From b0ecf47d2a38aa3673506ea0be53f9b402c523c0 Mon Sep 17 00:00:00 2001
From: Harshit Gupta
Date: Thu, 27 Nov 2025 11:49:33 -0800
Subject: [PATCH 1/4] Upgrade kubevirt to v1.6.3
Signed-off-by: Harshit Gupta
---
 SPECS/kubevirt/kubevirt.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec
index f1723f4f8d1..8d74c4d95b8 100644
--- a/SPECS/kubevirt/kubevirt.spec
+++ b/SPECS/kubevirt/kubevirt.spec
@@ -19,8 +19,8 @@
 Summary: Container native virtualization
 Name: kubevirt
-Version: 1.5.3
-Release: 4%{?dist}
+Version: 1.6.3
+Release: 1%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -270,6 +270,9 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt
 %{_bindir}/virt-tests
 %changelog
+* Tue Dec 30 2025 Harshit Gupta - 1.6.3-1
+- Upgrade to 1.6.3
+
 * Wed Dec 17 2025 Aditya Singh - 1.5.3-4
 - Added patch for CVE-2025-64435
From 963056bf0cd1ccbe581aa34d71401f6fb0099f73 Mon Sep 17 00:00:00 2001
From: Harshit Gupta
Date: Fri, 28 Nov 2025 07:28:33 -0800
Subject: [PATCH 2/4] Update signatures
Signed-off-by: Harshit Gupta
---
 SPECS/kubevirt/kubevirt.signatures.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/kubevirt/kubevirt.signatures.json b/SPECS/kubevirt/kubevirt.signatures.json
index fccac2ca21c..36fe0943a56 100644
--- a/SPECS/kubevirt/kubevirt.signatures.json
+++ b/SPECS/kubevirt/kubevirt.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "kubevirt-1.5.3.tar.gz": "93518543f92fa6a9a16e7b6653745d6a2562c52b21af81769bf85ac6e67df5fa"
+ "kubevirt-1.6.3.tar.gz": "9d41ac421d7af1c25a2b5c370dc597b67e6fc2762ab03ddf4745f71cad5fb4e2"
 }
 }
From 8135b54b4a0ef28874693d5678ab309640c55933 Mon Sep 17 00:00:00 2001
From: Harshit Gupta
Date: Tue, 30 Dec 2025 10:07:07 -0800
Subject: [PATCH 3/4] Remove CVE-2025-64324.patch
Signed-off-by: Harshit Gupta
---
 SPECS/kubevirt/CVE-2025-64324.patch | 174 ----------------------------
 SPECS/kubevirt/kubevirt.spec | 4 +-
 2 files changed, 2 insertions(+), 176 deletions(-)
 delete mode 100644 SPECS/kubevirt/CVE-2025-64324.patch
diff --git a/SPECS/kubevirt/CVE-2025-64324.patch b/SPECS/kubevirt/CVE-2025-64324.patch
deleted file mode 100644
index 0928b691c06..00000000000
--- a/SPECS/kubevirt/CVE-2025-64324.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 2ffeb78c9f8bb39fa2fed114d1887d04ec507523 Mon Sep 17 00:00:00 2001
-From: Jed Lejosne
-Date: Wed, 25 Jun 2025 09:19:41 -0400
-Subject: [PATCH 1/2] host-path: only chown files we created
-
-Signed-off-by: Jed Lejosne
-(cherry picked from commit a1d1e58bce65afecdaa59941cf28ac3f0528d926)
-Signed-off-by: Jed Lejosne
----
- pkg/ephemeral-disk-utils/utils.go | 19 +++++++++++++++++--
- pkg/host-disk/host-disk.go | 12 ++++++------
- pkg/host-disk/host-disk_test.go | 17 +++++++++++------
- 3 files changed, 34 insertions(+), 14 deletions(-)
-
-diff --git a/pkg/ephemeral-disk-utils/utils.go b/pkg/ephemeral-disk-utils/utils.go
-index fc1a07b..863b267 100644
---- a/pkg/ephemeral-disk-utils/utils.go
-+++ b/pkg/ephemeral-disk-utils/utils.go
-@@ -44,14 +44,29 @@ func MockDefaultOwnershipManager() {
- type nonOpManager struct {
- }
-
--func (no *nonOpManager) UnsafeSetFileOwnership(file string) error {
-+func (no *nonOpManager) UnsafeSetFileOwnership(_ string) error {
- return nil
- }
-
--func (no *nonOpManager) SetFileOwnership(file *safepath.Path) error {
-+func (no *nonOpManager) SetFileOwnership(_ *safepath.Path) error {
- return nil
- }
-
-+func MockDefaultOwnershipManagerWithFailure() {
-+ DefaultOwnershipManager = &failureManager{}
-+}
-+
-+type failureManager struct {
-+}
-+
-+func (no *failureManager) UnsafeSetFileOwnership(_ string) error {
-+ panic("unexpected call to UnsafeSetFileOwnership")
-+}
-+
-+func (no *failureManager) SetFileOwnership(_ *safepath.Path) error {
-+ panic("unexpected call to SetFileOwnership")
-+}
-+
- type OwnershipManager struct {
- user string
- }
-diff --git a/pkg/host-disk/host-disk.go b/pkg/host-disk/host-disk.go
-index 3575005..416b700 100644
---- a/pkg/host-disk/host-disk.go
-+++ b/pkg/host-disk/host-disk.go
-@@ -235,7 +235,7 @@ func (hdc *DiskImgCreator) setlessPVCSpaceToleration(toleration int) {
- hdc.lessPVCSpaceToleration = toleration
- }
-
--func (hdc DiskImgCreator) Create(vmi *v1.VirtualMachineInstance) error {
-+func (hdc *DiskImgCreator) Create(vmi *v1.VirtualMachineInstance) error {
- for _, volume := range vmi.Spec.Volumes {
- if hostDisk := volume.VolumeSource.HostDisk; shouldMountHostDisk(hostDisk) {
- if err := hdc.mountHostDiskAndSetOwnership(vmi, volume.Name, hostDisk); err != nil {
-@@ -271,11 +271,11 @@ func (hdc *DiskImgCreator) mountHostDiskAndSetOwnership(vmi *v1.VirtualMachineIn
- if err != nil {
- return err
- }
-- }
-- // Change file ownership to the qemu user.
-- if err := ephemeraldiskutils.DefaultOwnershipManager.SetFileOwnership(diskPath); err != nil {
-- log.Log.Reason(err).Errorf("Couldn't set Ownership on %s: %v", diskPath, err)
-- return err
-+ // Change file ownership to the qemu user.
-+ if err := ephemeraldiskutils.DefaultOwnershipManager.SetFileOwnership(diskPath); err != nil {
-+ log.Log.Reason(err).Errorf("Couldn't set Ownership on %s: %v", diskPath, err)
-+ return err
-+ }
- }
- return nil
- }
-diff --git a/pkg/host-disk/host-disk_test.go b/pkg/host-disk/host-disk_test.go
-index 8b8f3da..4ca6aff 100644
---- a/pkg/host-disk/host-disk_test.go
-+++ b/pkg/host-disk/host-disk_test.go
-@@ -34,15 +34,13 @@ import (
- "k8s.io/apimachinery/pkg/api/resource"
- "k8s.io/client-go/kubernetes/fake"
- "k8s.io/client-go/tools/record"
--
-- "kubevirt.io/kubevirt/pkg/libvmi"
-- "kubevirt.io/kubevirt/pkg/safepath"
--
- v1 "kubevirt.io/api/core/v1"
- "kubevirt.io/client-go/kubecli"
-
-+ ephemeraldiskutils "kubevirt.io/kubevirt/pkg/ephemeral-disk-utils"
-+ "kubevirt.io/kubevirt/pkg/libvmi"
- libvmistatus "kubevirt.io/kubevirt/pkg/libvmi/status"
--
-+ "kubevirt.io/kubevirt/pkg/safepath"
- "kubevirt.io/kubevirt/pkg/testutils"
- )
-
-@@ -300,7 +298,14 @@ var _ = Describe("HostDisk", func() {
- })
- })
- Context("With existing disk.img", func() {
-- It("Should not re-create disk.img", func() {
-+ AfterEach(func() {
-+ By("Switching back to the regular mock ownership manager")
-+ ephemeraldiskutils.MockDefaultOwnershipManager()
-+ })
-+
-+ It("Should not re-create or chown disk.img", func() {
-+ By("Switching to an ownership manager that panics when called")
-+ ephemeraldiskutils.MockDefaultOwnershipManagerWithFailure()
- By("Creating a disk.img before adding a HostDisk volume")
- tmpDiskImg := createTempDiskImg("volume1")
- By("Creating a new VMI with a HostDisk volumes")
---
-2.45.4
-
-
-From 279812e35d9d2bb91c34db48566f05208d19edf4 Mon Sep 17 00:00:00 2001
-From: Jed Lejosne
-Date: Tue, 1 Jul 2025 09:09:14 -0400
-Subject: [PATCH 2/2] tests: adjust host-path test according to previous fix
-
-Signed-off-by: Jed Lejosne
-(cherry picked from commit 7fbfe8a2e2d422472ce6b80bd75ed1e5532a0934)
-Signed-off-by: Jed Lejosne
-Signed-off-by: Azure Linux Security Servicing Account
-Upstream-reference: https://patch-diff.githubusercontent.com/raw/kubevirt/kubevirt/pull/15990.patch
----
- tests/storage/storage.go | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/tests/storage/storage.go b/tests/storage/storage.go
-index dfec79f..974c724 100644
---- a/tests/storage/storage.go
-+++ b/tests/storage/storage.go
-@@ -254,14 +254,25 @@ var _ = SIGDescribe("Storage", func() {
- // Start the VirtualMachineInstance with the PVC attached
- vmi = newVMI(pvcName)
-
-- vmi = libvmops.RunVMIAndExpectLaunch(vmi, 180)
-+ if imageOwnedByQEMU {
-+ vmi = libvmops.RunVMIAndExpectLaunch(vmi, 180)
-
-- By(checkingVMInstanceConsoleOut)
-- Expect(console.LoginToAlpine(vmi)).To(Succeed())
-+ By(checkingVMInstanceConsoleOut)
-+ Expect(console.LoginToAlpine(vmi)).To(Succeed())
-+ } else {
-+ By("Starting a VirtualMachineInstance")
-+ createdVMI := libvmops.RunVMIAndExpectScheduling(vmi, 60)
-+
-+ By(fmt.Sprintf("Checking that VirtualMachineInstance start failed: starting at %v", time.Now()))
-+ ctx, cancel := context.WithCancel(context.Background())
-+ defer cancel()
-+ event := watcher.New(createdVMI).Timeout(60*time.Second).SinceWatchedObjectResourceVersion().WaitFor(ctx, watcher.WarningEvent, "SyncFailed")
-+ Expect(event.Message).To(ContainSubstring("Could not open '/var/run/kubevirt-private/vmi-disks/disk0/disk.img': Permission denied"), "VMI should not be started")
-+ }
- },
- Entry("[test_id:3130]with Disk PVC", newRandomVMIWithPVC, true),
- Entry("[test_id:3131]with CDRom PVC", newRandomVMIWithCDRom, true),
-- Entry("hostpath disk image file not owned by qemu", newRandomVMIWithPVC, false),
-+ Entry("unless hostpath disk image file not owned by qemu", newRandomVMIWithPVC, false),
- )
- })
-
---
-2.45.4
-
diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec
index 8d74c4d95b8..429aa0dcafe 100644
--- a/SPECS/kubevirt/kubevirt.spec
+++ b/SPECS/kubevirt/kubevirt.spec
@@ -31,8 +31,7 @@ Source0: https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio
 # Nexus team needs these to-be-upstreamed patches for the operator Edge to work
 # correctly.
 Patch0: CVE-2025-47913.patch
-Patch1: CVE-2025-64324.patch
-Patch2: CVE-2025-64435.patch
+Patch1: CVE-2025-64435.patch
 %global debug_package %{nil}
 BuildRequires: swtpm-tools
@@ -272,6 +271,7 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt
 %changelog
 * Tue Dec 30 2025 Harshit Gupta - 1.6.3-1
 - Upgrade to 1.6.3
+- Remove CVE-2025-64324.patch
 * Wed Dec 17 2025 Aditya Singh - 1.5.3-4
 - Added patch for CVE-2025-64435
From 2818f4e27c710c14d4c48a55b16ed758ed33f58b Mon Sep 17 00:00:00 2001
From: Harshit Gupta
Date: Mon, 5 Jan 2026 13:40:46 -0500
Subject: [PATCH 4/4] Update kubevirt version to 1.6.3 in cgmanifest.json
---
 cgmanifest.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cgmanifest.json b/cgmanifest.json
index cb25d0e3d91..030013fbb7f 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
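Review bot: Dropping `Patch1: CVE-2025-64324.patch` in the `@@ -31,8 +31,7 @@` hunk of kubevirt.spec (PATCH 3/4) is only safe if the v1.6.3 source already carries the fix the deleted patch cherry-picked (upstream commit a1d1e58bce65afecdaa59941cf28ac3f0528d926, "host-path: only chown files we created"), and nothing in the series records that this was verified. Once confirmed, I would say so in the changelog entry, e.g. `- Remove CVE-2025-64324.patch (fix included upstream in 1.6.3)`. The retained `CVE-2025-47913.patch` and `CVE-2025-64435.patch` deserve the same check against the new tarball, since they were presumably written against 1.5.3. The `Patch2` to `Patch1` renumbering also needs a matching change if %prep applies patches by number; that part of the spec is outside the hunks shown.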
@@ -8541,8 +8541,8 @@
 "type": "other",
 "other": {
 "name": "kubevirt",
- "version": "1.5.3",
- "downloadUrl": "https://github.com/kubevirt/kubevirt/archive/refs/tags/v1.5.3.tar.gz"
+ "version": "1.6.3",
+ "downloadUrl": "https://github.com/kubevirt/kubevirt/archive/refs/tags/v1.6.3.tar.gz"
 }
 }
 },