Merge branch 'puppetlabs:master' into gems

alex501212 · web-flow · commit f9f67d460e5e · 2024-10-17T14:09:21.000+01:00
diff --git a/.github/workflows/component_diff_check.yaml b/.github/workflows/component_diff_check.yaml
@@ -35,7 +35,7 @@ jobs:
           cat ./output/text
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: artifacts
           path: output/
diff --git a/configs/components/_base-rubygem.rb b/configs/components/_base-rubygem.rb
@@ -41,9 +41,11 @@
 # in its component file rubygem-<compoment>, before the instance_eval of this file.
 gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
 remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
+# Set a default gem_uninstall
+gem_uninstall = settings[:gem_uninstall] || "#{settings[:host_gem]} uninstall --all --ignore-dependencies"
 pkg.install do
   steps = []
-  steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
+  steps << "#{gem_uninstall} #{name}" if remove_older_versions
   steps << if gem_install_options.nil?
              "#{settings[:gem_install]} #{name}-#{version}.gem"
            else
diff --git a/configs/components/curl.rb b/configs/components/curl.rb
@@ -6,8 +6,8 @@
   case version
   when '7.88.1'
     pkg.sha256sum 'cdb38b72e36bc5d33d5b8810f8018ece1baa29a8f215b4495e495ded82bbf3c7'
-  when '8.9.1'
-    pkg.sha256sum '291124a007ee5111997825940b3876b3048f7d31e73e9caa681b80fe48b2dcd5'
+  when '8.10.1'
+    pkg.sha256sum 'd15ebab765d793e2e96db090f0e172d127859d78ca6f6391d7eafecfd894bbc0'
   else
     raise "curl version #{version} has not been configured; Cannot continue."
   end
@@ -49,10 +49,11 @@
     pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
     pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
     pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
+    pkg.apply_patch 'resources/patches/curl/CVE-2024-8096.patch'
   end
 
   configure_options = []
-  configure_options << "--with-ssl=#{settings[:prefix]}"
+  configure_options << "--with-ssl=#{settings[:prefix]} --without-libpsl"
 
   # OpenSSL version 3.0 & up no longer ships by default the insecure algorithms
   # that curl's ntlm module depends on (md4 & des).
diff --git a/configs/components/libxml2.rb b/configs/components/libxml2.rb
@@ -1,6 +1,6 @@
 component "libxml2" do |pkg, settings, platform|
-  pkg.version '2.12.6'
-  pkg.sha256sum '889c593a881a3db5fdd96cc9318c87df34eb648edfc458272ad46fd607353fbb'
+  pkg.version '2.13.4'
+  pkg.sha256sum '65d042e1c8010243e617efb02afda20b85c2160acdbfbcb5b26b80cec6515650'
 
   libxml2_version_y = pkg.get_version.gsub(/(\d+)\.(\d+)\.(\d+)/, '\1.\2')
   pkg.url "https://download.gnome.org/sources/libxml2/#{libxml2_version_y}/libxml2-#{pkg.get_version}.tar.xz"
diff --git a/configs/components/libxslt.rb b/configs/components/libxslt.rb
@@ -1,6 +1,6 @@
 component "libxslt" do |pkg, settings, platform|
-  pkg.version '1.1.39'
-  pkg.sha256sum '2a20ad621148339b0759c4d4e96719362dee64c9a096dbba625ba053846349f0'
+  pkg.version '1.1.42'
+  pkg.sha256sum '85ca62cac0d41fc77d3f6033da9df6fd73d20ea2fc18b0a3609ffb4110e1baeb'
 
   libxslt_version_y = pkg.get_version.gsub(/(\d+)\.(\d+)\.(\d+)/, '\1.\2')
   pkg.url "https://download.gnome.org/sources/libxslt/#{libxslt_version_y}/libxslt-#{pkg.get_version}.tar.xz"
diff --git a/configs/components/openssl-3.0.rb b/configs/components/openssl-3.0.rb
@@ -1,7 +1,7 @@
 component 'openssl' do |pkg, settings, platform|
-  pkg.version '3.0.14'
-  pkg.sha256sum 'eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca'
-  pkg.url "https://openssl.org/source/openssl-#{pkg.get_version}.tar.gz"
+  pkg.version '3.0.15'
+  pkg.sha256sum '23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533'
+  pkg.url "https://github.com/openssl/openssl/releases/download/openssl-#{pkg.get_version}/openssl-#{pkg.get_version}.tar.gz"
   pkg.mirror "#{settings[:buildsources_url]}/openssl-#{pkg.get_version}.tar.gz"
 
