8 +58,6 @@ Webhook component providing API validation, mutation and conversion functionalit %prep %setup -q -a 1 -%autopatch -p1 - %build @@ -107,8 +103,8 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog -* Thu Aug 01 2024 Bala - 1.12.12-3 -- Patch for CVE-2024-6104 +* Mon Sep 16 2024 Jiri Appl - 1.12.13-1 +- Upgrade to 1.12.13 which carries helm 3.14.2 to fix CVE-2024-26147 and CVE-2024-25620 * Wed Aug 07 2024 Bhagyashri Pathak - 1.12.12-2 - Patch for CVE-2024-25620 diff --git a/cgmanifest.json b/cgmanifest.json index bc6270d28d5..3f318d62f7d 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1547,8 +1547,8 @@ "type": "other", "other": { "name": "cert-manager", - "version": "1.12.12", - "downloadUrl": "https://github.com/jetstack/cert-manager/archive/refs/tags/v1.12.12.tar.gz" + "version": "1.12.13", + "downloadUrl": "https://github.com/jetstack/cert-manager/archive/refs/tags/v1.12.13.tar.gz" } } },
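Review bot: The %changelog hunk (`@@ -107,8 +103,8 @@`) replaces the `* Thu Aug 01 2024 Bala - 1.12.12-3` / `- Patch for CVE-2024-6104` entry instead of adding the 1.12.13-1 entry above it, so the package history loses its only record of CVE-2024-6104 in the same commit that deletes CVE-2024-6104.patch and drops `Patch1:`, while the new entry names only CVE-2024-26147 and CVE-2024-25620. If that entry was removed because its date sorts out of order against the Aug 07 1.12.12-2 entry below it, correcting the date is the fix, not deleting the entry. The new entry should also say why the go-retryablehttp patch is no longer carried, e.g. `- Drop CVE-2024-6104.patch: 1.12.13 vendors a go-retryablehttp that redacts URL credentials in retry logs`, and that claim should be checked against the new vendor tarball before merge, since nothing in this diff shows the upstream bump includes the redaction the deleted patch backported; if it does not, the credential-leak in request logging is silently reintroduced.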