Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kubernetes1.30 for openSUSE:Factory checked in at 2025-06-11 16:23:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kubernetes1.30 (Old) and /work/SRC/openSUSE:Factory/.kubernetes1.30.new.19631 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kubernetes1.30" Wed Jun 11 16:23:13 2025 rev:15 rq:1284469 version:1.30.13 Changes: -------- --- /work/SRC/openSUSE:Factory/kubernetes1.30/kubernetes1.30.changes 2025-05-20 12:20:18.614616532 +0200 +++ /work/SRC/openSUSE:Factory/.kubernetes1.30.new.19631/kubernetes1.30.changes 2025-06-11 16:24:13.030692770 +0200 @@ -1,0 +2,7 @@ +Tue Jun 10 12:44:24 UTC 2025 - Priyanka Saggu <priyanka.sa...@suse.com> + +- add patch file: cve-2025-22872-x-net-html-properly-handle-trailing-solidus.patch + * fixes CVE-2025-22872, bsc#1241781 + * Ref: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 + +------------------------------------------------------------------- New: ---- cve-2025-22872-x-net-html-properly-handle-trailing-solidus.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kubernetes1.30.spec ++++++ --- /var/tmp/diff_new_pack.6tvDRy/_old 2025-06-11 16:24:13.874727991 +0200 +++ /var/tmp/diff_new_pack.6tvDRy/_new 2025-06-11 16:24:13.874727991 +0200 @@ -49,6 +49,9 @@ Patch4: kubeadm-opensuse-flexvolume.patch # Patch to revert renaming of coredns image location to match how it's done on download.opensuse.org Patch5: revert-coredns-image-renaming.patch +# Patch to fix CVE-2025-22872, properly handle trailing solidus in unquoted attribute value in foreign content +# Ref: https://go.googlesource.com/net/+/e1fcd82abba34df74614020343be8eb1fe85f0d9 +Patch6: cve-2025-22872-x-net-html-properly-handle-trailing-solidus.patch BuildRequires: fdupes BuildRequires: git BuildRequires: go >= 1.23.8 @@ -72,6 +75,7 @@ # packages to build containerized control plane + %package apiserver Summary: Kubernetes apiserver for container image Group: System/Management 
@@ -215,6 +219,7 @@ %patch -P 3 -p1 %patch -P 4 -p0 %patch -P 5 -p1 +%patch -P 6 -p1 %build # This is fixing bug bsc#1065972 ++++++ cve-2025-22872-x-net-html-properly-handle-trailing-solidus.patch ++++++ >From e1fcd82abba34df74614020343be8eb1fe85f0d9 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker <rol...@golang.org> Date: Mon, 24 Feb 2025 11:18:31 -0800 Subject: [PATCH] html: properly handle trailing solidus in unquoted attribute value in foreign content The parser properly treats tags like <p a=/> as <p a="/">, but the tokenizer emits the SelfClosingTagToken token incorrectly. When the parser is used to parse foreign content, this results in an incorrect DOM. Thanks to Sean Ng (https://ensy.zip) for reporting this issue. Fixes golang/go#73070 Fixes CVE-2025-22872 Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 Reviewed-by: Neal Patel <nealpa...@google.com> Reviewed-by: Roland Shoemaker <rol...@golang.org> LUCI-TryBot-Result: Go LUCI <golang-sco...@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <go...@golang.org> --- Index: kubernetes-1.30.13/vendor/golang.org/x/net/html/token.go =================================================================== --- kubernetes-1.30.13.orig/vendor/golang.org/x/net/html/token.go +++ kubernetes-1.30.13/vendor/golang.org/x/net/html/token.go 
@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() Token if raw { z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) } - // Look for a self-closing token like "<br/>". - if z.err == nil && z.buf[z.raw.end-2] == '/' { + // Look for a self-closing token (e.g. <br/>). + // + // Originally, we did this by just checking that the last character of the + // tag (ignoring the closing bracket) was a solidus (/) character, but this + // is not always accurate. + // + // We need to be careful that we don't misinterpret a non-self-closing tag + // as self-closing, as can happen if the tag contains unquoted attribute + // values (i.e. <p a=/>). + // + // To avoid this, we check that the last non-bracket character of the tag + // (z.raw.end-2) isn't the same character as the last non-quote character of + // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has + // attributes. + nAttrs := len(z.attr) + if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { return SelfClosingTagToken } return StartTagToken
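Review bot: in the token.go hunk (@@ -839,8 +839,22 @@) the new comment and the new condition name different fields: the comment says the tag's last non-bracket character is compared against "the last non-quote character of the last attribute of the tag (z.pendingAttr[1].end-1)", but the code actually compares `z.raw.end-2 != z.attr[nAttrs-1][1].end-1`; rewrite the comment to reference `z.attr[nAttrs-1][1].end-1` so the offset arithmetic it documents matches what is executed. The backport also touches only token.go, so no regression test accompanies the fix; a tokenizer test that feeds the reported input `<p a=/>` and expects StartTagToken with the attribute value "/" (the behaviour the commit message describes), alongside `<br/>` and `<br a=b />` still yielding SelfClosingTagToken, would pin the `z.raw.end-2` boundary check and catch an off-by-one if the vendored copy drifts from upstream.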
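Review bot: in the kubernetes1.30.spec hunk at @@ -49,6 +49,9 @@ the `# Ref:` comment above Patch6 cites `https://go.googlesource.com/net/+/e1fcd82abba34df74614020343be8eb1fe85f0d9`, while the .changes entry for the same fix cites `https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9`; both resolve to the same upstream commit, but using one canonical URL in both places makes the provenance of the CVE-2025-22872 backport easier to verify. The `%patch -P 6 -p1` line in the @@ -215,6 +219,7 @@ hunk is consistent with the `kubernetes-1.30.13/` prefix in the patch's Index header, so no change is needed there.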