   #############################
@@ -121,9 +121,6 @@
     'no-whirlpool'
   ]
 
-  # Remove this in 3.0.15 or later
-  pkg.apply_patch 'resources/patches/openssl/CVE-2024-5535.patch'
-
   if settings[:use_legacy_openssl_algos]
     pkg.apply_patch 'resources/patches/openssl/openssl-3-activate-legacy-algos.patch'
   else
diff --git a/configs/components/rubygem-faraday-follow_redirects.rb b/configs/components/rubygem-faraday-follow_redirects.rb
@@ -0,0 +1,6 @@
+component 'rubygem-faraday-follow_redirects' do |pkg, settings, platform|
+  pkg.version '0.3.0'
+  pkg.md5sum '75fa678fa40b54a94e51efc1600a6461'
+
+  instance_eval File.read('configs/components/_base-rubygem.rb')
+end
diff --git a/configs/components/rubygem-faraday-net_http.rb b/configs/components/rubygem-faraday-net_http.rb
@@ -1,6 +1,16 @@
 component 'rubygem-faraday-net_http' do |pkg, settings, platform|
-  pkg.version '1.0.2'
-  pkg.md5sum 'b8e560b8cd7c008a7fd1686143428337'
+  version = settings[:rubygem_faraday_net_http_version] || '1.0.2'
+
+  case version
+  when '1.0.2'
+    pkg.version '1.0.2'
+    pkg.md5sum 'b8e560b8cd7c008a7fd1686143428337'
+  when '3.3.0'
+    pkg.version '3.3.0'
+    pkg.md5sum '7e6378aaa271587dd4109795c0a05769'
+  else
+    raise "rubygem-faraday-net_http version #{version} is not supported"
+  end
 
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/components/rubygem-faraday.rb b/configs/components/rubygem-faraday.rb
@@ -1,6 +1,16 @@
 component 'rubygem-faraday' do |pkg, settings, platform|
-  pkg.version '1.10.3'
-  pkg.md5sum 'c7b56130721c0b055c071bec593e2446'
+  version = settings[:rubygem_faraday_version] || '1.10.3'
+
+  case version
+  when '1.10.3'
+    pkg.version '1.10.3'
+    pkg.md5sum 'c7b56130721c0b055c071bec593e2446'
+  when '2.12.0'
+    pkg.version '2.12.0'
+    pkg.md5sum 'c0248b00a32c46b64cd2a172c96409ec' 
+  else
+    raise "rubygem-faraday version #{version} is not supported"
+  end
 
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/components/rubygem-puppet_forge.rb b/configs/components/rubygem-puppet_forge.rb
@@ -1,6 +1,17 @@
 component 'rubygem-puppet_forge' do |pkg, settings, platform|
-  pkg.version '3.2.0'
-  pkg.md5sum '501d5f9f742007504d0d60ce6cf0c27f'
+  version = settings[:rubygem_puppet_forge_version] || '3.2.0'
+  pkg.version version
+
+  case version
+  when '3.2.0'
+    pkg.version '3.2.0'
+    pkg.md5sum '501d5f9f742007504d0d60ce6cf0c27f'
+  when '5.0.4'
+    pkg.version '5.0.4'
+    pkg.md5sum '04a2ca2f027ed41d9142ced587b71bd7'
+  else 
+    raise "rubygem-puppet_forge version #{version} is not supported"
+  end
 
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end
diff --git a/configs/projects/_pdk-components.rb b/configs/projects/_pdk-components.rb
@@ -60,6 +60,10 @@
 proj.component 'rubygem-fast_gettext'
 proj.component 'rubygem-gettext-setup'
 proj.component 'rubygem-minitar'
+proj.component 'rubygem-faraday'
+proj.component 'rubygem-faraday-follow_redirects'
+proj.component 'rubygem-semantic_puppet'
+proj.component 'rubygem-faraday-net_http'
 
