From b87bb602182e210da2cff03065cf7034bdae4876 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Sat, 11 Jul 2026 16:53:29 +0000 Subject: [PATCH] Patch telegraf for CVE-2026-58253, CVE-2026-58252, CVE-2026-58251, CVE-2026-58250, CVE-2026-58209, CVE-2026-58208, CVE-2026-58207 --- SPECS/telegraf/CVE-2026-58207.patch | 63 ++++++++++++++++++++ SPECS/telegraf/CVE-2026-58208.patch | 90 +++++++++++++++++++++++++++++ SPECS/telegraf/CVE-2026-58209.patch | 50 ++++++++++++++++ SPECS/telegraf/CVE-2026-58250.patch | 52 +++++++++++++++++ SPECS/telegraf/CVE-2026-58251.patch | 64 ++++++++++++++++++++ SPECS/telegraf/CVE-2026-58252.patch | 47 +++++++++++++++ SPECS/telegraf/CVE-2026-58253.patch | 55 ++++++++++++++++++ SPECS/telegraf/telegraf.spec | 12 +++- 8 files changed, 432 insertions(+), 1 deletion(-) create mode 100644 SPECS/telegraf/CVE-2026-58207.patch create mode 100644 SPECS/telegraf/CVE-2026-58208.patch create mode 100644 SPECS/telegraf/CVE-2026-58209.patch create mode 100644 SPECS/telegraf/CVE-2026-58250.patch create mode 100644 SPECS/telegraf/CVE-2026-58251.patch create mode 100644 SPECS/telegraf/CVE-2026-58252.patch create mode 100644 SPECS/telegraf/CVE-2026-58253.patch diff --git a/SPECS/telegraf/CVE-2026-58207.patch b/SPECS/telegraf/CVE-2026-58207.patch new file mode 100644 index 00000000000..b8864340f92 --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58207.patch @@ -0,0 +1,63 @@ +From b9842abe9b95268ed25be7d0429a43bb3413a263 Mon Sep 17 00:00:00 2001 +From: Maurice van Veen +Date: Thu, 18 Jun 2026 10:59:49 +0200 +Subject: [PATCH] Connz/Subsz pagination panic on Offset+Limit integer overflow + +Signed-off-by: Maurice van Veen +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/894d9411927681d66ce349bf1afe49608dc0c1a3.patch +--- + .../nats-io/nats-server/v2/server/monitor.go | 28 ++++--------------- + 1 file changed, 6 insertions(+), 22 deletions(-) + +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/monitor.go b/vendor/github.com/nats-io/nats-server/v2/server/monitor.go +index 3da0930d..96793902 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/monitor.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/monitor.go +@@ -506,18 +506,10 @@ func (s *Server) Connz(opts *ConnzOptions) (*Connz, error) { + sort.Sort(sort.Reverse(byRTT{pconns})) + } + +- minoff := c.Offset +- maxoff := c.Offset + c.Limit +- +- maxIndex := totalClients +- + // Make sure these are sane. +- if minoff > maxIndex { +- minoff = maxIndex +- } +- if maxoff > maxIndex { +- maxoff = maxIndex +- } ++ maxIndex := totalClients ++ minoff := min(max(c.Offset, 0), maxIndex) ++ maxoff := minoff + min(c.Limit, maxIndex-minoff) + + // Now pare down to the requested size. + // TODO(dlc) - for very large number of connections we +@@ -1019,18 +1011,10 @@ func (s *Server) Subsz(opts *SubszOptions) (*Subsz, error) { + sub.client.mu.Unlock() + i++ + } +- minoff := sz.Offset +- maxoff := sz.Offset + sz.Limit +- +- maxIndex := i +- + // Make sure these are sane. +- if minoff > maxIndex { +- minoff = maxIndex +- } +- if maxoff > maxIndex { +- maxoff = maxIndex +- } ++ maxIndex := i ++ minoff := min(max(sz.Offset, 0), maxIndex) ++ maxoff := minoff + min(sz.Limit, maxIndex-minoff) + sz.Subs = details[minoff:maxoff] + sz.Total = len(sz.Subs) + } else { +-- +2.45.4 + diff --git a/SPECS/telegraf/CVE-2026-58208.patch b/SPECS/telegraf/CVE-2026-58208.patch new file mode 100644 index 00000000000..f93df28eb0b --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58208.patch @@ -0,0 +1,90 @@ +From cd3fe2220270483a9b20abc65e4329b7a9cfb52a Mon Sep 17 00:00:00 2001 +From: Maurice