[Manual Cherry Pick CVEs] golang, nodejs and python-wheel (#16543)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
Co-authored-by: Ratiranjan5 <v-ratbehera@microsoft.com>
Co-authored-by: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com>

Author: 5 people

SPECS/golang/golang-1.25.signatures.json

@@ -3,7 +3,7 @@
     "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
     "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
     "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7",
-    "go1.25.8-20260306.2.src.tar.gz": "32c83228b338bb31782e8c9e6aee82e160ba679061b728ed2c35a00a8a38d474",
+    "go1.25.9-20260407.1.src.tar.gz": "985777a40244ac7e2b09ec64e226ed5c955018565edc0b80ee9b95f6605ce9d8",
     "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
   }
 }

SPECS/golang/golang-1.25.spec

@@ -1,6 +1,6 @@
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
-%global ms_go_filename  go1.25.8-20260306.2.src.tar.gz
+%global ms_go_filename  go1.25.9-20260407.1.src.tar.gz
 %global ms_go_revision  1
 %ifarch aarch64
 %global gohostarch      arm64
@@ -14,7 +14,7 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           golang
-Version:        1.25.8
+Version:        1.25.9
 Release:        1%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
@@ -160,6 +160,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.9-1
+- Bump version to 1.25.9-1
+
 * Fri Mar 06 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.8-1
 - Bump version to 1.25.8-1
 

SPECS/golang/golang.signatures.json

@@ -4,7 +4,7 @@
     "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
     "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7",
     "go1.24.13-20260204.5.src.tar.gz": "fdf4ec44d7191e59890e988ffba8ab3fd133ec6bd3757955223712f369e2328b",
-    "go1.26.1-20260306.1.src.tar.gz": "51c4ea1d0f5c5e0b5860903bab4c66a1544da62ecaa67ea2fe883bef64a2e863",
+    "go1.26.2-20260407.2.src.tar.gz": "609b097d0482f96fa1b4e7f738638d33df1aa4c7a01ff6da03b881edc8534987",
     "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
   }
 }

SPECS/golang/golang.spec

@@ -1,6 +1,6 @@
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
-%global ms_go_filename  go1.26.1-20260306.1.src.tar.gz
+%global ms_go_filename  go1.26.2-20260407.2.src.tar.gz
 %global ms_go_revision  1
 %ifarch aarch64
 %global gohostarch      arm64
@@ -14,7 +14,7 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           golang
-Version:        1.26.1
+Version:        1.26.2
 Release:        1%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
@@ -166,6 +166,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Wed Apr 08 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.2-1
+- Bump version to 1.26.2-1
+
 * Fri Mar 06 2026 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.26.1-1
 - Bump version to 1.26.1-1
 

SPECS/nodejs24/CVE-2025-69418.patch

@@ -3,6 +3,6 @@
   "btest402.js": "fabaf4dacc13e93d54f825b87ffde18573214b149388a5f96176236dd31d7768",
   "icu4c-77_1-data-bin-b.zip": "d8be12e03f782da350508b15354738ed97a3289008a787b6bd2a85434374bff4",
   "icu4c-77_1-data-bin-l.zip": "0913674ff673c585f8bc08370916b6a6ccc30ffb6408a5c1bc3edbf5a687fd96",
-  "node-v24.13.0.tar.xz": "320fe909cbb347dcf516201e4964ef177b8138df9a7f810d0d54950481b3158b"
+  "node-v24.14.1.tar.xz": "7822507713f202cf2a551899d250259643f477b671706db421a6fb55c4aa0991"
  }
-}
+}

SPECS/nodejs24/nodejs24.signatures.json

@@ -15,8 +15,8 @@ Summary:        A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name:           nodejs24
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version:        24.13.0
-Release:        3%{?dist}
+Version:        24.14.1
+Release:        1%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,7 +35,6 @@ Patch2:         CVE-2024-22195.patch
 Patch3:         CVE-2020-28493.patch
 Patch4:         CVE-2024-34064.patch
 Patch5:         CVE-2025-27516.patch
-Patch6:         CVE-2025-69418.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -46,6 +45,7 @@ BuildRequires:  openssl-devel >= 1.1.1
 BuildRequires:  python3
 BuildRequires:  which
 BuildRequires:  zlib-devel
+BuildRequires:  perl-WWW-Curl
 Requires:       brotli
 Requires:       c-ares
 Requires:       coreutils >= 8.22
@@ -180,6 +180,18 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Wed Apr 01 2026 Ratiranjan Behera <v-ratbehera@microsoft.com> - 24.14.1-1
+- Upgrade to 24.14.1
+- Security fixes included:
+  CVE-2026-21710: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
+  CVE-2026-21637: wrap SNICallback invocation in try/catch (Matteo Collina) - High
+  CVE-2026-21717: test array index hash collision (Joyee Cheung) - Medium
+  CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
+  CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
+  CVE-2026-21712: handle url crash on different url formats (RafaelGSS) - Medium
+  CVE-2026-21716: include permission check on lib/fs/promises (RafaelGSS) - Low
+  CVE-2026-21715: add permission check to realpath.native (RafaelGSS) - Low
+
 * Fri Feb 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 24.13.0-3
 - Patch for CVE-2025-69418
 

