Merge branch '3.0-dev' into 3.0

.github/CODEOWNERS

@@ -1,6 +1,5 @@
-# By default, all files require a review by at least one member of the Azure Linux developers team.
-# See teams here: https://github.com/orgs/microsoft/teams?query=mariner
-* @microsoft/cbl-mariner-devs
+# For stable release branches, ensure stable release maintainers are added as code reviewers
+* @microsoft/cbl-mariner-stable-maintainers
 
 # Modification to this file require admin approval.
 /.github/CODEOWNERS @microsoft/cbl-mariner-admins
@@ -11,83 +10,7 @@
 # Modifications to the CredScan exceptions require admin approval.
 /.config/CredScanSuppressions.json @microsoft/cbl-mariner-admins
 
-# Modification to what is considered "core packages" require admin approval.
-/SPECS/core-packages/* @microsoft/cbl-mariner-admins
-
-# Modification to specific packages go to specific teams
-/SPECS/kernel/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-headers/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-mshv/* @microsoft/cbl-mariner-kata-containers
-/SPECS/kernel-uvm/* @microsoft/cbl-mariner-kata-containers
-/SPECS-SIGNED/kernel-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-mstflint-signed/* @microsoft/cbl-mariner-kernel
-
-/SPECS/grub2/* @microsoft/cbl-mariner-bootloader
-/SPECS/grubby/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned-x64/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned-aarch64/* @microsoft/cbl-mariner-bootloader
-/SPECS-SIGNED/grub2-efi-binary-signed/* @microsoft/cbl-mariner-bootloader
-
-/SPECS/dracut/* @microsoft/cbl-mariner-dracut
-/SPECS/initramfs/* @microsoft/cbl-mariner-dracut
-/SPECS/verity-read-only-root/* @microsoft/cbl-mariner-dracut
-
-/SPECS/systemd/* @microsoft/cbl-mariner-systemd
-
-/SPECS/bcc/* @microsoft/cbl-mariner-debug-tools
-/SPECS/bpftrace/* @microsoft/cbl-mariner-debug-tools
-/SPECS/crash/* @microsoft/cbl-mariner-debug-tools
-/SPECS/gdb/* @microsoft/cbl-mariner-debug-tools
-/SPECS/kexec-tools/* @microsoft/cbl-mariner-debug-tools
-
-/SPECS/openssl/* @microsoft/cbl-mariner-openssl
-/SPECS/SymCrypt-OpenSSL/* @microsoft/cbl-mariner-openssl
-/SPECS/SymCrypt/* @microsoft/cbl-mariner-openssl
-
-/SPECS/dnf/* @microsoft/cbl-mariner-package-managers
-/SPECS/dnf-plugins-core/* @microsoft/cbl-mariner-package-managers
-/SPECS/rpm/* @microsoft/cbl-mariner-package-managers
-/SPECS/tdnf/* @microsoft/cbl-mariner-package-managers
-
-/SPECS/containerd/* @microsoft/cbl-mariner-container-runtime
-/SPECS/docker-buildx/* @microsoft/cbl-mariner-container-runtime
-/SPECS/docker-cli/* @microsoft/cbl-mariner-container-runtime
-/SPECS/kata-containers/* @microsoft/cbl-mariner-kata-containers
-/SPECS/kata-containers-cc/* @microsoft/cbl-mariner-kata-containers
-/SPECS/moby-containerd-cc/* @microsoft/cbl-mariner-kata-containers
-/SPECS/moby-engine/* @microsoft/cbl-mariner-container-runtime
-/SPECS/runc/* @microsoft/cbl-mariner-container-runtime
-/SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers
-
-/SPECS/cloud-hypervisor-cvm/* @microsoft/cbl-mariner-kata-containers
-
-/SPECS/cloud-init/* @microsoft/cbl-mariner-provisioning
-/SPECS/walinuxagent/* @microsoft/cbl-mariner-provisioning
-
-# Modifications to the toolkit requires reviews from the toolkit team
-/toolkit/ @microsoft/cbl-mariner-tooling
-
-# Docs to be reviewed by general Azure Linux devs
-/toolkit/docs/ @microsoft/cbl-mariner-devs
-
-# Default image configurations to be reviewed by general Azure Linux devs
-/toolkit/imageconfigs/ @microsoft/cbl-mariner-devs
-
-# Package and toolchain manifests to be reviewed by toolchain team
-/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @microsoft/cbl-mariner-toolchain
-/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @microsoft/cbl-mariner-toolchain
-/toolkit/resources/manifests/package/toolchain_aarch64.txt @microsoft/cbl-mariner-toolchain
-/toolkit/resources/manifests/package/toolchain_x86_64.txt @microsoft/cbl-mariner-toolchain
-
-# Modifications to the raw toolchain require admin approval.
-/toolkit/scripts/toolchain/container/* @microsoft/cbl-mariner-admins
-/toolkit/scripts/toolchain/cgmanifest.json @microsoft/cbl-mariner-admins
-/toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins
-
-# Modifications to the trusted CA certificates require admin approval.
-/SPECS/*ca-certificates*/* @microsoft/cbl-mariner-admins
+/SPECS-EXTENDED/ @microsoft/cbl-mariner-devs
 
