azurelinux icon indicating copy to clipboard operation
azurelinux copied to clipboard
verified publisher icon microsoft

Update packer to 1.10.1 to address CVE-2023-49569

Open Sumynwa opened this issue 1 year ago • 0 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [x] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [x] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [x] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [ ] Ready to merge
Summary

Bump packer version to 1.10.1 to address CVE-2023-49569.

NOTE: Reference On May 16th 2023, HCP introduced multi-project support to the platform. In order to use multiple projects in your organization, you will need to update Packer to version 1.9.1 or above. Starting with 1.9.1, you may specify a project ID to push builds to with the HCP_PROJECT_ID environment variable. If no project ID is specified, Packer will pick the project with the oldest creation date. Older versions of Packer are incompatible with multi-project support on HCP, and builds will fail for HCP organizations with multiple projects on versions before 1.9.1.

Change Log
  • Bump package version
  • Remove patches no longer needed
Does this affect the toolchain?

NO

Associated issues
Links to CVEs
  • https://nvd.nist.gov/vuln/detail/CVE-2023-49569
Test Methodology

Sumynwa avatar Apr 04 '24 18:04 Sumynwa