diff --git a/SPECS/ignition-flatcar/CVE-2026-27141.patch b/SPECS/ignition-flatcar/CVE-2026-27141.patch
new file mode 100644
index 00000000000..b291608448b
--- /dev/null
+++ b/SPECS/ignition-flatcar/CVE-2026-27141.patch
@@ -0,0 +1,46 @@
+From db9b39ea4a35a9367797791c4da2d2f0bf700775 Mon Sep 17 00:00:00 2001
+From: Konnyaku
+Date: Tue, 17 Feb 2026 21:23:54 +0800
+Subject: [PATCH] http2: fix nil panic in typeFrameParser for unassigned frame
+ types
+
+The addition of FramePriorityUpdate (0x10) in RFC 9218 introduced a gap
+in the frameParsers array indices (0x0a-0x0f). These indices were
+initialized to nil, causing a panic when typeFrameParser accessed them
+for unassigned frame types (e.g., ALTSVC 0x0a).
+
+This change adds a nil check in typeFrameParser to safely fallback to
+parseUnknownFrame for these unassigned types, preventing the crash.
+
+Fixes golang/go#77652
+
+Change-Id: I14d7ad85afc1eafabc46417a9fff10f9e0a22446
+Reviewed-on: https://go-review.googlesource.com/c/net/+/746180
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Damien Neil
+Auto-Submit: Damien Neil
+Reviewed-by: Mark Freeman
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/19f580fd686a6bb31d4af15febe789827169bc26.patch
+---
+ vendor/golang.org/x/net/http2/frame.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index db3264d..4642564 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -139,7 +139,9 @@ var frameParsers = [...]frameParser{
+ 
+ func typeFrameParser(t FrameType) frameParser {
+ if int(t) < len(frameParsers) {
+- return frameParsers[t]
++ if f := frameParsers[t]; f != nil {
++ return f
++ }
+ }
+ return parseUnknownFrame
+ }
+-- 
+2.45.4
+ 
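Review bot: The nil guard added to typeFrameParser is the right minimal fix, but the backport carries no regression test for the vendored copy (the diffstat lists only frame.go), so nothing in this tree pins that a frame whose type falls in the 0x0a-0x0f gap is now returned by `Framer.ReadFrame` as an `*UnknownFrame` rather than reaching a nil parser. Because the frame type byte is read off the wire, the pre-fix behaviour presumably let any connected peer crash the process, which is worth stating in the patch header as the severity justification for this servicing change. A small test under the vendored package exercising one gap type, or at least a changelog note that upstream's test was dropped from the backport, would make the fix verifiable at package-build time. The whole of typeFrameParser is visible in the hunk; the frameParsers table it indexes is not.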
diff --git a/SPECS/ignition-flatcar/ignition-flatcar.spec b/SPECS/ignition-flatcar/ignition-flatcar.spec index 64534bb3f63..64f07a7314a 100644 --- a/SPECS/ignition-flatcar/ignition-flatcar.spec +++ b/SPECS/ignition-flatcar/ignition-flatcar.spec @@ -24,7 +24,7 @@ Version: 2.22.0 %global dracutlibdir %{_prefix}/lib/dracut Name: ignition-flatcar -Release: 1%{?dist} +Release: 2%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux Summary: First boot installer and configuration tool @@ -53,6 +53,7 @@ Patch16: 0017-revert-internal-oem-drop-noop-OEMs.patch Patch17: 0018-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch Patch18: 0019-usr-share-oem-oem.patch Patch19: 0020-internal-exec-stages-mount-Mount-oem.patch +Patch20: CVE-2026-27141.patch BuildRequires: libblkid-devel BuildRequires: systemd-rpm-macros @@ -201,6 +202,9 @@ VERSION=%{version} GOARCH=%{goarch} ./test %endif %changelog +* Wed Apr 29 2026 Azure Linux Security Servicing Account - 2.22.0-2 +- Patch for CVE-2026-27141 + * Fri Jan 16 2026 Sumit Jena - 2.22.0-1 - Initial Azure Linux import from the source project (license: same as "License" tag). - License verified.
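Review bot: Patch20 is declared in the header hunk, but whether it is actually applied depends on the %prep section, which is outside these hunks; if the spec applies patches with explicit `%patch` directives rather than `%autosetup -p1` or `%autopatch`, a matching `%patch 20 -p1` line is needed, otherwise release 2 ships with the CVE still present while the changelog claims the fix. The patch also targets `vendor/golang.org/x/net/http2/frame.go`, so it only takes effect if the build compiles against the vendor tree; confirm this against the build section, which is likewise not visible here. A one-line changelog entry naming the fixed component (`- Patch for CVE-2026-27141 (vendored golang.org/x/net/http2 nil-parser panic)`) would make the servicing record self-explanatory.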