From 887be7768d9439a59bdd01b32a75c688428a7b41 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Thu, 2 Apr 2026 15:25:21 +0000 Subject: [PATCH 1/3] Patch rubygem-faraday for CVE-2026-25765 --- SPECS/rubygem-faraday/CVE-2026-25765.patch | 89 ++++++++++++++++++++++ SPECS/rubygem-faraday/rubygem-faraday.spec | 7 +- 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 SPECS/rubygem-faraday/CVE-2026-25765.patch diff --git a/SPECS/rubygem-faraday/CVE-2026-25765.patch b/SPECS/rubygem-faraday/CVE-2026-25765.patch new file mode 100644 index 00000000000..873de906321 --- /dev/null +++ b/SPECS/rubygem-faraday/CVE-2026-25765.patch 
@@ -0,0 +1,89 @@ +From e45ae8f935f6f87b91929b2ba48b57e5ba174435 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Thu, 2 Apr 2026 15:18:26 +0000 +Subject: [PATCH] build_exclusive_url: Guard against protocol-relative URLs by + normalising to relative path; update rubocop todo and add specs + (GHSA-33mh-2634-fwr2) + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc.patch +--- + .rubocop_todo.yml | 2 +- + lib/faraday/connection.rb | 3 +++ + spec/faraday/connection_spec.rb | 33 +++++++++++++++++++++++++++++++++ + 3 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml +index fbec6de..3c75338 100644 +--- a/.rubocop_todo.yml ++++ b/.rubocop_todo.yml +@@ -31,7 +31,7 @@ Metrics/AbcSize: + # Offense count: 4 + # Configuration parameters: CountComments, CountAsOne. + Metrics/ClassLength: +- Max: 230 ++ Max: 235 + + # Offense count: 9 + # Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods. +diff --git a/lib/faraday/connection.rb b/lib/faraday/connection.rb +index 1984f87..7056572 100644 +--- a/lib/faraday/connection.rb ++++ b/lib/faraday/connection.rb +@@ -473,6 +473,9 @@ module Faraday + if url && !base.path.end_with?('/') + base.path = "#{base.path}/" # ensure trailing slash + end ++ # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`) ++ url = "./#{url}" if url.respond_to?(:start_with?) && ++ (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//')) + url = url.to_s.gsub(':', '%3A') if URI.parse(url.to_s).opaque + uri = url ? 
base + url : base + if params +diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb +index d4ccb23..51392f1 100644 +--- a/spec/faraday/connection_spec.rb ++++ b/spec/faraday/connection_spec.rb +@@ -309,6 +309,39 @@ RSpec.describe Faraday::Connection do + uri = conn.build_exclusive_url('service:search?limit=400') + expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400') + end ++ ++ context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do ++ it 'does not allow host override with //evil.com/path' do ++ conn.url_prefix = 'http://httpbingo.org/api' ++ uri = conn.build_exclusive_url('//evil.com/path') ++ expect(uri.host).to eq('httpbingo.org') ++ end ++ ++ it 'does not allow host override with //evil.com:8080/path' do ++ conn.url_prefix = 'http://httpbingo.org/api' ++ uri = conn.build_exclusive_url('//evil.com:8080/path') ++ expect(uri.host).to eq('httpbingo.org') ++ end ++ ++ it 'does not allow host override with //user:pass@evil.com/path' do ++ conn.url_prefix = 'http://httpbingo.org/api' ++ uri = conn.build_exclusive_url('//user:pass@evil.com/path') ++ expect(uri.host).to eq('httpbingo.org') ++ end ++ ++ it 'does not allow host override with ///evil.com' do ++ conn.url_prefix = 'http://httpbingo.org/api' ++ uri = conn.build_exclusive_url('///evil.com') ++ expect(uri.host).to eq('httpbingo.org') ++ end ++ ++ it 'still allows single-slash absolute paths' do ++ conn.url_prefix = 'http://httpbingo.org/api' ++ uri = conn.build_exclusive_url('/safe/path') ++ expect(uri.host).to eq('httpbingo.org') ++ expect(uri.path).to eq('/safe/path') ++ end ++ end + end + + context 'with a custom `default_uri_parser`' do +-- +2.45.4 + diff --git a/SPECS/rubygem-faraday/rubygem-faraday.spec b/SPECS/rubygem-faraday/rubygem-faraday.spec index cd3e7e8eee0..b278c8ff511 100644 --- a/SPECS/rubygem-faraday/rubygem-faraday.spec +++ b/SPECS/rubygem-faraday/rubygem-faraday.spec 
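Review bot: The guard added before `url = url.to_s.gsub(':', '%3A')` only normalises paths that respond to `start_with?`, so a `URI` object passed as the request path skips the `./` prefix and still reaches `base + url` unchanged; Faraday's request builder accepts non-String paths in some versions, so whether a protocol-relative `URI` can arrive here in 2.7.10 should be confirmed, and the five new specs all use String paths, so they would not catch it. A spec of the form `uri = conn.build_exclusive_url(URI('//evil.com/path'))` / `expect(uri.host).to eq('httpbingo.org')` settles it, and if it fails, `url = url.to_s if url.is_a?(URI)` placed before the guard keeps the check uniform without touching the nil path. The scheme allow-list `'http://', 'https://'` is also case-sensitive, so an absolute URL with an upper-case scheme is now rewritten into a relative path; that is a behaviour change for callers and deserves a sentence in the added comment. `build_exclusive_url` starts and ends outside the hunk.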
@@ -3,13 +3,14 @@ Summary: HTTP/REST API client library Name: rubygem-faraday Version: 2.7.10 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Languages URL: https://lostisland.github.io/faraday/ Source0: https://github.com/lostisland/faraday/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz +Patch0: CVE-2026-25765.patch BuildRequires: ruby Requires: rubygem-multipart-post < 3 Requires: rubygem-ruby2_keywords @@ -23,6 +24,7 @@ when processing the request/response cycle. %prep %setup -q -n %{gem_name}-%{version} +%patch 0 -p1 %build gem build %{gem_name} @@ -36,6 +38,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %{gemdir} %changelog +* Thu Apr 02 2026 Azure Linux Security Servicing Account - 2.7.10-2 +- Patch for CVE-2026-25765 + * Thu Nov 02 2023 CBL-Mariner Servicing Account - 2.7.10-1 - Auto-upgrade to 2.7.10 - Azure Linux 3.0 - package upgrades From 48c3fe3b24759253952a00fb2ac0d8dad7d9fa3c Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Tue, 7 Apr 2026 23:02:11 +0530 Subject: [PATCH 2/3] Use autosetup for gem preparation Replaced manual setup and patch commands with autosetup. --- SPECS/rubygem-faraday/rubygem-faraday.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SPECS/rubygem-faraday/rubygem-faraday.spec b/SPECS/rubygem-faraday/rubygem-faraday.spec index b278c8ff511..df795cfee8e 100644 --- a/SPECS/rubygem-faraday/rubygem-faraday.spec +++ b/SPECS/rubygem-faraday/rubygem-faraday.spec @@ -23,8 +23,7 @@ many adapters (such as Net::HTTP) and embraces the concept of Rack middleware when processing the request/response cycle. %prep -%setup -q -n %{gem_name}-%{version} -%patch 0 -p1 +%autosetup -n %{gem_name}-%{version} -p1 %build gem build %{gem_name} From 662d00fa4ee444d7988425264dd09d5ec0a8a61e Mon Sep 17 00:00:00 2001 
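Review bot: Nothing in the visible spec runs the RSpec cases the backport adds: `%build` runs `gem build`, `%install` runs `gem install`, and no `%check` section appears in any hunk, so if the full file has none the host-override guard is never exercised at build time and the `spec/` and `.rubocop_todo.yml` parts of the patch only add maintenance surface. If a `%check` is feasible in this build environment, running `spec/faraday/connection_spec.rb` there would verify the backport against 2.7.10 rather than relying on the upstream run. The changelog entry could also carry the advisory id the patch is named after, `- Patch for CVE-2026-25765 (GHSA-33mh-2634-fwr2)`, so the two identifiers are linked in the package history. The second commit's `%autosetup -n %{gem_name}-%{version} -p1` is a direct replacement of `%setup`/`%patch 0 -p1`, but it changes `%prep` without a changelog line; confirm that matches the distro's spec conventions.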
From: Akarsh Chaudhary Date: Thu, 9 Apr 2026 06:06:16 +0000 Subject: [PATCH 3/3] Reapply "correcting the end placement in sync with upstream patch." This reverts commit 321d8256aeb2b789d587c72677f5204ab3966f73. --- SPECS/rubygem-faraday/CVE-2026-25765.patch | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/SPECS/rubygem-faraday/CVE-2026-25765.patch b/SPECS/rubygem-faraday/CVE-2026-25765.patch index 873de906321..d3ef49d0113 100644 --- a/SPECS/rubygem-faraday/CVE-2026-25765.patch +++ b/SPECS/rubygem-faraday/CVE-2026-25765.patch @@ -44,11 +44,10 @@ diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb index d4ccb23..51392f1 100644 --- a/spec/faraday/connection_spec.rb +++ b/spec/faraday/connection_spec.rb -@@ -309,6 +309,39 @@ RSpec.describe Faraday::Connection do - uri = conn.build_exclusive_url('service:search?limit=400') +@@ -310,6 +310,39 @@ expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400') end -+ + end + context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do + it 'does not allow host override with //evil.com/path' do + conn.url_prefix = 'http://httpbingo.org/api' @@ -81,9 +80,9 @@ index d4ccb23..51392f1 100644 + expect(uri.path).to eq('/safe/path') + end + end - end ++ context 'with a custom `default_uri_parser`' do + let(:url) { 'http://httpbingo.org' } -- 2.45.4 -
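Review bot: The nested hunk header is rewritten by hand to `@@ -310,6 +310,39 @@` and the `uri = conn.build_exclusive_url('service:search?limit=400')` context line is dropped, while `index d4ccb23..51392f1 100644` is carried over unchanged; `patch` ignores the index line, but hand-edited hunks are easy to get off by one, so an `rpmbuild -bp` (or `patch -p1 --dry-run` against faraday 2.7.10) showing the patch applies without fuzz, and a syntax check of the resulting `connection_spec.rb`, should be recorded in the PR, since misplaced `end`s are exactly what this commit corrects. Regenerating `CVE-2026-25765.patch` with `git format-patch` from a tree where the backport was applied would give consistent offsets and index lines and avoid a third manual edit. The same point applies to the `@@ -81,9 +80,9 @@` hunk, which moves the closing `end` context of the same nested hunk.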