SPECS/nodejs24/nodejs24.spec

@@ -0,0 +1,69 @@
+From 5d21b0f9ba9d397f45bb9003635be81df846f894 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+Fixes CVE-2026-24049.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
+---
+ src/wheel/cli/unpack.py  |  4 ++--
+ tests/cli/test_unpack.py | 23 +++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/src/wheel/cli/unpack.py
++++ b/src/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+         destination = Path(dest) / namever
+         print(f"Unpacking to: {destination}...", end="", flush=True)
+         for zinfo in wf.filelist:
+-            wf.extract(zinfo, destination)
++            target_path = Path(wf.extract(zinfo, destination))
+ 
+             # Set permissions to the same values as they were set in the archive
+             # We have to do this manually due to
+             # https://github.com/python/cpython/issues/59999
+             permissions = zinfo.external_attr >> 16 & 0o777
+-            destination.joinpath(zinfo.filename).chmod(permissions)
++            target_path.chmod(permissions)
+ 
+     print("OK")
+diff --git a/tests/cli/test_unpack.py b/tests/cli/test_unpack.py
+index ae584af..75fe193 100644
+--- a/tests/cli/test_unpack.py
++++ b/tests/cli/test_unpack.py
+@@ -34,3 +34,26 @@ def test_unpack_executable_bit(tmp_path):
+     unpack(str(wheel_path), str(tmp_path))
+     assert not script_path.is_dir()
+     assert stat.S_IMODE(script_path.stat().st_mode) == 0o755
++
++
++@pytest.mark.skipif(
++    platform.system() == "Windows", reason="Windows does not support chmod()"
++)
++def test_chmod_outside_unpack_tree(tmp_path_factory: TempPathFactory) -> None:
++    wheel_path = tmp_path_factory.mktemp("build") / "test-1.0-py3-none-any.whl"
++    with WheelFile(wheel_path, "w") as wf:
++        wf.writestr(
++            "test-1.0.dist-info/METADATA",
++            "Metadata-Version: 2.4\nName: test\nVersion: 1.0\n",
++        )
++        wf.writestr("../../system-file", b"malicious data")
++
++    extract_root_path = tmp_path_factory.mktemp("extract")
++    system_file = extract_root_path / "system-file"
++    extract_path = extract_root_path / "subdir"
++    system_file.write_bytes(b"important data")
++    system_file.chmod(0o755)
++    unpack(str(wheel_path), str(extract_path))
++
++    assert system_file.read_bytes() == b"important data"
++    assert stat.S_IMODE(system_file.stat().st_mode) == 0o755
+-- 
+2.45.4
+

SPECS/python-wheel/CVE-2026-24049.patch

@@ -4,12 +4,13 @@
 Summary:        Built-package format for Python
 Name:           python-%{pypi_name}
 Version:        0.43.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/pypa/wheel
 Source0:        %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
+Patch0:         CVE-2026-24049.patch
 %global pypi_name wheel
 %global python_wheel_name %{pypi_name}-%{version}-py3-none-any.whl
 %global python_wheeldir %{_datadir}/python-wheels
@@ -115,6 +116,9 @@ pip3 install iniconfig
 %endif
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.43.0-2
+- Patch for CVE-2026-24049
+
 * Fri May 10 2024 Betty Lakes <bettylakes@microsoft.com> - 0.43.0-1
 - Updated to 0.43.0
 

SPECS/python-wheel/python-wheel.spec

@@ -4730,8 +4730,8 @@
         "type": "other",
         "other": {
           "name": "golang",
-          "version": "1.26.1",
-          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.26.1-1/go1.26.1-20260306.1.src.tar.gz"
+          "version": "1.26.2",
+          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.26.2-1/go1.26.2-20260407.2.src.tar.gz"
         }
       }
     },
@@ -4740,8 +4740,8 @@
         "type": "other",
         "other": {
           "name": "golang",
-          "version": "1.25.8",
-          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.25.8-1/go1.25.8-20260306.2.src.tar.gz"
+          "version": "1.25.9",
+          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.25.9-1/go1.25.9-20260407.1.src.tar.gz"
         }
       }
     },
@@ -14542,8 +14542,8 @@
         "type": "other",
         "other": {
           "name": "nodejs24",
-          "version": "24.13.0",
-          "downloadUrl": "https://nodejs.org/download/release/v24.13.0/node-v24.13.0.tar.xz"
+          "version": "24.14.1",
+          "downloadUrl": "https://nodejs.org/download/release/v24.14.1/node-v24.14.1.tar.xz"
         }
       }
     },