Merge branch 'microsoft:3.0-dev' into 3.0-dev

Author: AkarshHCL

SPECS/golang/golang-1.25.signatures.json

@@ -3,7 +3,7 @@
     "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
     "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
     "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7",
-    "go1.25.8-20260306.2.src.tar.gz": "32c83228b338bb31782e8c9e6aee82e160ba679061b728ed2c35a00a8a38d474",
+    "go1.25.9-20260407.1.src.tar.gz": "985777a40244ac7e2b09ec64e226ed5c955018565edc0b80ee9b95f6605ce9d8",
     "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
   }
 }

SPECS/golang/golang-1.25.spec

@@ -1,6 +1,6 @@
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
-%global ms_go_filename  go1.25.8-20260306.2.src.tar.gz
+%global ms_go_filename  go1.25.9-20260407.1.src.tar.gz
 %global ms_go_revision  1
 %ifarch aarch64
 %global gohostarch      arm64
@@ -14,7 +14,7 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           golang
-Version:        1.25.8
+Version:        1.25.9
 Release:        1%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
@@ -160,6 +160,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.9-1
+- Bump version to 1.25.9-1
+
 * Fri Mar 06 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.8-1
 - Bump version to 1.25.8-1
 

SPECS/golang/golang.signatures.json

@@ -4,7 +4,7 @@
     "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
     "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7",
     "go1.24.13-20260204.5.src.tar.gz": "fdf4ec44d7191e59890e988ffba8ab3fd133ec6bd3757955223712f369e2328b",
-    "go1.26.1-20260306.1.src.tar.gz": "51c4ea1d0f5c5e0b5860903bab4c66a1544da62ecaa67ea2fe883bef64a2e863",
+    "go1.26.2-20260407.2.src.tar.gz": "609b097d0482f96fa1b4e7f738638d33df1aa4c7a01ff6da03b881edc8534987",
     "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
   }
 }

SPECS/golang/golang.spec

@@ -1,6 +1,6 @@
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
-%global ms_go_filename  go1.26.1-20260306.1.src.tar.gz
+%global ms_go_filename  go1.26.2-20260407.2.src.tar.gz
 %global ms_go_revision  1
 %ifarch aarch64
 %global gohostarch      arm64
@@ -14,7 +14,7 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           golang
-Version:        1.26.1
+Version:        1.26.2
 Release:        1%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
@@ -166,6 +166,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.2-1
+- Bump version to 1.26.2-1
+
 * Fri Mar 06 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.1-1
 - Bump version to 1.26.1-1
 

SPECS/libsoup/CVE-2026-2436.patch

@@ -0,0 +1,81 @@
+From 50838ec94696282406d9cee47f41ca7c11f68694 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 14 Jan 2026 11:39:18 -0600
+Subject: [PATCH] server-connection: check for cancellation in handshake
+ callback
+
+If the SoupServerConnection is destroyed before the TLS handshake
+completes, then we have a use after free of the SoupServerConnection in
+tls_connection_handshake_ready_cb().
+
+Spotted in #YWH-PGM9867-161. (I have not created a libsoup issue report
+for -161 because it was rejected by our triagers due to errors.)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/495.patch
+---
+ libsoup/server/soup-server-connection.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/server/soup-server-connection.c b/libsoup/server/soup-server-connection.c
+index cac4eaa..7d4064a 100644
+--- a/libsoup/server/soup-server-connection.c
++++ b/libsoup/server/soup-server-connection.c
+@@ -62,6 +62,7 @@ typedef struct {
+         gboolean advertise_http2;
+         SoupHTTPVersion http_version;
+         SoupServerMessageIO *io_data;
++        GCancellable *cancellable;
+ 
+         GSocketAddress *local_addr;
+         GSocketAddress *remote_addr;
+@@ -86,6 +87,7 @@ soup_server_connection_init (SoupServerConnection *conn)
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
+ 
+         priv->http_version = SOUP_HTTP_1_1;
++        priv->cancellable = g_cancellable_new ();
+ }
+ 
+ static void
+@@ -109,6 +111,9 @@ soup_server_connection_finalize (GObject *object)
+         SoupServerConnection *conn = SOUP_SERVER_CONNECTION (object);
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
+ 
++        g_cancellable_cancel (priv->cancellable);
++        g_clear_object (&priv->cancellable);
++
+         if (priv->conn) {
+                 disconnect_internal (conn);
+         } else {
+@@ -428,8 +433,9 @@ tls_connection_handshake_ready_cb (GTlsConnection       *tls_conn,
+                                    SoupServerConnection *conn)
+ {
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
++        GError *error = NULL;
+ 
+-        if (g_tls_connection_handshake_finish (tls_conn, result, NULL)) {
++        if (g_tls_connection_handshake_finish (tls_conn, result, &error)) {
+                 const char *protocol = g_tls_connection_get_negotiated_protocol (tls_conn);
+ 
+                 if (g_strcmp0 (protocol, "h2") == 0)
+@@ -440,7 +446,7 @@ tls_connection_handshake_ready_cb (GTlsConnection       *tls_conn,
+                         priv->http_version = SOUP_HTTP_1_1;
+ 
+                 soup_server_connection_connected (conn);
+-        } else {
++        } else if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) {
+                 soup_server_connection_disconnect (conn);
+         }
+ }
+@@ -518,7 +524,7 @@ soup_server_connection_accepted (SoupServerConnection *conn)
+                                          conn, G_CONNECT_SWAPPED);
+ 
+                 g_tls_connection_handshake_async (G_TLS_CONNECTION (priv->conn),
+-                                                  G_PRIORITY_DEFAULT, NULL,
++                                                  G_PRIORITY_DEFAULT, priv->cancellable,
+                                                   (GAsyncReadyCallback)tls_connection_handshake_ready_cb,
+                                                   conn);
+                 return;
+-- 
+2.45.4
+

