Skip to content

[3.0] Merge changes for Jan 2026 test build#15531

Merged
jslobodzian merged 113 commits into3.0from
anphel/3-prod-merge-jan19
Jan 19, 2026
Merged

[3.0] Merge changes for Jan 2026 test build#15531
jslobodzian merged 113 commits into3.0from
anphel/3-prod-merge-jan19

Conversation

@anphel31
Copy link
Copy Markdown
Member

@anphel31 anphel31 commented Jan 19, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?

Change Log
  • Change
  • Change
  • Change
Does this affect the toolchain?

YES/NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

sandeepkarambelkar and others added 30 commits December 11, 2025 13:46
@sandeepkarambelkar
Remove qt5-qtconnectivity and add qt6-qtconnectivity (#15197)
aadbc95
@azurelinux-security
[AutoPR- Security] Patch telegraf for CVE-2025-10543 [MEDIUM] (#15275)
d665a99
@xordux
Systemd network/tc: fix stack overflow when dropping tclass or qdisc (#…
a6140cc 
…15165)

Add patch to systemd to fix stack overflow when dropping tclass or qdisc in systemd-networkd. It avoids systemd SEGV crash in certain cases.
@mayankfz
BUG 59454970: Make kexec-tools do not depend on ethtool only, enable …
f4e3c2f 
…user to choose either ethtool or mlnx-ethtool during installation, default is ethtool. (#15014)

Make kexec-tools do not depend on ethtool only, enable user to choose either ethtool or mlnx-ethtool during installation, default is ethtool.

Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>
@durgajagadeesh
Upgrade apache-commons-compress to 1.26.1 and address dependency buil…
790852b 
…d warnings (#13854)
@chalamalasetty
Upgrade MOFED 24.10 to DOCA-OFED 25.07 and its dependencies (#15028)
303210c 
Co-authored-by: Suresh Babu Chalamalasetty <schalam@microsoft.com>
@jykanase
upgrade pacemaker to version 3.0.1 (#15046)
fa584c8
@v-aaditya
[Medium] Patch kubevirt for CVE-2025-64435 (#15137)
7750a32
@sandeepkarambelkar
Remove qt5-qtsensors and add qt6-qtsensors (#15205)
3eb9deb
@jykanase @kgodara912
Upgrade hdf5 version to 1.14.6 and patch hdf5 for CVE-2025-2153, CVE-…
49403f7 
…2025-2310, CVE-2025-2914, CVE-2025-2926, CVE-2025-6816, CVE-2025-2925, CVE-2025-2924, CVE-2025-44905,CVE-2025-6269, CVE-2025-6750, CVE-2025-6857, CVE-2025-7067, CVE-2025-7068, CVE-2025-6858, CVE_2025-2923, CVE-2025-2913, CVE-2025-6516, CVE-2025-6818, CVE-2025-6817, CVE-2025-6856, CVE-2025-7069 (#15115)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: kgodara912 <kshigodara@outlook.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@sandeepkarambelkar
Remove qt5-qtserialport and add qt6-qtserialport (#15233)
21b8a73
@akhila-guruju
[Medium] Patch grub2 for CVE-2025-61661, CVE-2025-61662 & CVE-2025-61663
e019d04 
 (#15157)
@AkarshHCL
Upgrade: Jtidy to version 1.0.4 (#15168)
9bd782a
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch cni-plugins for C…
96bb3b2 
…VE-2025-65637 [HIGH] - branch 3.0-dev" #15305

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@akhila-guruju @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch python-urllib3 for
66cd71f 
CVE-2025-66418, CVE-2025-66471 [HIGH] - branch 3.0-dev" #15306

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@BinduSri-6522866 @Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch qtdeclarative for
c4dce60 
…CVE-2025-12385 [HIGH] - branch 3.0-dev" #15307

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @BinduSri-6522866 @jslobodzian
Merge PR "[AUTO-CHERRYPICK] Patch fluent-bit for CVE-2025-12977 [High…
7a1ed75 
…] and CVE-2025-12969 [Medium] - branch 3.0-dev" #15308

Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@archana25-ms @Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch qtbase for CVE-2…
8ed8f9a 
…025-66293 [HIGH] - branch 3.0-dev" #15309

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch influxdb for CVE…
d5ff89e 
…-2025-65637 [HIGH] - branch 3.0-dev" #15310

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch dcos-cli for CVE…
c3bb826 
…-2025-65637 [HIGH] - branch 3.0-dev" #15311

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot
[AUTOPATCHER-CORE] Upgrade tzdata to 2025c upgrade to version 2025c (#…
2c29e73 
…15284)
@AkarshHCL
Upgrade:perl-FFI-CheckLib to version 0.31 (#15144)
51bd173
@v-aaditya
Upgrade xmldb-api to version 1.7.0 (#15290)
2f95523
@azurelinux-security
[AutoPR- Security] Patch influxdb for CVE-2025-10543 [MEDIUM] (#15328)
ad2c514
@v-aaditya
Upgrade xbean to version 4.24 (#15244)
a3d0b8e
@v-aaditya
Upgrade ibus-table version to 1.17.16 (#15302)
be8e809
@CBL-Mariner-Bot @Kanishk-Bansal
Merge PR "[AUTO-CHERRYPICK] Revert "[AutoPR- Security] Patch qtbase f…
1ac3d58 
…or CVE-2025-66293 [HIGH]" - branch 3.0-dev" #15351

