Skip to content

Merge 3.0-dev into 3.0#15715

Merged
jslobodzian merged 46 commits into3.0from
3.0-dev
Feb 4, 2026
Merged

Merge 3.0-dev into 3.0#15715
jslobodzian merged 46 commits into3.0from
3.0-dev

Conversation

@dmcilvaney
Copy link
Contributor

@dmcilvaney dmcilvaney commented Feb 4, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?

Change Log
  • Change
  • Change
  • Change
Does this affect the toolchain?

YES/NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

azurelinux-security and others added 30 commits January 20, 2026 10:14
@azurelinux-security @BinduSri-6522866
[AutoPR- Security] Patch cmake for CVE-2025-14017 [MEDIUM] (#15475)
56841b5 
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch strongswan for C…
2bb5064 
…VE-2025-62291 [HIGH] - branch 3.0-dev" #15541

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
@CBL-Mariner-Bot
[AUTOPATCHER-CORE] Upgrade libpng to 1.6.54 for CVE-2026-22695, CVE…
c643f2b 
…-2026-22801 [Medium] (#15492)
@Kanishk-Bansal @CBL-Mariner-Bot
Upgrade python-filelock to 3.20.3 for CVE-2026-22701 [Medium] (#15495)
391c4df 
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
@azurelinux-security @Kanishk-Bansal
[AutoPR- Security] Patch glibc for CVE-2026-0861, CVE-2026-0915 [MEDI…
fc2b496 
…UM] (#15522)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@azurelinux-security @Kanishk-Bansal
[AutoPR- Security] Patch libarchive for CVE-2025-60753 [MEDIUM] (#15528)
a2c4e7d 
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@bot-for-go
(security) golang: bump Go version to 1.24.12-1 (#15542)
d2ce31c 
Co-authored-by: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com>
@Kanishk-Bansal
Upgrade mysql to 8.0.45 for CVE-2026-21948, CVE-2026-21968, CVE-202…
6bac2f5 
…6-21941, CVE-2026-21964, CVE-2026-21936, CVE-2026-21937 [Medium] (#15551)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@bot-for-go
(security) golang: bump Go version to 1.25.6-1 (#15543)
77f6295 
Co-authored-by: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com>
@azurelinux-security @archana25-ms
[AutoPR- Security] Patch ruby for CVE-2025-61594 [LOW] (#15436)
cabd233 
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch krb5 for CVE-2025-24528 [MEDIUM] (#15545)
6c17b96
@azurelinux-security @BinduSri-6522866
[AutoPR- Security] Patch curl for CVE-2025-14017 [MEDIUM] (#15474)
b60d955 
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch gnutls for CVE-2025-13151 [LOW] (#15483)
669544d
@azurelinux-security @akhila-guruju @Kanishk-Bansal
[AutoPR- Security] Patch edk2 for CVE-2025-2295 [LOW] (#15442)
48e633c 
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch keras for CVE-20…
fe04658 
…26-0897 [HIGH] - branch 3.0-dev" #15568

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @archana25-ms
Merge PR "[AUTO-CHERRYPICK] [HIGH] Patch frr for CVE-2025-61099,CVE-2…
b72129d 
…025-61100,CVE-2025-61101,CVE-2025-61102,CVE-2025-61103,CVE-2025-61104,CVE-2025-61105,CVE-2025-61106 & CVE-2025-61107 - branch 3.0-dev" #15569

Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
@chalamalasetty
Enable aarch64 HWE kernel configs for performance improvements (#15534)
dd62567 
Co-authored-by: Suresh Babu Chalamalasetty <schalam@microsoft.com>
@CBL-Mariner-Bot
[AUTOPATCHER-CORE] Upgrade bind to 9.20.18 for CVE-2025-13878 (#15554)
b6662b8 
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch libsndfile for CVE-2025-56226 [MEDIUM] (#15572)
7ebb2ef
@azurelinux-security
[AutoPR- Security] Patch glibc for CVE-2025-15281 [MEDIUM] (#15561)
c326e08 
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch avahi for CVE-2026-24401 [MEDIUM] (#15580)
ad816f6
@Redent0r @CBL-Mariner-Bot
cloud-hypervisor: upgrade to 48.0.246 (#15573)
affeb9f 
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@BinduSri-6522866 @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch nodejs for CVE-2…
4154787 
…026-21637, CVE-2025-59466, CVE-2025-59465, CVE-2025-55132, CVE-2025-55131 [HIGH] - branch 3.0-dev" #15624

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @sprt @jslobodzian
[AUTO-CHERRYPICK] [AUTO-PR] azure-core/azurelinux:sprt/CVE-2026-24054…
34e1e83 
…-kata-containerd - branch 3.0-dev (#15623)

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Signed-off-by: Aurélien Bombo <aurelien.bombo@microsoft.com>
Co-authored-by: Aurélien Bombo <aurelien.bombo@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch pytorch for CVE-…
0fc626c 
…2026-24747 [HIGH] - branch 3.0-dev" #15625

