From 7d044328db0eb50331045a8465443d204ba2ddd7 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Tue, 7 Apr 2026 21:23:49 +0530
Subject: [PATCH] [AutoPR- Security] Patch telegraf for CVE-2026-33216, CVE-2026-29785 [HIGH] (#16431)

Co-authored-by: akhila-guruju
Co-authored-by: Aditya Singh
(cherry picked from commit 4e6d4cf30f44f71b99933ea713f0fc30473dd3dd)
---
 SPECS/telegraf/CVE-2026-29785.patch | 59 +++++++++++++++++++++++
 SPECS/telegraf/CVE-2026-33216.patch | 75 +++++++++++++++++++++++++++++
 SPECS/telegraf/telegraf.spec | 7 ++-
 3 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/telegraf/CVE-2026-29785.patch
 create mode 100644 SPECS/telegraf/CVE-2026-33216.patch

diff --git a/SPECS/telegraf/CVE-2026-29785.patch b/SPECS/telegraf/CVE-2026-29785.patch
new file mode 100644
index 00000000000..0166cc4db24
--- /dev/null
+++ b/SPECS/telegraf/CVE-2026-29785.patch
@@ -0,0 +1,59 @@
+From 2c1b4d1bf00adcbaf61caf126c74169f8b246d3b Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 2 Apr 2026 15:13:42 +0000
+Subject: [PATCH] Fix panic on LS protocol when compression enabled: guard
+ against LS+ and LS- before CONNECT; close with auth violation
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8.patch
+---
+ .../nats-io/nats-server/v2/server/leafnode.go | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+index 8f3fe627..652ec5d1 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go
+@@ -2325,6 +2325,15 @@ func (c *client) processLeafSub(argo []byte) (err error) {
+ }
+ 
+ acc := c.acc
++ // Guard against LS+ arriving before CONNECT has been processed, which
++ // can happen when compression is enabled.
++ if acc == nil {
++ c.mu.Unlock()
++ c.sendErr("Authorization Violation")
++ c.closeConnection(ProtocolViolation)
++ return nil
++ }
++
+ // Check if we have a loop.
+ ldsPrefix := bytes.HasPrefix(sub.subject, []byte(leafNodeLoopDetectionSubjectPrefix))
+ 
+@@ -2444,7 +2453,6 @@ func (c *client) processLeafUnsub(arg []byte) error {
+ // Indicate any activity, so pub and sub or unsubs.
+ c.in.subs++
+ 
+- acc := c.acc
+ srv := c.srv
+ 
+ c.mu.Lock()
+@@ -2453,6 +2461,15 @@ func (c *client) processLeafUnsub(arg []byte) error {
+ return nil
+ }
+ 
++ acc := c.acc
++ // Guard against LS- arriving before CONNECT has been processed.
++ if acc == nil {
++ c.mu.Unlock()
++ c.sendErr("Authorization Violation")
++ c.closeConnection(ProtocolViolation)
++ return nil
++ }
++
+ updateGWs := false
+ spoke := c.isSpokeLeafNode()
+ // We store local subs by account and subject and optionally queue name.
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/CVE-2026-33216.patch b/SPECS/telegraf/CVE-2026-33216.patch
new file mode 100644
index 00000000000..50aceea7242
--- /dev/null
+++ b/SPECS/telegraf/CVE-2026-33216.patch
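Review bot: The close reason recorded by the two new guards is `ProtocolViolation` while the error sent to the peer is "Authorization Violation" and the patch subject says "close with auth violation"; if the upstream commit named in the Upstream-reference trailer closes with the authentication-violation state instead, the reason that surfaces in server logs and closed-connection monitoring will differ from upstream, so the backport is worth checking against that commit on this point. Both guards call `c.mu.Unlock()` before `c.sendErr`/`c.closeConnection`, which is only correct if the lock is held at the insertion point; the top of `processLeafSub` is outside the hunk and `processLeafUnsub`'s `c.mu.Lock()` is shown only as context, so confirm the hunk offsets land after the lock in the vendored copy. The guard in `processLeafUnsub` (hunk at -2453) has the same shape, so the same checks apply there. Both enclosing functions start and end outside the hunk.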
@@ -0,0 +1,75 @@
+From 5ad836f2e5705b1dbf87437f681c8f9a85b07adf Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 2 Apr 2026 15:18:09 +0000
+Subject: [PATCH] Backport: Fix MQTT password exposed in JWT by deferring
+ setting JWT for MQTT and using local ujwt in auth; remove setting JWT in
+ mqttParseConnect
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099.patch
+---
+ .../nats-io/nats-server/v2/server/auth.go | 16 ++++++++++++++--
+ .../nats-io/nats-server/v2/server/mqtt.go | 1 -
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/auth.go b/vendor/github.com/nats-io/nats-server/v2/server/auth.go
+index 97106343..dc783409 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/auth.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/auth.go
+@@ -586,6 +586,7 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
+ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (authorized bool) {
+ var (
+ nkey *NkeyUser
++ ujwt string
+ juc *jwt.UserClaims
+ acc *Account
+ user *User
+@@ -729,13 +730,19 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
+ 
+ // Check if we have trustedKeys defined in the server. If so we require a user jwt.
+ if s.trustedKeys != nil {
+- if c.opts.JWT == _EMPTY_ {
++ ujwt = c.opts.JWT
++ if ujwt == _EMPTY_ && c.isMqtt() {
++ // For MQTT, we pass the password as the JWT too, but do so here so it's not
++ // publicly exposed in the client options if it isn't a JWT.
++ ujwt = c.opts.Password
++ }
++ if ujwt == _EMPTY_ {
+ s.mu.Unlock()
+ c.Debugf("Authentication requires a user JWT")
+ return false
+ }
+ // So we have a valid user jwt here.
+- juc, err = jwt.DecodeUserClaims(c.opts.JWT)
++ juc, err = jwt.DecodeUserClaims(ujwt)
+ if err != nil {
+ s.mu.Unlock()
+ c.Debugf("User JWT not valid: %v", err)
+@@ -995,6 +1002,11 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
+ // Hold onto the user's public key.
+ c.mu.Lock()
+ c.pubKey = juc.Subject
++ // If this is a MQTT client, we purposefully didn't populate the JWT as it could contain
++ // a password or token. Now we know it's a valid JWT, we can populate it.
++ if c.isMqtt() {
++ c.opts.JWT = ujwt
++ }
+ c.tags = juc.Tags
+ c.nameTag = juc.Name
+ c.mu.Unlock()
+diff --git a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+index 7ca49081..f5ef29e6 100644
+--- a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
++++ b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go
+@@ -3561,7 +3561,6 @@ func (c *client) mqttParseConnect(r *mqttReader, hasMappings bool) (byte, *mqttC
+ return 0, nil, err
+ }
+ c.opts.Token = c.opts.Password
+- c.opts.JWT = c.opts.Password
+ }
+ return 0, cp, nil
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
index d8cdcb61dd8..fda927d22ab 100644
--- a/SPECS/telegraf/telegraf.spec
+++ b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary: agent for collecting, processing, aggregating, and writing metrics.
 Name: telegraf
 Version: 1.31.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -35,6 +35,8 @@ Patch20: CVE-2026-4645.patch
 # Patch added based on customer request https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
 # Fix was introduced 1.37.2, this patch can be removed once we update to 1.37.2 or later
 Patch21: cisco_telegraf_bug61041768.patch
+Patch22: CVE-2026-29785.patch
+Patch23: CVE-2026-33216.patch
 
 BuildRequires: golang
 BuildRequires: systemd-devel
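Review bot: Once the decode site (hunk -729) reads `ujwt` instead of `c.opts.JWT`, any other read of `c.opts.JWT` inside `processClientOrLeafAuthentication` between that point and the `c.opts.JWT = ujwt` assignment in hunk -995 now sees an empty string for MQTT clients whose JWT arrived in the password field; that stretch of the function is outside the hunk, so it is worth grepping the vendored auth.go for remaining `c.opts.JWT` uses there. The assignment is placed after `c.pubKey = juc.Subject`, which reads as the path reached only with decoded claims, so a password that is not a JWT should no longer land in the client options. A one-line comment on the new var-block entry would make the two-site handling easier to follow, e.g. `// ujwt is the JWT actually verified; for MQTT it may be carried in the password field`. Note that `mqttParseConnect` still copies the password into `c.opts.Token` just above the removed line, so that field remains populated for MQTT clients, presumably by design. Both enclosing functions start and end outside the hunk.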
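Review bot: Patch22 and Patch23 modify files under `vendor/github.com/nats-io/nats-server/v2/`, so they apply only if the vendored module tree is already unpacked when patches are applied; the %prep section is outside the hunk, so confirm that the vendor sources are extracted before patching and, if this spec applies patches individually rather than via %autosetup, that matching %patch lines for 22 and 23 exist. Patch21 carries a comment saying when it can be dropped; the two new lines would benefit from the same, e.g. `# Backport of an upstream nats-server fix; drop once the vendored nats-server includes it` above each, with the upstream nats-server version filled in by whoever confirms it.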
@@ -99,6 +101,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account - 1.31.0-18
+- Patch for CVE-2026-33216, CVE-2026-29785
+
 * Fri Mar 27 2026 Sindhu Karri - 1.31.0-17
 - Added patch to fix the issue reported in https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
   Fix in telegraf to support cisco telemetry plugin that collects telemetry data from cisco NXOS switches.