Accepting request 1247497 from security:sensor

OBS-URL: https://build.opensuse.org/request/show/1247497
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/velociraptor?expand=0&rev=19

CVE-2022-25883-npm-watch-semver-deps.patch

@@ -1,24 +0,0 @@
-From 76e999d0976ad6559574c92b79fe7432596d2d6c Mon Sep 17 00:00:00 2001
-From: snyk-bot <snyk-bot@snyk.io>
-Date: Sat, 27 Apr 2024 00:20:54 +0000
-Subject: [PATCH] fix: gui/velociraptor/package.json to reduce vulnerabilities
-
-The following vulnerabilities are fixed with an upgrade:
-- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
----
- gui/velociraptor/package.json | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: b/gui/velociraptor/package.json
-===================================================================
---- a/gui/velociraptor/package.json
-+++ b/gui/velociraptor/package.json
-@@ -31,7 +31,7 @@
-         "lodash": "^4.17.21",
-         "moment": "^2.29.4",
-         "moment-timezone": "0.5.43",
--        "npm-watch": "^0.11.0",
-+        "npm-watch": "^0.12.0",
-         "prop-types": "^15.8.1",
-         "qs": "^6.11.2",
-         "query-string": "^6.14.1",

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/SUSE/linux-security-sensor</param>
-              <param name="changesrevision">675e45f90f6a78190d8428bd0a375e9dfd483589</param></service></servicedata>
+              <param name="changesrevision">862ef239506b42b208625b83420ebed67804e11e</param></service></servicedata>

velociraptor.changes

@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Mon Feb 17 13:55:06 UTC 2025 - Darragh O'Reilly <doreilly@suse.com>
+
+- Use the latest llvm/clang on tumbleweed
+
+-------------------------------------------------------------------
+Tue Jan 28 15:46:54 UTC 2025 - Darragh O'Reilly <doreilly@suse.com>
+
+- Use llvm17 for SLE15SP6+
+
+-------------------------------------------------------------------
+Mon Jan 27 15:40:56 UTC 2025 - Darragh O'Reilly <doreilly@suse.com>
+
+- Don't try to build or use system-user-velociraptor on SLE12
+
+-------------------------------------------------------------------
+Fri Jan 17 17:37:39 UTC 2025 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Reorganize llvm dependency version conditionals
+- Use llvm17 for Leap 15.5
+
+-------------------------------------------------------------------
+Fri Jan 17 13:49:28 UTC 2025 - antonio.teixeira@suse.com
+
+- Update to version 0.7.0.4.git142.862ef23:
+  * github: fix deprecated upload artifact again
+  * Update npm packages
+    Includes fixes for the following vulnerabilities:
+    CVE-2023-45133
+    CVE-2023-46234
+    CVE-2024-55565
+    CVE-2024-45296
+    CVE-2023-44270
+    CVE-2024-47068
+    CVE-2024-23331
+    CVE-2024-31207
+    CVE-2024-45812
+    CVE-2024-45811
+  * Update go dependencies
+    Includes fixes for the following vulnerabilities:
+    CVE-2024-45338
+    CVE-2024-37298
+    CVE-2024-24786
+    CVE-2023-45683 (bsc#1216310)
+    CVE-2023-1732
+  * Update jwt to 4.5.1
+    Fixes CVE-2024-51744 (bsc#1232944)
+  * Update go-retryablehttp to 0.7.7
+    Fixes CVE-2024-6104 (bsc#1227061)
+  * Update go-oidc and go-jose
+    Fixes CVE-2024-28180 (bsc#1235168)
+  * Update dompurify to 3.1.3
+    Fixes CVE-2024-47875 (bsc#1231574)
+  * Update package-lock.json
+  * Update micromatch to 4.0.8
+    Partial fix for CVE-2024-4067 (bsc#1224367)
+    Partial fix for CVE-2024-4068 (bsc#1224296)
+  * Update axios to 1.7.9
+    Fixes CVE-2024-39338 (bsc#1229424)
+  * Update cross-spawn to 7.0.6
+    Fixes CVE-2024-21538 (bsc#1233845)
+  * Update elliptic to 6.6.1
+    Update contains fixes for:
+    CVE-2024-48949 (bsc#1231558)
+    CVE-2024-48948 (bsc#1231685)
+    CVE-2024-42459 (bsc#1232543)
+    CVE-2024-42460 (bsc#1232543)
+    CVE-2024-42461 (bsc#1232543)
+  * Update follow-redirects to 1.15.6
+    Fixes CVE-2024-28849 (bsc#1221456)
+  * fix: gui/velociraptor/package.json to reduce vulnerabilities
+    Fixes CVE-2022-25883 (bsc#1212572)
+- Drop CVE-2022-25883-npm-watch-semver-deps.patch
+  * Fix was included upstream
+
+-------------------------------------------------------------------
+Tue Jan 14 20:22:25 UTC 2025 - doreilly@suse.com
+
+- Update to version 0.7.0.4.git126.27cfbe1:
+  * bpf: fix plugins not stopping when context cancelled
+  * tcpsnoop: move parsing to its own function
+  * bpf plugins: remove depreciated libbpfgo calls
+  * bpf plugins: add context to error logs
+  * chattrsnoop: fix files not getting closed
+  * chattrsnoop: move hashing from plugin to artifact
+  * RPM artifact: start checks immediately on artifact load
+  * rpm plugin: fix ndb magic error
+  * audit s390x: fix arch filter rules errors
+  * github: fix deprecated upload artifact
+  * tcpsnoop: fix ipv6 local and remote addresses order
+  * tcpsnoop: fix missing ipv6 outbound connections
+  * Linux.Events.ProcessExecutions: remove parent cmdline
+  * audit: reduce FileBufferLeaseSize to ease GC overhead
+  * audit: fix auditBuf allocation and go vet warnings
+  * audit: fix plugin shutdown race condition
+  * audit: fix audit client data races
+  * audit: fix race in subscriber
+  * audit: prevent Windows loading audit package
+  * sdjournal: fix package causing test failures
+  * github: run linux unit tests
+
 -------------------------------------------------------------------
 Mon Aug 19 20:45:30 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
 