van Veen +Date: Thu, 18 Jun 2026 08:54:11 +0200 +Subject: [PATCH] WebSocket /mqtt upgrade panics when MQTT is disabled + +Signed-off-by: Maurice van Veen +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4.patch +--- + plugins/outputs/websocket/websocket_test.go | 50 +++++++++++++++++++ + .../nats-server/v2/server/websocket.go | 5 ++ + 2 files changed, 55 insertions(+) + +diff --git a/plugins/outputs/websocket/websocket_test.go b/plugins/outputs/websocket/websocket_test.go +index 98289055..ea5b181b 100644 +--- a/plugins/outputs/websocket/websocket_test.go ++++ b/plugins/outputs/websocket/websocket_test.go +@@ -221,3 +221,53 @@ func TestWebSocket_Close(t *testing.T) { + // Check no error on second close. + require.NoError(t, w.Close()) + } ++ ++func TestWSUpgradeMQTTOnlyWhenEnabled(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ mqttPort int ++ path string ++ kind int ++ err string ++ }{ ++ {"mqtt disabled rejects /mqtt", 0, mqttWSPath, 0, "mqtt websocket endpoint not enabled"}, ++ {"mqtt enabled allows /mqtt", -1, mqttWSPath, MQTT, _EMPTY_}, ++ {"mqtt disabled allows client path", 0, "/", CLIENT, _EMPTY_}, ++ } { ++ t.Run(test.name, func(t *testing.T) { ++ opts := testWSOptions() ++ opts.MQTT.Port = test.mqttPort ++ s := &Server{opts: opts} ++ s.wsSetOriginOptions(&opts.Websocket) ++ ++ rw := &testResponseWriter{} ++ req := testWSCreateValidReq() ++ req.URL = &url.URL{Path: test.path} ++ res, err := s.wsUpgrade(rw, req) ++ ++ if test.err != _EMPTY_ { ++ if err == nil || !strings.Contains(err.Error(), test.err) { ++ t.Fatalf("Expected error %q, got %v", test.err, err) ++ } ++ if res != nil { ++ t.Fatalf("Should not have returned a result, got %v", res) ++ } ++ expected := fmt.Sprintf("%v%s\n", http.StatusNotFound, http.StatusText(http.StatusNotFound)) ++ if got := rw.buf.String(); got != expected { ++ t.Fatalf("Expected response %q, got %q", expected, got) ++ } ++ return ++ } ++ ++ if err != nil { ++ t.Fatalf("Unexpected error: %v", err) ++ } ++ if res == nil { ++ t.Fatal("Expected an upgrade result, got nil") ++ } ++ if res.kind != test.kind { ++ t.Fatalf("Expected upgrade kind %v, got %v", test.kind, res.kind) ++ } ++ }) ++ } ++} +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/websocket.go b/vendor/github.com/nats-io/nats-server/v2/server/websocket.go +index 1804b4de..f5c45aed 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/websocket.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/websocket.go +@@ -720,6 +720,11 @@ func (s *Server) wsUpgrade(w http.ResponseWriter, r *http.Request) (*wsUpgradeRe + + opts := s.getOpts() + ++ // Reject MQTT-over-WebSocket upgrades unless MQTT is enabled. ++ if kind == MQTT && opts.MQTT.Port == 0 { ++ return nil, wsReturnHTTPError(w, r, http.StatusNotFound, "mqtt websocket endpoint not enabled") ++ } ++ + // From https://tools.ietf.org/html/rfc6455#section-4.2.1 + // Point 1. + if r.Method != "GET" { +-- +2.45.4 + diff --git a/SPECS/telegraf/CVE-2026-58209.patch b/SPECS/telegraf/CVE-2026-58209.patch new file mode 100644 index 00000000000..58b22e8f19d --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58209.patch @@ -0,0 +1,50 @@ +From 79480a2bfcd7b77490cffebee3a93c38437d735d Mon Sep 17 00:00:00 2001 +From: Maurice van Veen +Date: Thu, 18 Jun 2026 09:28:23 +0200 +Subject: [PATCH] MQTT subscribe deny not enforced on retained/QoS replay paths + +Signed-off-by: Maurice van Veen +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f6334896cd87.patch +--- + .../nats-io/nats-server/v2/server/mqtt.go | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go +index f5ef29e6..637d682c 