From 4eade122c02328d63690398a2d823834863d386f Mon Sep 17 00:00:00 2001 From: "Unniche, BasavarajX" Date: Fri, 5 Dec 2025 20:40:44 +0530 Subject: [PATCH] Upgrade otelcol-contrib version to fix CVE. - Upgrade version to 0.141.0. - Remove CVE-2025-22872.patch since changes are part of latest version. - Fixes CVE-2025-47913, CVE-2025-47914 and CVE-2025-58181. Signed-off-by: Unniche, BasavarajX --- SPECS/otelcol-contrib/CVE-2025-22872.patch | 58 ------------------- .../otelcol-contrib-poa-manifest.yaml | 16 ++--- .../otelcol-contrib.signatures.json | 4 +- SPECS/otelcol-contrib/otelcol-contrib.spec | 9 ++- cgmanifest.json | 4 +- 5 files changed, 18 insertions(+), 73 deletions(-) delete mode 100644 SPECS/otelcol-contrib/CVE-2025-22872.patch diff --git a/SPECS/otelcol-contrib/CVE-2025-22872.patch b/SPECS/otelcol-contrib/CVE-2025-22872.patch deleted file mode 100644 index 994b3ac39a..0000000000 --- a/SPECS/otelcol-contrib/CVE-2025-22872.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 63b0d2e320023dd3e0425bce79cc6d718b533213 Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Mon, 24 Feb 2025 11:18:31 -0800 -Subject: [PATCH] html: properly handle trailing solidus in unquoted attribute - value in foreign content - -The parser properly treats tags like

as

, but the -tokenizer emits the SelfClosingTagToken token incorrectly. When the -parser is used to parse foreign content, this results in an incorrect -DOM. - -Thanks to Sean Ng (https://ensy.zip) for reporting this issue. - -Fixes golang/go#73070 -Fixes CVE-2025-22872 - -Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f -Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 -Reviewed-by: Neal Patel -Reviewed-by: Roland Shoemaker -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Gopher Robot ---- - _build/vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/_build/vendor/golang.org/x/net/html/token.go b/_build/vendor/golang.org/x/net/html/token.go -index 3c57880..6598c1f 100644 ---- a/_build/vendor/golang.org/x/net/html/token.go -+++ b/_build/vendor/golang.org/x/net/html/token.go -@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { - if raw { - z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) - } -- // Look for a self-closing token like "
". -- if z.err == nil && z.buf[z.raw.end-2] == '/' { -+ // Look for a self-closing token (e.g.
). -+ // -+ // Originally, we did this by just checking that the last character of the -+ // tag (ignoring the closing bracket) was a solidus (/) character, but this -+ // is not always accurate. -+ // -+ // We need to be careful that we don't misinterpret a non-self-closing tag -+ // as self-closing, as can happen if the tag contains unquoted attribute -+ // values (i.e.

). -+ // -+ // To avoid this, we check that the last non-bracket character of the tag -+ // (z.raw.end-2) isn't the same character as the last non-quote character of -+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has -+ // attributes. -+ nAttrs := len(z.attr) -+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { - return SelfClosingTagToken - } - return StartTagToken --- -2.34.1 - diff --git a/SPECS/otelcol-contrib/otelcol-contrib-poa-manifest.yaml b/SPECS/otelcol-contrib/otelcol-contrib-poa-manifest.yaml index c60c4f7416..d8d78c5c46 100644 --- a/SPECS/otelcol-contrib/otelcol-contrib-poa-manifest.yaml +++ b/SPECS/otelcol-contrib/otelcol-contrib-poa-manifest.yaml 
@@ -1,20 +1,20 @@
 dist:
 name: poa-otelcol
 description: Platform Observability Agent OpenTelemetry Collector
- version: 0.117.0
+ version: 0.141.0
 output_path: ./_build
 extensions:
- - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension v0.117.0
+ - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension v0.141.0
 exporters:
- - gomod: go.opentelemetry.io/collector/exporter/otlphttpexporter v0.117.0
+ - gomod: go.opentelemetry.io/collector/exporter/otlphttpexporter v0.141.0
 processors:
- - gomod: go.opentelemetry.io/collector/processor/batchprocessor v0.117.0
- - gomod: go.opentelemetry.io/collector/processor/memorylimiterprocessor v0.117.0
- - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/processor/attributesprocessor v0.117.0
+ - gomod: go.opentelemetry.io/collector/processor/batchprocessor v0.141.0
+ - gomod: go.opentelemetry.io/collector/processor/memorylimiterprocessor v0.141.0
+ - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/processor/attributesprocessor v0.141.0
 receivers:
- - gomod: go.opentelemetry.io/collector/receiver/otlpreceiver v0.117.0
- - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/fluentforwardreceiver v0.117.0
+ - gomod: go.opentelemetry.io/collector/receiver/otlpreceiver v0.141.0
+ - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/fluentforwardreceiver v0.141.0
diff --git a/SPECS/otelcol-contrib/otelcol-contrib.signatures.json b/SPECS/otelcol-contrib/otelcol-contrib.signatures.json
index 55dacca39f..e1db2c3a45 100644
--- a/SPECS/otelcol-contrib/otelcol-contrib.signatures.json
+++ b/SPECS/otelcol-contrib/otelcol-contrib.signatures.json
@@ -1,8 +1,8 @@
 {
 "Signatures": {
 "create-vendor-tarball.sh": "b8875c80081b63d1d9d63d809a44cc001cfacb40eca96d93044c0a3f8f518b8b",
- "otelcol-contrib-poa-manifest.yaml": "745dd5a9970b2bc11b3439f09a5269adebe5bb0ebd0531490c95e32e76e72442",
- "otelcol-contrib-0.117.0-vendored.tar.gz": "e3a1e4688387bb32b056d6aec9d88350ca42603c4acfca70a8a3370c3ad60c6d",
+ "otelcol-contrib-poa-manifest.yaml": "20e56d170dfdb7868315eaf5ddf90247e97419ff758286610dfa18779ea34f95",
+ "otelcol-contrib-0.141.0-vendored.tar.gz": "a6f9a4f375edb80a11d4736e4610ac21aff8e6db5b4f2f0f97f6ec8bcf17d682",
 "otelcol_contrib.fc": "a02d63f63d80f6c080faaf3040ecacc8efcec8bb270a51a10872db7ab4173ac7",
 "otelcol_contrib.te": "33cff519aa6415c56c19870e254628f871618e99774f7785d8d61dd46de4489b"
 }
diff --git a/SPECS/otelcol-contrib/otelcol-contrib.spec b/SPECS/otelcol-contrib/otelcol-contrib.spec
index d3d8bbad69..77da5c7635 100644
--- a/SPECS/otelcol-contrib/otelcol-contrib.spec
+++ b/SPECS/otelcol-contrib/otelcol-contrib.spec
@@ -1,7 +1,7 @@
 Summary: OpenTelemetry Collector Contrib
 Name: otelcol-contrib
-Version: 0.117.0
-Release: 5%{?dist}
+Version: 0.141.0
+Release: 1%{?dist}
 License: Apache-2.0
 Vendor: Intel Corporation
 Distribution: Edge Microvisor Toolkit
@@ -11,7 +11,6 @@ URL: https://github.com/open-telemetry/opentelemetry-collector-releas
 Source0: %{url}/releases/download/v%{version}/%{name}_%{version}_linux_amd64.tar.gz#/%{name}-%{version}-vendored.tar.gz
 Source1: otelcol_contrib.te
 Source2: otelcol_contrib.fc
-Patch0: CVE-2025-22872.patch
 BuildRequires: golang >= 1.24.4
 BuildRequires: make
 BuildRequires: systemd-rpm-macros
@@ -68,6 +67,10 @@ install -m 644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages/%{modul
 %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
 %changelog
+* Mon Dec 5 2025 Basavarajx unniche - 0.141.0-1
+- Upgrade to version 0.141.0.
+- Fixes CVE-2025-47913,CVE-2025-47914,CVE-2025-58181 and CVE-2025-22872
+
 * Tue Sep 2 2025 Polmoorx shiva kumar - 0.117.0-5
 - Update go version to use above 1.24.4
diff --git a/cgmanifest.json b/cgmanifest.json
index 0df520d565..4728f7ad1a 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -16073,8 +16073,8 @@
 "type": "other",
 "other": {
 "name": "otelcol-contrib",
- "version": "0.117.0",
- "downloadUrl": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.117.0/otelcol-contrib_0.117.0_linux_amd64.tar.gz"
+ "version": "0.141.0",
+ "downloadUrl": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.141.0/otelcol-contrib_0.141.0_linux_amd64.tar.gz"
 }
 }
 },
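Review bot: The new %changelog entry's weekday does not match its date: 5 Dec 2025 is a Friday (the patch's own Date header says "Fri, 5 Dec 2025"), but the entry reads `* Mon Dec 5 2025 ...`, which rpmbuild flags as a bogus changelog date and can fail the build depending on the rpm version in use; the line should be `* Fri Dec 5 2025 Basavarajx unniche - 0.141.0-1`. The same entry lists CVE-2025-22872 as fixed while this commit drops `Patch0: CVE-2025-22872.patch` (previous hunk), so the fix is now inherited from the upstream tarball rather than applied here; it would help auditors to say so in the entry, e.g. `- Drop CVE-2025-22872.patch; fix is included in the vendored golang.org/x/net shipped with 0.141.0`, and to confirm that vendored module version before merging. The inconsistent spacing after the commas in the CVE list (`CVE-2025-47913,CVE-2025-47914,CVE-2025-58181 and ...`) is a minor style point worth normalizing while the line is being touched.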