Skip to content

[AUTO-CHERRYPICK] [High] Patch docker-buildx for CVE-2026-39833 - branch 3.0-dev#17641

Merged
jslobodzian merged 3 commits into
3.0-devfrom
cblmargh/cherry-pick-pr-17590-to-3.0-dev
Jun 26, 2026
Merged

[AUTO-CHERRYPICK] [High] Patch docker-buildx for CVE-2026-39833 - branch 3.0-dev#17641
jslobodzian merged 3 commits into
3.0-devfrom
cblmargh/cherry-pick-pr-17590-to-3.0-dev

Conversation

@CBL-Mariner-Bot

Copy link
Copy Markdown
Collaborator

This is an auto-generated pull request to cherry-pick commit a983093 to 3.0-dev. Original PR: #17590
In case of no merge conflicts, the PR is merged without approval because it's an automated cherry-pick of an already approved PR.
In case of merge conflicts, an AI-based conflict resolver will attempt to resolve conflicts and might make mistakes. The reviewer must check AI's work before approving.

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
(cherry picked from commit a983093)
@CBL-Mariner-Bot CBL-Mariner-Bot added the Auto Fast-track Cherry-pick Automatic cherry-pick from fast-track branch label Jun 8, 2026
@CBL-Mariner-Bot
CBL-Mariner-Bot marked this pull request as ready for review June 8, 2026 14:16
@CBL-Mariner-Bot
CBL-Mariner-Bot requested a review from a team as a code owner June 8, 2026 14:16
@CBL-Mariner-Bot

Copy link
Copy Markdown
Collaborator Author

All conflicts resolved.

@CBL-Mariner-Bot

Copy link
Copy Markdown
Collaborator Author

Auto Cherry-Pick SPEC Validation Summary

docker-buildx SPEC summary

Source (fasttrack) Target (3.0-dev) Resolved
Version 0.14.0 0.14.0 None
Release 15 14 15
Patches 26 25 26
Conflict Yes

⚠️ Validation issues:

  • Version-release None-15 is not higher than Source 0.14.0-15
  • Version-release None-15 is not higher than Target 0.14.0-14
  • Duplicate changelog entry for 0.14.0-11 (appears 2 times)
  • Changelog out of order: 0.14.0-11 appears before 0.14.0-13
  • Directive present in both Source and Target was dropped: BuildRequires: bash
  • Directive present in both Source and Target was dropped: BuildRequires: golang < 1.25

⚠️ Manual review required — validation found issues that may need correction.

The auto cherry-pick resolver dropped the preamble (Name, Version, License, Group, Vendor, BuildRequires) and reordered the changelog incorrectly (-11 above -13, -12 missing entirely). Since 3.0-dev had no unique changes vs fasttrack pre-merge, the correct merge result is identical to fasttrack/3.0's spec.

Flagged by cherrypick-health check.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This is an auto-generated cherry-pick of PR #17590 to the 3.0-dev branch, patching docker-buildx for CVE-2026-39833 and completing the partial fix for CVE-2026-39832 in the vendored golang.org/x/crypto/ssh/agent code. It adds a new patch that makes the in-memory keyring reject keys with the unsupported ConfirmBeforeUse constraint, and reworks the existing CVE-2026-39832 patch to carry the full two-commit upstream fix (client-side constraint-extension serialization plus keyring rejection of unsupported constraint extensions).

Changes:

  • Add CVE-2026-39833.patch and register it as Patch25, bumping Release to 15 with a corresponding changelog entry.
  • Replace the partial CVE-2026-39832 patch with the complete fix combining upstream commits e3d1254 and a1ce0fe.
  • The keyring.go patch chain remains consistent and applies in numeric order via %autosetup -p1.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
SPECS/docker-buildx/docker-buildx.spec Bumps Release to 15, registers Patch25 for CVE-2026-39833, and adds the changelog entry.
SPECS/docker-buildx/CVE-2026-39833.patch New patch making the in-memory keyring reject the unsupported ConfirmBeforeUse constraint.
SPECS/docker-buildx/CVE-2026-39832.patch Reworked to carry the complete two-commit upstream fix (client.go serialization + keyring.go rejection of constraint extensions).

@jslobodzian

Copy link
Copy Markdown
Collaborator

/azurepipelines run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 1 pipeline(s).

@jslobodzian
jslobodzian merged commit dda93b1 into 3.0-dev Jun 26, 2026
36 checks passed
@jslobodzian
jslobodzian deleted the cblmargh/cherry-pick-pr-17590-to-3.0-dev branch June 26, 2026 20:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Auto Fast-track Cherry-pick Automatic cherry-pick from fast-track branch Automatic PR Packaging

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants