Accepting request 1253945 from Virtualization:containers

- update to 0.52.1: * Make resctrl optional/pluggable - update to 0.52.0: * bump containerd related deps: api v1.8.0; errdefs v1.0.0; ttrpc v1.2.6 * chore: Update Prometheus libraries * ci: golangci-lint bump, fixes, and cleanups * bump runc to v1.2.4 * Add Pressure Stall Information Metrics * Switch to opencontainers/cgroups repository (includes update from golang 1.22 to 1.24) * Bump to newer opencontainers/image-spec @ v1.1.1 - update to 0.49.2: * Cp fix test * Revert "reduce_logs_for_kubelet_use_crio" - add CVE-2025-22868.patch (CVE-2025-22868, bsc#1239291) OBS-URL: https://build.opensuse.org/request/show/1253945 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cadvisor?expand=0&rev=4
- add CVE-2025-22868.patch (CVE-2025-22868, bsc#1239291)
2025-03-18 16:41:47 +00:00 · 2025-03-17 21:57:22 +00:00 · 2025-03-17 21:51:05 +00:00
9 changed files with 67 additions and 14 deletions
--- a/CVE-2025-22868.patch
+++ b/CVE-2025-22868.patch
@@ -0,0 +1,28 @@
+diff --git a/cmd/go.mod b/cmd/go.mod
+index 7a3835c..9701405 100644
+--- a/cmd/go.mod
+++ b/cmd/go.mod
+@@ -26,7 +26,7 @@ require (
+ 	github.com/pquerna/ffjson v0.0.0-20190930134022-aa0246cd15f7 // indirect
+ 	github.com/prometheus/client_golang v1.20.5
+ 	github.com/stretchr/testify v1.10.0
+-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/oauth2 v0.27.0
+ 	google.golang.org/api v0.169.0
+ 	gopkg.in/olivere/elastic.v2 v2.0.61
+ 	k8s.io/klog/v2 v2.100.1
+diff --git a/cmd/go.sum b/cmd/go.sum
+index 02c2121..224bc0e 100644
+--- a/cmd/go.sum
+++ b/cmd/go.sum
+@@ -310,8 +310,8 @@ golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY
+ golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+ golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
--- a/6
+++ b/6
@@ -2,7 +2,7 @@
  <service name="tar_scm" mode="manual">
    <param name="url">https://github.com/google/cadvisor.git</param>
    <param name="scm">git</param>
-    <param name="revision">v0.49.1</param>
+    <param name="revision">v0.52.1</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="changesgenerate">enable</param>
@@ -11,6 +11,10 @@
    <param name="file">cadvisor-*.tar</param>
    <param name="compression">zst</param>
  </service>
+  <service name="go_modules" mode="manual">
+    <param name="subdir">cmd</param>
+    <param name="compression">zst</param>
+  </service>
  <service name="set_version" mode="manual">
    <param name="basename">cadvisor</param>
  </service>
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/google/cadvisor.git</param>
-              <param name="changesrevision">6f3f25bac19f9f485935a19a28bdcf4edb507d80</param></service></servicedata>
+              <param name="changesrevision">0b675defd46277198f7c15c1053301421a4b733e</param></service></servicedata>
--- a/cadvisor-0.49.1.tar.zst
+++ b/cadvisor-0.49.1.tar.zst
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:39fe993889a95eef834d40b6f44897e10915bb92cece5305b8a2432a3170a58b
-size 950457
--- a/cadvisor-0.52.1.tar.zst
+++ b/cadvisor-0.52.1.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f795f9be5f7e5ac6e043914a2a5fd08ed3567cdecd1fbbfb2e38ad5a6950e12b
+size 841920
--- a/cadvisor.changes
+++ b/cadvisor.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Mon Mar 17 21:46:43 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.52.1:
+  * Make resctrl optional/pluggable
+- update to 0.52.0:
+  * bump containerd related deps: api v1.8.0; errdefs v1.0.0;
+    ttrpc v1.2.6
+  * chore: Update Prometheus libraries
+  * ci: golangci-lint bump, fixes, and cleanups
+  * bump runc to v1.2.4
+  * Add Pressure Stall Information Metrics
+  * Switch to opencontainers/cgroups repository (includes update
+    from golang 1.22 to 1.24)
+  * Bump to newer opencontainers/image-spec @ v1.1.1
+- update to 0.49.2:
+  * Cp fix test
+  * Revert "reduce_logs_for_kubelet_use_crio"
+- add CVE-2025-22868.patch (CVE-2025-22868, bsc#1239291)
+
 -------------------------------------------------------------------
 Thu Jul 11 15:42:44 UTC 2024 - dmueller@suse.com

--- a/cadvisor.spec
+++ b/cadvisor.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package cadvisor
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,20 +19,21 @@

 %global goipath github.com/google/cadvisor
 Name:           cadvisor
-Version:        0.49.1
+Version:        0.52.1
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
 Group:          System/Management
 URL:            https://github.com/google/cadvisor
 Source:         %{name}-%{version}.tar.zst
-Source1:        vendor-cmd.tar.zst
+Source1:        vendor.tar.zst
 Source2:        cadvisor.service
 Source3:        sysconfig.cadvisor
+Patch1:         CVE-2025-22868.patch
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 Requires:       ca-certificates
 Requires:       git-core
 Requires:       rpm
@@ -54,8 +55,8 @@ abstraction is based on lmctfy's so containers are inherently nested
 hierarchically.

 %prep
-%setup -qa1
-%autopatch -p1
+%autosetup -p1 -a1
+mv vendor cmd

 %build
 %{goprep} %{goipath}
--- a/vendor-cmd.tar.zst
+++ b/vendor-cmd.tar.zst
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:99577c78f6ba472852f7e881c2d416e64b459727b623c93314024bedd63a6df9
-size 4733036
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5c5861ba3da7d22779405bcee9d6f705e39acbdc6dbbd17b2e55b1552e8aa255
+size 4090132