[AutoPR- Security] Patch kubernetes for CVE-2025-52881 [MEDIUM]

.pipelines/fasttrack/FasttrackMergeNotifier.yml

@@ -15,6 +15,8 @@ extends:
   template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
   parameters:
     featureFlags:
+      LinuxHostVersion:
+        Network: R1
       runOnHost: true
     globalSdl:
       credscan:

.pipelines/prchecks/DevPRCheck.yml

@@ -25,6 +25,9 @@ variables:
 extends:
   template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
   parameters:
+    featureFlags:
+      LinuxHostVersion:
+        Network: R1
     globalSdl:
       credscan:
         suppressionsFile: .config/CredScanSuppressions.json

.pipelines/prchecks/FastTrackPRCheck.yml

@@ -25,6 +25,9 @@ variables:
 extends:
   template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
   parameters:
+    featureFlags:
+      LinuxHostVersion:
+        Network: R1
     globalSdl:
       credscan:
         suppressionsFile: .config/CredScanSuppressions.json

SPECS/ceph/CVE-2024-47866.patch

@@ -0,0 +1,33 @@
+From a22a0dbb1d46322007ac4b4e87854ba2ccc8335a Mon Sep 17 00:00:00 2001
+From: Suyash Dongre <suyashd999@gmail.com>
+Date: Wed, 20 Aug 2025 23:22:41 +0530
+Subject: [PATCH] Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty
+
+The issue was that the `HTTP_X_AMZ_COPY_SOURCE` header could be present but empty (i.e., an empty string rather than NULL). The  code only checked if the pointer was not NULL, but didn't verify that the string had content. When an empty string was passed to RGWCopyObj::parse_copy_location(), it would eventually try to access name_str[0] on an empty string, causing a crash.
+
+Fixes: https://tracker.ceph.com/issues/72669
+
+Signed-off-by: Suyash Dongre <suyashd999@gmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://patch-diff.githubusercontent.com/raw/ceph/ceph/pull/65159.patch
+---
+ src/rgw/rgw_op.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
+index 71fb198..68f74b7 100644
+--- a/src/rgw/rgw_op.cc
++++ b/src/rgw/rgw_op.cc
+@@ -5240,6 +5240,9 @@ bool RGWCopyObj::parse_copy_location(const std::string_view& url_src,
+     params_str = url_src.substr(pos + 1);
+   }
+
++  if (name_str.empty()) {
++    return false;
++  }
+   if (name_str[0] == '/') // trim leading slash
+     name_str.remove_prefix(1);
+
+-- 
+2.45.4
+

SPECS/ceph/ceph.spec

@@ -5,7 +5,7 @@
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        18.2.2
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -31,6 +31,7 @@ Patch16:        CVE-2020-14378.patch
 Patch17:        CVE-2025-52555.patch
 Patch18:        CVE-2024-48916.patch
 Patch19:        CVE-2025-9648.patch
+Patch20:        CVE-2024-47866.patch
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
@@ -2021,6 +2022,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Thu Nov 13 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 18.2.2-12
+- Patch for CVE-2024-47866
+
 * Fri Oct 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 18.2.2-11
 - Patch for CVE-2025-9648
 
@@ -2030,7 +2034,7 @@ exit 0
 * Tue Jul 01 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 18.2.2-9
 - Patch for CVE-2025-52555
 
-* Wed 16 Apr 2025 Archana Shettigar <v-shettigara@microsoft.com> - 18.2.2-8
+* Wed Apr 16 2025 Archana Shettigar <v-shettigara@microsoft.com> - 18.2.2-8
 - Patch CVE-2020-14378
 