 # Bundler
 proj.component 'rubygem-bundler'
@@ -99,5 +103,6 @@
 proj.component 'rubygem-json_pure'
 proj.component 'rubygem-diff-lcs'
 proj.component 'rubygem-pathspec'
+proj.component 'rubygem-puppet_forge'
 
 proj.component 'ansicon' if platform.is_windows?
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
@@ -14,7 +14,7 @@
     proj.setting :augeas_version, '1.14.1'
   end
 
-  proj.setting :curl_version, '8.9.1'
+  proj.setting :curl_version, '8.10.1'
 
   ########
   # Load shared agent settings
diff --git a/configs/projects/client-tools-runtime-2023.8.x.rb b/configs/projects/client-tools-runtime-2023.8.x.rb
@@ -0,0 +1,6 @@
+project 'client-tools-runtime-2023.8.x' do |proj|
+  proj.setting(:openssl_version, '3.0')
+
+  # Common settings
+  instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-client-tools-runtime.rb'))
+end
diff --git a/configs/projects/pdk-runtime.rb b/configs/projects/pdk-runtime.rb
@@ -5,6 +5,9 @@
   proj.setting(:rubygem_fast_gettext_version, '1.1.2')
   proj.setting(:rubygem_gettext_version, '3.2.2')
   proj.setting(:rubygem_gettext_setup_version, '0.34')
+  proj.setting(:rubygem_puppet_forge_version, '5.0.4')
+  proj.setting(:rubygem_faraday_version, '2.12.0')
+  proj.setting(:rubygem_faraday_net_http_version, '3.3.0')
 
   platform = proj.get_platform
 
diff --git a/configs/projects/pe-bolt-server-runtime-2023.8.x.rb b/configs/projects/pe-bolt-server-runtime-2023.8.x.rb
@@ -0,0 +1,28 @@
+project 'pe-bolt-server-runtime-2023.8.x' do |proj|
+  proj.setting(:pe_version, '2023.8')
+  proj.setting(:rubygem_puppet_version, '8.8.1')
+  # We build bolt server with the ruby installed in the puppet-agent dep. For ruby 2.7 we need to use a --no-document flag
+  # for gem installs instead of --no-ri --no-rdoc. This setting allows us to use this while we support both ruby 2.5 and 2.7
+  # Once we are no longer using ruby 2.5 we can update.
+  proj.setting(:no_doc, true)
+
+  proj.setting(:ruby_version, '3.2.5')
+  proj.setting(:openssl_version, '3.0')
+
+  # We enable legacy algorithms for winrm transport. Currently the winrm transport
+  # does not work on FIPS, so in order to stay compliant we do not enable legacy algorithms
+  # on fips builds.
+  if proj.get_platform.name =~ /^redhatfips/
+    proj.setting(:use_legacy_openssl_algos, false)
+  else 
+    proj.setting(:use_legacy_openssl_algos, true)
+  end
+
+  instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-pe-bolt-server_with_ruby.rb'))
+  # These are ruby 3/puppet 8 specific gems. Some of them are "default/standard" gems. There
+  # is a very annoying issue where default gems can be loaded by MRI but not jruby. 
+  # We explicitly pacakge up some default gems where we have explicit dependencies for jruby
+  proj.component 'rubygem-prime'
+  proj.component 'rubygem-rexml'
+  proj.component 'rubygem-getoptlong'
+end
diff --git a/configs/projects/pe-installer-runtime-2023.8.x.rb b/configs/projects/pe-installer-runtime-2023.8.x.rb
@@ -0,0 +1,13 @@
+project 'pe-installer-runtime-2023.8.x' do |proj|
+  proj.setting(:ruby_version, '3.2.5')
+  proj.setting(:openssl_version, '3.0')
+  # NLTM uses MD4 unconditionally in its protocol, so legacy algos must be
+  # enabled in OpenSSL >= 3.0 for Bolt's WinRM transport to work.
+  # We DO NOT WANT legacy algos enabled for the Puppet Agent runtime.
+  proj.setting(:use_legacy_openssl_algos, true)
+
+  # rubygem-net-ssh included in shared-agent-components
+  proj.setting(:rubygem_net_ssh_version, '7.2.3')
+  proj.setting(:rubygem_puppet_version, '8.8.1')
+  instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-pe-installer-runtime.rb'))
+end
diff --git a/resources/patches/curl/CVE-2024-8096.patch b/resources/patches/curl/CVE-2024-8096.patch
diff --git a/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch
