[AutoPR- Security] Patch telegraf for CVE-2026-33216, CVE-2026-29785 [HIGH] (#16431)

azurelinux-security · akhila-guruju · v-aaditya · CBL-Mariner-Bot · commit 7d044328db0e · 2026-04-15T19:17:09.000Z
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com> Co-authored-by: Aditya Singh <v-aditysing@microsoft.com> (cherry picked from commit 4e6d4cf)
diff --git a/SPECS/telegraf/CVE-2026-29785.patch b/SPECS/telegraf/CVE-2026-29785.patch
@@ -0,0 +1,59 @@
+From 2c1b4d1bf00adcbaf61caf126c74169f8b246d3b Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 2 Apr 2026 15:13:42 +0000
+Subject: [PATCH] Fix panic on LS protocol when compression enabled: guard
+ against LS+ and LS- before CONNECT; close with auth violation
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8.patch
+---
+ .../nats-io/nats-server/v2/server/leafnode.go | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+index 8f3fe627..652ec5d1 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+@@ -2325,6 +2325,15 @@ func (c *client) processLeafSub(argo []byte) (err error) {
+ 	}
+ 
+ 	acc := c.acc
++	// Guard against LS+ arriving before CONNECT has been processed, which
++	// can happen when compression is enabled.
++	if acc == nil {
++		c.mu.Unlock()
++		c.sendErr("Authorization Violation")
++		c.closeConnection(ProtocolViolation)
++		return nil
++	}
++
+ 	// Check if we have a loop.
+ 	ldsPrefix := bytes.HasPrefix(sub.subject, []byte(leafNodeLoopDetectionSubjectPrefix))
+ 
+@@ -2444,7 +2453,6 @@ func (c *client) processLeafUnsub(arg []byte) error {
+ 	// Indicate any activity, so pub and sub or unsubs.
+ 	c.in.subs++
+ 
+-	acc := c.acc
+ 	srv := c.srv
+ 
+ 	c.mu.Lock()
+@@ -2453,6 +2461,15 @@ func (c *client) processLeafUnsub(arg []byte) error {
+ 		return nil
+ 	}
+ 
++	acc := c.acc
++	// Guard against LS- arriving before CONNECT has been processed.
++	if acc == nil {
++		c.mu.Unlock()
++		c.sendErr("Authorization Violation")
++		c.closeConnection(ProtocolViolation)
++		return nil
++	}
++
+ 	updateGWs := false
+ 	spoke := c.isSpokeLeafNode()
+ 	// We store local subs by account and subject and optionally queue name.
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/CVE-2026-33216.patch b/SPECS/telegraf/CVE-2026-33216.patch
@@ -0,0 +1,75 @@
+From 5ad836f2e5705b1dbf87437f681c8f9a85b07adf Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 2 Apr 2026 15:18:09 +0000
+Subject: [PATCH] Backport: Fix MQTT password exposed in JWT by deferring
+ setting JWT for MQTT and using local ujwt in auth; remove setting JWT in
+ mqttParseConnect
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099.patch
+---
+ .../nats-io/nats-server/v2/server/auth.go        | 16 ++++++++++++++--
+ .../nats-io/nats-server/v2/server/mqtt.go        |  1 -
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/auth.go b/vendor/github.com/nats-io/nats-server/v2/server/auth.go
+index 97106343..dc783409 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/auth.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/auth.go
+@@ -586,6 +586,7 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
+ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (authorized bool) {
+ 	var (
+ 		nkey *NkeyUser
++		ujwt string
+ 		juc  *jwt.UserClaims
+ 		acc  *Account
+ 		user *User
+@@ -729,13 +730,19 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
+ 
+ 	// Check if we have trustedKeys defined in the server. If so we require a user jwt.
+ 	if s.trustedKeys != nil {
+-		if c.opts.JWT == _EMPTY_ {
++		ujwt = c.opts.JWT
++		if ujwt == _EMPTY_ && c.isMqtt() {
++			// For MQTT, we pass the password as the JWT too, but do so here so it's not
++			// publicly exposed in the client options if it isn't a JWT.
++			ujwt = c.opts.Password
++		}
++		if ujwt == _EMPTY_ {
+ 			s.mu.Unlock()
+ 			c.Debugf("Authentication requires a user JWT")
+ 			return false
+ 		}
+ 		// So we have a valid user jwt here.
+-		juc, err = jwt.DecodeUserClaims(c.opts.JWT)
++		juc, err = jwt.DecodeUserClaims(ujwt)
+ 		if err != nil {
+ 			s.mu.Unlock()
+ 			c.Debugf("User JWT not valid: %v", err)
+@@ -995,6 +1002,11 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
+ 		// Hold onto the user's public key.
+ 		c.mu.Lock()
+ 		c.pubKey = juc.Subject
++		// If this is a MQTT client, we purposefully didn't populate the JWT as it could contain
++		// a password or token. Now we know it's a valid JWT, we can populate it.
++		if c.isMqtt() {
++			c.opts.JWT = ujwt
++		}
+ 		c.tags = juc.Tags
+ 		c.nameTag = juc.Name
+ 		c.mu.Unlock()
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+index 7ca49081..f5ef29e6 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+@@ -3561,7 +3561,6 @@ func (c *client) mqttParseConnect(r *mqttReader, hasMappings bool) (byte, *mqttC
+ 			return 0, nil, err
+ 		}
+ 		c.opts.Token = c.opts.Password
+-		c.opts.JWT = c.opts.Password
+ 	}
+ 	return 0, cp, nil
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,6 +35,8 @@ Patch20:        CVE-2026-4645.patch
 # Patch added based on customer request https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
 # Fix was introduced 1.37.2, this patch can be removed once we update to 1.37.2 or later
 Patch21:        cisco_telegraf_bug61041768.patch
+Patch22:        CVE-2026-29785.patch
+Patch23:        CVE-2026-33216.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -99,6 +101,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-18
+- Patch for CVE-2026-33216, CVE-2026-29785
+
 * Fri Mar 27 2026 Sindhu Karri <lakarri@microsoft.com> - 1.31.0-17
 - Added patch to fix the issue reported in https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
   Fix in telegraf to support cisco telemetry plugin that collects telemetry data from cisco NXOS switches.
