[Low] Patch telegraf for CVE-2025-29923, CVE-2025-46327 (#14747)
Open
jykanase wants to merge 5 commits into
Author: Buddy Build is successful.
mfrw (Member) requested changes on Jun 5, 2026:
can we please rebase this to the latest 3.0-dev
mfrw (Member) approved these changes on Jun 6, 2026:
LGTM ✅
Did a thorough check on this CVE patch series:
- Spec `Release` bumped 23 → 24, and `Patch46/47/48` declared in correct order.
- `%prep` uses `%autosetup -a1 -p1` — so the new `PatchN` declarations get applied automatically; no manual `%patchN` line needed.
- All three patches apply cleanly w.r.t. the vendored sources in `v1.31.0/vendor`.
- Cross-checked every backport against its upstream commit (see per-patch notes below).
- ADO Test Build green — buildId 1133197.

Per-patch verification

CVE-2025-29923.patch (go-redis CLIENT SETINFO panic)
- Backport of upstream `d236865` (PR #3295).
- The dropped `UnstableResp3` refs are expected — that symbol doesn't exist in the older vendored copy shipped in this telegraf release.
- The `DisableIndentity → DisableIdentity` deprecation rename is preserved exactly as upstream.
- Patch looks good w.r.t. upstream ✅.

CVE-2025-46327-prereqs.patch (4-commit prereq stack on snowflakedb/gosnowflake)
- 1/4 → `e926883`
- 2/4 → `d8df82e`
- 3/4 → `61b822d`
- 4/4 → `40e4f5c`
- All four match upstream exactly. Patch looks good w.r.t. upstream ✅.

CVE-2025-46327.patch (snowflake easy-logging perm-check TOCTOU race)
- Backport of upstream `ba94a48` (PR #1382).
- The replacement of the racy `os.Stat → os.ReadFile` pair with `getFileContents(filePath, expectedPerm)` (single `Open` + `fstat` on the same fd) is exactly the upstream approach.
- Patch looks good w.r.t. upstream ✅.
Test Build
Test Build: 1133197 — ✅ succeeded (34 min)
| Stage | AMD64 | ARM64 |
|---|---|---|
| build | ✅ | ✅ |
| postbuild | ✅ | ✅ |
| test_install | ✅ | ✅ |
Only warnings on the run are pre-existing Component Governance alerts that fire on every buddy build — not caused by this PR.
Signed-Off By: @mfrw
kgodara912 requested changes on Jun 19, 2026:
The patch is too big for low CVE. Is there any better approach to backport the change?
Summary
Required backporting four patches so that the actual patch would apply. Any patches that were changed beyond adding the patch link to the commit message have been re-written such that I am listed as the author, and the main changes made were simply omitting changes to files that we do not ship.
Change Log
[Low] Patch telegraf for GHSA-92cp-5422-2mw7
Patch did not apply cleanly, I had to remove all references to UnstableResp3 as that symbol is not present in the version we ship.
Upstream Patch Link: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6.patch
Patch was found via astrolabe
[Low] Patch telegraf for GHSA-6jgm-j7h2-2fqg
Required backporting four patches so that the actual patch would apply. Any patches that were changed beyond adding the patch link to the commit message have been re-written such that I am listed as the author, and the main changes made were simply omitting changes to files that we do not ship.
Initial patch was found via astrolabe, backported supporting patches were found via git blame.
Does this affect the toolchain?
NO