SPECS/libsoup/libsoup.spec

@@ -4,7 +4,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        3.4.4
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -78,6 +78,7 @@ Patch28:         fix-ssl-test.patch
 Patch29:         CVE-2026-0716.patch
 Patch30:         CVE-2026-2443.patch
 Patch31:         CVE-2026-2369.patch
+Patch32:         CVE-2026-2436.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -153,6 +154,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-15
+- Patch for CVE-2026-2436
+
 * Wed Mar 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-14
 - Patch for CVE-2026-2369
 

SPECS/nodejs24/CVE-2025-69418.patch

@@ -3,6 +3,6 @@
   "btest402.js": "fabaf4dacc13e93d54f825b87ffde18573214b149388a5f96176236dd31d7768",
   "icu4c-77_1-data-bin-b.zip": "d8be12e03f782da350508b15354738ed97a3289008a787b6bd2a85434374bff4",
   "icu4c-77_1-data-bin-l.zip": "0913674ff673c585f8bc08370916b6a6ccc30ffb6408a5c1bc3edbf5a687fd96",
-  "node-v24.13.0.tar.xz": "320fe909cbb347dcf516201e4964ef177b8138df9a7f810d0d54950481b3158b"
+  "node-v24.14.1.tar.xz": "7822507713f202cf2a551899d250259643f477b671706db421a6fb55c4aa0991"
  }
-}
+}

SPECS/nodejs24/nodejs24.signatures.json

@@ -15,8 +15,8 @@ Summary:        A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name:           nodejs24
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version:        24.13.0
-Release:        3%{?dist}
+Version:        24.14.1
+Release:        1%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,7 +35,6 @@ Patch2:         CVE-2024-22195.patch
 Patch3:         CVE-2020-28493.patch
 Patch4:         CVE-2024-34064.patch
 Patch5:         CVE-2025-27516.patch
-Patch6:         CVE-2025-69418.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -46,6 +45,7 @@ BuildRequires:  openssl-devel >= 1.1.1
 BuildRequires:  python3
 BuildRequires:  which
 BuildRequires:  zlib-devel
+BuildRequires:  perl-WWW-Curl
 Requires:       brotli
 Requires:       c-ares
 Requires:       coreutils >= 8.22
@@ -180,6 +180,18 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Wed Apr 01 2026 Ratiranjan Behera <v-ratbehera@microsoft.com> - 24.14.1-1
+- Upgrade to 24.14.1
+- Security fixes included:
+  CVE-2026-21710: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
+  CVE-2026-21637: wrap SNICallback invocation in try/catch (Matteo Collina) - High
+  CVE-2026-21717: test array index hash collision (Joyee Cheung) - Medium
+  CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
+  CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
+  CVE-2026-21712: handle url crash on different url formats (RafaelGSS) - Medium
+  CVE-2026-21716: include permission check on lib/fs/promises (RafaelGSS) - Low
+  CVE-2026-21715: add permission check to realpath.native (RafaelGSS) - Low
+
 * Fri Feb 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 24.13.0-3
 - Patch for CVE-2025-69418
 

SPECS/nodejs24/nodejs24.spec

@@ -1,6 +1,6 @@
 {
   "Signatures": {
     "opensc.module": "0dee4b20c6ccae90f01c4b9fc503971f9f963a01a91de3a9da29f9a62a4cbfe1",
-    "opensc-0.26.1.tar.gz": "f16291a031d86e570394762e9f35eaf2fcbc2337a49910f3feae42d54e1688cb"
+    "opensc-0.27.1.tar.gz": "976f4a23eaf3397a1a2c3a7aac80bf971a8c3d829c9a79f06145bfaeeae5eca7"
   }
 }