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/mqtt.go +@@ -2671,6 +2671,13 @@ func (as *mqttAccountSessionManager) serializeRetainedMsgsForSub(rms map[string] + // calling serialize. + continue + } ++ // A broad wildcard subscription can overlap a subscribe deny clause. ++ c.mu.Lock() ++ denied := c.mperms != nil && c.checkDenySub(string(subj)) ++ c.mu.Unlock() ++ if denied { ++ return ++ } + var pi uint16 + qos := mqttGetQoS(rm.Flags) + if qos > sub.mqtt.qos { +@@ -4702,6 +4709,16 @@ func mqttDeliverMsgCbQoS12(sub *subscription, pc *client, _ *Account, subject, r + return + } + ++ // A broad wildcard subscription can overlap a subscribe deny clause. ++ cc.mu.Lock() ++ denied := cc.mperms != nil && cc.checkDenySub(strippedSubj) ++ cc.mu.Unlock() ++ if denied { ++ sess.mu.Unlock() ++ sess.jsa.sendAck(reply) ++ return ++ } ++ + pi, dup := sess.trackPublish(sub.mqtt.jsDur, reply) + sess.mu.Unlock() + +-- +2.45.4 + diff --git a/SPECS/telegraf/CVE-2026-58250.patch b/SPECS/telegraf/CVE-2026-58250.patch new file mode 100644 index 00000000000..ee5be64b2e5 --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58250.patch @@ -0,0 +1,52 @@ +From 68e1bb6d032212721828564e7cce5c5073fc3486 Mon Sep 17 00:00:00 2001 +From: Daniele Sciascia +Date: Fri, 17 Apr 2026 18:20:29 +0200 +Subject: [PATCH] Prevent pre-auth leafnode INFO nil derefs + +Inbound leaf connections can process INFO before CONNECT during +compression negotiation. A second INFO in that state could still +reach paths that assume c.acc or c.leaf.remote are set and panic. + +Reject those cases with an authorization violation instead, +and add a regression test for the double-INFO sequence. + +Signed-off-by: Daniele Sciascia +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27.patch +--- + .../nats-io/nats-server/v2/server/leafnode.go | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go +index 652ec5d1..e775bd4b 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/leafnode.go +@@ -1346,6 +1346,12 @@ func (c *client) processLeafnodeInfo(info *Info) { + + // Check if we have the remote account information and if so make sure it's stored. + if info.RemoteAccount != _EMPTY_ { ++ if c.acc == nil { ++ c.mu.Unlock() ++ c.sendErr("Authorization Violation") ++ c.closeConnection(ProtocolViolation) ++ return ++ } + s.leafRemoteAccounts.Store(c.acc.Name, info.RemoteAccount) + } + c.mu.Unlock() +@@ -2997,6 +3003,12 @@ func (s *Server) leafNodeFinishConnectProcess(c *client) { + return + } + remote := c.leaf.remote ++ if remote == nil || c.acc == nil { ++ c.mu.Unlock() ++ c.sendErr("Authorization Violation") ++ c.closeConnection(ProtocolViolation) ++ return ++ } + // Check if we will need to send the system connect event. + remote.RLock() + sendSysConnectEvent := remote.Hub +-- +2.45.4 + diff --git a/SPECS/telegraf/CVE-2026-58251.patch b/SPECS/telegraf/CVE-2026-58251.patch new file mode 100644 index 00000000000..9496562d7f6 --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58251.patch @@ -0,0 +1,64 @@ +From 846ebad87c005299a27409ef9b288dacac90a2de Mon Sep 17 00:00:00 2001 +From: Daniele Sciascia +Date: Fri, 27 Mar 2026 15:03:22 +0100 +Subject: [PATCH] Prevent queue subscriptions from bypassing plain subject + denies + +A user with a list containing both plain and queue subscribe +permissions, could be allowed to create subscriptions that +should have been denied. For example: + +``` +permissions: { + subscribe: { allow: ">", deny: ["admin.>", "> restricted"] } +} +``` + +`SUB admin.secret workers 1` should be denied because of the +`admin.