From 4f09a160406800675cc65c911e8e922bab1444cf Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 15 Apr 2026 07:37:00 +0000
Subject: [PATCH 1/3] Patch moby-engine for CVE-2026-39882
---
 SPECS/moby-engine/CVE-2026-39882.patch | 54 ++++++++++++++++++++++++++
 SPECS/moby-engine/moby-engine.spec | 6 ++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/moby-engine/CVE-2026-39882.patch
diff --git a/SPECS/moby-engine/CVE-2026-39882.patch b/SPECS/moby-engine/CVE-2026-39882.patch
new file mode 100644
index 00000000000..6969b6b9d18
--- /dev/null
+++ b/SPECS/moby-engine/CVE-2026-39882.patch
@@ -0,0 +1,54 @@
+From 7f1cb3338a73160ce9e13abc7c2ba1324e5e6dd6 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Wed, 15 Apr 2026 07:25:48 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 3a3cfec..05fc139 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -18,6 +18,7 @@ import (
+ "bytes"
+ "compress/gzip"
+ "context"
++ "errors"
+ "fmt"
+ "io"
+ "net"
+@@ -40,6 +41,13 @@ import (
+
+ const contentTypeProto = "application/x-protobuf"
+
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
+ var gzPool = sync.Pool{
+ New: func() interface{} {
+ w := gzip.NewWriter(io.Discard)
+@@ -169,7 +177,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ // Success, do not retry.
+ // Read the partial success message, if any.
+ var respData bytes.Buffer
+- if _, err := io.Copy(&respData, resp.Body); err != nil {
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ return err
+ }
+
+--
+2.45.4
+
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
index 1a3e19b8aa9..23417b76f63 100644
--- a/SPECS/moby-engine/moby-engine.spec
+++ b/SPECS/moby-engine/moby-engine.spec
@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name: moby-engine
 Version: 25.0.3
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://mobyproject.org
@@ -31,6 +31,7 @@ Patch13: CVE-2024-51744.patch
 Patch14: CVE-2025-58183.patch
 #This can be removed when upgraded to v25.0.15
 Patch15: fix-multiarch-image-push-tag.patch
+Patch16: CVE-2026-39882.patch
 
 %{?systemd_requires}
 
@@ -126,6 +127,9 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Wed Apr 15 2026 Azure Linux Security Servicing Account - 25.0.3-16
+- Patch for CVE-2026-39882
+
 * Wed Jan 21 2025 Kavya Sree Kaitepalli - 25.0.3-15
 - Fix multiarch image push tag
 
From 657d2d03f655bbb8a7735b0f0778b604d2dca995 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Date: Wed, 15 Apr 2026 17:06:46 +0530
Subject: [PATCH 2/3] Fix formatting in changelog for consistency
---
 SPECS/moby-engine/moby-engine.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
index 23417b76f63..3420285308b 100644
--- a/SPECS/moby-engine/moby-engine.spec
+++ b/SPECS/moby-engine/moby-engine.spec
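Review bot: The `errors.As(err, &maxBytesErr)` branch in the `@@ -169,7 +177,11 @@` hunk relies on `*http.MaxBytesError`, which `http.MaxBytesReader` only returns from Go 1.19 on; on an older toolchain the vendored file does not compile, and the spec's golang BuildRequires is outside this diff, so confirm the Azure Linux Go version before shipping. The limit error also drops its cause — `return fmt.Errorf("response body too large: exceeded %d bytes: %w", maxBytesErr.Limit, err)` keeps it inspectable for callers. Because this branch runs after a 2xx, an over-size partial-success body turns an export the server accepted into a reported failure; the `maxResponseBodySize` comment says that is intended, but the sentence "This is a variable to allow tests to override it" is misleading in a vendored backport that ships no test, so I would drop it. The `Upstream-reference` trailer marks this as an AI-generated backport, which is exactly the case where a line-by-line comparison against the referenced upstream commit should be recorded in the commit message. `UploadTraces` begins and ends outside the hunk.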
@@ -130,7 +130,7 @@ fi
 * Wed Apr 15 2026 Azure Linux Security Servicing Account - 25.0.3-16
 - Patch for CVE-2026-39882
 
-* Wed Jan 21 2025 Kavya Sree Kaitepalli - 25.0.3-15
+* Tue Jan 21 2025 Kavya Sree Kaitepalli - 25.0.3-15
 - Fix multiarch image push tag
 
 * Sat Nov 15 2025 Azure Linux Security Servicing Account - 25.0.3-14
From 5269395284d334a76e5e3c2d79600ba3ff97dc14 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal
Date: Fri, 17 Apr 2026 18:14:43 +0000
Subject: [PATCH 3/3] fix patch
Signed-off-by: Kanishk Bansal
---
 SPECS/moby-engine/CVE-2026-39882.patch | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/SPECS/moby-engine/CVE-2026-39882.patch b/SPECS/moby-engine/CVE-2026-39882.patch
index 6969b6b9d18..5782d2ca3f9 100644
--- a/SPECS/moby-engine/CVE-2026-39882.patch
+++ b/SPECS/moby-engine/CVE-2026-39882.patch
@@ -7,11 +7,11 @@ Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
 Signed-off-by: Azure Linux Security Servicing Account
 Upstream-reference: AI Backport of https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0.patch
 ---
- .../otlp/otlptrace/otlptracehttp/client.go | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
+ .../otlp/otlptrace/otlptracehttp/client.go | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
-index 3a3cfec..05fc139 100644
+index 3a3cfec..33d0923 100644
 --- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
 +++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
 @@ -18,6 +18,7 @@ import (
@@ -49,6 +49,20 @@ index 3a3cfec..05fc139 100644
  return err
  }
 
+@@ -192,7 +204,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+
+ case sc == http.StatusTooManyRequests, sc == http.StatusServiceUnavailable:
+ // Retry-able failures. Drain the body to reuse the connection.
+- if _, err := io.Copy(io.Discard, resp.Body); err != nil {
++ var respData bytes.Buffer
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ otel.Handle(err)
+ }
+ return newResponseError(resp.Header)
 --
-2.45.4
+2.43.0
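Review bot: `respData` in the `@@ -192,7 +204,12 @@` hunk is write-only: the 429/503 branch now buffers up to `maxResponseBodySize` bytes into a `bytes.Buffer` it never reads, whereas the removed line drained to `io.Discard` in constant memory, so this hunk adds up to 4 MiB of per-response allocation rather than limiting it. Bound the drain instead — `if _, err := io.Copy(io.Discard, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {` with the existing `otel.Handle(err)` body — and drop the `var respData bytes.Buffer` line. Returning a plain error when the limit trips also changes retry semantics: an over-size 429/503 body no longer reaches `newResponseError(resp.Header)`, so the header-driven (presumably Retry-After) retry is skipped and the batch fails outright; if that is intended, state it in the commit message, otherwise route the limit case through `otel.Handle(err)` like any other drain error. The inner diffstat and `index` line of the .patch appear to have been edited by hand in the first hunk; regenerating the file with `git format-patch` would keep them from drifting again. `UploadTraces` starts outside the hunk.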