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@aadhar-agarwal
containerd2: Backport fix for credential leak in CRI error logs (#15579)
cbc9f97 
Backports a fix for a credential leak vulnerability in containerd2's CRI error handling. When image pulls fail from private registries using URL-based authentication (e.g., Azure Blob Storage with SAS tokens), sensitive query parameters were being exposed in both containerd logs and Kubernetes pod events (visible via kubectl describe pod).
@sandeepkarambelkar
Add nodejs24 to coexist with nodejs 20, add fix for runtime internati…
ec35977 
…onalization support in nodejs24 (#15385)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@azurelinux-security
[AutoPR- Security] Patch python3 for CVE-2026-0865, CVE-2025-11468, C…
0e55d09 
…VE-2026-0672 [MEDIUM] (#15595)
@azurelinux-security
[AutoPR- Security] Patch memcached for CVE-2026-24809 [MEDIUM] (#15615)
693cb87
@v-aaditya
[Medium] Patch coredns for CVE-2025-68151 (#15515)
153b4cb
sandeepkarambelkar and others added 16 commits January 30, 2026 08:58
@sandeepkarambelkar
Upgrade nginx to latest stable version 1.28.1 (#14919)
2045810
@Camelron
Update kernel-uvm config to support extended attributes with CIFS (#1…
cc2b238 
…5498)
@SeanDougherty @jiria
kernel: Enable CONFIG_SQUASHFS_ZSTD and CONFIG_FW_CFG_SYSFS (#15612)
a5bd3e3 
CONFIG_SQUASHFS_ZSTD

With this a better compression algo (zstd) becomes available to users, this is a read-only kernel feature with minimal overhead when not in use. Already enabled in our ARM kernel.

CONFIG_FW_CFG_SYSFS

Enables module that permits firmware config injection. Minimal overhead, not loaded when not in use. Already enabled in our ARM kernel

Co-authored-by: Jiri Appl <jiria@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch expat for CVE-2026-24515 [LOW] (#15585)
9819417
@akhila-guruju
[Medium] Patch gnutls for CVE-2025-9820 (#15603)
884e179
@azurelinux-security @archana25-ms
[AutoPR- Security] Patch nmap for CVE-2025-11961 [LOW] (#15435)
4cdf058 
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch glib for CVE-2026-1484 [LOW] (#15650)
004e03d
@azurelinux-security
[AutoPR- Security] Patch expat for CVE-2026-25210 [MEDIUM] (#15651)
be30df0
@CBL-Mariner-Bot @corvus-callidus @jslobodzian
[AUTO-CHERRYPICK] Patch openssl for CVE-2025-15467, CVE-2025-15468, C…
3efa245 
…VE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420, CVE-2025-69421 - branch 3.0-dev (#15627)

Co-authored-by: corvus-callidus <lyrydber@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot
[AUTO-CHERRYPICK] [AutoPR- Security] Patch edk2 for CVE-2025-15467 [C…
bc393da 
…RITICAL] - branch 3.0-dev (#15646)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

approving PR.  Buddy build and expected tests passed.
@Kanishk-Bansal
edk2 : Fix merge conflict and changelog (#15701)
950b256 
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@CBL-Mariner-Bot @corvus-callidus @jslobodzian
[AUTO-CHERRYPICK] Patch openssl for CVE-2025-69419, CVE-2026-22795, and
347a49c 
CVE-2026-22796 - branch 3.0-dev (#15698)

Co-authored-by: corvus-callidus <lyrydber@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch edk2 for CVE-2026-22796, CVE-2025-69421, CVE…
d5206d3 
…-2025-69420, CVE-2025-69418, CVE-2025-68160 [HIGH] (#15702)

Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@CBL-Mariner-Bot @rlmenge
[AUTOPATCHER-kernel] Kernel upgrade to version 6.6.121.1 - branch 3.0…
0083585 
…-dev (#15660)

Co-authored-by: Rachel Menge <rachelmenge@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
[AUTO-CHERRYPICK] [AutoPR- Security] Patch nodejs for CVE-2025-55130
82d82f0 
…[HIGH] - branch 3.0-dev (#15703)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch gnupg2 for CVE-2…
9021815 
…026-24882 [HIGH] - branch 3.0-dev" #15713

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
@dmcilvaney dmcilvaney requested review from a team as code owners February 4, 2026 03:00
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging specs-extended PR to fix SPECS-EXTENDED Tools 3.0 PRs Destined for 3.0 labels Feb 4, 2026
@jslobodzian jslobodzian merged commit 52dfbf6 into 3.0 Feb 4, 2026
34 of 39 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jslobodzian jslobodzian jslobodzian approved these changes

Assignees

No one assigned

Labels

3.0 PRs Destined for 3.0 Packaging specs-extended PR to fix SPECS-EXTENDED Tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.