>` deny rule. However, because the queue deny check did +not match, the earlier deny was incorrectly overwritten. +The fix ensures that queue subscriptions are denied as soon +as one of the deny rules applies. + +Signed-off-by: Daniele Sciascia +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/79c2f6e9ff87f594596337b6427dda85c38d1fe1.patch +--- + plugins/inputs/ecs/client_test.go | 7 +++++++ + vendor/github.com/nats-io/nats-server/v2/server/client.go | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/plugins/inputs/ecs/client_test.go b/plugins/inputs/ecs/client_test.go +index 71974031..d1e57cf4 100644 +--- a/plugins/inputs/ecs/client_test.go ++++ b/plugins/inputs/ecs/client_test.go +@@ -301,6 +301,13 @@ func TestResolveStatsURL(t *testing.T) { + ver: 3, + exp: "http://169.254.170.2/v3/metadata/task/stats", + }, ++ { ++ name: "plain sub deny bypassed by queue deny rules", ++ perms: &SubjectPermission{Allow: []string{">"}, Deny: []string{"admin.>", "> restricted"}}, ++ subject: "admin.secret", ++ queue: "workers", ++ want: "-ERR 'Permissions Violation for Subscription to \"admin.secret\" using queue \"workers\"'\r\n", ++ }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/client.go b/vendor/github.com/nats-io/nats-server/v2/server/client.go +index cd24cc8b..4bd67688 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/client.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/client.go +@@ -3004,7 +3004,7 @@ func (c *client) canSubscribe(subject string, optQueue ...string) bool { + r := c.perms.sub.deny.Match(subject) + allowed = len(r.psubs) == 0 + +- if queue != _EMPTY_ && len(r.qsubs) > 0 { ++ if allowed && queue != _EMPTY_ && len(r.qsubs) > 0 { + // If the queue appears in the deny list, then DO NOT allow. + allowed = !queueMatches(queue, r.qsubs) + } +-- +2.45.4 + diff --git a/SPECS/telegraf/CVE-2026-58252.patch b/SPECS/telegraf/CVE-2026-58252.patch new file mode 100644 index 00000000000..333f7283788 --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58252.patch @@ -0,0 +1,47 @@ +From 1142a8ea87c2f123dc095b55e7c0bad452dee196 Mon Sep 17 00:00:00 2001 +From: Daniele Sciascia +Date: Fri, 27 Mar 2026 13:09:24 +0100 +Subject: [PATCH] Enforce subscription deny on overlapping subjects + +Method `client.canSubscribe` used `subjectIsSubsetMatch` +to determine if a subscription deny filter should be set on +a given subject. That missed overlapping wildcard patterns +such as "*.secret" and "foo.*", allowing denied messaged +to be delivered. A subscription to "foo.*" could deliver +denied messages on "foo.secret". +The fix replaces `subjectIsSubsetMatch` with `SubjectsCollide`, +which detects arbitrary intersections between wildcard +subjects. + +Signed-off-by: Daniele Sciascia +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/e611ca9604697b02d8f22beb76037400a9cf72e6.patch +--- + vendor/github.com/nats-io/nats-server/v2/server/client.go | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/client.go b/vendor/github.com/nats-io/nats-server/v2/server/client.go +index 4bd67688..97136bab 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/client.