Skip to content

Monthly update 3.0#16111

Merged
jslobodzian merged 95 commits into3.0from
aaruagrawal/monthly-update-merge-3.0
Mar 4, 2026
Merged

Monthly update 3.0#16111
jslobodzian merged 95 commits into3.0from
aaruagrawal/monthly-update-merge-3.0

Conversation

@aaruag
Copy link
Contributor

@aaruag aaruag commented Mar 4, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?

Change Log
  • Change
  • Change
  • Change
Does this affect the toolchain?

YES/NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

archana25-ms and others added 30 commits February 4, 2026 10:46
@archana25-ms @Kanishk-Bansal
[MEDIUM] Upgrade python-wheel to 0.46.3 for CVE-2026-24049 (#15601)
a4afa0c 
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@rikenm1
Clean up after distroless Container build (#15727)
cac49e5
@chalamalasetty
First iteration fips boot support for 6.12 kernel (#15659)
dfde579 
Co-authored-by: Suresh Babu Chalamalasetty <schalam@microsoft.com>
@chalamalasetty
Retain 6.6 kernel config options in 6.12 for Aquantia AQtion DMA P2P …
4ba66c6 
…DM cache (#15470)

Co-authored-by: Suresh Babu Chalamalasetty <schalam@microsoft.com>
@bot-for-go
(security) golang: bump Go version to 1.24.13-1 (#15728)
726c937 
Co-authored-by: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com>
@bot-for-go
(security) golang: bump Go version to 1.25.7-1 (#15729)
78d1b46 
Co-authored-by: bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com>
@archana25-ms
[MEDIUM] Patch rust for CVE-2025-68114, CVE-2025-4207, CVE-2025-55159,
840f0f7 
…CVE-2025-12818, CVE-2025-67873, CVE-2026-24116 & CVE-2025-58160 (#15633)
@azurelinux-security
[AutoPR- Security] Patch glib for CVE-2026-1489 [MEDIUM] (#15744)
0f2ee38
@azurelinux-security
[AutoPR- Security] Patch nodejs24 for CVE-2025-69418 [MEDIUM] (#15666)
f993e3c
@BinduSri-6522866
[Medium] Upgrade vim to 9.1.2132 for CVE-2026-25749 (#15764)
49e8a6f
@azurelinux-security
[AutoPR- Security] Patch gh for CVE-2026-23991, CVE-2026-23992 [MEDIU…
e183a42 
…M] (#15576)
@CBL-Mariner-Bot @aadhar-agarwal
Merge PR "[AUTO-CHERRYPICK] Upgrade kubevirt to 1.7.0, libvirt to 10.…
522b8a5 
…10.0 and QEMU to 9.1.0 - branch 3.0-dev" #15788

Signed-off-by: Aadhar Agarwal <aadagarwal@microsoft.com>
Co-authored-by: aadhar-agarwal <108542189+aadhar-agarwal@users.noreply.github.com>
@CBL-Mariner-Bot @AkarshHCL
@Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [High] Upgrade nginx to 1.28.2 for CVE-20…
c51b758 
…26-1642 - branch 3.0-dev" #15802

Co-authored-by: AkarshHCL <v-akarshc@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade libpng to 1.6.…
e11bb84 
…55 for CVE-2026-25646 - branch 3.0-dev" #15803

Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@BinduSri-6522866 @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch protobuf for CVE…
d8fe363 
…-2026-0994 [HIGH] - branch 3.0-dev" #15804

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@azurelinux-security @BinduSri-6522866
[AutoPR- Security] Patch cmake for CVE-2025-10966, CVE-2025-14524 [ME…
571d7b7 
…DIUM] (#15552)

Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
@dmcilvaney
Add stub workflow to trigger toml branch spec reviews (#15832)
a819538
@archana25-ms
[MEDIUM] Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702 (#15507
740a411 
)
@jslobodzian
Revert python-wheel upgrade 15601 (#15849)
1f93eea 
Approving change to fix build break.
@CBL-Mariner-Bot @Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] Upgrade postgresql to 16.12 for CVE-202…
24048bb 
…6-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-2007 [HIGH] - branch 3.0-dev" #15850

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @durgajagadeesh @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [High] patch pytorch for CVE-2026-0994 - …
dbf01f4 
…branch 3.0-dev" #15851

Co-authored-by: durgajagadeesh <v-dpalli@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @AkarshHCL @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [High] Patch javapackages-bootstrap for C…
071e79d 
…VE-2026-24400 - branch 3.0-dev" #15852

Co-authored-by: AkarshHCL <v-akarshc@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@jykanase @Kanishk-Bansal
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch libsoup for CVE-…
5627d4f 
…2026-1801, CVE-2026-1761, CVE-2026-1536, CVE-2025-32049, CVE-2026-1467 [HIGH] - branch 3.0-dev" #15853

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jykanase <v-jykanase@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@CBL-Mariner-Bot @sandeepkarambelkar
@jslobodzian
[AUTO-CHERRYPICK] Fix npm coexistence with respective nodejs versions…
9805dea 
… - branch 3.0-dev (#15836)

