Update dnf5 to 5.1.17 for CVE-2024-1929, CVE-2024-1930, CVE-2024-2746 [High]

[Kanishk-Bansal]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Update dnf5 to 5.1.17 for CVE-2024-1929, CVE-2024-1930, CVE-2024-2746

Change Log

• CVE-2024-1929
• CVE-2024-1930
• CVE-2024-2746

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2024-1929
• https://nvd.nist.gov/vuln/detail/CVE-2024-1930
• https://nvd.nist.gov/vuln/detail/CVE-2024-2746

Test Methodology

• Pipeline build id: Buddy Build

[Kanishk-Bansal]

Reference:
CVE-2024-1929 , CVE-2024-2746 -> https://security.opensuse.org/2024/04/03/dnf5daemon-resposdir-followup.html

CVE-2024-1930-> rpm-software-management/dnf5@c090ffe

[Kanishk-Bansal]

flux on arm64 is a known failure.

[sameluch]

@Kanishk-Bansal is there a reason why we are choosing not to patch these CVEs and upgrade instead?

Looking through the patches, they seem pretty small and inert when compared to the jump from 5.1.11 -> 5.1.17 when looking at the compare.
CVE-2024-1929: rpm-software-management/dnf5@6e51bf2
CVE-2024-2746: rpm-software-management/dnf5@07c5770

CVE-2024-1930: rpm-software-management/dnf5@c090ffe

dnf5 more recently made a change to their versioning to have truer to form patch releases starting with 5.2.0.0 for better granularity on things like this. Though unfortunately we are a bit stuck for now...

[sameluch]

This is a new plugin that dnf5 added in 5.1.13 which we likely don't want on by default and should be packaged separately (as we do with dnf and tdnf). In the upstream repo, there is an included spec file which we would want to align with for any new features added to keep packages consistent as we have in the past.
See change here: rpm-software-management/dnf5@9cf4ebd#diff-3764aa091c8d6fcbde25e8587620de2d599df9a8a2897c372975ecfa4d6b4980
Spec file here: https://github.com/rpm-software-management/dnf5/blob/5.1.17/dnf5.spec

[Kanishk-Bansal]

Hey @sameluch, after seeing that the upgrade is having substantial changes, I have raised a PR with Patches, Take a look at it, #13646

[Kanishk-Bansal]

closing in favour of #13646