diff --git a/SPECS/moby-containerd-cc/CVE-2026-39882.patch b/SPECS/moby-containerd-cc/CVE-2026-39882.patch
new file mode 100644
index 00000000000..2347e41fb5b
--- /dev/null
+++ b/SPECS/moby-containerd-cc/CVE-2026-39882.patch
@@ -0,0 +1,68 @@
+From a388b56ed493eeff64fd7aca1333b0974bbd7823 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Wed, 15 Apr 2026 07:25:48 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 9fbe861..088551e 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -18,6 +18,7 @@ import (
+ "bytes"
+ "compress/gzip"
+ "context"
++ "errors"
+ "fmt"
+ "io"
+ "net"
+@@ -40,6 +41,13 @@ import (
+
+ const contentTypeProto = "application/x-protobuf"
+
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
+ var gzPool = sync.Pool{
+ New: func() interface{} {
+ w := gzip.NewWriter(io.Discard)
+@@ -169,7 +177,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ // Success, do not retry.
+ // Read the partial success message, if any.
+ var respData bytes.Buffer
+- if _, err := io.Copy(&respData, resp.Body); err != nil {
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ return err
+ }
+
+@@ -192,7 +204,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+
+ case http.StatusTooManyRequests, http.StatusServiceUnavailable:
+ // Retry-able failures. Drain the body to reuse the connection.
+- if _, err := io.Copy(io.Discard, resp.Body); err != nil {
++ var respData bytes.Buffer
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ otel.Handle(err)
+ }
+ return newResponseError(resp.Header)
+--
+2.45.4
+
diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
index 17ff81af4c1..20b67934387 100644
--- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec
+++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
@@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -27,6 +27,7 @@ Patch8: CVE-2025-27144.patch
 Patch9: CVE-2024-40635.patch
 Patch10:CVE-2024-25621.patch
 Patch11:CVE-2025-64329.patch
+Patch12:CVE-2026-39882.patch
 %{?systemd_requires}
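Review bot: In the second hunk of the vendored client.go change (the `StatusTooManyRequests`/`StatusServiceUnavailable` branch), `respData` is filled by `io.Copy` but never read, so every retry-able response now buffers up to 4 MiB in memory only to throw it away, and the retained comment `// Retry-able failures. Drain the body to reuse the connection.` no longer describes what the code does. The upstream commit named in the Upstream-reference trailer presumably makes use of the buffered body in its error, but this backport still calls `newResponseError(resp.Header)` with headers only, so the buffer serves no purpose here. Keeping the original drain while still bounding the read would be `if _, err := io.Copy(io.Discard, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {` with the added `var respData bytes.Buffer` line dropped. Note also that `*http.MaxBytesError` only exists from Go 1.19 onward, so the toolchain used to build this 1.7.7 tree must be at least that — worth confirming against the spec's BuildRequires, which are not visible here. The enclosing `UploadTraces` method starts and ends outside the hunk.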
@@ -84,6 +85,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account - 1.7.7-11
+- Patch for CVE-2026-39882
+
 * Mon Nov 10 2025 Azure Linux Security Servicing Account - 1.7.7-10
 - Patch for CVE-2025-64329, CVE-2024-25621