Merge pull request #2860 from flatcar/krnowak/missing-profile-changes

Missing profile changes

changelog/security/2025-04-38-weekly-updates.md

@@ -0,0 +1,2 @@
+- c-ares ([CVE-2025-31498](https://www.cve.org/CVERecord?id=CVE-2025-31498))
+- containerd ([CVE-2024-40635](https://www.cve.org/CVERecord?id=CVE-2024-40635))

changelog/updates/2025-04-28-weekly-updates.md

@@ -0,0 +1,33 @@
+- SDK: rust ([1.85.1](https://github.com/rust-lang/rust/releases/tag/1.85.1) (includes [1.85.0](https://github.com/rust-lang/rust/releases/tag/1.85.0)))
+- azure, dev, gce, sysext-python: gdbm ([1.25](https://lists.gnu.org/archive/html/info-gnu/2025-03/msg00010.html))
+- base, dev: azure-vm-utils ([0.6.0](https://github.com/Azure/azure-vm-utils/releases/tag/v0.6.0) (includes [0.5.2](https://github.com/Azure/azure-vm-utils/releases/tag/v0.5.2), [0.5.1](https://github.com/Azure/azure-vm-utils/releases/tag/v0.5.1), [0.5.0](https://github.com/Azure/azure-vm-utils/releases/tag/v0.5.0)))
+- base, dev: bind ([9.18.31](https://bind9.readthedocs.io/en/v9.18.31/notes.html#notes-for-bind-9-18-31) (includes [9.18.30](https://bind9.readthedocs.io/en/v9.18.30/notes.html#notes-for-bind-9-18-30)))
+- base, dev: elfutils ([0.192](https://inbox.sourceware.org/elfutils-devel/CAJDtP-T3+gXqHWp3T0mejWWbPr0_1tHetEXwfB67-o+zz7ShiA@mail.gmail.com/T/))
+- base, dev: ethtool ([6.11](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.11))
+- base, dev: iproute2 ([6.14.0](https://lore.kernel.org/all/20250324092319.28d39f2f@hermes.local/))
+- base, dev: libnvme ([1.12](https://github.com/linux-nvme/libnvme/releases/tag/v1.12))
+- base, dev: libxcrypt ([4.4.38](https://github.com/besser82/libxcrypt/releases/tag/v4.4.38) (includes [4.4.37](https://github.com/besser82/libxcrypt/releases/tag/v4.4.37)))
+- base, dev: nvme-cli ([2.12](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.12))
+- base, dev: open-iscsi ([2.1.11](https://github.com/open-iscsi/open-iscsi/blob/2.1.11/Changelog))
+- base, dev: open-isns ([0.103](https://github.com/open-iscsi/open-isns/releases/tag/v0.103))
+- base, dev: pkgconf ([2.4.3](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.3/NEWS) (includes [2.4.2](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.2/NEWS), [2.4.1](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.1/NEWS), [2.4.0](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.0/NEWS)))
+- base, dev: rpcbind ([1.2.7](http://git.linux-nfs.org/?p=steved/rpcbind.git;a=shortlog;h=refs/tags/rpcbind-1_2_7))
+- base, dev: timezone-data ([2025b](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/6JVHNHLB6I2WAYTQ75L6KEPEQHFXAJK3/))
+- base, dev: xfsprogs ([6.13.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.13.0))
+- dev: eselect ([1.4.30](https://gitweb.gentoo.org/proj/eselect.git/tree/NEWS?h=eselect-1.4.30))
+- dev: mpfr ([4.2.2](https://www.mpfr.org/mpfr-4.2.2/))
+- sysext-docker: docker-buildx ([0.21.2](https://github.com/docker/buildx/releases/tag/v0.21.2) (includes [0.21.1](https://github.com/docker/buildx/releases/tag/v0.21.1), [0.21.0](https://github.com/docker/buildx/releases/tag/v0.21.0)))
+- sysext-podman, vmware: fuse ([3.17.2](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.2) (includes [3.17.1](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.1)))
+- sysext-podman: aardvark-dns ([1.14.0](https://github.com/containers/aardvark-dns/releases/tag/v1.14.0) (includes [1.13.1](https://github.com/containers/aardvark-dns/releases/tag/v1.13.1), [1.13.0](https://github.com/containers/aardvark-dns/releases/tag/v1.13.0)))
+- sysext-podman: conmon ([2.1.13](https://github.com/containers/conmon/releases/tag/v2.1.13) (includes [2.1.12](https://github.com/containers/conmon/releases/tag/v2.1.12)))
+- sysext-podman: containers-common ([0.62.2](https://github.com/containers/common/releases/tag/v0.62.2) (includes [0.62.1](https://github.com/containers/common/releases/tag/v0.62.1), [0.62.0](https://github.com/containers/common/releases/tag/v0.62.0), [0.61.0](https://github.com/containers/common/releases/tag/v0.61.0)))
+- sysext-podman: containers-image ([5.34.2](https://github.com/containers/image/releases/tag/v5.34.2) (includes [5.34.1](https://github.com/containers/image/releases/tag/v5.34.1), [5.34.0](https://github.com/containers/image/releases/tag/v5.34.0), [5.33.0](https://github.com/containers/image/releases/tag/v5.33.0)))
+- sysext-podman: containers-shortnames ([2025.03.19](https://github.com/containers/shortnames/releases/tag/v2025.03.19))
+- sysext-podman: containers-storage ([1.57.2](https://github.com/containers/storage/releases/tag/v1.57.2) (includes [1.57.1](https://github.com/containers/storage/releases/tag/v1.57.1), [1.57.0](https://github.com/containers/storage/releases/tag/v1.57.0), [1.56.0](https://github.com/containers/storage/releases/tag/v1.56.0)))
+- sysext-podman: netavark ([1.14.1](https://github.com/containers/netavark/releases/tag/v1.14.1) (includes [1.14.0](https://github.com/containers/netavark/releases/tag/v1.14.0), [1.13.1](https://github.com/containers/netavark/releases/tag/v1.13.1), [1.13.0](https://github.com/containers/netavark/releases/tag/v1.13.0)))
+- sysext-podman: passt ([2025.02.17](https://archives.passt.top/passt-user/20250217101614.561b23bc@elisabeth/T/#u))
+- sysext-python: rich ([14.0.0](https://github.com/Textualize/rich/releases/tag/v14.0.0))
+- sysext-python: trove-classifiers ([2025.4.11.15](https://github.com/pypa/trove-classifiers/releases/tag/2025.4.11.15))
+- sysext-python: typing-extensions ([4.13.2](https://github.com/python/typing_extensions/releases/tag/4.13.2) (includes [4.13.1](https://github.com/python/typing_extensions/releases/tag/4.13.1), [4.13.0](https://github.com/python/typing_extensions/releases/tag/4.13.0)))
+- sysext-python: urllib3 ([2.4.0](https://github.com/urllib3/urllib3/releases/tag/2.4.0))
+- sysext-python: wheel ([0.46.1](https://github.com/pypa/wheel/releases/tag/0.46.1) (includes [0.46.0](https://github.com/pypa/wheel/releases/tag/0.46.0)))

sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind

@@ -39,26 +39,13 @@ fowners() {
 # of the script. Thus we fool the phase function by putting an empty
 # key file there, so the function won't trigger the generation. We
 # drop the key file later too.
-#
-# TODO: The paths ought to be prefixed with ${EROOT}, but the
-# 9.18.29-r2 ebuild is botched in this regard. This was fixed in
-# 9.18.31-r1, so when we update to that version, the ${EROOT} prefix
-# will need to be added.
 cros_pre_pkg_postinst_add_fake_rndc_key() {
-    local dir='/etc/bind'
+    local dir="${EROOT}/etc/bind"
     if [[ ! -d "${dir}" ]]; then
         mkdir "${dir}" || die
     fi
     touch "${dir}/rndc.key" || die
 }
-# TODO: This function should just do:
-#
-# rm -rf "${EROOT}/etc/bind" || die
 cros_post_pkg_postinst_drop_fake_rndc_key() {
-    # Remove the file only if it exists and is empty.
-    local dir='/etc/bind' file="${dir}/rndc.key"
-    if [[ -f "${file}" && ! -s "${file}" ]]; then
-       rm -f "${file}" || die
-    fi
-    rmdir "${dir}" # it's fine if it fails
+    rm -rf "${EROOT}/etc/bind" || die
 }