velociraptor.obsinfo

@@ -1,4 +1,4 @@
 name: velociraptor
-version: 0.7.0.4.git97.675e45f9
+version: 0.7.0.4.git142.862ef23
-mtime: 1719345654
+mtime: 1737120535
-commit: 675e45f90f6a78190d8428bd0a375e9dfd483589
+commit: 862ef239506b42b208625b83420ebed67804e11e

velociraptor.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package velociraptor
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,6 +51,18 @@
 %bcond_without bpf
 %endif
 
+%if %{with bpf} && 0%{?suse_version}
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150600 || (0%{?sle_version} == 150500 && 0%{?is_opensuse})
+%global llvm_version 17
+%else
+%if 0%{?sle_version} >= 150300
+%global llvm_version 16
+%else
+%global llvm_version 13
+%endif
+%endif
+%endif
+
 %if "%{_vendor}" == "debbuild"
 %define _unitdir /usr/lib/systemd/system
 %endif
@@ -71,7 +83,7 @@
 %endif
 
 Name:           velociraptor%{name_suffix}
-Version:        0.7.0.4.git97.675e45f9
+Version:        0.7.0.4.git142.862ef23
 Release:        0
 %if %{build_server}
 Summary:        Endpoint visibility and collection tool
@@ -100,8 +112,6 @@ Source12:       package-lock.json
 Patch1:         vendor-build-fixes-for-SLE12.patch
 Patch2:         sdjournal-build-fix-for-SLE12.patch
 Patch3:         velociraptor-reproducible-timestamp.diff
-# PATCH-FIX-UPSTREAM CVE-2022-25883-npm-watch-semver-deps.patch bsc#1212572 -- upgrade npm-watch
-Patch4:         CVE-2022-25883-npm-watch-semver-deps.patch
 BuildRequires:  fileb0x
 %if 0%{?suse_version}
 BuildRequires:  systemd-rpm-macros
@@ -124,22 +134,19 @@ BuildRequires:  local-npm-registry
 BuildRequires:  nodejs >= 18
 BuildRequires:  npm >= 18
 %endif
+
 %if %{with bpf}
 %if 0%{?suse_version}
-%if 0%{?suse_version} > 1500 || 0%{?sle_version} == 150600
+# Use latest llvm/clang on TW
-BuildRequires:  clang17
+%if 0%{?suse_version} == 1699
-BuildRequires:  llvm17
+BuildRequires:  clang
+BuildRequires:  llvm
 %else
-%if 0%{?sle_version} >= 150300
+BuildRequires:  clang%{?llvm_version}
-BuildRequires:  clang16
+BuildRequires:  llvm%{?llvm_version}
-BuildRequires:  llvm16
+%if 0%{?sle_version} == 150500 && !0%{?is_opensuse}
-%if 0%{?sle_version} > 150400
 BuildRequires:  llvm16-libclang13
 %endif
-%else
-BuildRequires:  clang13
-BuildRequires:  llvm13
-%endif
 %endif
 BuildRequires:  libelf-devel
 BuildRequires:  libzstd-devel
@@ -234,7 +241,7 @@ https://docs.velociraptor.app/
 This package contains only the endpoint agent.  For the full server and GUI
 console, please install the 'velociraptor' package.
 
-%if 0%{?suse_version}
+%if 0%{?suse_version} && !0%{?pre_create_group}
 %package -n system-user-velociraptor
 Summary:        System user and group 'velociraptor'
 Version:        1.0.0
@@ -251,10 +258,7 @@ This package provides a shared system user for all velociraptor components
 
 %prep
 %setup -q -a 1 -a 2 -n %{projname}-%{VERSION}
-%patch -P 1 -p1
+%autopatch -p1
-%patch -P 2 -p1
-%patch -P 3 -p1
-%patch -P 4 -p1
 
 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\([[:space:]]VERSION *= \).*/\1 \"%{VERSION}\"/" constants/constants.go
@@ -322,7 +326,7 @@ sysconfig_file_source=%{SOURCE7}
 config_file=server.config
 
 %else
-%if 0%{?suse_version}
+%if 0%{?suse_version} && !0%{?pre_create_group}
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-user-velociraptor.conf
 %endif
 service_file_source=%{SOURCE5}
@@ -364,7 +368,7 @@ install -D -m 0755 output/velociraptor-v%{VERSION}-linux-* %buildroot/%{_bindir}
 %dir %attr(%{state_dir_perms}) %{_sharedstatedir}/%{name}/tmp
 
 %if %{build_client}
-%if 0%{?suse_version}
+%if 0%{?suse_version} && !0%{?pre_create_group}
 %files -n system-user-velociraptor
 %defattr(-, root, root)
 %{_sysusersdir}/system-user-velociraptor.conf