Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package amazon-ssm-agent for 
openSUSE:Factory checked in at 2025-03-11 20:46:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/amazon-ssm-agent (Old)
 and      /work/SRC/openSUSE:Factory/.amazon-ssm-agent.new.19136 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "amazon-ssm-agent"

Tue Mar 11 20:46:06 2025 rev:31 rq:1252032 version:3.3.1957.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/amazon-ssm-agent/amazon-ssm-agent.changes        
2025-03-06 14:50:57.671056941 +0100
+++ 
/work/SRC/openSUSE:Factory/.amazon-ssm-agent.new.19136/amazon-ssm-agent.changes 
    2025-03-11 20:47:17.631147829 +0100
@@ -1,0 +2,6 @@
+Fri Mar  7 15:21:29 UTC 2025 - John Paul Adrian Glaubitz 
<adrian.glaub...@suse.com>
+
+- Add patch to fix proxy bypass using IPv6 zone IDs in golang.org/x/net
+  * CVE-2025-22870.patch (bsc#1238702, CVE-2025-22870)
+
+-------------------------------------------------------------------

New:
----
  CVE-2025-22870.patch

BETA DEBUG BEGIN:
  New:- Add patch to fix proxy bypass using IPv6 zone IDs in golang.org/x/net
  * CVE-2025-22870.patch (bsc#1238702, CVE-2025-22870)
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ amazon-ssm-agent.spec ++++++
--- /var/tmp/diff_new_pack.WatOPS/_old  2025-03-11 20:47:18.611188862 +0100
+++ /var/tmp/diff_new_pack.WatOPS/_new  2025-03-11 20:47:18.611188862 +0100
@@ -24,6 +24,9 @@
 Group:          System/Management
 URL:            https://github.com/aws/amazon-ssm-agent
 Source0:        
https://github.com/aws/amazon-ssm-agent/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM - Fix proxy bypass using IPv6 zone IDs in 
golang.org/x/net (CVE-2025-22870)
+# Partial patch taken from 
https://cs.opensource.google/go/x/net/+/cde1dda944dcf6350753df966bb5bda87a544842
+Patch0:         CVE-2025-22870.patch
 BuildRequires:  go >= 1.21
 BuildRequires:  pkgconfig(systemd)
 Requires:       systemd
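Review bot: The `PATCH-FIX-UPSTREAM` comment above `Patch0` says "Partial patch" but does not record which part of the upstream commit was left out or why, so a later reader cannot tell whether the CVE-2025-22870 fix is complete for this package. The patch shown on this page changes only `vendor/golang.org/x/net/proxy/per_host.go`; if the upstream commit also touches other x/net packages that the agent vendors, those copies would keep the old host matching. I would extend the comment along the lines of `# Only vendor/golang.org/x/net/proxy/per_host.go is patched; <reason the rest of the upstream commit is not needed>`. The patch paths also name `amazon-ssm-agent-3.3.1611.0` while the package is at 3.3.1957.0, so it is worth confirming that it applies to the current tarball without fuzz.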
@@ -95,6 +98,7 @@
 
 %prep
 %setup -q
+%patch -P0 -p1
 sed -i -e 's#const[ \s]*Version.*#const Version = "%{version}"#g' 
agent/version/version.go
 sed -i 's#/bin/#/sbin/#' packaging/linux/amazon-ssm-agent.service
 sed -i 's#var defaultWorkerPath = "/usr/bin/"#var defaultWorkerPath = 
"/usr/sbin/"#' agent/appconfig/constants_unix.go

++++++ CVE-2025-22870.patch ++++++
diff -Nru 
amazon-ssm-agent-3.3.1611.0.orig/vendor/golang.org/x/net/proxy/per_host.go 
amazon-ssm-agent-3.3.1611.0/vendor/golang.org/x/net/proxy/per_host.go
--- amazon-ssm-agent-3.3.1611.0.orig/vendor/golang.org/x/net/proxy/per_host.go  
2025-01-16 22:26:50.000000000 +0100
+++ amazon-ssm-agent-3.3.1611.0/vendor/golang.org/x/net/proxy/per_host.go       
2025-03-07 16:16:45.136659872 +0100
@@ -7,6 +7,7 @@
 import (
        "context"
        "net"
+       "net/netip"
        "strings"
 )
 
@@ -57,7 +58,8 @@
 }
 
 func (p *PerHost) dialerForRequest(host string) Dialer {
-       if ip := net.ParseIP(host); ip != nil {
+       if nip, err := netip.ParseAddr(host); err == nil {
+               ip := net.IP(nip.AsSlice())
                for _, net := range p.bypassNetworks {
                        if net.Contains(ip) {
                                return p.bypass
@@ -108,8 +110,8 @@
                        }
                        continue
                }
-               if ip := net.ParseIP(host); ip != nil {
-                       p.AddIP(ip)
+               if nip, err := netip.ParseAddr(host); err == nil {
+                       p.AddIP(net.IP(nip.AsSlice()))
                        continue
                }
                if strings.HasPrefix(host, "*.") {
