Sync from SUSE:SLFO:Main velociraptor revision 4ecb2f6af2e84e53716ecd0de2e0d5d8

2024-06-12 16:08:34 +02:00 · 2024-06-12 16:08:34 +02:00 · 9cf4de03e2
commit 9cf4de03e2
parent e6f8bcc6c0
7 changed files with 20326 additions and 829 deletions
--- a/CVE-2022-25883-npm-watch-semver-deps.patch
+++ b/CVE-2022-25883-npm-watch-semver-deps.patch
@ -0,0 +1,24 @@
 From 76e999d0976ad6559574c92b79fe7432596d2d6c Mon Sep 17 00:00:00 2001
 From: snyk-bot <snyk-bot@snyk.io>
 Date: Sat, 27 Apr 2024 00:20:54 +0000
 Subject: [PATCH] fix: gui/velociraptor/package.json to reduce vulnerabilities
 The following vulnerabilities are fixed with an upgrade:
 - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
 ---
 gui/velociraptor/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 Index: b/gui/velociraptor/package.json
 ===================================================================
 --- a/gui/velociraptor/package.json
 +++ b/gui/velociraptor/package.json
@@ -31,7 +31,7 @@
         "lodash": "^4.17.21",
         "moment": "^2.29.4",
         "moment-timezone": "0.5.43",
 -        "npm-watch": "^0.11.0",
 +        "npm-watch": "^0.12.0",
         "prop-types": "^15.8.1",
         "qs": "^6.11.2",
         "query-string": "^6.14.1",
--- a/CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
+++ b/CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
@ -1,23 +1,30 @@
-From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001
+diff --git a/gui/velociraptor/package-lock.json b/gui/velociraptor/package-lock.json
-From: Ruben Verborgh <ruben@verborgh.org>
+index e6c46c00..2a6c8114 100644
-Date: Thu, 14 Mar 2024 17:36:10 +0100
+--- a/gui/velociraptor/package-lock.json
-Subject: [PATCH] Drop Proxy-Authorization across hosts.
+++ b/gui/velociraptor/package-lock.json
-
+@@ -4750,9 +4750,9 @@
 ---
 index.js     | 2 +-
 1 files changed, 1 insertions(+), 1 deletion(-)
 diff --git a/gui/velociraptor/node_modules/follow-redirects/index.js b/gui/velociraptor/node_modules/follow-redirects/index.js
 index f58b933..c649cab 100644
 --- a/gui/velociraptor/node_modules/follow-redirects/index.js
 +++ b/gui/velociraptor/node_modules/follow-redirects/index.js
@@ -430,7 +430,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
      redirectUrlParts.protocol !== "https:" ||
      redirectUrlParts.host !== currentHost &&
      !isSubdomain(redirectUrlParts.host, currentHost)) {
 -    removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
 +    removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
             }
- 
+         },
-   // Evaluate the beforeRedirect callback
+         "node_modules/follow-redirects": {
-
+-            "version": "1.15.2",
 -            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz",
 -            "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==",
 +            "version": "1.15.6",
 +            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
 +            "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==",
             "funding": [
                 {
                     "type": "individual",
@@ -14720,9 +14720,9 @@
             }
         },
         "follow-redirects": {
 -            "version": "1.15.2",
 -            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz",
 -            "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA=="
 +            "version": "1.15.6",
 +            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
 +            "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA=="
         },
         "for-each": {
             "version": "0.3.3",
--- a/package-lock.json
+++ b/package-lock.json
--- a/velociraptor-node_modules.obscpio
+++ b/velociraptor-node_modules.obscpio
--- a/velociraptor-nodejs.spec.inc
+++ b/velociraptor-nodejs.spec.inc
--- a/velociraptor.changes
+++ b/velociraptor.changes
@ -1,3 +1,22 @@
 -------------------------------------------------------------------
 Tue May 28 16:45:51 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
 - Patches changes:
  * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
    to update the follow-redirects package instead of patching directly.
  * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
 - Add a package-lock.json to the package
 -------------------------------------------------------------------
 Sat Apr 27 16:11:14 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
 - Fix group(velociraptor) dependency for SLE 15 SP3
 -------------------------------------------------------------------
 Tue Apr 23 10:28:10 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
 - Change system-user-velociraptor to noarch
 -------------------------------------------------------------------
 Wed Apr 17 21:53:20 UTC 2024 - Jeff Mahoney <jeffm@suse.com>
--- a/velociraptor.spec
+++ b/velociraptor.spec
@ -93,14 +93,17 @@ Source8:        sysconfig.velociraptor-client
 Source9:        %{projname}.obsinfo
 Source10:       system-user-velociraptor.sysusers
 Source11:       velociraptor-nodejs.spec.inc
 Source12:       package-lock.json
 %include %{_sourcedir}/velociraptor-nodejs.spec.inc
 Patch1:         vendor-build-fixes-for-SLE12.patch
 Patch2:         sdjournal-build-fix-for-SLE12.patch
 Patch3:         velociraptor-reproducible-timestamp.diff
-# CVE-2024-28849 - bsc#1221456 - follow-redirects: Drop Proxy-Athorization across hosts
+# PATCH-FIX-UPSTREAM CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch bsc#1221456 -- follow-redirects: Drop Proxy-Athorization across hosts
 Patch4:         CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
 # PATCH-FIX-UPSTREAM CVE-2022-25883-npm-watch-semver-deps.patch bsc#1212572 -- upgrade npm-watch
 Patch5:         CVE-2022-25883-npm-watch-semver-deps.patch
 BuildRequires:  fileb0x
 %if 0%{?suse_version}
 BuildRequires:  systemd-rpm-macros
@ -163,8 +166,8 @@ Obsoletes:      velociraptor-kafka-humio-gateway < %{version}
 %endif
 %if 0%{?suse_version}
-# SLE12 doesn't support sysusers
+# SLE12 doesn't support sysusers and releases lower than SP4 don't build the server flavor which includes the system-user-velociraptor package.
-%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
+%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150400
 Requires(pre):  pwdutils
 %define pre_create_group 1
 %else
@ -218,6 +221,7 @@ License:        Apache-2.0
 Group:          System/Monitoring
 Provides:       group(velociraptor)
 Provides:       user(velociraptor)
 BuildArch:      noarch
 %description -n system-user-velociraptor
 This package provides a shared system user for all velociraptor components
@ -242,6 +246,8 @@ console, please install the 'velociraptor' package.
 %patch -P 1 -p1
 %patch -P 2 -p1
 %patch -P 3 -p1
 %patch -P 4 -p1
 %patch -P 5 -p1
 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\([[:space:]]VERSION *= \).*/\1 \"%{VERSION}\"/" constants/constants.go
@ -262,13 +268,11 @@ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-${arch}.h \
 # Note: There are dependencies on these that need to be resolved before
 # removing them outright.
 # rm -rf artifacts/definitions/Windows
 %if %{build_server}
 pushd gui/velociraptor
 rm -f package-lock.json
-local-npm-registry %{_sourcedir} install
+local-npm-registry %{_sourcedir} install --include=dev --legacy-peer-deps
 popd
 %patch -P 4 -p1
 %endif
 %build