 # Image Customizer
 /toolkit/tools/imagecustomizer/ @microsoft/cbl-mariner-imagecustomizer

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -1709,6 +1709,7 @@
                 "python-humanize",
                 "python-hwdata",
                 "python-importlib-metadata",
+                "python-iniconfig",
                 "python-inotify",
                 "python-into-dbus-python",
                 "python-IPy",

SPECS-EXTENDED/apache-commons-io/apache-commons-io-build.xml

@@ -10,7 +10,7 @@
 
   <property name="project.groupId" value="commons-io"/>
   <property name="project.artifactId" value="commons-io"/>
-  <property name="project.version" value="2.8.0"/>
+  <property name="project.version" value="2.14.0"/>
   <property name="project.name" value="Apache Commons IO"/>
   <property name="project.description" value="The Apache Commons IO library 
 contains utility classes, stream implementations, file filters, 

SPECS-EXTENDED/apache-commons-io/apache-commons-io.signatures.json

@@ -1,7 +1,7 @@
 {
  "Signatures": {
-  "apache-commons-io-build.xml": "3661f04824b5f93033dfc9f993a97f1435ff467f7e3cf5e2846f2d63a690ad3b",
-  "commons-io-2.8.0-src.tar.gz": "1e44c2b038bf825526305f0320b2e24dce039f399968326aab30c475ab765612",
-  "commons-io-2.8.0-src.tar.gz.asc": "5df617e9034a4e31cf7671af111edae1537dd14dc8d5e2fa4392a038f912df61"
+  "apache-commons-io-build.xml": "d7daa228b59ff41d5917745a77732bd31dc38dc1cea4edf1f65879c8ab82c4a2",
+  "commons-io-2.14.0-src.tar.gz": "306d53e907f491b9ac6b0e74e6ad9d8cbc0cf1b024cfb21df59a0c486fd181bc",
+  "commons-io-2.14.0-src.tar.gz.asc": "e46f87969e7accfa80aa194207c47d213730bc2427fb8ce7affbbfef5c3d1ec5"
  }
 }

SPECS-EXTENDED/apache-commons-io/apache-commons-io.spec

@@ -22,8 +22,8 @@ Distribution:   Azure Linux
 %define short_name      commons-%{base_name}
 %bcond_with tests
 Name:           apache-%{short_name}
-Version:        2.8.0
-Release:        2%{?dist}
+Version:        2.14.0
+Release:        1%{?dist}
 Summary:        Utilities to assist with developing IO functionality
 License:        Apache-2.0
 Group:          Development/Libraries/Java
@@ -93,6 +93,10 @@ cp -pr target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}
 %doc %{_javadocdir}/%{name}
 
 %changelog
+* Mon Oct 7 2024 Bhagyashri Pathak <[email protected]> - 2.14.0-1
+- Upgrade to 2.14.0 to fix the CVE-2024-47554.
+- License verified
+
 * Thu Oct 14 2021 Pawel Winogrodzki <[email protected]> - 2.8.0-2
 - Converting the 'Release' tag to the '[number].[distribution]' format.
 

