microsoft · kgodara912 · Apr 22, 2026 · Apr 20, 2026
@@ -0,0 +1,61 @@
+From 73f8654381783347fb91175d4e0b39017dc09011 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 20 Apr 2026 06:06:54 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://raw.githubusercontent.com/microsoft/azurelinux/refs/heads/3.0-dev/SPECS/moby-engine/CVE-2026-39882.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go    | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 3b5f383..08f7331 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -41,6 +41,14 @@ import (
+
+ const contentTypeProto = "application/x-protobuf"
+
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
++
+ var gzPool = sync.Pool{
+ 	New: func() interface{} {
+ 		w := gzip.NewWriter(io.Discard)
+@@ -174,7 +182,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ 			// Success, do not retry.
+ 			// Read the partial success message, if any.
+ 			var respData bytes.Buffer
+-			if _, err := io.Copy(&respData, resp.Body); err != nil {
++			if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++				var maxBytesErr *http.MaxBytesError
++				if errors.As(err, &maxBytesErr) {
++					return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++				}
+ 				return err
+ 			}
+ 			if respData.Len() == 0 {
+@@ -203,7 +215,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ 			sc == http.StatusServiceUnavailable,
+ 			sc == http.StatusGatewayTimeout:
+ 			// Retry-able failures.  Drain the body to reuse the connection.
+-			if _, err := io.Copy(io.Discard, resp.Body); err != nil {
++			var respData bytes.Buffer
++			if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++			        var maxBytesErr *http.MaxBytesError
++			        if errors.As(err, &maxBytesErr) {
++				        return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++			        }
+ 				otel.Handle(err)
+ 			}
+ 			return newResponseError(resp.Header)
+-- 
+2.45.4
+
@@ -4,7 +4,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           docker-buildx
 # update "commit_hash" above when upgrading version
 Version:        0.14.0
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -20,6 +20,7 @@ Patch5:         CVE-2025-47913.patch
 Patch6:         CVE-2025-11065.patch
 Patch7:         CVE-2025-47911.patch
 Patch8:         CVE-2025-58190.patch
+Patch9:         CVE-2026-39882.patch
 
 BuildRequires: bash
 BuildRequires: golang < 1.25
@@ -53,6 +54,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.14.0-11
+- Patch for CVE-2026-39882
+
 * Thu Feb 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.14.0-10
 - Patch for CVE-2025-58190, CVE-2025-47911