diff --git a/SPECS/docker-compose/CVE-2026-39882.patch b/SPECS/docker-compose/CVE-2026-39882.patch
new file mode 100644
index 00000000000..3868770f3f0
--- /dev/null
+++ b/SPECS/docker-compose/CVE-2026-39882.patch
@@ -0,0 +1,61 @@
+From e20101e55c266784ee85ae43bb03f11aa4aca33f Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 20 Apr 2026 06:05:54 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://raw.githubusercontent.com/microsoft/azurelinux/refs/heads/3.0-dev/SPECS/moby-engine/CVE-2026-39882.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 3b5f383..08f7331 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -41,6 +41,14 @@ import (
+ 
+ const contentTypeProto = "application/x-protobuf"
+ 
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
++
+ var gzPool = sync.Pool{
+ New: func() interface{} {
+ w := gzip.NewWriter(io.Discard)
+@@ -174,7 +182,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ // Success, do not retry.
+ // Read the partial success message, if any.
+ var respData bytes.Buffer
+- if _, err := io.Copy(&respData, resp.Body); err != nil {
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ return err
+ }
+ if respData.Len() == 0 {
+@@ -203,7 +215,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ sc == http.StatusServiceUnavailable,
+ sc == http.StatusGatewayTimeout:
+ // Retry-able failures. Drain the body to reuse the connection.
+- if _, err := io.Copy(io.Discard, resp.Body); err != nil {
++ var respData bytes.Buffer
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ otel.Handle(err)
+ }
+ return newResponseError(resp.Header)
+--
+2.45.4
+
diff --git a/SPECS/docker-compose/docker-compose.spec b/SPECS/docker-compose/docker-compose.spec
index 4890c401119..cc634a9b5a3 100644
--- a/SPECS/docker-compose/docker-compose.spec
+++ b/SPECS/docker-compose/docker-compose.spec
@@ -1,7 +1,7 @@
 Summary: Define and run multi-container applications with Docker
 Name: docker-compose
 Version: 2.27.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -21,6 +21,7 @@ Patch5: CVE-2025-47913.patch
 Patch6: CVE-2025-11065.patch
 Patch7: CVE-2025-47911.patch
 Patch8: CVE-2025-58190.patch
+Patch9: CVE-2026-39882.patch
 BuildRequires: golang
 Requires: docker-cli
 Obsoletes: moby-compose < %{version}-%{release}
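Review bot: In the retry-able branch of the backported client.go change (inner hunk `@@ -203,7 +215,12 @@`) the body is now copied into a fresh `bytes.Buffer` named `respData` that is never read afterwards, while the comment directly above still says the body is only drained so the connection can be reused; keep draining into `io.Discard` with the same cap, `if _, err := io.Copy(io.Discard, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {`, and drop the `var respData bytes.Buffer` line. Both new `fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)` returns discard the underlying error, so callers can no longer `errors.As` for `*http.MaxBytesError`; appending `: %w` with `err` keeps the chain intact. The first inner hunk inserts two consecutive blank lines after `var maxResponseBodySize`, which `gofmt` would collapse to one, so the vendored file is no longer gofmt-clean. The new code relies on `errors` and `fmt` already being imported by client.go, which the import hunk does not show and should be confirmed against the vendored file. UploadTraces begins and ends outside these hunks.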
@@ -53,6 +54,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl %{_libexecdir}/docker/cli-plugins/docker-compose %changelog +* Mon Apr 20 2026 Azure Linux Security Servicing Account - 2.27.0-9 +- Patch for CVE-2026-39882 + * Thu Feb 19 2026 Azure Linux Security Servicing Account - 2.27.0-8 - Patch for CVE-2025-58190, CVE-2025-47911