SPECS-EXTENDED/apache-commons-io/commons-io-2.14.0-src.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEELbTx7w+nYezE6pNchv3H4qESYssFAmURZkQACgkQhv3H4qES
+YssmAAf+Opr906UCvufO2/ncd3Q2RuJDC24WoUlK8t18yNLTXcG1ZhxtqHn0ms/l
+D59OwQQaerBr2f/Y4dB1WLTg/XIrgtbmjImKk0iOXwVirb5etdXdnLUXf3oRvJG+
+C98BB26kY4QPYmRzQMFdf6AVRMZvva51c+u7zrKDOC0/VlxYPY8UlYQfCJ6Uyxqu
+TMUwQ1/cfSr65DIQui/X/RM09tGcyItb2wScZlGSq7FqtYNUj6GYAEZqhPeG74pq
+5xC19viyCGnTLO8LRaqmzmqidMPcYc95GqO9BiQDcI393qZJsq9GSxMwvIPcVJNp
+l6oNdUcPRxIf0yFJm47dmFtEeM4KXg==
+=+Thz
+-----END PGP SIGNATURE-----

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        6.6.51.1
+Version:        6.6.56.1
 Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -145,6 +145,21 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Thu Oct 24 2024 Rachel Menge <[email protected]> - 6.6.56.1-5
+- Bump release to match kernel
+
+* Wed Oct 23 2024 Rachel Menge <[email protected]> - 6.6.56.1-4
+- Bump release to match kernel
+
+* Wed Oct 23 2024 Rachel Menge <[email protected]> - 6.6.56.1-3
+- Bump release to match kernel
+
+* Tue Oct 22 2024 Rachel Menge <[email protected]> - 6.6.56.1-2
+- Bump release to match kernel
+
+* Thu Oct 17 2024 CBL-Mariner Servicing Account <[email protected]> - 6.6.56.1-1
+- Auto-upgrade to 6.6.56.1
+
 * Thu Oct 03 2024 Rachel Menge <[email protected]> - 6.6.51.1-5
 - Bump release to match kernel
 

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

@@ -5,7 +5,7 @@
 %define kernelver %{version}-%{release}
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
-Version:        6.6.51.1
+Version:        6.6.56.1
 Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -68,6 +68,21 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Thu Oct 24 2024 Rachel Menge <[email protected]> - 6.6.56.1-5
+- Bump release to match kernel
+
+* Wed Oct 23 2024 Rachel Menge <[email protected]> - 6.6.56.1-4
+- Bump release to match kernel
+
+* Wed Oct 23 2024 Rachel Menge <[email protected]> - 6.6.56.1-3
+- Bump release to match kernel
+
+* Tue Oct 22 2024 Rachel Menge <[email protected]> - 6.6.56.1-2
+- Bump release to match kernel
+
+* Thu Oct 17 2024 CBL-Mariner Servicing Account <[email protected]> - 6.6.56.1-1
+- Auto-upgrade to 6.6.56.1
+
 * Thu Oct 03 2024 Rachel Menge <[email protected]> - 6.6.51.1-5
 - Bump release to match kernel
 

SPECS/OpenIPMI/OpenIPMI.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "OpenIPMI-2.0.33.tar.gz": "fb53e9ea5e2681cf8af7cda024b1a0044c675f84116ca27ae9616c8b7ad95b49",
+  "OpenIPMI-2.0.36.tar.gz": "a0403148fa5f7bed930c958a4d1c558047e273763a408b3a0368edc137cc55d9",
   "ipmi.service": "7f55866340569bfbb4bcce32a6218667d0e8dbba99d9aac4ef8e192d3952fa71",
   "openipmi-helper": "e646bf49b3962dd0cd6261d5a7c44240261c856e0bc47d70bdc2720a2ea7d530"
  }