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/client.go +@@ -3010,13 +3010,14 @@ func (c *client) canSubscribe(subject string, optQueue ...string) bool { + } + + // We use the actual subscription to signal us to spin up the deny mperms +- // and cache. We check if the subject is a wildcard that contains any of ++ // and cache. We check if the subject is a wildcard that intersects any of + // the deny clauses. + // FIXME(dlc) - We could be smarter and track when these go away and remove. + if allowed && c.mperms == nil && subjectHasWildcard(subject) { +- // Whip through the deny array and check if this wildcard subject is within scope. ++ // Whip through the deny array and check if this wildcard subject can ++ // overlap with any denied deliveries. + for _, sub := range c.darray { +- if subjectIsSubsetMatch(sub, subject) { ++ if SubjectsCollide(sub, subject) { + c.loadMsgDenyFilter() + break + } +-- +2.45.4 + diff --git a/SPECS/telegraf/CVE-2026-58253.patch b/SPECS/telegraf/CVE-2026-58253.patch new file mode 100644 index 00000000000..8dbe71bc7f6 --- /dev/null +++ b/SPECS/telegraf/CVE-2026-58253.patch @@ -0,0 +1,55 @@ +From 838c097a3600be1bebcfc0ad9e0ad81c7bb2e5c5 Mon Sep 17 00:00:00 2001 +From: Neil Twigg +Date: Fri, 27 Mar 2026 10:54:10 +0000 +Subject: [PATCH] Restrict `no_auth_user` to client connections only + +Signed-off-by: Neil Twigg +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nats-io/nats-server/commit/b86147e81710a52b72a7f7275f91d69f723f5cb3.patch +--- + .../nats-io/nats-server/v2/server/parser.go | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/vendor/github.com/nats-io/nats-server/v2/server/parser.go b/vendor/github.com/nats-io/nats-server/v2/server/parser.go +index 74f55f57..ce20fa6b 100644 +--- a/vendor/github.com/nats-io/nats-server/v2/server/parser.go ++++ b/vendor/github.com/nats-io/nats-server/v2/server/parser.go +@@ -165,7 +165,7 @@ func (c *client) parse(buf []byte) error { + var ok bool + // Check here for NoAuthUser. If this is set allow non CONNECT protos as our first. + // E.g. telnet proto demos. +- if noAuthUser := s.getOpts().NoAuthUser; noAuthUser != _EMPTY_ { ++ if noAuthUser := s.getOpts().NoAuthUser; noAuthUser != _EMPTY_ && c.kind == CLIENT { + s.mu.Lock() + user, exists := s.users[noAuthUser] + s.mu.Unlock() +@@ -179,16 +179,19 @@ func (c *client) parse(buf []byte) error { + } + } + if !ok { ++ // Non-client connections (routes, leafnodes, gateways) must ++ // always start with a CONNECT protocol message. ++ switch c.kind { ++ case ROUTER, LEAF: ++ goto authErr ++ case GATEWAY: ++ if c.gw == nil || (!c.gw.outbound && !c.gw.connected) { ++ goto authErr ++ } ++ } + goto authErr + } + } +- // If the connection is a gateway connection, make sure that +- // if this is an inbound, it starts with a CONNECT. +- if c.kind == GATEWAY && !c.gw.outbound && !c.gw.connected { +- // Use auth violation since no CONNECT was sent. +- // It could be a parseErr too. +- goto authErr +- } + } + switch b { + case 'P', 'p': +-- +2.45.4 + diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index c50196d110e..76beb8e8dee 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.31.0 -Release: 23%{?dist} +Release: 24%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -58,6 +58,13 @@ Patch41: CVE-2026-39828.patch Patch43: CVE-2026-39835.patch Patch44: CVE-2026-42502.patch Patch45: CVE-2026-46598.patch +Patch46: CVE-2026-58207.patch +Patch47: CVE-2026-58208.patch +Patch48: CVE-2026-58209.patch +Patch49: CVE-2026-58250.patch +Patch50: CVE-2026-58251.patch +Patch51: CVE-2026-58252.patch +Patch52: CVE-2026-58253.patch BuildRequires: golang BuildRequires: systemd-devel @@ -122,6 +129,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Sat Jul 11 2026 Azure Linux Security Servicing Account - 1.31.0-24 +- Patch for CVE-2026-58253, CVE-2026-58252, CVE-2026-58251, CVE-2026-58250, CVE-2026-58209, CVE-2026-58208, CVE-2026-58207 + * Tue Jun 02 2026 Azure Linux Security Servicing Account - 1.31.0-23 - Patch for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39828, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680