[AUTO-CHERRYPICK] [High] Patch docker-buildx for CVE-2026-39833 - branch 3.0-dev#17641
Conversation
Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> (cherry picked from commit a983093)
|
All conflicts resolved. |
Auto Cherry-Pick SPEC Validation Summary
|
| Source (fasttrack) | Target (3.0-dev) | Resolved | |
|---|---|---|---|
| Version | 0.14.0 | 0.14.0 | None |
| Release | 15 | 14 | 15 |
| Patches | 26 | 25 | 26 |
| Conflict | Yes |
- Version-release None-15 is not higher than Source 0.14.0-15
- Version-release None-15 is not higher than Target 0.14.0-14
- Duplicate changelog entry for 0.14.0-11 (appears 2 times)
- Changelog out of order: 0.14.0-11 appears before 0.14.0-13
- Directive present in both Source and Target was dropped: BuildRequires: bash
- Directive present in both Source and Target was dropped: BuildRequires: golang < 1.25
The auto cherry-pick resolver dropped the preamble (Name, Version, License, Group, Vendor, BuildRequires) and reordered the changelog incorrectly (-11 above -13, -12 missing entirely). Since 3.0-dev had no unique changes vs fasttrack pre-merge, the correct merge result is identical to fasttrack/3.0's spec. Flagged by cherrypick-health check.
There was a problem hiding this comment.
Pull request overview
This is an auto-generated cherry-pick of PR #17590 to the 3.0-dev branch, patching docker-buildx for CVE-2026-39833 and completing the partial fix for CVE-2026-39832 in the vendored golang.org/x/crypto/ssh/agent code. It adds a new patch that makes the in-memory keyring reject keys with the unsupported ConfirmBeforeUse constraint, and reworks the existing CVE-2026-39832 patch to carry the full two-commit upstream fix (client-side constraint-extension serialization plus keyring rejection of unsupported constraint extensions).
Changes:
- Add
CVE-2026-39833.patchand register it asPatch25, bumpingReleaseto 15 with a corresponding changelog entry. - Replace the partial CVE-2026-39832 patch with the complete fix combining upstream commits
e3d1254anda1ce0fe. - The keyring.go patch chain remains consistent and applies in numeric order via
%autosetup -p1.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| SPECS/docker-buildx/docker-buildx.spec | Bumps Release to 15, registers Patch25 for CVE-2026-39833, and adds the changelog entry. |
| SPECS/docker-buildx/CVE-2026-39833.patch | New patch making the in-memory keyring reject the unsupported ConfirmBeforeUse constraint. |
| SPECS/docker-buildx/CVE-2026-39832.patch | Reworked to carry the complete two-commit upstream fix (client.go serialization + keyring.go rejection of constraint extensions). |
|
/azurepipelines run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This is an auto-generated pull request to cherry-pick commit a983093 to 3.0-dev. Original PR: #17590
In case of no merge conflicts, the PR is merged without approval because it's an automated cherry-pick of an already approved PR.
In case of merge conflicts, an AI-based conflict resolver will attempt to resolve conflicts and might make mistakes. The reviewer must check AI's work before approving.