Skip to content

Commit 80402a7

Browse files
azurelinux-securityKanishk-Bansalkgodara912
authored
[AutoPR- Security] Patch kata-containers for CVE-2026-33814 [MEDIUM] (microsoft#17219)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Co-authored-by: kgodara912 <kshigodara@outlook.com>
1 parent f67e9ae commit 80402a7

2 files changed

Lines changed: 55 additions & 3 deletions

File tree

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
From 201f31cfd144c43a8bc5a88ab25892ab7363c788 Mon Sep 17 00:00:00 2001
2+
From: "Nicholas S. Husin" <nsh@golang.org>
3+
Date: Tue, 31 Mar 2026 15:15:30 -0400
4+
Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
5+
6+
This CL backports https://go.dev/cl/761581 to x/net.
7+
8+
Fixes golang/go#78476
9+
Fixes CVE-2026-33814
10+
11+
Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
12+
Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
13+
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
14+
Reviewed-by: Nicholas Husin <husin@google.com>
15+
Reviewed-by: Damien Neil <dneil@google.com>
16+
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
17+
Upstream-reference: https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
18+
---
19+
src/runtime/vendor/golang.org/x/net/http2/transport.go | 6 +++---
20+
1 file changed, 3 insertions(+), 3 deletions(-)
21+
22+
diff --git a/src/runtime/vendor/golang.org/x/net/http2/transport.go b/src/runtime/vendor/golang.org/x/net/http2/transport.go
23+
index f26356b9..a401b27b 100644
24+
--- a/src/runtime/vendor/golang.org/x/net/http2/transport.go
25+
+++ b/src/runtime/vendor/golang.org/x/net/http2/transport.go
26+
@@ -2858,6 +2858,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
27+
28+
var seenMaxConcurrentStreams bool
29+
err := f.ForeachSetting(func(s Setting) error {
30+
+ if err := s.Valid(); err != nil {
31+
+ return err
32+
+ }
33+
switch s.ID {
34+
case SettingMaxFrameSize:
35+
cc.maxFrameSize = s.Val
36+
@@ -2889,9 +2892,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
37+
cc.henc.SetMaxDynamicTableSize(s.Val)
38+
cc.peerMaxHeaderTableSize = s.Val
39+
case SettingEnableConnectProtocol:
40+
- if err := s.Valid(); err != nil {
41+
- return err
42+
- }
43+
// If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
44+
// we require that it do so in the first SETTINGS frame.
45+
//
46+
--
47+
2.45.4
48+

SPECS/kata-containers/kata-containers.spec

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
Name: kata-containers
44
Version: 3.19.1.kata3
5-
Release: 2%{?dist}
5+
Release: 3%{?dist}
66

77
Summary: Kata Containers package developed for Pod Sandboxing on AKS
88
License: ASL 2.0
@@ -18,6 +18,7 @@ Patch3: CVE-2026-25727.patch
1818
Patch4: CVE-2026-25541.patch
1919
Patch5: CVE-2025-11065.patch
2020
Patch6: CVE-2026-41602.patch
21+
Patch7: CVE-2026-33814.patch
2122
BuildRequires: azurelinux-release
2223
BuildRequires: golang
2324
BuildRequires: protobuf-compiler
@@ -117,10 +118,13 @@ popd
117118
%{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
118119

119120
%changelog
121+
* Thu May 14 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.19.1.kata3-3
122+
- Patch for CVE-2026-33814
123+
120124
* Mon May 04 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.19.1.kata3-2
121125
- Patch for CVE-2026-41602
122126

123-
* Mon Apr 16 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.19.1.kata3-1
127+
* Thu Apr 16 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.19.1.kata3-1
124128
- Auto-upgrade to 3.19.1.kata3
125129
- Remove CVE-2025-65637.patch that no longer applies
126130

@@ -136,7 +140,7 @@ popd
136140
* Mon Feb 23 2026 Archana Shettigar <v-shettigara@microsoft.com> - 3.19.1.kata2-5
137141
- Patch CVE-2026-24834, CVE-2026-25727, CVE-2026-25541, CVE-2025-65637 and CVE-2025-11065
138142

139-
* Fri Jan 29 2026 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 3.19.1.kata2-4
143+
* Thu Jan 29 2026 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 3.19.1.kata2-4
140144
- Bump release to rebuild with rust
141145
- Add patch to suppress dead_code warnings and add explicit lifetime for U32Set iterator
142146

0 commit comments

Comments
 (0)