 * Thu Apr 10 2025 Kanishk Bansal <kanbansal@microsoft.com> - 18.2.2-7

SPECS/containerd2/CVE-2024-25621.patch

@@ -0,0 +1,111 @@
+From 46223b256bfb3f42e193d947d1b1ef551260749f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+  as required by userns-remapped containers.
+  /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
+  - 0o700 for non-userns-remapped containers
+  - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5.patch
+---
+ cmd/containerd/server/server.go | 14 ++++++++++++--
+ core/runtime/v2/task_manager.go |  2 ++
+ plugins/cri/runtime/plugin.go   |  7 +++++++
+ plugins/sandbox/controller.go   |  6 +++++-
+ 4 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go
+index 9f38cb3..c9e3698 100644
+--- a/cmd/containerd/server/server.go
++++ b/cmd/containerd/server/server.go
+@@ -81,10 +81,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ 		return errors.New("root and state must be different paths")
+ 	}
+
+-	if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil {
++	if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil {
++		return err
++	}
++	// chmod is needed for upgrading from an older release that created the dir with 0o711
++	if err := os.Chmod(config.Root, 0o700); err != nil {
+ 		return err
+ 	}
+
++	// For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++	// Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ 	if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
+ 		return err
+ 	}
+@@ -99,7 +105,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ 	}
+
+ 	if config.TempDir != "" {
+-		if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {
++		if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil {
++			return err
++		}
++		// chmod is needed for upgrading from an older release that created the dir with 0o711
++		if err := os.Chmod(config.Root, 0o700); err != nil {
+ 			return err
+ 		}
+ 		if runtime.GOOS == "windows" {
+diff --git a/core/runtime/v2/task_manager.go b/core/runtime/v2/task_manager.go
+index f396ced..024763a 100644
+--- a/core/runtime/v2/task_manager.go
++++ b/core/runtime/v2/task_manager.go
+@@ -74,6 +74,8 @@ func init() {
+ 			shimManager := shimManagerI.(*ShimManager)
+ 			root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir]
+ 			for _, d := range []string{root, state} {
++				// root:  the parent of this directory is created as 0o700, not 0o711.
++				// state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers.
+ 				if err := os.MkdirAll(d, 0711); err != nil {
+ 					return nil, err
+ 				}
+diff --git a/plugins/cri/runtime/plugin.go b/plugins/cri/runtime/plugin.go
+index adc64d9..07f64a1 100644
+--- a/plugins/cri/runtime/plugin.go
++++ b/plugins/cri/runtime/plugin.go
+@@ -91,6 +91,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) {
+ 	rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri")
+ 	containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir])
+ 	stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri")
++	if err := os.MkdirAll(stateDir, 0o700); err != nil {
++		return nil, err
++	}
++	// chmod is needed for upgrading from an older release that created the dir with 0o755
++	if err := os.Chmod(stateDir, 0o700); err != nil {
++		return nil, err
++	}
+ 	c := criconfig.Config{
+ 		RuntimeConfig:      *pluginConfig,
+ 		ContainerdRootDir:  containerdRootDir,
+diff --git a/plugins/sandbox/controller.go b/plugins/sandbox/controller.go
+index aec9cc3..165f2e8 100644
+--- a/plugins/sandbox/controller.go
++++ b/plugins/sandbox/controller.go
+@@ -68,7 +68,11 @@ func init() {
+ 			state := ic.Properties[plugins.PropertyStateDir]
+ 			root := ic.Properties[plugins.PropertyRootDir]
+ 			for _, d := range []string{root, state} {
+-				if err := os.MkdirAll(d, 0711); err != nil {
++				if err := os.MkdirAll(d, 0700); err != nil {
++					return nil, err
++				}
++				// chmod is needed for upgrading from an older release that created the dir with 0o711
++				if err := os.Chmod(d, 0o700); err != nil {
+ 					return nil, err
+ 				}
+ 			}
+-- 
+2.45.4
+

SPECS/containerd2/containerd2.spec

@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: %{upstream_name}2
 Version: 2.0.0
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -23,6 +23,7 @@ Patch3:	CVE-2025-22872.patch
 Patch4:	CVE-2025-47291.patch
 Patch5:	multi-snapshotters-support.patch
 Patch6:	tardev-support.patch
+Patch7:	CVE-2024-25621.patch
 %{?systemd_requires}
 
 BuildRequires: golang < 1.25
@@ -98,6 +99,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Tue Nov 11 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.0-15
+- Patch for CVE-2024-25621
+
 * Sun Aug 31 2025 Andrew Phelps <anphel@microsoft.com> - 2.0.0-14
 - Set BR for golang to < 1.25
 

SPECS/docker-buildx/CVE-2025-47913.patch

@@ -0,0 +1,51 @@
+From e5db42e32d99478b5f123a78f9e93b9a69e32abc Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 18 Nov 2025 15:59:55 +0000
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Reviewed-by: backport
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index fecba8e..6dc73e0 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+
+ // unmarshal parses an agent message in packet, returning the parsed
+-- 
+2.45.4
+

SPECS/docker-buildx/docker-buildx.spec

@@ -4,7 +4,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           docker-buildx
 # update "commit_hash" above when upgrading version
 Version:        0.14.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -16,6 +16,7 @@ Patch1:         CVE-2024-45338.patch
 Patch2:         CVE-2025-22869.patch
 Patch3:         CVE-2025-0495.patch
 Patch4:         CVE-2025-22872.patch
+Patch5:         CVE-2025-47913.patch
 
 BuildRequires: bash
 BuildRequires: golang < 1.25
@@ -49,6 +50,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Tue Nov 18 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.14.0-8
+- Patch for CVE-2025-47913
+
 * Sun Aug 31 2025 Andrew Phelps <anphel@microsoft.com> - 0.14.0-7
 - Set BR for golang to < 1.25
 

SPECS/docker-compose/CVE-2025-47913.patch

@@ -0,0 +1,50 @@
+From 3a083d7126710d186760b49c440ce07bdb9a0f27 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 18 Nov 2025 15:58:07 +0000
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index fecba8e..6dc73e0 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+
+ // unmarshal parses an agent message in packet, returning the parsed
+-- 
+2.45.4
+

SPECS/docker-compose/docker-compose.spec

@@ -1,7 +1,7 @@
 Summary:        Define and run multi-container applications with Docker
 Name:           docker-compose
 Version:        2.27.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Patch1:         CVE-2024-45338.patch
 Patch2:         CVE-2025-22869.patch
 Patch3:         CVE-2024-10846.patch
 Patch4:         CVE-2025-22872.patch
+Patch5:         CVE-2025-47913.patch
 BuildRequires:  golang
 Requires:       docker-cli
 Obsoletes:      moby-compose < %{version}-%{release}
@@ -49,6 +50,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl
 %{_libexecdir}/docker/cli-plugins/docker-compose
 
 %changelog
+* Tue Nov 18 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.27.0-6
+- Patch for CVE-2025-47913
+
 * Wed Apr 23 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 2.27.0-5
 - Patch CVE-2025-22872