From d02727fd81e8cd7996ef61f1e023290942fe51b6 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 19 Feb 2026 10:51:06 -0800 Subject: [PATCH] [AUTOPATCHER-CORE] Upgrade munge to 0.5.18 for CVE-2026-25506 (#15838) Signed-off-by: Kanishk Bansal Co-authored-by: Kanishk Bansal Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> (cherry picked from commit 62009e17d70f66c854f1dee209cf6d7bb95e8f87) --- SPECS/munge/munge.signatures.json | 10 +++++----- SPECS/munge/munge.spec | 18 +++++++----------- cgmanifest.json | 4 ++-- 3 files changed, 14 insertions(+), 18 deletions(-) diff --git a/SPECS/munge/munge.signatures.json b/SPECS/munge/munge.signatures.json index d9e50b2372e..eb8b3e96ba5 100644 --- a/SPECS/munge/munge.signatures.json +++ b/SPECS/munge/munge.signatures.json @@ -1,7 +1,7 @@ { - "Signatures": { - "create-munge-key": "faf294f275027c9165524daa17e862ae7e28cb32aed5f9c452d9bd37065ccebe", - "munge-0.5.15.tar.xz": "3f979df117a34c74db8fe2835521044bdeb08e3b7d0f168ca97c3547f51da9ba", - "munge.logrotate": "f8443edd07c98e0e3c9178c93a0a35e1c690cf3b6fbdb33508b34871657a9879" - } + "Signatures": { + "create-munge-key": "faf294f275027c9165524daa17e862ae7e28cb32aed5f9c452d9bd37065ccebe", + "munge.logrotate": "f8443edd07c98e0e3c9178c93a0a35e1c690cf3b6fbdb33508b34871657a9879", + "munge-0.5.18.tar.xz": "39c3ec6ef5604bfa206e8aa10fc05d5119040f6de4a554bc0fb98ca1aed838dc" + } } diff --git a/SPECS/munge/munge.spec b/SPECS/munge/munge.spec index f4b6e8c11b8..2d58a9fbc32 100644 --- a/SPECS/munge/munge.spec +++ b/SPECS/munge/munge.spec @@ -1,6 +1,6 @@ Summary: Enables uid & gid authentication across a host cluster Name: munge -Version: 0.5.15 +Version: 0.5.18 Release: 1%{?dist} # The libs and devel package is GPLv3+ and LGPLv3+ where as the main package is GPLv3 only. License: GPLv3+ AND LGPLv3+ @@ -53,7 +53,6 @@ cp -p %{SOURCE2} munge.logrotate %build %configure --disable-static --with-crypto-lib=openssl -echo "d /run/munge 0755 munge munge -" > src/etc/munge.tmpfiles.conf.in # Get rid of some rpaths for /usr/sbin sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool @@ -68,12 +67,6 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool install -p -m 755 create-munge-key %{buildroot}/%{_sbindir}/create-munge-key install -p -D -m 644 munge.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/munge -# Not installed by make -install -p -D -m 0644 src/etc/munge.tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf - -# rm unneeded files. -rm %{buildroot}/%{_sysconfdir}/sysconfig/munge - # Exclude .la files rm %{buildroot}/%{_libdir}/libmunge.la @@ -127,9 +120,9 @@ exit 0 %attr(0700,munge,munge) %dir %{_sysconfdir}/munge %attr(0755,munge,munge) %dir /run/munge/ %attr(0644,munge,munge) %ghost /run/munge/munged.pid - -%config(noreplace) %{_tmpfilesdir}/munge.conf +%config(noreplace) %{_sysconfdir}/sysconfig/munge %config(noreplace) %{_sysconfdir}/logrotate.d/munge +%{_sysusersdir}/munge.conf %license COPYING COPYING.LESSER %doc AUTHORS @@ -138,7 +131,7 @@ exit 0 %files libs %{_libdir}/libmunge.so.2 -%{_libdir}/libmunge.so.2.0.0 +%{_libdir}/libmunge.so.2.0.1 %files devel %{_includedir}/munge.h @@ -161,6 +154,9 @@ exit 0 %{_mandir}/man3/munge_strerror.3.gz %changelog +* Fri Feb 13 2026 CBL-Mariner Servicing Account - 0.5.18-1 +- Auto-upgrade to 0.5.18 - for CVE-2026-25506 + * Wed Jan 31 2024 Mitch Zhu - 0.5.15-1 - Upstream 0.5.15. diff --git a/cgmanifest.json b/cgmanifest.json index 013abd27663..c9d8288d244 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -13862,8 +13862,8 @@ "type": "other", "other": { "name": "munge", - "version": "0.5.15", - "downloadUrl": "https://github.com/dun/munge/releases/download/munge-0.5.15/munge-0.5.15.tar.xz" + "version": "0.5.18", + "downloadUrl": "https://github.com/dun/munge/releases/download/munge-0.5.18/munge-0.5.18.tar.xz" } } },