SPECS/OpenIPMI/OpenIPMI.spec

@@ -1,13 +1,13 @@
 Summary:        A shared library implementation of IPMI and the basic tools
 Name:           OpenIPMI
-Version:        2.0.33
+Version:        2.0.36
 Release:        1%{?dist}
 License:        LGPLv2+ AND GPLv2+ OR BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Base
 URL:            https://sourceforge.net/projects/openipmi/
-Source0:        https://downloads.sourceforge.net/openipmi/OpenIPMI-2.0.33.tar.gz
+Source0:        https://downloads.sourceforge.net/openipmi/%{name}-%{version}.tar.gz
 Source1:        openipmi-helper
 Source2:        ipmi.service
 BuildRequires:  ncurses-devel
@@ -190,6 +190,9 @@ echo "disable ipmi.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-ip
 %{_mandir}/man5/ipmi_sim_cmd.5.gz
 
 %changelog
+* Mon Oct 14 2024 Suresh Thelkar <[email protected]> - 2.0.36-1
+- Upgrade to 2.0.36
+
 * Thu Mar 28 2024 Xiaohong Deng <[email protected]> - 2.0.33-1
 - Upgrade to 2.0.33
 

SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch

@@ -0,0 +1,123 @@
+From 997c3bdf24749edbdb562af15f9d95be35f062de Mon Sep 17 00:00:00 2001
+From: Tobias Brick <[email protected]>
+Date: Tue, 15 Oct 2024 16:21:27 +0000
+Subject: [PATCH] Merged PR 11601893: add build flags to prevent stripping and
+ post processing
+
+## Description:
+Add build flags to prevent stripping and post processing of binary after building. This is useful to fit in to different package build systems.
+
+----
+#### AI description  (iteration 1)
+#### PR Classification
+New feature
+
+#### PR Summary
+This pull request introduces build flags to control binary stripping and FIPS postprocessing.
+- `CMakeLists.txt`: Added options `SYMCRYPT_STRIP_BINARY` and `SYMCRYPT_FIPS_POSTPROCESS` with default values set to `ON`.
+- `scripts/build.py`: Added command-line arguments `--no-strip-binary` and `--no-fips-postprocess` to control the new build options.
+- `BUILD.md`: Updated documentation to include the new build options.
+- `modules/linux/common/ModuleCommon.cmake`: Modified conditions to respect the new build flags for stripping and FIPS postprocessing.
+---
+ BUILD.md                                |  2 ++
+ CMakeLists.txt                          | 14 ++++++++++++++
+ modules/linux/common/ModuleCommon.cmake |  4 ++--
+ scripts/build.py                        |  8 ++++++++
+ 4 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/BUILD.md b/BUILD.md
+index f6c781d..e8eaa88 100644
+--- a/BUILD.md
++++ b/BUILD.md
+@@ -74,6 +74,8 @@ and building the Linux modules with FIPS integrity checks.
+       * To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake`
+     * `-DSYMCRYPT_USE_ASM=<ON|OFF>` to choose whether to use assembly optimizations. Defaults to `ON`.
+     * `-DSYMCRYPT_FIPS_BUILD=<ON|OFF>` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds.
++    * `-DSYMCRYPT_STRIP_BINARY=<ON|OFF>` to choose whether to strip the binary. Defaults to `ON`.
++    * `-DSYMCRYPT_FIPS_POSTPROCESS=<ON|OFF>` to choose whether to run the FIPS postprocess script. Defaults to `ON`.
+     * For a release build, specify `-DCMAKE_BUILD_TYPE=RelWithDebInfo`
+ 1. `cmake --build bin`
+     * Optionally, for a release build on Windows, specify `--config Release`
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index cd9aa15..9e0c599 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -56,6 +56,18 @@ if(SYMCRYPT_FIPS_BUILD)
+     add_compile_definitions(SYMCRYPT_DO_FIPS_SELFTESTS=1)
+ endif()
+
++option(