Co-authored-by: Sandeep Karambelkar <skarambelkar@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@azurelinux-security
[AutoPR- Security] Patch skopeo for CVE-2025-11065 [MEDIUM] (#15672)
6c4d110
@azurelinux-security @Kanishk-Bansal
[AutoPR- Security] Patch vitess for CVE-2025-11065 [MEDIUM] (#15673)
3f4e7f7 
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@azurelinux-security
[AutoPR- Security] Patch opa for CVE-2025-11065 [MEDIUM] (#15674)
0d4b9cd
@azurelinux-security
[AutoPR- Security] Patch packer for CVE-2025-11065 [MEDIUM] (#15676)
ff6d7b8
@azurelinux-security
[AutoPR- Security] Patch cert-manager for CVE-2025-11065 [MEDIUM] (#1…
6146834 
…5677)
@azurelinux-security
[AutoPR- Security] Patch docker-compose for CVE-2025-11065 [MEDIUM] (#…
25770d3 
…15679)
CBL-Mariner-Bot and others added 20 commits February 25, 2026 15:06
@CBL-Mariner-Bot
Merge PR "[AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade valkey to 8.…
e106481 
…0.7 for CVE-2026-21863, CVE-2025-67733 [HIGH] - branch 3.0-dev" #15996
@rlmenge
feat(kernel-hwe): Enable lwtunnel,lwtunnel_bpf,sched_core (#15973)
2f41682
@CBL-Mariner-Bot
[AUTOPATCHER-CORE] Upgrade erlang to 26.2.5.17 for CVE-2026-21620 (#1…
08dd928 
…5982)
@Kanishk-Bansal
Revert "[MEDIUM] Upgrade python-wheel to 0.46.3 for CVE-2026-24049" (#…
34f0c70 
…16013)
@romoh
Enable additional tracing in kernel-mshv (#15833)
bf11b18 
Signed-off-by: Roaa Sakr <romoh@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@akhila-guruju @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch tensorflow for C…
7c1df70 
…VE-2026-2492 [HIGH] - branch 3.0-dev" #16038

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Akhila Guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot
[AUTOPATCHER-kernel] Kernel upgrade to version 6.6.126.1 - branch 3.0…
2d24d44 
…-dev (#15922)
@Redent0r
kernel-mshv: upgrade to 6.6.121.mshv1 (#16016)
372fa39 
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
@CBL-Mariner-Bot
[AUTOPATCHER-CORE] Upgrade vim to 9.2.0088 for CVE-2026-28417, CVE-…
efe2485 
…2026-28418, CVE-2026-28419, CVE-2026-28420, CVE-2026-28421, CVE-2026-28422 (#16065)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@azurelinux-security @Kanishk-Bansal @v-aaditya
[AutoPR- Security] Patch alsa-lib for CVE-2026-25068 [MEDIUM] (#15757)
b203dd8 
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: Aditya Singh <v-aditysing@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
[AUTO-CHERRYPICK] [AutoPR- Security] Patch telegraf for CVE-2026-27571
ab626c9 
…[HIGH] - branch 3.0-dev (#16037)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@corvus-callidus @tobiasb-ms
Add OpenSSL FIPS provider (#15153)
687924a 
This adds a new package named openssl-fips-provider which will install the OpenSSL 3.1.2 FIPS provider and associated config file. This package has a mutual conflict with the SymCrypt-OpenSSL package. This change also updates the OpenSSL provider loading patch to allow loading one or the other of the FIPS-certified providers.

Co-authored-by: Tobias Brick <tobiasb@microsoft.com>
@bfjelds
Create Trident RPM for 0.21.0 and update ImageCustomizer RPM for 1.2.0 (
20df47c 
#15450)
@CBL-Mariner-Bot @azurelinux-security
@Kanishk-Bansal @jslobodzian
[AUTO-CHERRYPICK] [AutoPR- Security] Patch cloud-hypervisor for CVE-2…
15c43ca 
…026-27211 [CRITICAL] - branch 3.0-dev (#15995)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @archana25-ms @jslobodzian
[AUTO-CHERRYPICK] [CRITICAL] Patch kata-containers for CVE-2026-24834
90d2ba6 
…, [MEDIUM] CVE-2026-25727, CVE-2025-65637, CVE-2026-25541 and CVE-2025-11065 - branch 3.0-dev (#15991)

Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@ddstreet
systemd: add patches for ipc issue (#16098)
06c5757 
Fixes issue relating to dbus-based ipc communication
@bfjelds
SPECS/trident: set TRIDENT_VERSION correctly for azl build (#16099)
27597f5
@CBL-Mariner-Bot @azurelinux-security
@Kanishk-Bansal @akhila-guruju @jslobodzian
[AUTO-CHERRYPICK] [AutoPR- Security] Patch vitess for CVE-2026-27969, C…
43c03fe 
…VE-2026-27965 [CRITICAL] - branch 3.0-dev (#16085)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot
Prepare Mar 2026 Update (#16108)
5f462e7
@aaruag
merge branch '3.0-dev' into aaruagrawal/monthly-update-merge-3.0
8f6aae8
@aaruag aaruag requested review from a team as code owners March 4, 2026 00:26
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging specs-extended PR to fix SPECS-EXTENDED Tools Schema Changes to image configurations 3.0 PRs Destined for 3.0 labels Mar 4, 2026
@jslobodzian jslobodzian merged commit 25bde1f into 3.0 Mar 4, 2026
27 of 31 checks passed
@jslobodzian jslobodzian deleted the aaruagrawal/monthly-update-merge-3.0 branch March 4, 2026 02:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jslobodzian jslobodzian jslobodzian approved these changes

Assignees

No one assigned

Labels

3.0 PRs Destined for 3.0 Packaging Schema Changes to image configurations specs-extended PR to fix SPECS-EXTENDED Tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.