microsoft
Updated `blobfuse2` to version 2.1.2.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- [X] The toolchain has been rebuilt successfully (or no changes were made to it)
- [X] The toolchain/worker package manifests are up-to-date
- [X] Any updated packages successfully build (or no packages were changed)
- [X] Packages depending on static components modified in this PR (Golang,
*-staticsubpackages, etc.) have had theirReleasetag incremented. - [X] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
- [X] All package sources are available
- [X] cgmanifest files are up-to-date and sorted (
./cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json) - [X] LICENSE-MAP files are up-to-date (
./SPECS/LICENSES-AND-NOTICES/data/licenses.json,./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md,./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON) - [X] All source files have up-to-date hashes in the
*.signatures.jsonfiles - [X]
sudo make go-tidy-allandsudo make go-test-coveragepass - [X] Documentation has been updated to match any changes to the build system
- [X] Ready to merge
Summary
While working on CVEs, we've noticed 3.0's blobfuse2 is behind the 2.0 version. Fixing this here.
Does this affect the toolchain?
No.
Test Methodology
- Local build.
- Buddy build.
It looks like https://github.com/Azure/azure-storage-fuse/releases/tag/blobfuse2-2.3.0 has the updated version of
netrequired to fix CVE-2023-45288, so you wouldn't need to patch it.Any reason to not do that?
I was trying to not rock the boat too much before GA, so I limited the changes to what we know already works in 2.0. Having said that, I've read the release notes for the newer versions now and looks like none introduce any breaking changes, so I'll give it a shot.