++    SYMCRYPT_STRIP_BINARY
++    "When enabled, SymCrypt will strip the binary in release mode."
++    ON
++)
++
++option(
++    SYMCRYPT_FIPS_POSTPROCESS
++    "When enabled, SymCrypt will do postprocessing the binary for FIPS integrity verification."
++    ON
++)
++
+ option(
+     SYMCRYPT_TEST_LEGACY_IMPL
+     "When enabled, the SymCrypt unit tests will be linked against and configured to run compatibility and performance tests on the legacy
+@@ -104,6 +116,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}")
+ message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}")
+ message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}")
+ message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}")
++message(STATUS "Strip binary: ${SYMCRYPT_STRIP_BINARY}")
++message(STATUS "FIPS postprocess: ${SYMCRYPT_FIPS_POSTPROCESS}")
+
+ # Validate compiler versions
+ if("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU")
+diff --git a/modules/linux/common/ModuleCommon.cmake b/modules/linux/common/ModuleCommon.cmake
+index e6db214..fbe1421 100644
+--- a/modules/linux/common/ModuleCommon.cmake
++++ b/modules/linux/common/ModuleCommon.cmake
+@@ -61,7 +61,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION})
+ set_target_properties(${TARGET_NAME} PROPERTIES SOVERSION ${PROJECT_VERSION_MAJOR})
+
+
+-if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo")
++if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo" AND SYMCRYPT_STRIP_BINARY)
+     add_custom_command(
+         TARGET ${TARGET_NAME}
+         POST_BUILD
+@@ -73,7 +73,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo")
+     )
+ endif()
+
+-if(SYMCRYPT_FIPS_BUILD)
++if(SYMCRYPT_FIPS_BUILD AND SYMCRYPT_FIPS_POSTPROCESS)
+     add_custom_command(
+         TARGET ${TARGET_NAME}
+         POST_BUILD
+diff --git a/scripts/build.py b/scripts/build.py
+index af9b0bc..3a70b84 100755
+--- a/scripts/build.py
++++ b/scripts/build.py
+@@ -101,6 +101,12 @@ def configure_cmake(args : argparse.Namespace) -> None:
+     if not args.fips:
+         cmake_args.append("-DSYMCRYPT_FIPS_BUILD=OFF")
+
++    if not args.strip_binary:
++        cmake_args.append("-DSYMCRYPT_STRIP_BINARY=OFF")
++
++    if not args.fips_postprocess:
++        cmake_args.append("-DSYMCRYPT_FIPS_POSTPROCESS=OFF")
++
+     if args.test_legacy_impl:
+         cmake_args.append("-DSYMCRYPT_TEST_LEGACY_IMPL=ON")
+
+@@ -218,6 +224,8 @@ def main() -> None:
+     parser_cmake.add_argument("--cxx", type = str, help = "Specify the C++ compiler to use. If not provided, uses platform default.")
+     parser_cmake.add_argument("--no-asm", action = "store_false", dest = "asm", help = "Disable handwritten ASM optimizations.", default = True)
+     parser_cmake.add_argument("--no-fips", action = "store_false", dest = "fips", help = "Disable FIPS selftests and postprocessing of binary. Currently only affects Linux targets.", default = True)
++    parser_cmake.add_argument("--no-strip-binary", action = "store_false", dest = "strip_binary", help = "Disable stripping of binary.", default = True)
++    parser_cmake.add_argument("--no-fips-postprocess", action = "store_false", dest = "fips_postprocess", help = "Disable FIPS postprocessing of binary.", default = True)
+     parser_cmake.add_argument("--test-legacy-impl", action = "store_true",
+         help = "Build unit tests with support for legacy Windows cryptographic implementations. Requires access to private static libraries.",
+         default = False)
+-- 
+2.39.4
+