microsoft · kgodara912 · Apr 22, 2026 · Apr 20, 2026 · Apr 20, 2026
@@ -0,0 +1,68 @@
+From a388b56ed493eeff64fd7aca1333b0974bbd7823 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 15 Apr 2026 07:25:48 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go    | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 9fbe861..088551e 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -18,6 +18,7 @@ import (
+ 	"bytes"
+ 	"compress/gzip"
+ 	"context"
++	"errors"
+ 	"fmt"
+ 	"io"
+ 	"net"
+@@ -40,6 +41,13 @@ import (
+
+ const contentTypeProto = "application/x-protobuf"
+
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
+ var gzPool = sync.Pool{
+ 	New: func() interface{} {
+ 		w := gzip.NewWriter(io.Discard)
+@@ -169,7 +177,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ 			// Success, do not retry.
+ 			// Read the partial success message, if any.
+ 			var respData bytes.Buffer
+-			if _, err := io.Copy(&respData, resp.Body); err != nil {
++			if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++				var maxBytesErr *http.MaxBytesError
++				if errors.As(err, &maxBytesErr) {
++					return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++				}
+ 				return err
+ 			}
+
+@@ -192,7 +204,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+
+ 		case http.StatusTooManyRequests, http.StatusServiceUnavailable:
+ 			// Retry-able failures.  Drain the body to reuse the connection.
+-			if _, err := io.Copy(io.Discard, resp.Body); err != nil {
++			var respData bytes.Buffer
++			if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++			        var maxBytesErr *http.MaxBytesError
++			        if errors.As(err, &maxBytesErr) {
++				        return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++			        }
+ 				otel.Handle(err)
+ 			}
+ 			return newResponseError(resp.Header)
+-- 
+2.45.4
+
@@ -6,7 +6,7 @@
 Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -27,6 +27,7 @@ Patch8: CVE-2025-27144.patch
 Patch9: CVE-2024-40635.patch
 Patch10:CVE-2024-25621.patch
 Patch11:CVE-2025-64329.patch
+Patch12:CVE-2026-39882.patch
 
 %{?systemd_requires}
 
@@ -84,6 +85,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.7.7-11
+- Patch for CVE-2026-39882
+
 * Mon Nov 10 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.7.7-10
 - Patch for CVE-2025-64329, CVE-2024-25621