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -7,6 +7,9 @@
 # Gentoo upstream package stabilisation
 # (the following packages are "unstable" upstream; we're stabilising these)
 
+# Needed to address CVE-2024-40635.
+=app-containers/containerd-2.0.4 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =app-containers/cri-tools-1.32.0 ~arm64
 
@@ -28,6 +31,9 @@
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =app-crypt/clevis-19-r1 **
 
+# Keep versions on both arches in sync.
+=app-crypt/tpm2-tss-4.1.3-r2 ~amd64
+
 # Needed by arm64-native SDK.
 =app-emulation/open-vmdk-1.0 *
 
@@ -38,11 +44,7 @@
 # arm64, and fix a segfault concerning vgetrandom.
 =dev-lang/go-1.24.2-r2 ~amd64 ~arm64
 
-# Needed to address CVE-2024-56406.
-=dev-lang/perl-5.40.2 ~amd64 ~arm64
-
 # Keep versions on both arches in sync.
-=dev-lang/python-3.11.12 ~amd64
 =dev-lang/yasm-1.3.0-r1 ~arm64
 =dev-libs/ding-libs-0.6.2-r1 ~arm64
 
@@ -61,6 +63,12 @@
 # Catalyst 4 is not stable yet, but earlier versions are masked now.
 =dev-util/catalyst-4.0.0 ~amd64 ~arm64
 
+# Keep versions on both arches in sync.
+=net-dns/bind-9.18.31-r1 ~arm64
+
+# Needed to address CVE-2025-31498.
+=net-dns/c-ares-1.34.5 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =net-firewall/conntrack-tools-1.4.8-r1 ~arm64
 
@@ -77,11 +85,10 @@
 # Needed to address CVE-2024-53580.
 =net-misc/iperf-3.18 ~amd64 ~arm64
 
-# Needed to address CVE-2024-54661
-=net-misc/socat-1.8.0.3 ~amd64 ~arm64
-
-# Package has not been stabilised yet.
-=sys-apps/azure-vm-utils-0.4.0 ~amd64 ~arm64
+# Package has not been stabilised yet. Nothing is using it in Gentoo,
+# so it will never be stabilized. Thus an unusual form is used to pick
+# up the latest version of the package with the unstable keywords.
+sys-apps/azure-vm-utils
 
 # Keep versions on both arches in sync.
 =sys-apps/policycoreutils-3.7 ~arm64
@@ -90,7 +97,7 @@
 =sys-apps/zram-generator-1.2.1 ~arm64
 
 # Needed to avoid pulling python into production images.
-=sys-auth/sssd-2.9.6-r1 ~arm64
+=sys-auth/sssd-2.9.6-r3 ~arm64
 
 # Keep versions on both arches in sync.
 =sys-boot/mokutil-0.7.2 **
@@ -99,5 +106,6 @@
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
 # Keep versions on both arches in sync.
+=sys-fs/fuse-3.17.2 ~arm64
 =sys-libs/libsemanage-3.7 ~arm64
 =sys-process/audit-4.0.2-r1 ~arm64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -173,3 +173,6 @@ sys-kernel/dracut -dracut-cpio
 # Avoid initrd bloat by using OpenSSL instead of gcrypt in systemd.
 # systemd-journal's FSS feature requires gcrypt, but Flatcar doesn't need it.
 sys-apps/systemd -gcrypt
+
+# Make dracut module available for initrd build.
+sys-apps/azure-vm-utils dracut

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask

@@ -25,3 +25,9 @@ sys-fs/btrfs-progs man
 # put anywhere. Thus avoid pulling more dependencies than necessary
 # for throw-away things.
 dev-python/pillow jpeg
+
+# Gentoo force-enables X for app-emulation/qemu, because qemu is doing
+# some automagic detection of gtk ignoring whether we want to use gtk
+# or not. We don't have gtk on Flatcar, so it is not an issue here,
+# but we need to mask X, so we won't try pulling gtk package.
+app-emulation/qemu X

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88-r1.ebuild

@@ -24,6 +24,7 @@ DEPEND="
 	app-shells/bash
 	coreos-base/afterburn
 	coreos-base/coreos-init:=
+	sys-apps/azure-vm-utils[dracut]
 	sys-apps/baselayout
 	sys-apps/coreutils
 	sys-apps/findutils