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@azurelinux-security
[AutoPR- Security] Patch glib for CVE-2025-14087, CVE-2025-14512 [MED…
8f5adbe 
…IUM] (#15294)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch flannel for CVE-…
868bb3a 
…2025-65637 [HIGH] - branch 3.0-dev" #15352

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@CBL-Mariner-Bot @azurelinux-security
@Kanishk-Bansal @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch containerized-da…
3b84639 
…ta-importer for CVE-2025-65637 [HIGH] - branch 3.0-dev" #15353

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
CBL-Mariner-Bot and others added 15 commits January 15, 2026 10:09
@CBL-Mariner-Bot @v-aaditya @Kanishk-Bansal
Merge PR "[AUTO-CHERRYPICK] Patch tensorflow for CVE-2026-21441 - bra…
f3e9c08 
…nch 3.0-dev" #15513

Co-authored-by: Aditya Singh <v-aditysing@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@CBL-Mariner-Bot @azurelinux-security
@akhila-guruju @jslobodzian
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch python-urllib3 for
76034c8 
CVE-2026-21441 [HIGH] - branch 3.0-dev" #15514

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
@rlmenge
kernel: enable CONFIG_INET_DIAG_DESTROY (#15465)
581b773 
Enable inet_diag_destroy in the Azure Linux kernel. This config will allow for proactive tear down of stale UDP connections. It is also commonly used by Cilium.
@romoh
Enable CONFIG_FTRACE_SYSCALLS for kernel-mshv (#15451)
955bb43 
Signed-off-by: Roaa Sakr <romoh@microsoft.com>
@miz060
Reduce OSGuard OS disk size to 30 GB to align with AKS minimum requir…
3a73707 
…ement (#15206)

Reduce OSGuard OS disk size to 30 GB to match AKS requirements. Reference: https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools. It mentions "You can also reduce the default size of the OS disk using --node-osdisk-size, but keep in mind the minimum size for AKS images is 30 GB."
@dmcilvaney
fix: Add useful debug message when files are missing from config (#15499
5027dba 
)

Improve error messages when image config files reference missing files (PackageLists, scripts, AdditionalFiles, etc.).

Previously, if a referenced file was missing, Make would fail with a confusing message about having no rule to build the validation flag. If the missing file was in a non-existent directory, realpath would also print unhelpful errors before the actual failure.

This was caused by Make's pattern rule matching behavior. The validation rules is $(STATUS_FLAGS_DIR)/validate-image-config%.flag:, which matches the variable validate-config = $(STATUS_FLAGS_DIR)/validate-image-config-$(config_name).flag

The rule had config_other_files = $(if $(CONFIG_FILE),$(call shell_real_build_only, $(SCRIPTS_DIR)/get_config_deps.sh $(CONFIG_FILE)),) as a dependency. If one of those calculated files was missing, then make would consider the pattern matched rule un-usable, and would try to find an alternate rule that did have all its dependencies. Unfortunately, we only have one pattern match rule, so we must ensure that all the dependencies we list are either real files, or valid make targets, so make won't skip it.
@rlmenge
kernel: enable xfrm_interface (#15463)
5e5723d 
This PR enables Linux XFRM interfaces to allow creating xfrmN devices for IPsec policy routing and namespace/VRF separation. It turns on CONFIG_XFRM_INTERFACE in the kernel config (module autoloads on use). No behavior change by default; it simply unlocks IPsec scenarios that require if_id steering.

Impact: none for existing users; new capability for per-tenant/VRF IPsec paths
@azurelinux-security @Kanishk-Bansal
[AutoPR- Security] Patch avahi for CVE-2025-68471, CVE-2025-68276, CV…
5dd7995 
…E-2025-68468 [MEDIUM] (#15502)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@SumitJenaHCL
Upgrade: libreport version to 2.17.15 (#11242)
112374e
@durgajagadeesh
Upgrade: python-debtcollector version to 3.0.0 (#13604)
6fc41d0
@KavyaSree2610
rust: Upgrade to 1.90.0 (#14819)
101af2e 
Co-authored-by: Kavya Sree Kaitepalli <kkaitepalli@microsoft.com>
@azurelinux-security @Kanishk-Bansal
[AutoPR- Security] Patch libtasn1 for CVE-2025-13151 [LOW] (#15485)
2cbbe9e 
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
@SumitJenaHCL @aninda-al
Upgrades lasso to version 2.9.0 (#14622)
4016ca1 
Co-authored-by: Aninda <v-anipradhan@microsoft.com>
@dmcilvaney
Add option to require explicit gpg key verification for image builds (#…
e3c975d 
…15462)

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
@anphel31
Merge branch '3.0-dev' into anphel/3-prod-merge-jan19
fbd12ff
@anphel31 anphel31 requested review from a team as code owners January 19, 2026 16:29
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging specs-extended PR to fix SPECS-EXTENDED documentation Improvements or additions to documentation Tools Schema Changes to image configurations 3.0 PRs Destined for 3.0 labels Jan 19, 2026
@jslobodzian jslobodzian reopened this Jan 19, 2026
@jslobodzian jslobodzian merged commit 77368bb into 3.0 Jan 19, 2026
54 of 58 checks passed
@jslobodzian jslobodzian deleted the anphel/3-prod-merge-jan19 branch January 19, 2026 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jslobodzian jslobodzian jslobodzian approved these changes

Assignees

No one assigned

Labels

3.0 PRs Destined for 3.0 documentation Improvements or additions to documentation Packaging Schema Changes to image configurations specs-extended PR to fix SPECS-EXTENDED Tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.