diff --git a/SPECS-EXTENDED/apache-commons-io/apache-commons-io-build.xml b/SPECS-EXTENDED/apache-commons-io/apache-commons-io-build.xml
index f2e078f85fc..1376756bb17 100644
--- a/SPECS-EXTENDED/apache-commons-io/apache-commons-io-build.xml
+++ b/SPECS-EXTENDED/apache-commons-io/apache-commons-io-build.xml
@@ -10,7 +10,7 @@
-
+
- 2.14.0-1
+- Upgrade to 2.14.0 to fix the CVE-2024-47554.
+- License verified
+
* Thu Oct 14 2021 Pawel Winogrodzki - 2.8.0-2
- Converting the 'Release' tag to the '[number].[distribution]' format.
diff --git a/SPECS-EXTENDED/apache-commons-io/commons-io-2.14.0-src.tar.gz.asc b/SPECS-EXTENDED/apache-commons-io/commons-io-2.14.0-src.tar.gz.asc
new file mode 100644
index 00000000000..b72e47dc79e
--- /dev/null
+++ b/SPECS-EXTENDED/apache-commons-io/commons-io-2.14.0-src.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEELbTx7w+nYezE6pNchv3H4qESYssFAmURZkQACgkQhv3H4qES
+YssmAAf+Opr906UCvufO2/ncd3Q2RuJDC24WoUlK8t18yNLTXcG1ZhxtqHn0ms/l
+D59OwQQaerBr2f/Y4dB1WLTg/XIrgtbmjImKk0iOXwVirb5etdXdnLUXf3oRvJG+
+C98BB26kY4QPYmRzQMFdf6AVRMZvva51c+u7zrKDOC0/VlxYPY8UlYQfCJ6Uyxqu
+TMUwQ1/cfSr65DIQui/X/RM09tGcyItb2wScZlGSq7FqtYNUj6GYAEZqhPeG74pq
+5xC19viyCGnTLO8LRaqmzmqidMPcYc95GqO9BiQDcI393qZJsq9GSxMwvIPcVJNp
+l6oNdUcPRxIf0yFJm47dmFtEeM4KXg==
+=+Thz
+-----END PGP SIGNATURE-----
diff --git a/SPECS-EXTENDED/apache-commons-io/commons-io-2.8.0-src.tar.gz.asc b/SPECS-EXTENDED/apache-commons-io/commons-io-2.8.0-src.tar.gz.asc
deleted file mode 100644
index bf44d2ffb77..00000000000
--- a/SPECS-EXTENDED/apache-commons-io/commons-io-2.8.0-src.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEELbTx7w+nYezE6pNchv3H4qESYssFAl9U6ioACgkQhv3H4qES
-Ysuy1wf/VcyqeNE80VLt0Pl4SPArhnLfgPzXcJVW54IIw3Ndlha/1i8iiJ9VLmEv
-I8pue0SI+yEMcUyTU6/GfqfEUrp43VqBOSFFr2mDICYpiWiYXLBaGIT9dk8cpl1q
-mZ6Y1lgF6LK58a3faZlusXj4dyiAkaf6ul5v27JjY8Fma8DpmIKMjCLfDbvjF6HQ
-g+IP+5zoCWULKKGfziecMz9uL4sztu1bGPCcfVd5jOIIufmYyf36sG/kXYGhHd23
-kPFC8zMOXeCjMBdFV1y3o1OpmGVlnh5gry0J04ySYykYzLmm6ZR7i3cXNaaSO/nA
-IWBTAMTdeuo+rbqORG4GcnSMd1/kew==
-=Dh1z
------END PGP SIGNATURE-----
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index ba288f78de6..8e161b9d5d8 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -10,7 +10,7 @@
Summary: Signed Linux Kernel for %{buildarch} systems
Name: kernel-signed-%{buildarch}
Version: 5.15.167.1
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
+* Wed Oct 23 2024 Rachel Menge - 5.15.167.1-2
+- Bump release to match kernel
+
* Wed Sep 18 2024 CBL-Mariner Servicing Account - 5.15.167.1-1
- Auto-upgrade to 5.15.167.1
diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
index 48acb35567a..afd5291f3fc 100644
--- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
+++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
@@ -12,7 +12,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic
| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azl-compliance
azure-iot-sdk-c
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor
cloud-hypervisor-cvm
cmake-fedora
coredns
csi-driver-lvm
dcos-cli
debugedit
dejavu-fonts
distroless-packages
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
hvloader-signed
installkernel
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-azure-signed
kernel-hci-signed
kernel-mos-signed
kernel-mshv-signed
kernel-signed
KeysInUse-OpenSSL
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
livepatch-5.15.102.1-1.cm2
livepatch-5.15.102.1-3.cm2
livepatch-5.15.107.1-1.cm2
livepatch-5.15.110.1-1.cm2
livepatch-5.15.111.1-1.cm2
livepatch-5.15.112.1-1.cm2
livepatch-5.15.112.1-2.cm2
livepatch-5.15.116.1-1.cm2
livepatch-5.15.116.1-2.cm2
livepatch-5.15.122.1-2.cm2
livepatch-5.15.125.1-1.cm2
livepatch-5.15.125.1-2.cm2
livepatch-5.15.126.1-1.cm2
livepatch-5.15.131.1-1.cm2
livepatch-5.15.131.1-3.cm2
livepatch-5.15.94.1-1.cm2
livepatch-5.15.94.1-1.cm2-signed
livepatch-5.15.95.1-1.cm2
livepatch-5.15.98.1-1.cm2
livepatching
lld
lld16
local-path-provisioner
lsb-release
ltp
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
maven3
mm-common
moby-buildx
moby-cli
moby-compose
moby-containerd
moby-containerd-cc
moby-engine
moby-runc
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
opentelemetry-cpp
osslsigncode
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-logutils
python-nocasedict
python-opt-einsum
python-pecan
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-tensorflow-estimator
python-yamlloader
R
rabbitmq-server
reaper
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-bigdecimal
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser.rb
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
sdbus-cpp
sgx-backwards-compatability
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
swupdate
SymCrypt
SymCrypt-OpenSSL
tensorflow
terraform
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd |
| Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan |
| Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad |
-| NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | knem
libnvidia-container
mlnx-ofa_kernel
mlnx-tools
mlx-bootctl
nvidia-container-runtime
nvidia-container-toolkit
nvidia-docker2
ofed-scripts
perftest |
+| NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | knem
libnvidia-container
mlnx-ofa_kernel
mlnx-tools
mlx-bootctl
nvidia-container-toolkit
nvidia-docker2
ofed-scripts
perftest |
| OpenEuler | [BSD-3 License](https://github.com/pytorch/pytorch/blob/master/LICENSE) | pytorch |
| OpenMamba | [Openmamba GPLv2 License](https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt) | bash-completion |
| OpenSUSE | Following [openSUSE guidelines](https://en.opensuse.org/openSUSE:Specfile_guidelines#Specfile_Licensing) | ant
ant-junit
antlr
aopalliance
apache-commons-beanutils
apache-commons-cli
apache-commons-codec
apache-commons-collections
apache-commons-collections4
apache-commons-compress
apache-commons-daemon
apache-commons-dbcp
apache-commons-digester
apache-commons-httpclient
apache-commons-io
apache-commons-jexl
apache-commons-lang
apache-commons-lang3
apache-commons-logging
apache-commons-net
apache-commons-pool
apache-commons-pool2
apache-commons-validator
apache-commons-vfs2
apache-parent
args4j
atinject
base64coder
bazel-workspaces
bcel
bea-stax
beust-jcommander
bsf
byaccj
cal10n
cdparanoia
cglib
cni
containerized-data-importer
cpulimit
cri-o
ecj
fillup
flux
gd
geronimo-specs
glassfish-annotation-api
glassfish-servlet-api
gnu-getopt
gnu-regexp
golang-packaging
guava
guava20
hamcrest
hawtjni-runtime
httpcomponents-core
influx-cli
influxdb
jakarta-taglibs-standard
jansi
jarjar
java-cup
java-cup-bootstrap
javacc
javacc-bootstrap
javassist
jboss-interceptors-1.2-api
jdepend
jflex
jflex-bootstrap
jlex
jline
jna
jsch
jsoup
jsr-305
jtidy
junit
junitperf
jzlib
kubevirt
kured
libcontainers-common
libtheora
libva
libvdpau
lynx
maven-parent
multus
objectweb-anttask
objectweb-asm
objenesis
oro
osgi-annotation
osgi-compendium
osgi-core
patterns-ceph-containers
plexus-classworlds
plexus-interpolation
plexus-pom
plexus-utils
proj
psl-make-dafsa
publicsuffix
qdox
regexp
relaxngDatatype
rhino
ripgrep
rook
servletapi4
servletapi5
shapelib
slf4j
trilead-ssh2
xalan-j2
xbean
xcursor-themes
xerces-j2
xml-commons-apis
xml-commons-resolver
xmldb-api
xmlrpc-c
xmlunit
xpp2
xpp3
xz-java |
diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
index 822f66bb87c..b8a11663a6f 100644
--- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json
+++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@@ -2451,7 +2451,6 @@
"mlnx-ofa_kernel",
"mlnx-tools",
"mlx-bootctl",
- "nvidia-container-runtime",
"nvidia-container-toolkit",
"nvidia-docker2",
"ofed-scripts",
diff --git a/SPECS/OpenIPMI/OpenIPMI.signatures.json b/SPECS/OpenIPMI/OpenIPMI.signatures.json
index d64035347c7..95dcc9ccd3b 100644
--- a/SPECS/OpenIPMI/OpenIPMI.signatures.json
+++ b/SPECS/OpenIPMI/OpenIPMI.signatures.json
@@ -1,7 +1,7 @@
{
- "Signatures": {
- "OpenIPMI-2.0.32.tar.gz": "f6d0fd4c0a74b05f80907229d0b270f54ca23294bcc11979f8b8d12766786945",
- "ipmi.service": "7f55866340569bfbb4bcce32a6218667d0e8dbba99d9aac4ef8e192d3952fa71",
- "openipmi-helper": "e646bf49b3962dd0cd6261d5a7c44240261c856e0bc47d70bdc2720a2ea7d530"
- }
-}
\ No newline at end of file
+ "Signatures": {
+ "ipmi.service": "7f55866340569bfbb4bcce32a6218667d0e8dbba99d9aac4ef8e192d3952fa71",
+ "openipmi-helper": "e646bf49b3962dd0cd6261d5a7c44240261c856e0bc47d70bdc2720a2ea7d530",
+ "OpenIPMI-2.0.36.tar.gz": "a0403148fa5f7bed930c958a4d1c558047e273763a408b3a0368edc137cc55d9"
+ }
+}
diff --git a/SPECS/OpenIPMI/OpenIPMI.spec b/SPECS/OpenIPMI/OpenIPMI.spec
index 6b6f385762b..e4f8f3fb68d 100644
--- a/SPECS/OpenIPMI/OpenIPMI.spec
+++ b/SPECS/OpenIPMI/OpenIPMI.spec
@@ -1,13 +1,13 @@
Summary: A shared library implementation of IPMI and the basic tools
Name: OpenIPMI
-Version: 2.0.32
+Version: 2.0.36
Release: 1%{?dist}
License: LGPLv2+ AND GPLv2+ OR BSD
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Base
URL: https://sourceforge.net/projects/openipmi/
-Source0: https://downloads.sourceforge.net/openipmi/OpenIPMI-2.0.32.tar.gz
+Source0: https://downloads.sourceforge.net/openipmi/%{name}-%{version}.tar.gz
Source1: openipmi-helper
Source2: ipmi.service
BuildRequires: ncurses-devel
@@ -188,6 +188,9 @@ echo "disable ipmi.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-ip
%{_mandir}/man5/ipmi_sim_cmd.5.gz
%changelog
+* Mon Oct 14 2024 CBL-Mariner Servicing Account - 2.0.36-1
+- Upgrade to 2.0.36 to fix CVE-2024-42934
+
* Tue Feb 22 2022 Max Brodeur-Urbas - 2.0.32-1
- Upgrading to version 2.0.32.
diff --git a/SPECS/apr/apr.signatures.json b/SPECS/apr/apr.signatures.json
index 9f69f874ad0..c77682409bd 100644
--- a/SPECS/apr/apr.signatures.json
+++ b/SPECS/apr/apr.signatures.json
@@ -1,5 +1,5 @@
{
"Signatures": {
- "apr-1.7.2.tar.gz": "3d8999b216f7b6235343a4e3d456ce9379aa9a380ffb308512f133f0c5eb2db9"
+ "apr-1.7.5.tar.gz": "3375fa365d67bcf945e52b52cba07abea57ef530f40b281ffbe977a9251361db"
}
}
\ No newline at end of file
diff --git a/SPECS/apr/apr.spec b/SPECS/apr/apr.spec
index 1d8ad12e693..44b47b7bf86 100644
--- a/SPECS/apr/apr.spec
+++ b/SPECS/apr/apr.spec
@@ -1,14 +1,15 @@
%define aprver 1
Summary: The Apache Portable Runtime
Name: apr
-Version: 1.7.2
-Release: 2%{?dist}
+Version: 1.7.5
+Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Libraries
URL: https://apr.apache.org/
Source0: https://dlcdn.apache.org/%{name}/%{name}-%{version}.tar.gz
+Patch0: skip-known-test-failure.patch
%if %{with_check}
# test_serv_by_name test requires /etc/services file from iana-etc package
BuildRequires: iana-etc
@@ -25,7 +26,7 @@ Requires: %{name} = %{version}-%{release}
It contains the libraries and header files to create applications
%prep
-%setup -q
+%autosetup -p1
%build
./configure --prefix=%{_prefix} \
@@ -64,6 +65,10 @@ make -j1 check
%{_libdir}/pkgconfig
%changelog
+* Wed Oct 16 2024 Muhammad Falak - 1.7.5-1
+- Upgrade version to address CVE-2023-49582
+- Enable ptests
+
* Wed Sep 20 2023 Jon Slobodzian - 1.7.2-2
- Recompile with stack-protection fixed gcc version (CVE-2023-4039)
diff --git a/SPECS/apr/skip-known-test-failure.patch b/SPECS/apr/skip-known-test-failure.patch
new file mode 100644
index 00000000000..d05c6dab70d
--- /dev/null
+++ b/SPECS/apr/skip-known-test-failure.patch
@@ -0,0 +1,31 @@
+From d4aa66b790e48f4745bcc6623b286577f2e0aef0 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani
+Date: Wed, 16 Oct 2024 19:47:33 +0530
+Subject: [PATCH] test: skip known test failure
+
+Signed-off-by: Muhammad Falak R Wani
+---
+ test/Makefile.in | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/test/Makefile.in b/test/Makefile.in
+index e3b71e0..b609c74 100644
+--- a/test/Makefile.in
++++ b/test/Makefile.in
+@@ -172,6 +172,13 @@ check: $(TESTALL_COMPONENTS) $(STDTEST_PORTABLE) $(STDTEST_NONPORTABLE)
+ progfailed="$$progfailed '$$prog mode $$mode'"; \
+ fi; \
+ done; \
++ elif test "$$prog" = 'testall'; then \
++ ./$$prog -v -x testsock; \
++ status=$$?; \
++ if test $$status != 0; then \
++ teststatus=$$status; \
++ progfailed="$$progfailed $$prog"; \
++ fi; \
+ else \
+ ./$$prog -v; \
+ status=$$?; \
+--
+2.40.1
+
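Review bot: The new `elif` branch runs `./$$prog -v -x testsock`, which drops the whole socket test group from `make check` rather than the one failing case, and neither the patch subject (`test: skip known test failure`) nor the apr.spec changelog line `- Enable ptests` records which test fails or why. For an update taken as a security fix, a silently narrowed test run is easy to misread later as full coverage; please extend the patch body with the failing test name and the cause (presumably something environment-specific in the build sandbox, but that is not visible from here), and add a comment above `Patch0` in apr.spec such as `# Excludes testsock from the testall run; see the patch body for the known failure`. The `check` target's loop starts and ends outside the hunk.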
diff --git a/SPECS/cni-plugins/CVE-2023-3978.patch b/SPECS/cni-plugins/CVE-2023-3978.patch
new file mode 100644
index 00000000000..9b04a4f1b00
--- /dev/null
+++ b/SPECS/cni-plugins/CVE-2023-3978.patch
@@ -0,0 +1,78 @@
+From 8ffa475fbdb33da97e8bf79cc5791ee8751fca5e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Thu, 06 Jul 2023 10:25:47 -0700
+Subject: [PATCH] html: only render content literally in the HTML namespace
+
+Per the WHATWG HTML specification, section 13.3, only append the literal
+content of a text node if we are in the HTML namespace.
+
+Thanks to Mohammad Thoriq Aziz for reporting this issue.
+
+Fixes golang/go#61615
+Fixes CVE-2023-3978
+
+Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
+Reviewed-by: Tatiana Bradley
+Run-TryBot: Roland Shoemaker
+Reviewed-by: Damien Neil
+TryBot-Result: Security TryBots
+Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
+Reviewed-by: Roland Shoemaker
+TryBot-Result: Gopher Robot
+Run-TryBot: Damien Neil
+---
+
+diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
+index 8b28031..e8c1233 100644
+--- a/vendor/golang.org/x/net/html/render.go
++++ b/vendor/golang.org/x/net/html/render.go
+@@ -194,9 +194,8 @@
+ }
+ }
+
+- // Render any child nodes.
+- switch n.Data {
+- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++ // Render any child nodes
++ if childTextNodesAreLiteral(n) {
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ if c.Type == TextNode {
+ if _, err := w.WriteString(c.Data); err != nil {
+@@ -213,7 +212,7 @@
+ // last element in the file, with no closing tag.
+ return plaintextAbort
+ }
+- default:
++ } else {
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ if err := render1(w, c); err != nil {
+ return err
+@@ -231,6 +230,27 @@
+ return w.WriteByte('>')
+ }
+
++func childTextNodesAreLiteral(n *Node) bool {
++ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
++ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
++ // current node is a text node, append the value of the node's data
++ // literally. The specification is not explicit about it, but we only
++ // enforce this if we are in the HTML namespace (i.e. when the namespace is
++ // "").
++ // NOTE: we also always include noscript elements, although the
++ // specification states that they should only be rendered as such if
++ // scripting is enabled for the node (which is not something we track).
++ if n.Namespace != "" {
++ return false
++ }
++ switch n.Data {
++ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++ return true
++ default:
++ return false
++ }
++}
++
+ // writeQuoted writes s to w surrounded by quotes. Normally it will use double
+ // quotes, but if s contains a double quote, it will use single quotes.
+ // It is used for writing the identifiers in a doctype declaration.
diff --git a/SPECS/cni-plugins/cni-plugins.spec b/SPECS/cni-plugins/cni-plugins.spec
index fb6fbf1ffc5..a96025c8c37 100644
--- a/SPECS/cni-plugins/cni-plugins.spec
+++ b/SPECS/cni-plugins/cni-plugins.spec
@@ -1,7 +1,7 @@
Summary: Container Network Interface (CNI) plugins
Name: cni-plugins
Version: 1.3.0
-Release: 5%{?dist}
+Release: 6%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -10,6 +10,7 @@ Group: Development/Tools
URL: https://github.com/containernetworking/plugins
#Source0: https://github.com/containernetworking/plugins/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
+Patch0: CVE-2023-3978.patch
%define _default_cni_plugins_dir /opt/cni/bin
BuildRequires: golang
Provides: kubernetes-cni
@@ -18,7 +19,7 @@ Provides: kubernetes-cni
The CNI (Container Network Interface) project consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins.
%prep
-%setup -q -n plugins-%{version}
+%autosetup -p1 -n plugins-%{version}
%build
./build_linux.sh -ldflags "-X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=v%{version}"
@@ -39,6 +40,9 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
%{_default_cni_plugins_dir}/*
%changelog
+* Thu Oct 10 2024 Sumedh Sharma - 1.3.0-6
+- Add patch to resolve CVE-2023-3978.
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.3.0-5
- Bump release to rebuild with go 1.22.7
diff --git a/SPECS/curl/CVE-2024-8096.patch b/SPECS/curl/CVE-2024-8096.patch
new file mode 100644
index 00000000000..0f780f08c32
--- /dev/null
+++ b/SPECS/curl/CVE-2024-8096.patch
@@ -0,0 +1,200 @@
+From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 20 Aug 2024 16:14:39 +0200
+Subject: [PATCH] gtls: fix OCSP stapling management
+
+Reported-by: Hiroki Kurosawa
+Closes #14642
+---
+ lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 03d6fcc038aac3..c7589d9d39bc81 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
+ init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+
++#if defined(GNUTLS_NO_STATUS_REQUEST)
++ if(!config->verifystatus)
++ /* Disable the "status_request" TLS extension, enabled by default since
++ GnuTLS 3.8.0. */
++ init_flags |= GNUTLS_NO_STATUS_REQUEST;
++#endif
++
+ rc = gnutls_init(>ls->session, init_flags);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_init() failed: %d", rc);
+@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ infof(data, " server certificate verification SKIPPED");
+
+ if(config->verifystatus) {
+- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+- gnutls_datum_t status_request;
+- gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_datum_t status_request;
++ gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_ocsp_cert_status_t status;
++ gnutls_x509_crl_reason_t reason;
+
+- gnutls_ocsp_cert_status_t status;
+- gnutls_x509_crl_reason_t reason;
++ rc = gnutls_ocsp_status_request_get(session, &status_request);
+
+- rc = gnutls_ocsp_status_request_get(session, &status_request);
++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++ failf(data, "No OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- infof(data, " server certificate status verification FAILED");
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+- failf(data, "No OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ gnutls_ocsp_resp_init(&ocsp_resp);
+
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- gnutls_ocsp_resp_init(&ocsp_resp);
++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
++ &status, NULL, NULL, NULL, &reason);
+
+- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ switch(status) {
++ case GNUTLS_OCSP_CERT_GOOD:
++ break;
+
+- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+- &status, NULL, NULL, NULL, &reason);
++ case GNUTLS_OCSP_CERT_REVOKED: {
++ const char *crl_reason;
+
+- switch(status) {
+- case GNUTLS_OCSP_CERT_GOOD:
++ switch(reason) {
++ default:
++ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
++ crl_reason = "unspecified reason";
+ break;
+
+- case GNUTLS_OCSP_CERT_REVOKED: {
+- const char *crl_reason;
+-
+- switch(reason) {
+- default:
+- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+- crl_reason = "unspecified reason";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+- crl_reason = "private key compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+- crl_reason = "CA compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+- crl_reason = "affiliation has changed";
+- break;
++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
++ crl_reason = "private key compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_SUPERSEDED:
+- crl_reason = "certificate superseded";
+- break;
++ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
++ crl_reason = "CA compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+- crl_reason = "operation has ceased";
+- break;
++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
++ crl_reason = "affiliation has changed";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+- crl_reason = "certificate is on hold";
+- break;
++ case GNUTLS_X509_CRLREASON_SUPERSEDED:
++ crl_reason = "certificate superseded";
++ break;
+
+- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+- crl_reason = "will be removed from delta CRL";
+- break;
++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
++ crl_reason = "operation has ceased";
++ break;
+
+- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+- crl_reason = "privilege withdrawn";
+- break;
++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
++ crl_reason = "certificate is on hold";
++ break;
+
+- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+- crl_reason = "AA compromised";
+- break;
+- }
++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
++ crl_reason = "will be removed from delta CRL";
++ break;
+
+- failf(data, "Server certificate was revoked: %s", crl_reason);
++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
++ crl_reason = "privilege withdrawn";
+ break;
+- }
+
+- default:
+- case GNUTLS_OCSP_CERT_UNKNOWN:
+- failf(data, "Server certificate status is unknown");
++ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
++ crl_reason = "AA compromised";
+ break;
+ }
+
+- gnutls_ocsp_resp_deinit(ocsp_resp);
++ failf(data, "Server certificate was revoked: %s", crl_reason);
++ break;
++ }
+
+- return CURLE_SSL_INVALIDCERTSTATUS;
++ default:
++ case GNUTLS_OCSP_CERT_UNKNOWN:
++ failf(data, "Server certificate status is unknown");
++ break;
+ }
+- else
+- infof(data, " server certificate status verification OK");
++
++ gnutls_ocsp_resp_deinit(ocsp_resp);
++ if(status != GNUTLS_OCSP_CERT_GOOD)
++ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
+ else
+ infof(data, " server certificate status verification SKIPPED");
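Review bot: The early return in the `if(rc < 0)` block after `gnutls_ocsp_resp_import` still leaves the handle created by `gnutls_ocsp_resp_init(&ocsp_resp)` unreleased, exactly as the pre-patch code did; only the path that falls through the `switch` reaches `gnutls_ocsp_resp_deinit(ocsp_resp)`. As this file is a verbatim backport of the upstream curl commit I would not alter it here, but it is worth reporting upstream unless a later commit already covers it: `gnutls_ocsp_resp_deinit(ocsp_resp);` before that `return CURLE_SSL_INVALIDCERTSTATUS;`. Curl_gtls_verifyserver starts and ends outside the hunk.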
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
index c4d5b5fb2dd..514766bb87c 100644
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
@@ -1,7 +1,7 @@
Summary: An URL retrieval utility and library
Name: curl
Version: 8.8.0
-Release: 2%{?dist}
+Release: 3%{?dist}
License: curl
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -9,6 +9,7 @@ Group: System Environment/NetworkingLibraries
URL: https://curl.haxx.se
Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz
Patch0: CVE-2024-6197.patch
+Patch1: CVE-2024-8096.patch
BuildRequires: krb5-devel
BuildRequires: libssh2-devel
BuildRequires: nghttp2-devel
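Review bot: `Patch1: CVE-2024-8096.patch` is declared here, and `Patch0: CVE-2024-28180.patch` in dcos-cli.spec, but neither file shows a %prep change in this diff, whereas apr.spec and cni-plugins.spec in the same commit switch `%setup -q` to `%autosetup -p1` for exactly this reason. If either %prep still uses plain `%setup`, or applies patches with explicit `%patchN` lines that were not extended, the declared patch is never applied and the package builds without the fix while the changelog claims the CVE is addressed; the %prep sections lie outside these hunks, so please confirm. dcos-cli.spec carried no patches before this commit, so this is the first time its patch mechanism is exercised at all.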
@@ -86,6 +87,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/libcurl.so.*
%changelog
+* Tue Oct 15 2024 Muhammad Falak - 8.8.0-3
+- Address CVE-2024-8096
+
* Wed Sep 4 2024 Aadhar Agarwal - 8.8.0-2
- Patch CVE-2024-6197
diff --git a/SPECS/dcos-cli/CVE-2024-28180.patch b/SPECS/dcos-cli/CVE-2024-28180.patch
new file mode 100644
index 00000000000..0218386131f
--- /dev/null
+++ b/SPECS/dcos-cli/CVE-2024-28180.patch
@@ -0,0 +1,76 @@
+diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
+index d24cabf6..a6283865 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
++++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
+@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
+ // Decrypt and validate the object and return the plaintext. Note that this
+ // function does not support multi-recipient, if you desire multi-recipient
+ // decryption use DecryptMulti instead.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+ headers := obj.mergedHeaders(nil)
+
+@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
+ // with support for multiple recipients. It returns the index of the recipient
+ // for which the decryption was successful, the merged headers for that recipient,
+ // and the plaintext.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ globalHeaders := obj.mergedHeaders(nil)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385c..ab9e0867 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
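Review bot: The doc comment added to DecryptMulti says the limit is `>3x the size of the compressed data`, while the Decrypt comment and the `inflate` implementation (`maxCompressedSize := 10 * int64(len(input))`) use 10x; the DecryptMulti comment should read `// data would be >250kB or >10x the size of the compressed data, whichever is larger.` Unlike CVE-2024-8096.patch and CVE-2023-3978.patch in this same commit, this patch file carries no From/Date/Subject header recording the upstream commit it was taken from, which makes the backport hard to audit later; the same applies to fluent-bit's CVE-2024-25629.patch and CVE-2024-26455.patch. Adding the upstream commit reference as a header block at the top of each of these three files would fix that without touching the hunks.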
diff --git a/SPECS/dcos-cli/dcos-cli.spec b/SPECS/dcos-cli/dcos-cli.spec
index f5f474f9ec9..c708df8987f 100644
--- a/SPECS/dcos-cli/dcos-cli.spec
+++ b/SPECS/dcos-cli/dcos-cli.spec
@@ -1,13 +1,14 @@
Summary: The command line for DC/OS
Name: dcos-cli
Version: 1.2.0
-Release: 18%{?dist}
+Release: 19%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/Tools
URL: https://github.com/dcos/dcos-cli
Source0: https://github.com/dcos/dcos-cli/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2024-28180.patch
BuildRequires: golang
BuildRequires: git
@@ -45,6 +46,9 @@ go test -mod=vendor
%{_bindir}/dcos
%changelog
+* Mon Oct 01 2024 Henry Li - 1.2.0-19
+- Add patch to resolve CVE-2024-28180
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.2.0-18
- Bump release to rebuild with go 1.22.7
diff --git a/SPECS/fluent-bit/CVE-2024-25629.patch b/SPECS/fluent-bit/CVE-2024-25629.patch
new file mode 100644
index 00000000000..86758d5fd74
--- /dev/null
+++ b/SPECS/fluent-bit/CVE-2024-25629.patch
@@ -0,0 +1,19 @@
+diff --git a/lib/c-ares-1.24.0/src/lib/ares__read_line.c b/lib/c-ares-1.24.0/src/lib/ares__read_line.c
+index d65ac1fcf..018f55e8b 100644
+--- a/lib/c-ares-1.24.0/src/lib/ares__read_line.c
++++ b/lib/c-ares-1.24.0/src/lib/ares__read_line.c
+@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+ return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+ }
+ len = offset + ares_strlen(*buf + offset);
++
++ /* Probably means there was an embedded NULL as the first character in
++ * the line, throw away line */
++ if (len == 0) {
++ offset = 0;
++ continue;
++ }
++
+ if ((*buf)[len - 1] == '\n') {
+ (*buf)[len - 1] = 0;
+ break;
diff --git a/SPECS/fluent-bit/CVE-2024-26455.patch b/SPECS/fluent-bit/CVE-2024-26455.patch
new file mode 100644
index 00000000000..57d7c11254f
--- /dev/null
+++ b/SPECS/fluent-bit/CVE-2024-26455.patch
@@ -0,0 +1,60 @@
+diff --git a/plugins/custom_calyptia/calyptia.c b/plugins/custom_calyptia/calyptia.c
+index 5639af427..4aba53ca7 100644
+--- a/plugins/custom_calyptia/calyptia.c
++++ b/plugins/custom_calyptia/calyptia.c
+@@ -245,7 +245,6 @@ static struct flb_output_instance *setup_cloud_output(struct flb_config *config,
+
+ if (!cloud) {
+ flb_plg_error(ctx->ins, "could not load Calyptia Cloud connector");
+- flb_free(ctx);
+ return NULL;
+ }
+
+@@ -254,7 +253,6 @@ static struct flb_output_instance *setup_cloud_output(struct flb_config *config,
+
+ if (ret != 0) {
+ flb_plg_error(ctx->ins, "could not load Calyptia Cloud connector");
+- flb_free(ctx);
+ return NULL;
+ }
+
+@@ -268,7 +266,6 @@ static struct flb_output_instance *setup_cloud_output(struct flb_config *config,
+ label = flb_sds_create_size(strlen(key->str) + strlen(val->str) + 1);
+
+ if (!label) {
+- flb_free(ctx);
+ return NULL;
+ }
+
+@@ -316,7 +313,6 @@ static struct flb_output_instance *setup_cloud_output(struct flb_config *config,
+ label = flb_sds_create_size(strlen("fleet_id") + strlen(ctx->fleet_id) + 1);
+
+ if (!label) {
+- flb_free(ctx);
+ return NULL;
+ }
+
+@@ -424,6 +420,7 @@ static int cb_calyptia_init(struct flb_custom_instance *ins,
+
+ if (ctx->machine_id == NULL) {
+ flb_plg_error(ctx->ins, "unable to retrieve machine_id");
++ flb_free(ctx);
+ return -1;
+ }
+
+@@ -435,6 +432,7 @@ static int cb_calyptia_init(struct flb_custom_instance *ins,
+
+ if (!ctx->i) {
+ flb_plg_error(ctx->ins, "could not load metrics collector");
++ flb_free(ctx);
+ return -1;
+ }
+
+@@ -455,6 +453,7 @@ static int cb_calyptia_init(struct flb_custom_instance *ins,
+ ctx->o = setup_cloud_output(config, ctx);
+
+ if (ctx->o == NULL) {
++ flb_free(ctx);
+ return -1;
+ }
+ }
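Review bot: The three new `flb_free(ctx)` calls in `cb_calyptia_init` release only the context struct; by the time the later two run, members created earlier in the function (the metrics collector stored in `ctx->i` at the hunk just above, and whatever `setup_cloud_output` attached before failing) may need their own teardown, so `flb_free(ctx)` alone could still leak those. I cannot confirm this from the hunk — `cb_calyptia_init` starts and ends outside it — so please compare against the upstream commit and, if it has a dedicated cleanup routine for the context, call that instead of bare `flb_free(ctx)`. Moving the frees out of `setup_cloud_output` is the right direction, since the callee freed a pointer its caller continued to use.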
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index 9bf83a66bbb..34b3e9db415 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -1,7 +1,7 @@
Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
Name: fluent-bit
Version: 2.2.3
-Release: 3%{?dist}
+Release: 4%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -10,6 +10,8 @@ Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.
Patch0: CVE-2024-34250.patch
Patch1: in_emitter_fix_issue_8198.patch
Patch2: fix_issue_8025.patch
+Patch3: CVE-2024-26455.patch
+Patch4: CVE-2024-25629.patch
BuildRequires: bison
BuildRequires: cmake
BuildRequires: cyrus-sasl-devel
@@ -83,6 +85,10 @@ Development files for %{name}
%{_libdir}/fluent-bit/*.so
%changelog
+* Tue Oct 15 2024 Chris Gunn - 2.2.3-4
+- CVE-2024-26455
+- CVE-2024-25629
+
* Wed Jun 05 2024 Sindhu Karri - 2.2.3-3
- Apply patch in_emitter_fix_issue_8198.patch to fix #8198 ( Potential log loss during high load at Multiline & Rewrite Tag Filter (in_emitter) )
- Fix issue #8025 with a patch ( in_tail: missing log for offset processing due to non-existent old inodes in sqlite )
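Review bot: The new changelog entries are bare CVE identifiers that say nothing about what was done, whereas every surrounding entry in this file describes the action taken. Replace them with `- Add CVE-2024-26455.patch and CVE-2024-25629.patch (Patch3, Patch4)` so the entry matches the Patch lines added above and the file's existing style.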
diff --git a/SPECS/gdb/CVE-2023-39128.patch b/SPECS/gdb/CVE-2023-39128.patch
new file mode 100644
index 00000000000..1c3802c93f0
--- /dev/null
+++ b/SPECS/gdb/CVE-2023-39128.patch
@@ -0,0 +1,71 @@
+From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001
+From: Tom Tromey
+Date: Wed, 16 Aug 2023 11:29:19 -0600
+Subject: [PATCH] Avoid buffer overflow in ada_decode
+
+A bug report pointed out a buffer overflow in ada_decode, which Keith
+helpfully analyzed. ada_decode had a logic error when the input was
+all digits. While this isn't valid -- and would probably only appear
+in fuzzer tests -- it still should be handled properly.
+
+This patch adds a missing bounds check. Tested with the self-tests in
+an asan build.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
+Reviewed-by: Keith Seitz
+---
+ gdb/ada-lang.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
+index 70a2b44..f682302 100644
+--- a/gdb/ada-lang.c
++++ b/gdb/ada-lang.c
+@@ -57,6 +57,7 @@
+ #include "cli/cli-utils.h"
+ #include "gdbsupport/function-view.h"
+ #include "gdbsupport/byte-vector.h"
++#include "gdbsupport/selftest.h"
+ #include
+ #include "ada-exp.h"
+
+@@ -1057,7 +1058,7 @@ ada_decode (const char *encoded, bool wrap)
+ i -= 1;
+ if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')
+ len0 = i - 1;
+- else if (encoded[i] == '$')
++ else if (i >= 0 && encoded[i] == '$')
+ len0 = i;
+ }
+
+@@ -1225,6 +1226,18 @@ ada_decode (const char *encoded, bool wrap)
+ return decoded;
+ }
+
++#ifdef GDB_SELF_TEST
++
++static void
++ada_decode_tests ()
++{
++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The
++ result does not really matter very much. */
++ SELF_CHECK (ada_decode ("44") == "44");
++}
++
++#endif
++
+ /* Table for keeping permanent unique copies of decoded names. Once
+ allocated, names in this table are never released. While this is a
+ storage leak, it should not be significant unless there are massive
+@@ -13497,4 +13510,8 @@ DWARF attribute."),
+ gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang");
+ gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang");
+ gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang");
++
++#ifdef GDB_SELF_TEST
++ selftests::register_test ("ada-decode", ada_decode_tests);
++#endif
+ }
+--
+2.34.1
+
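Review bot: As rendered, the context line `#include` at L1269 has no header name after it; if the angle-bracketed target was lost when the patch file was created rather than only in this view, the context will not match gdb 11.2 and `patch` will reject the hunk, so please check the committed file and that it applies cleanly (for example with `patch -p1 --dry-run`). Upstream commit 033bc52 targets a much newer tree than 11.2, so also confirm that `gdbsupport/selftest.h` and `selftests::register_test` exist in 11.2 before relying on the self-test registration hunk; the one-line `i >= 0` bounds check is the part that actually closes the read before the start of `encoded` and could be carried alone if the self-test scaffolding does not fit.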
diff --git a/SPECS/gdb/CVE-2023-39129.patch b/SPECS/gdb/CVE-2023-39129.patch
new file mode 100644
index 00000000000..6e5da59df70
--- /dev/null
+++ b/SPECS/gdb/CVE-2023-39129.patch
@@ -0,0 +1,124 @@
+From 58abdf887821a5da09ba184c6e400a3bc5cccd5a Mon Sep 17 00:00:00 2001
+From: Keith Seitz
+Date: Wed, 2 Aug 2023 08:35:11 -0700
+Subject: [PATCH] Verify COFF symbol stringtab offset
+
+This patch addresses an issue with malformed/fuzzed debug information that
+was recently reported in gdb/30639. That bug specifically deals with
+an ASAN issue, but the reproducer provided by the reporter causes a
+another failure outside of ASAN:
+
+$ ./gdb --data-directory data-directory -nx -q UAF_2
+Reading symbols from /home/keiths/UAF_2...
+
+
+Fatal signal: Segmentation fault
+----- Backtrace -----
+0x59a53a gdb_internal_backtrace_1
+ ../../src/gdb/bt-utils.c:122
+0x59a5dd _Z22gdb_internal_backtracev
+ ../../src/gdb/bt-utils.c:168
+0x786380 handle_fatal_signal
+ ../../src/gdb/event-top.c:889
+0x7864ec handle_sigsegv
+ ../../src/gdb/event-top.c:962
+0x7ff354c5fb6f ???
+0x611f9a process_coff_symbol
+ ../../src/gdb/coffread.c:1556
+0x611025 coff_symtab_read
+ ../../src/gdb/coffread.c:1172
+0x60f8ff coff_read_minsyms
+ ../../src/gdb/coffread.c:549
+0x60fe4b coff_symfile_read
+ ../../src/gdb/coffread.c:698
+0xbde0f6 read_symbols
+ ../../src/gdb/symfile.c:772
+0xbde7a3 syms_from_objfile_1
+ ../../src/gdb/symfile.c:966
+0xbde867 syms_from_objfile
+ ../../src/gdb/symfile.c:983
+0xbded42 symbol_file_add_with_addrs
+ ../../src/gdb/symfile.c:1086
+0xbdf083 _Z24symbol_file_add_from_bfdRKN3gdb7ref_ptrI3bfd18gdb_bfd_ref_policyEEPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaISC_EES8_I12objfile_flagEP7objfile
+ ../../src/gdb/symfile.c:1166
+0xbdf0d2 _Z15symbol_file_addPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaIS5_EES1_I12objfile_flagE
+ ../../src/gdb/symfile.c:1179
+0xbdf197 symbol_file_add_main_1
+ ../../src/gdb/symfile.c:1203
+0xbdf13e _Z20symbol_file_add_mainPKc10enum_flagsI16symfile_add_flagE
+ ../../src/gdb/symfile.c:1194
+0x90f97f symbol_file_add_main_adapter
+ ../../src/gdb/main.c:549
+0x90f895 catch_command_errors
+ ../../src/gdb/main.c:518
+0x9109b6 captured_main_1
+ ../../src/gdb/main.c:1203
+0x910fc8 captured_main
+ ../../src/gdb/main.c:1310
+0x911067 _Z8gdb_mainP18captured_main_args
+ ../../src/gdb/main.c:1339
+0x418c71 main
+ ../../src/gdb/gdb.c:39
+---------------------
+A fatal error internal to GDB has been detected, further
+debugging is not possible. GDB will now terminate.
+
+This is a bug, please report it. For instructions, see:
+.
+
+Segmentation fault (core dumped)
+
+The issue here is that the COFF offset for the fuzzed symbol's
+name is outside the string table. That is, the offset is greater
+than the actual string table size.
+
+coffread.c:getsymname actually contains a FIXME about this, and that's
+what I've chosen to address to fix this issue, following what is done
+in the DWARF reader:
+
+$ ./gdb --data-directory data-directory -nx -q UAF_2
+Reading symbols from /home/keiths/UAF_2...
+COFF Error: string table offset (256) outside string table (length 0)
+(gdb)
+
+Unfortunately, I haven't any idea how else to test this patch since
+COFF is not very common anymore. GCC removed support for it five
+years ago with GCC 8.
+---
+ gdb/coffread.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+index f8e14d8ad93..ae7632d49cb 100644
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -159,6 +159,7 @@ static file_ptr linetab_offset;
+ static file_ptr linetab_size;
+
+ static char *stringtab = NULL;
++static long stringtab_length = 0;
+
+ extern void stabsread_clear_cache (void);
+
+@@ -1303,6 +1304,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr *stora
+ /* This is in target format (probably not very useful, and not
+ currently used), not host format. */
+ memcpy (stringtab, lengthbuf, sizeof lengthbuf);
++ stringtab_length = length;
+ if (length == sizeof length) /* Empty table -- just the count. */
+ return 0;
+
+@@ -1322,8 +1324,9 @@ getsymname (struct internal_syment *symbol_entry)
+
+ if (symbol_entry->_n._n_n._n_zeroes == 0)
+ {
+- /* FIXME: Probably should be detecting corrupt symbol files by
+- seeing whether offset points to within the stringtab. */
++ if (symbol_entry->_n._n_n._n_offset > stringtab_length)
++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
++ symbol_entry->_n._n_n._n_offset, stringtab_length);
+ result = stringtab + symbol_entry->_n._n_n._n_offset;
+ }
+ else
+--
+2.43.5
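Review bot: The new check `if (symbol_entry->_n._n_n._n_offset > stringtab_length)` still accepts an offset equal to `stringtab_length`, which makes `result` point one byte past the end of `stringtab`, so the following string read can run off the allocation; `>=` is the tighter bound. Separately, `stringtab_length = length;` is only assigned after the early `return 0` paths in `init_stringtab` (visible in the CVE-2023-39130 hunk later in this commit), so a stale length from a previously loaded objfile may survive when the current file has no string table — I cannot confirm that from the hunk because the function's start is outside it, but resetting `stringtab_length = 0;` at the top of `init_stringtab` would make the guard self-contained. This is a deliberate tightening relative to upstream, so note it in the patch header if adopted.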
diff --git a/SPECS/gdb/CVE-2023-39130.patch b/SPECS/gdb/CVE-2023-39130.patch
new file mode 100644
index 00000000000..2f759e26710
--- /dev/null
+++ b/SPECS/gdb/CVE-2023-39130.patch
@@ -0,0 +1,326 @@
+From 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Wed, 9 Aug 2023 09:58:36 +0930
+Subject: [PATCH] gdb: warn unused result for bfd IO functions
+
+This fixes the compilation warnings introduced by my bfdio.c patch.
+
+The removed bfd_seeks in coff_symfile_read date back to 1994, commit
+7f4c859520, prior to which the file used stdio rather than bfd to read
+symbols. Since it now uses bfd to read the file there should be no
+need to synchronise to bfd's idea of the file position. I also fixed
+a potential uninitialised memory access.
+
+Approved-By: Andrew Burgess
+---
+ gdb/coff-pe-read.c | 114 +++++++++++++++++++++++++++++----------------
+ gdb/coffread.c | 27 ++---------
+ gdb/dbxread.c | 7 +--
+ gdb/xcoffread.c | 5 +-
+ 4 files changed, 85 insertions(+), 68 deletions(-)
+
+diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
+index c2dc3cd..35e1cb5 100644
+--- a/gdb/coff-pe-read.c
++++ b/gdb/coff-pe-read.c
+@@ -291,23 +291,31 @@ read_pe_truncate_name (char *dll_name)
+
+ /* Low-level support functions, direct from the ld module pe-dll.c. */
+ static unsigned int
+-pe_get16 (bfd *abfd, int where)
++pe_get16 (bfd *abfd, int where, bool *fail)
+ {
+ unsigned char b[2];
+
+- bfd_seek (abfd, (file_ptr) where, SEEK_SET);
+- bfd_bread (b, (bfd_size_type) 2, abfd);
++ if (bfd_seek (abfd, where, SEEK_SET) != 0
++ || bfd_bread (b, 2, abfd) != 2)
++ {
++ *fail = true;
++ return 0;
++ }
+ return b[0] + (b[1] << 8);
+ }
+
+ static unsigned int
+-pe_get32 (bfd *abfd, int where)
++pe_get32 (bfd *abfd, int where, bool *fail)
+ {
+ unsigned char b[4];
+
+- bfd_seek (abfd, (file_ptr) where, SEEK_SET);
+- bfd_bread (b, (bfd_size_type) 4, abfd);
+- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
++ if (bfd_seek (abfd, where, SEEK_SET) != 0
++ || bfd_bread (b, 4, abfd) != 4)
++ {
++ *fail = true;
++ return 0;
++ }
++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
+ }
+
+ static unsigned int
+@@ -323,7 +331,7 @@ pe_as32 (void *ptr)
+ {
+ unsigned char *b = (unsigned char *) ptr;
+
+- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
+ }
+
+ /* Read the (non-debug) export symbol table from a portable
+@@ -376,37 +384,50 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+ || strcmp (target, "pei-i386") == 0
+ || strcmp (target, "pe-arm-wince-little") == 0
+ || strcmp (target, "pei-arm-wince-little") == 0);
++
++ /* Possibly print a debug message about DLL not having a valid format. */
++ auto maybe_print_debug_msg = [&] () -> void {
++ if (debug_coff_pe_read)
++ fprintf_unfiltered (gdb_stdlog, _("%s doesn't appear to be a DLL\n"),
++ bfd_get_filename (dll));
++ };
++
+ if (!is_pe32 && !is_pe64)
+- {
+- /* This is not a recognized PE format file. Abort now, because
+- the code is untested on anything else. *FIXME* test on
+- further architectures and loosen or remove this test. */
+- return;
+- }
++ return maybe_print_debug_msg ();
+
+ /* Get pe_header, optional header and numbers of export entries. */
+- pe_header_offset = pe_get32 (dll, 0x3c);
++ bool fail = false;
++ pe_header_offset = pe_get32 (dll, 0x3c, &fail);
++ if (fail)
++ return maybe_print_debug_msg ();
+ opthdr_ofs = pe_header_offset + 4 + 20;
+ if (is_pe64)
+- num_entries = pe_get32 (dll, opthdr_ofs + 108);
++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail);
+ else
+- num_entries = pe_get32 (dll, opthdr_ofs + 92);
++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail);
++ if (fail)
++ return maybe_print_debug_msg ();
+
+ if (num_entries < 1) /* No exports. */
+ return;
+ if (is_pe64)
+ {
+- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112);
+- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116);
++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail);
++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail);
+ }
+ else
+ {
+- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96);
+- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100);
++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail);
++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail);
+ }
+- nsections = pe_get16 (dll, pe_header_offset + 4 + 2);
++ if (fail)
++ return maybe_print_debug_msg ();
++
++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail);
+ secptr = (pe_header_offset + 4 + 20 +
+- pe_get16 (dll, pe_header_offset + 4 + 16));
++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail));
++ if (fail)
++ return maybe_print_debug_msg ();
+ expptr = 0;
+ export_size = 0;
+
+@@ -415,12 +436,13 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+ {
+ char sname[8];
+ unsigned long secptr1 = secptr + 40 * i;
+- unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+- unsigned long vsize = pe_get32 (dll, secptr1 + 16);
+- unsigned long fptr = pe_get32 (dll, secptr1 + 20);
++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail);
++ unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail);
+
+- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET);
+- bfd_bread (sname, (bfd_size_type) sizeof (sname), dll);
++ if (fail
++ || bfd_seek (dll, secptr1, SEEK_SET) != 0
++ || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname))
+
+ if ((strcmp (sname, ".edata") == 0)
+ || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize))
+@@ -461,16 +483,18 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+ for (i = 0; i < nsections; i++)
+ {
+ unsigned long secptr1 = secptr + 40 * i;
+- unsigned long vsize = pe_get32 (dll, secptr1 + 8);
+- unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+- unsigned long characteristics = pe_get32 (dll, secptr1 + 36);
++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail);
++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail);
+ char sec_name[SCNNMLEN + 1];
+ int sectix;
+ unsigned int bfd_section_index;
+ asection *section;
+
+- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET);
+- bfd_bread (sec_name, (bfd_size_type) SCNNMLEN, dll);
++ if (fail
++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0
++ || bfd_bread (sec_name, SCNNMLEN, dll) != SCNNMLEN)
++ return maybe_print_debug_msg ();
+ sec_name[SCNNMLEN] = '\0';
+
+ sectix = read_pe_section_index (sec_name);
+@@ -509,8 +533,9 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+ gdb::def_vector expdata_storage (export_size);
+ expdata = expdata_storage.data ();
+
+- bfd_seek (dll, (file_ptr) expptr, SEEK_SET);
+- bfd_bread (expdata, (bfd_size_type) export_size, dll);
++ if (bfd_seek (dll, expptr, SEEK_SET) != 0
++ || bfd_bread (expdata, export_size, dll) != export_size)
++ return maybe_print_debug_msg ();
+ erva = expdata - export_rva;
+
+ nexp = pe_as32 (expdata + 24);
+@@ -658,20 +683,27 @@ pe_text_section_offset (struct bfd *abfd)
+ }
+
+ /* Get pe_header, optional header and numbers of sections. */
+- pe_header_offset = pe_get32 (abfd, 0x3c);
+- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2);
++ bool fail = false;
++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail);
++ if (fail)
++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail);
+ secptr = (pe_header_offset + 4 + 20 +
+- pe_get16 (abfd, pe_header_offset + 4 + 16));
++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail));
++ if (fail)
++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
+
+ /* Get the rva and size of the export section. */
+ for (i = 0; i < nsections; i++)
+ {
+ char sname[SCNNMLEN + 1];
+ unsigned long secptr1 = secptr + 40 * i;
+- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12);
++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail);
+
+- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET);
+- bfd_bread (sname, (bfd_size_type) SCNNMLEN, abfd);
++ if (fail
++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0
++ || bfd_bread (sname, SCNNMLEN, abfd) != SCNNMLEN)
++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
+ sname[SCNNMLEN] = '\0';
+ if (strcmp (sname, ".text") == 0)
+ return vaddr;
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+index 856f495..f363dbc 100644
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -690,8 +690,6 @@ coff_symfile_read (struct objfile *objfile, symfile_add_flags symfile_flags)
+
+ /* FIXME: dubious. Why can't we use something normal like
+ bfd_get_section_contents? */
+- bfd_seek (abfd, abfd->where, 0);
+-
+ stabstrsize = bfd_section_size (info->stabstrsect);
+
+ coffstab_build_psymtabs (objfile,
+@@ -780,22 +778,6 @@ coff_symtab_read (minimal_symbol_reader &reader,
+
+ scoped_free_pendings free_pending;
+
+- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous....
+- it's hard to know I've really worked around it. The fix should
+- be harmless, anyway). The symptom of the bug is that the first
+- fread (in read_one_sym), will (in my example) actually get data
+- from file offset 268, when the fseek was to 264 (and ftell shows
+- 264). This causes all hell to break loose. I was unable to
+- reproduce this on a short test program which operated on the same
+- file, performing (I think) the same sequence of operations.
+-
+- It stopped happening when I put in this (former) rewind().
+-
+- FIXME: Find out if this has been reported to Sun, whether it has
+- been fixed in a later release, etc. */
+-
+- bfd_seek (objfile->obfd, 0, 0);
+-
+ /* Position to read the symbol table. */
+ val = bfd_seek (objfile->obfd, symtab_offset, 0);
+ if (val < 0)
+@@ -1285,12 +1267,13 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr *stora
+ if (bfd_seek (abfd, offset, 0) < 0)
+ return -1;
+
+- val = bfd_bread ((char *) lengthbuf, sizeof lengthbuf, abfd);
+- length = bfd_h_get_32 (symfile_bfd, lengthbuf);
+-
++ val = bfd_bread (lengthbuf, sizeof lengthbuf, abfd);
+ /* If no string table is needed, then the file may end immediately
+ after the symbols. Just return with `stringtab' set to null. */
+- if (val != sizeof lengthbuf || length < sizeof lengthbuf)
++ if (val != sizeof lengthbuf)
++ return 0;
++ length = bfd_h_get_32 (symfile_bfd, lengthbuf);
++ if (length < sizeof lengthbuf)
+ return 0;
+
+ storage->reset ((char *) xmalloc (length));
+diff --git a/gdb/dbxread.c b/gdb/dbxread.c
+index cae1195..4e717cb 100644
+--- a/gdb/dbxread.c
++++ b/gdb/dbxread.c
+@@ -812,7 +812,8 @@ stabs_seek (int sym_offset)
+ symbuf_left -= sym_offset;
+ }
+ else
+- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR);
++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0)
++ perror_with_name (bfd_get_filename (symfile_bfd));
+ }
+
+ #define INTERNALIZE_SYMBOL(intern, extern, abfd) \
+@@ -2095,8 +2096,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, struct objfile *objfile)
+ symbol_size = SYMBOL_SIZE (pst);
+
+ /* Read in this file's symbols. */
+- bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET);
+- read_ofile_symtab (objfile, pst);
++ if (bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET) == 0)
++ read_ofile_symtab (objfile, pst);
+ }
+
+ pst->readin = true;
+diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c
+index 8f3d1b9..2d79d30 100644
+--- a/gdb/xcoffread.c
++++ b/gdb/xcoffread.c
+@@ -865,8 +865,9 @@ enter_line_range (struct subfile *subfile, unsigned beginoffset,
+
+ while (curoffset <= limit_offset)
+ {
+- bfd_seek (abfd, curoffset, SEEK_SET);
+- bfd_bread (ext_lnno, linesz, abfd);
++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0
++ || bfd_bread (ext_lnno, linesz, abfd) != linesz)
++ return;
+ bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno);
+
+ /* Find the address this line represents. */
+--
+2.34.1
+
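Review bot: The `if (fail || bfd_seek (dll, secptr1, SEEK_SET) != 0 || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname))` at L1600–L1602 has no body: the next statement, the `.edata` test at L1604, becomes the conditional, so on a successful read the export-section detection is skipped and on a failed read the code proceeds with an uninitialised `sname`. The matching block for `sec_name` at L1623–L1626 ends with `return maybe_print_debug_msg ();`, and the hunk header `+436,13` matches the 13 new-side lines present, which suggests the line is missing from the patch file itself rather than from this rendering. Insert `return maybe_print_debug_msg ();` after L1602 and bump the hunk's new-side count to 14, then re-check the patch applies.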
diff --git a/SPECS/gdb/gdb.spec b/SPECS/gdb/gdb.spec
index 635c0e1b910..c776ff0a6e9 100644
--- a/SPECS/gdb/gdb.spec
+++ b/SPECS/gdb/gdb.spec
@@ -1,13 +1,16 @@
Summary: C debugger
Name: gdb
Version: 11.2
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Tools
URL: https://www.gnu.org/software/gdb
Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
+Patch0: CVE-2023-39128.patch
+Patch1: CVE-2023-39129.patch
+Patch2: CVE-2023-39130.patch
BuildRequires: expat-devel
BuildRequires: gcc-c++
BuildRequires: gcc-gfortran
@@ -88,6 +91,9 @@ rm -f $(dirname $(gcc -print-libgcc-file-name))/../specs
%{_mandir}/*/*
%changelog
+* Tue Oct 08 2024 Mitch Zhu - 11.2-3
+- Fix CVE-2023-39128, CVE-2023-39129, CVE-2023-39130
+
* Wed Sep 20 2023 Jon Slobodzian - 11.2-2
- Recompile with stack-protection fixed gcc version (CVE-2023-4039)
diff --git a/SPECS/gh/CVE-2022-32149.patch b/SPECS/gh/CVE-2022-32149.patch
new file mode 100644
index 00000000000..7938e0831b3
--- /dev/null
+++ b/SPECS/gh/CVE-2022-32149.patch
@@ -0,0 +1,65 @@
+From a47ab91255e04dda4ca0d734afef58216c7479a2 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Fri, 2 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+Backported to apply on vendor direcotry by @mfrw
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot
+Auto-Submit: Roland Shoemaker
+Run-TryBot: Roland Shoemaker
+Signed-off-by: Muhammad Falak R Wani
+---
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ }
+ }()
+
++ if strings.Count(s, "-") > 1000 {
++ return nil, nil, errTagListTooLarge
++ }
++
+ var entry string
+ for s != "" {
+ if entry, s = split(s, ','); entry == "" {
+--
+2.40.1
+
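Review bot: The limit in `if strings.Count(s, "-") > 1000 {` is a bare magic number; a named constant at package level next to the new error, `const maxTagListDashes = 1000`, documents why the value exists and keeps the error message and the bound together. The hunk does not show the import block of the vendored parse.go, so confirm that `strings` is already imported there (the upstream file does import it); if not, `make test` in %check should catch the build failure. The placement after the deferred recover is correct, since the early return bypasses the parser entirely.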
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
index 1bce25690a9..33c33dacd02 100644
--- a/SPECS/gh/gh.spec
+++ b/SPECS/gh/gh.spec
@@ -1,7 +1,7 @@
Summary: GitHub official command line tool
Name: gh
Version: 2.13.0
-Release: 21%{?dist}
+Release: 22%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -30,6 +30,7 @@ Source1: %{name}-%{version}-vendor.tar.gz
# Available upstream in 2.16.0
Patch0: fix-relative-time-search-tests.patch
Patch1: CVE-2021-43565.patch
+Patch2: CVE-2022-32149.patch
BuildRequires: golang
BuildRequires: git
@@ -45,6 +46,7 @@ GitHub official command line tool.
%patch0 -p1
tar --no-same-owner -xf %{SOURCE1}
%patch1 -p1
+%patch2 -p1
%build
export GOPATH=%{our_gopath}
@@ -75,6 +77,9 @@ make test
%{_datadir}/zsh/site-functions/_gh
%changelog
+* Thu Sep 19 2024 Muhammad Falak R Wani - 2.13.0-22
+- Patch CVE-2022-32149
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 2.13.0-21
- Bump release to rebuild with go 1.22.7
diff --git a/SPECS/giflib/CVE-2022-28506.patch b/SPECS/giflib/CVE-2022-28506.patch
new file mode 100644
index 00000000000..c5293f68425
--- /dev/null
+++ b/SPECS/giflib/CVE-2022-28506.patch
@@ -0,0 +1,30 @@
+From 006158597ac945d1992c9411f393eb228fb9c7bc Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar
+Date: Fri, 11 Oct 2024 10:39:07 +0530
+Subject: [PATCH] Patch for CVE-2022-28506
+
+Upstream patch details are given below.
+https://sourceforge.net/u/mmuzila/giflib/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 9d16664..82f1130 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+ GifRow = ScreenBuffer[i];
+ GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+ for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++ /* Check if color is within color palete */
++ if (GifRow[j] >= ColorMap->ColorCount)
++ {
++ GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++ }
+ ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+ *BufferP++ = ColorMapEntry->Red;
+ *BufferP++ = ColorMapEntry->Green;
+--
+2.34.1
+
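Review bot: The new comment has a typo — `palete` should be `palette` — and, since this is a local patch (authored here rather than upstream output), it can be fixed in place. The guard dereferences `ColorMap` before the existing `&ColorMap->Colors[GifRow[j]]`, so it adds no new NULL risk beyond what the original line already had, but whether `ColorMap` is guaranteed non-NULL on entry to this loop is outside the hunk and worth confirming. The upstream commit linked in the header is the right reference; consider adding its CVE-2022-28506 context to the one-line summary so the patch is self-describing.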
diff --git a/SPECS/giflib/CVE-2023-48161.patch b/SPECS/giflib/CVE-2023-48161.patch
new file mode 100644
index 00000000000..2349854a5bd
--- /dev/null
+++ b/SPECS/giflib/CVE-2023-48161.patch
@@ -0,0 +1,43 @@
+From e9ed0342ff3da16c646e355c1bb8a37ab0c93240 Mon Sep 17 00:00:00 2001
+From: Bogdan Codres
+Date: Fri, 8 Mar 2024 01:30:45 +0800
+Subject: [PATCH] Free Buffers from DumpScreen2RGB in error case
+
+==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002bfc at pc 0x557cbdc9b28d bp 0x7ffde35804b0 sp 0x7ffde35804a0
+READ of size 1 at 0x602000002bfc thread T0
+ #0 0x557cbdc9b28c in DumpScreen2RGB ../../giflib-5.1.4/util/gif2rgb.c:323
+ #1 0x557cbdc9b28c in GIF2RGB ../../giflib-5.1.4/util/gif2rgb.c:480
+ #2 0x557cbdc9b28c in main ../../giflib-5.1.4/util/gif2rgb.c:538
+ #3 0x7fb09ad8214a in __libc_start_main (/lib64/libc.so.6+0x391602414a)
+ #4 0x557cbdc9bb19 in _start (/usr/bin/gif2rgb+0x5b19)
+
+0x602000002bfc is located 0 bytes to the right of 12-byte region [0x602000002bf0,0x602000002bfc)
+allocated by thread T0 here:
+ #0 0x7fb09b021138 in __interceptor_calloc (/usr/lib64/libasan.so.5+0xee138)
+ #1 0x7fb09af2ab1e in GifMakeMapObject ../../giflib-5.1.4/lib/gifalloc.c:55
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow ../../giflib-5.1.4/util/gif2rgb.c:323 in DumpScreen2RGB
+
+Signed-off-by: Bogdan Codres
+---
+ util/gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index bdc861f..9916fde 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -327,6 +327,9 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+ if (fwrite(Buffers[0], ScreenWidth, 1, rgbfp[0]) != 1 ||
+ fwrite(Buffers[1], ScreenWidth, 1, rgbfp[1]) != 1 ||
+ fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1)
++ free((char *) Buffers[0]);
++ free((char *) Buffers[1]);
++ free((char *) Buffers[2]);
+ GIF_EXIT("Write to file(s) failed.");
+ }
+
+--
+2.26.1
+
+
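Review bot: The three `free()` calls are inserted between a brace-less `if (... != 1)` and its `GIF_EXIT` call, so only `free((char *) Buffers[0]);` stays conditional; `free(Buffers[1])`, `free(Buffers[2])` and `GIF_EXIT("Write to file(s) failed.");` become unconditional and run after the first successful row write, terminating gif2rgb with a write error on every valid input. The condition needs braces: change the last condition line to `fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1) {` and add a closing `}` after the `GIF_EXIT` line (with the hunk's line counts adjusted). Separately, the commit message describes a heap-buffer-overflow read at gif2rgb.c:323, but the diff only changes the fwrite error path and adds no bounds check, so please verify against the upstream fix that this patch, rather than the ColorCount check in CVE-2022-28506.patch, is what actually addresses CVE-2023-48161.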
diff --git a/SPECS/giflib/giflib.spec b/SPECS/giflib/giflib.spec
index 174bc84dc71..a44b87f0a96 100644
--- a/SPECS/giflib/giflib.spec
+++ b/SPECS/giflib/giflib.spec
@@ -1,7 +1,7 @@
Name: giflib
Summary: A library and utilities for processing GIFs
Version: 5.2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -9,6 +9,8 @@ URL: http://www.sourceforge.net/projects/giflib/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
# Move quantize.c back into libgif.so (#1750122)
Patch0: giflib_quantize.patch
+Patch1: CVE-2023-48161.patch
+Patch2: CVE-2022-28506.patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: xmlto
@@ -59,6 +61,9 @@ find %{buildroot} -name '*.a' -print -delete
%{_mandir}/man1/*.1*
%changelog
+* Fri Oct 11 2024 Suresh Thelkar - 5.2.1-7
+- Patch CVE-2023-48161 and CVE-2022-28506
+
* Mon Jul 11 2022 Olivia Crain - 5.2.1-6
- Promote to mariner-official-base repo
- Lint spec
diff --git a/SPECS/gnutls/gnutls.signatures.json b/SPECS/gnutls/gnutls.signatures.json
index fd7a01f2b5a..4bed96492c2 100644
--- a/SPECS/gnutls/gnutls.signatures.json
+++ b/SPECS/gnutls/gnutls.signatures.json
@@ -1,5 +1,5 @@
{
"Signatures": {
- "gnutls-3.7.7.tar.xz": "be9143d0d58eab64dba9b77114aaafac529b6c0d7e81de6bdf1c9b59027d2106"
+ "gnutls-3.7.11.tar.xz": "90e337504031ef7d3077ab1a52ca8bac9b2f72bc454c95365a1cd1e0e81e06e9"
}
}
\ No newline at end of file
diff --git a/SPECS/gnutls/gnutls.spec b/SPECS/gnutls/gnutls.spec
index 9b0f53f4ef5..3916dd9c2bf 100644
--- a/SPECS/gnutls/gnutls.spec
+++ b/SPECS/gnutls/gnutls.spec
@@ -1,15 +1,13 @@
Summary: The GnuTLS Transport Layer Security Library
Name: gnutls
-Version: 3.7.7
-Release: 4%{?dist}
+Version: 3.7.11
+Release: 1%{?dist}
License: GPLv3+ AND LGPLv2.1+
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Libraries
URL: https://www.gnutls.org
Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
-Patch0: CVE-2023-0361.patch
-Patch1: CVE-2024-0567.patch
BuildRequires: autogen-libopts-devel
BuildRequires: gc-devel
BuildRequires: guile-devel
@@ -96,6 +94,10 @@ sed -i 's/TESTS += test-ciphers-openssl.sh//' tests/slow/Makefile.am
%{_mandir}/man3/*
%changelog
+* Mon Sep 30 2024 Muhammad Falak - 3.7.11-1
+- Upgrade to v3.7.11 to address CVE-2023-5981, CVE-2024-28835, CVE-2024-28834, CVE-2024-0553
+- Drop patches which are already included in the source.
+
* Wed Sep 20 2023 Zhichun Wan - 3.7.7-4
- Add patch to fix CVE-2024-0567
diff --git a/SPECS/heimdal/CVE-2022-3116.patch b/SPECS/heimdal/CVE-2022-3116.patch
new file mode 100644
index 00000000000..21fe55075b0
--- /dev/null
+++ b/SPECS/heimdal/CVE-2022-3116.patch
@@ -0,0 +1,52 @@
+From 2584657af19b706fe49225cc9227bbfded0ee704 Mon Sep 17 00:00:00 2001
+From: ankita
+Date: Tue, 1 Oct 2024 16:05:50 +0530
+Subject: [PATCH] heimdal: Fix NULL deref in spnego for fixing CVE-2022-3116
+
+Signed-off-by: ankita
+---
+ lib/gssapi/spnego/accept_sec_context.c | 28 +++++++++++++-------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
+index 5fe1a1a..4920664 100644
+--- a/lib/gssapi/spnego/accept_sec_context.c
++++ b/lib/gssapi/spnego/accept_sec_context.c
+@@ -605,20 +605,20 @@ acceptor_start
+ * If opportunistic token failed, lets try the other mechs.
+ */
+
+- if (!first_ok && ni->mechToken != NULL) {
+- size_t j;
+-
+- preferred_mech_type = GSS_C_NO_OID;
+-
+- /* Call glue layer to find first mech we support */
+- for (j = 1; j < ni->mechTypes.len; ++j) {
+- ret = select_mech(minor_status,
+- &ni->mechTypes.val[j],
+- 1,
+- &preferred_mech_type);
+- if (ret == 0)
+- break;
+- }
++ if (!first_ok) {
++ size_t j;
++
++ preferred_mech_type = GSS_C_NO_OID;
++
++ /* Call glue layer to find first mech we support */
++ for (j = 1; j < ni->mechTypes.len; ++j) {
++ ret = select_mech(minor_status,
++ &ni->mechTypes.val[j],
++ 1,
++ &preferred_mech_type);
++ if (ret == 0)
++ break;
++ }
+ }
+
+ ctx->preferred_mech_type = preferred_mech_type;
+--
+2.34.1
+
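Review bot: The patch header says only `Fix NULL deref in spnego` and names no upstream origin, although the spec changelog calls it a backport; add the Heimdal/Samba commit id it was taken from and one sentence on the root cause (why dropping the `ni->mechToken != NULL` guard removes the dereference) so the next reviewer can diff it against the original fix. Functionally the loop body is byte-identical and never reads `mechToken`, so the only behavioural change is that the fallback mech search now also runs when no opportunistic token was sent; note the search still starts at `j = 1`, i.e. `mechTypes.val[0]` is skipped in that case too — presumably because index 0 was the opportunistic choice made earlier in `acceptor_start`, but that reasoning belongs in the header. The code that computes `first_ok` and the initial `preferred_mech_type` lies outside the hunk, so I cannot confirm from here what `preferred_mech_type` holds when `mechTypes.len <= 1` and the loop never iterates.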
diff --git a/SPECS/heimdal/heimdal.spec b/SPECS/heimdal/heimdal.spec
index 3c6605d7687..27ec4d23864 100644
--- a/SPECS/heimdal/heimdal.spec
+++ b/SPECS/heimdal/heimdal.spec
@@ -12,7 +12,7 @@
Summary: A Kerberos 5 implementation without export restrictions
Name: heimdal
Version: 7.7.1
-Release: 3%{?dist}
+Release: 4%{?dist}
License: BSD AND MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -45,6 +45,7 @@ Patch4: CVE-2022-42898.patch
Patch5: 0001-lib-krb5-krb5_pac_parse-mem-leak-if-pac_header_size-.patch
Patch6: 0002-kdc-Check-generate_pac-return-code.patch
Patch7: 0003-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
+Patch8: CVE-2022-3116.patch
BuildRequires: bison
#libcom_err-devel is in
#BuildRequires: libcom_err-devel
@@ -487,6 +488,9 @@ fi
%{_sysconfdir}/profile.d/%{name}.csh
%changelog
+* Tue Oct 01 2024 Ankita Pareek - 7.7.1-4
+- Add backported patch for CVE-2022-3116
+
* Thu Aug 24 2023 Muhammad Falak R Wani - 7.7.1-3
- Address CVE-2022-42898
- Introduce 3 more patches that fix bugs: https://github.com/heimdal/heimdal/issues/1011
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index baa5bdebb86..490821e1c1f 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -12,7 +12,7 @@
Summary: Linux API header files
Name: kernel-headers
Version: 5.15.167.1
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -73,6 +73,9 @@ done
%endif
%changelog
+* Wed Oct 23 2024 Rachel Menge - 5.15.167.1-2
+- Bump release to match kernel
+
* Wed Sep 18 2024 CBL-Mariner Servicing Account - 5.15.167.1-1
- Auto-upgrade to 5.15.167.1
diff --git a/SPECS/kernel/CVE-2024-38381.nopatch b/SPECS/kernel/CVE-2024-38381.nopatch
new file mode 100644
index 00000000000..0e176d3a40b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-38381.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-38381 - patched in 5.15.161.1 - (generated by autopatch tool)
+upstream e4a87abf588536d1cdfb128595e6e680af5cf3ed - stable ad4d196d2008c7f413167f0a693feb4f0439d7fe
+
diff --git a/SPECS/kernel/CVE-2024-38577.nopatch b/SPECS/kernel/CVE-2024-38577.nopatch
new file mode 100644
index 00000000000..eac2fa16d86
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-38577.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-38577 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream cc5645fddb0ce28492b15520306d092730dffa48 - stable af7b560c88fb420099e29890aa682b8a3efc8784
+
diff --git a/SPECS/kernel/CVE-2024-38588.nopatch b/SPECS/kernel/CVE-2024-38588.nopatch
new file mode 100644
index 00000000000..5328225bfc3
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-38588.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-38588 - patched in 5.15.162.1 - (generated by autopatch tool)
+upstream e60b613df8b6253def41215402f72986fee3fc8d - stable 8ea8ef5e42173560ac510e92a1cc797ffeea8831
+
diff --git a/SPECS/kernel/CVE-2024-41011.nopatch b/SPECS/kernel/CVE-2024-41011.nopatch
new file mode 100644
index 00000000000..ee58c28507a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-41011.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-41011 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7 - stable 8ad4838040e5515939c071a0f511ce2661a0889d
+
diff --git a/SPECS/kernel/CVE-2024-41098.nopatch b/SPECS/kernel/CVE-2024-41098.nopatch
new file mode 100644
index 00000000000..43a21d51bdd
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-41098.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-41098 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 5d92c7c566dc76d96e0e19e481d926bbe6631c1e - stable 221e3b1297e74fdec32d0f572f4dcb2260a0a2af
+
diff --git a/SPECS/kernel/CVE-2024-42228.nopatch b/SPECS/kernel/CVE-2024-42228.nopatch
new file mode 100644
index 00000000000..93aadd5b597
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42228.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42228 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 - stable da6a85d197888067e8d38b5d22c986b5b5cab712
+
diff --git a/SPECS/kernel/CVE-2024-42246.nopatch b/SPECS/kernel/CVE-2024-42246.nopatch
new file mode 100644
index 00000000000..fba5c0b8f7b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42246.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42246 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream 626dfed5fa3bfb41e0dffd796032b555b69f9cde - stable 5d8254e012996cee1a0f9cc920531cb7e4d9a011
+
diff --git a/SPECS/kernel/CVE-2024-42297.nopatch b/SPECS/kernel/CVE-2024-42297.nopatch
new file mode 100644
index 00000000000..c0629f0ee7e
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-42297.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-42297 - patched in 5.15.165.1 - (generated by autopatch tool)
+upstream 192b8fb8d1c8ca3c87366ebbef599fa80bb626b8 - stable ec56571b4b146a1cfbedab49d5fcaf19fe8bf4f1
+
diff --git a/SPECS/kernel/CVE-2024-43829.nopatch b/SPECS/kernel/CVE-2024-43829.nopatch
new file mode 100644
index 00000000000..c529b05375a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43829.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43829 - patched in 5.15.165.1 - (generated by autopatch tool)
+upstream 7bd09a2db0f617377027a2bb0b9179e6959edff3 - stable 3efe34f95b1ac8c138a46b14ce75956db0d6ee7c
+
diff --git a/SPECS/kernel/CVE-2024-43853.nopatch b/SPECS/kernel/CVE-2024-43853.nopatch
new file mode 100644
index 00000000000..7efdbead891
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43853.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43853 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 1be59c97c83ccd67a519d8a49486b3a8a73ca28a - stable 4e8d6ac8fc9f843e940ab7389db8136634e07989
+
diff --git a/SPECS/kernel/CVE-2024-43884.nopatch b/SPECS/kernel/CVE-2024-43884.nopatch
new file mode 100644
index 00000000000..8114ed4d7a9
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43884.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43884 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 538fd3921afac97158d4177139a0ad39f056dbb2 - stable 951d6cb5eaac5130d076c728f2a6db420621afdb
+
diff --git a/SPECS/kernel/CVE-2024-43892.nopatch b/SPECS/kernel/CVE-2024-43892.nopatch
new file mode 100644
index 00000000000..0691991572b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43892.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43892 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream 9972605a238339b85bd16b084eed5f18414d22db - stable e6cc9ff2ac0b5df9f25eb790934c3104f6710278
+
diff --git a/SPECS/kernel/CVE-2024-43897.nopatch b/SPECS/kernel/CVE-2024-43897.nopatch
new file mode 100644
index 00000000000..b95a63da7b1
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43897.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43897 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream 89add40066f9ed9abe5f7f886fe5789ff7e0c50e - stable 413e785a89f8bde0d4156a54b8ac2fa003c06756
+
diff --git a/SPECS/kernel/CVE-2024-43905.nopatch b/SPECS/kernel/CVE-2024-43905.nopatch
new file mode 100644
index 00000000000..563d6074da8
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43905.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43905 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream 50151b7f1c79a09117837eb95b76c2de76841dab - stable 0fa11f9df96217c2785b040629ff1a16900fb51c
+
diff --git a/SPECS/kernel/CVE-2024-44946.nopatch b/SPECS/kernel/CVE-2024-44946.nopatch
new file mode 100644
index 00000000000..75cbb483b34
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44946.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44946 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 807067bf014d4a3ae2cc55bd3de16f22a01eb580 - stable fa6c23fe6dcac8c8bd63920ee8681292a2bd544e
+
diff --git a/SPECS/kernel/CVE-2024-44947.nopatch b/SPECS/kernel/CVE-2024-44947.nopatch
new file mode 100644
index 00000000000..7872d31013d
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44947.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44947 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 3c0da3d163eb32f1f91891efaade027fa9b245b9 - stable 8c78303eafbf85a728dd84d1750e89240c677dd9
+
diff --git a/SPECS/kernel/CVE-2024-44974.nopatch b/SPECS/kernel/CVE-2024-44974.nopatch
new file mode 100644
index 00000000000..c9e042f32d8
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44974.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44974 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d - stable f2c865e9e3ca44fc06b5f73b29a954775e4dbb38
+
diff --git a/SPECS/kernel/CVE-2024-44983.nopatch b/SPECS/kernel/CVE-2024-44983.nopatch
new file mode 100644
index 00000000000..dcccc2d02a5
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44983.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44983 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 6ea14ccb60c8ab829349979b22b58a941ec4a3ee - stable c05155cc455785916164aa5e1b4605a2ae946537
+
diff --git a/SPECS/kernel/CVE-2024-44985.nopatch b/SPECS/kernel/CVE-2024-44985.nopatch
new file mode 100644
index 00000000000..fcb1f86aed7
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44985.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44985 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 2d5ff7e339d04622d8282661df36151906d0e1c7 - stable 975f764e96f71616b530e300c1bb2ac0ce0c2596
+
diff --git a/SPECS/kernel/CVE-2024-44986.nopatch b/SPECS/kernel/CVE-2024-44986.nopatch
new file mode 100644
index 00000000000..3fb61b523e9
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44986.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44986 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream da273b377ae0d9bd255281ed3c2adb228321687b - stable e891b36de161fcd96f12ff83667473e5067b9037
+
diff --git a/SPECS/kernel/CVE-2024-44987.nopatch b/SPECS/kernel/CVE-2024-44987.nopatch
new file mode 100644
index 00000000000..fcfe02b970a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44987.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44987 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream faa389b2fbaaec7fd27a390b4896139f9da662e3 - stable 24e93695b1239fbe4c31e224372be77f82dab69a
+
diff --git a/SPECS/kernel/CVE-2024-44989.nopatch b/SPECS/kernel/CVE-2024-44989.nopatch
new file mode 100644
index 00000000000..b8fe3251adb
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44989.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44989 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream f8cde9805981c50d0c029063dc7d82821806fc44 - stable 2f72c6a66bcd7e0187ec085237fee5db27145294
+
diff --git a/SPECS/kernel/CVE-2024-44990.nopatch b/SPECS/kernel/CVE-2024-44990.nopatch
new file mode 100644
index 00000000000..9a04be405f5
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44990.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44990 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 95c90e4ad89d493a7a14fa200082e466e2548f9d - stable 2f5bdd68c1ce64bda6bef4d361a3de23b04ccd59
+
diff --git a/SPECS/kernel/CVE-2024-44995.nopatch b/SPECS/kernel/CVE-2024-44995.nopatch
new file mode 100644
index 00000000000..1170b8c4f61
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44995.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44995 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream be5e816d00a506719e9dbb1a9c861c5ced30a109 - stable 195918217448a6bb7f929d6a2ffffce9f1ece1cc
+
diff --git a/SPECS/kernel/CVE-2024-44998.nopatch b/SPECS/kernel/CVE-2024-44998.nopatch
new file mode 100644
index 00000000000..dfe604f33e6
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44998.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44998 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream a9a18e8f770c9b0703dab93580d0b02e199a4c79 - stable 24cf390a5426aac9255205e9533cdd7b4235d518
+
diff --git a/SPECS/kernel/CVE-2024-44999.nopatch b/SPECS/kernel/CVE-2024-44999.nopatch
new file mode 100644
index 00000000000..3257694a76f
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44999.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44999 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 3a3be7ff9224f424e485287b54be00d2c6bd9c40 - stable 1f6b62392453d8f36685d19b761307a8c5617ac1
+
diff --git a/SPECS/kernel/CVE-2024-45006.nopatch b/SPECS/kernel/CVE-2024-45006.nopatch
new file mode 100644
index 00000000000..dcd555b9c1f
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45006.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45006 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream af8e119f52e9c13e556be9e03f27957554a84656 - stable 365ef7c4277fdd781a695c3553fa157d622d805d
+
diff --git a/SPECS/kernel/CVE-2024-45009.nopatch b/SPECS/kernel/CVE-2024-45009.nopatch
new file mode 100644
index 00000000000..5eb04e02d5b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45009.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45009 - patched in 5.15.167.1 - (generated by autopatch tool)
+upstream 1c1f721375989579e46741f59523e39ec9b2a9bd - stable 35b31f5549ede4070566b949781e83495906b43d
+
diff --git a/SPECS/kernel/CVE-2024-45011.nopatch b/SPECS/kernel/CVE-2024-45011.nopatch
new file mode 100644
index 00000000000..b4e6ecc679a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45011.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45011 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 2374bf7558de915edc6ec8cb10ec3291dfab9594 - stable 25ee8b2908200fc862c0434e5ad483817d50ceda
+
diff --git a/SPECS/kernel/CVE-2024-45016.nopatch b/SPECS/kernel/CVE-2024-45016.nopatch
new file mode 100644
index 00000000000..7cb575bf83b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45016.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45016 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream c07ff8592d57ed258afee5a5e04991a48dbaf382 - stable 52d99a69f3d556c6426048c9d481b912205919d8
+
diff --git a/SPECS/kernel/CVE-2024-45018.nopatch b/SPECS/kernel/CVE-2024-45018.nopatch
new file mode 100644
index 00000000000..4c28d97c595
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45018.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45018 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream e9767137308daf906496613fd879808a07f006a2 - stable 356beb911b63a8cff34cb57f755c2a2d2ee9dec7
+
diff --git a/SPECS/kernel/CVE-2024-45021.nopatch b/SPECS/kernel/CVE-2024-45021.nopatch
new file mode 100644
index 00000000000..c6c15698616
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45021.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45021 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 046667c4d3196938e992fba0dfcde570aa85cd0e - stable 0fbe2a72e853a1052abe9bc2b7df8ddb102da227
+
diff --git a/SPECS/kernel/CVE-2024-45025.nopatch b/SPECS/kernel/CVE-2024-45025.nopatch
new file mode 100644
index 00000000000..592a3439602
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45025.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45025 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 9a2fa1472083580b6c66bdaf291f591e1170123a - stable 5053581fe5dfb09b58c65dd8462bf5dea71f41ff
+
diff --git a/SPECS/kernel/CVE-2024-45026.nopatch b/SPECS/kernel/CVE-2024-45026.nopatch
new file mode 100644
index 00000000000..8838f2096b8
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45026.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45026 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 7db4042336580dfd75cb5faa82c12cd51098c90b - stable a665e3b7ac7d5cdc26e00e3d0fc8fd490e00316a
+
diff --git a/SPECS/kernel/CVE-2024-45028.nopatch b/SPECS/kernel/CVE-2024-45028.nopatch
new file mode 100644
index 00000000000..b25a9e07ecf
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45028.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45028 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream a1e627af32ed60713941cbfc8075d44cad07f6dd - stable e40515582141a9e7c84b269be699c05236a499a6
+
diff --git a/SPECS/kernel/CVE-2024-46673.nopatch b/SPECS/kernel/CVE-2024-46673.nopatch
new file mode 100644
index 00000000000..b328da455d0
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46673.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46673 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 919ddf8336f0b84c0453bac583808c9f165a85c2 - stable 85449b28ff6a89c4513115e43ddcad949b5890c9
+
diff --git a/SPECS/kernel/CVE-2024-46674.nopatch b/SPECS/kernel/CVE-2024-46674.nopatch
new file mode 100644
index 00000000000..603fdfd1f1f
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46674.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46674 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream ddfcfeba891064b88bb844208b43bef2ef970f0c - stable 060f41243ad7f6f5249fa7290dda0c01f723d12d
+
diff --git a/SPECS/kernel/CVE-2024-46677.nopatch b/SPECS/kernel/CVE-2024-46677.nopatch
new file mode 100644
index 00000000000..42e5c7d9a87
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46677.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46677 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream defd8b3c37b0f9cb3e0f60f47d3d78d459d57fda - stable 4643b91691e969b1b9ad54bf552d7a990cfa3b87
+
diff --git a/SPECS/kernel/CVE-2024-46685.nopatch b/SPECS/kernel/CVE-2024-46685.nopatch
new file mode 100644
index 00000000000..e7beea02f57
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46685.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46685 - patched in 5.15.166.1 - (generated by autopatch tool)
+upstream 1c38a62f15e595346a1106025722869e87ffe044 - stable 6341c2856785dca7006820b127278058a180c075
+
diff --git a/SPECS/kernel/CVE-2024-46863.nopatch b/SPECS/kernel/CVE-2024-46863.nopatch
new file mode 100644
index 00000000000..84be2916e20
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46863.nopatch
@@ -0,0 +1,4 @@
+CVE-2024-46863 - Introducing commit(s) not present in LTS - (generated by autopatch tool)
+upstream fix commit: c4246f1fe9f24f8dcd97887ed67d8fcfd91f4796
+upstream introducing commit: dd3bd9dc47084195fcb3c1b371cb03046abb13ab
+
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index 80894ddb8d3..e3e322650bf 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -1789,7 +1789,7 @@ CONFIG_HAMRADIO=y
CONFIG_AX25=m
CONFIG_AX25_DAMA_SLAVE=y
CONFIG_NETROM=m
-CONFIG_ROSE=m
+# CONFIG_ROSE is not set
#
# AX.25 network device drivers
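Review bot: `CONFIG_ROSE` is switched off here for aarch64 only; the x86_64 `config` in the same directory is not part of this change (kernel.signatures.json updates just the `config_aarch64` hash), so either ROSE is already disabled there or the CVE-2022-2961 mitigation is incomplete on x86_64 — worth confirming before merge. Because the option was `=m`, `rose.ko` simply stops being built, which is a functional change for anyone who modprobes it; the sibling amateur-radio options `CONFIG_AX25=m` and `CONFIG_NETROM=m` are left enabled, so the changelog wording should make clear that only ROSE was removed. A one-line reason next to the setting, e.g. `# CONFIG_ROSE is not set` preceded by `# disabled for CVE-2022-2961`, would keep the rationale from being lost on the next config regeneration, though any comment beyond the standard form will be dropped by `make olddefconfig`.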
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 42ccdb1d085..d5e3b8abb45 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -2,7 +2,7 @@
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "dc024483419fd8d1df7191058e01d80d7421d1c141f0bfc30f330201abb51ed3",
- "config_aarch64": "784b95a886e48269d5da1ca7451ead489a84d8af9a8579874f9554741fa73916",
+ "config_aarch64": "000300cac16ea745e68e93e1cada7c344518d4e848e287530b2d3f1225b51e05",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
"kernel-5.15.167.1.tar.gz": "2f529a3abf4167d1de5f7dd73043827db2c08d647d924990843ee914b0558ee0"
}
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index e306af0fe70..ddd26aec995 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -28,7 +28,7 @@
Summary: Linux Kernel
Name: kernel
Version: 5.15.167.1
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -426,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
+* Wed Oct 23 2024 Rachel Menge - 5.15.167.1-2
+- Remove Amateur Radio X.25 PLP Rose for CVE-2022-2961
+
* Wed Sep 18 2024 CBL-Mariner Servicing Account - 5.15.167.1-1
- Auto-upgrade to 5.15.167.1
diff --git a/SPECS/kube-vip-cloud-provider/CVE-2024-28180.patch b/SPECS/kube-vip-cloud-provider/CVE-2024-28180.patch
new file mode 100644
index 00000000000..b90c00427c8
--- /dev/null
+++ b/SPECS/kube-vip-cloud-provider/CVE-2024-28180.patch
@@ -0,0 +1,91 @@
+From 1970c450067bcd4862a4674d30036d35c4e24e33 Mon Sep 17 00:00:00 2001
+From: Jacob Hoffman-Andrews
+Date: Thu, 7 Mar 2024 14:25:21 -0800
+Subject: [PATCH] v2: backport decompression limit fix (#109)
+
+Backport from #107.
+
+Modified to apply to vendored code by: Ahmed Badawi
+---
+ vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++----
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
+index c45c712..d364dcc 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
++++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
+@@ -399,6 +399,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
+ // Decrypt and validate the object and return the plaintext. Note that this
+ // function does not support multi-recipient, if you desire multi-recipient
+ // decryption use DecryptMulti instead.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+ headers := obj.mergedHeaders(nil)
+
+@@ -463,6 +466,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
+ // with support for multiple recipients. It returns the index of the recipient
+ // for which the decryption was successful, the merged headers for that recipient,
+ // and the plaintext.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ globalHeaders := obj.mergedHeaders(nil)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index b9687c6..ac4a44e 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "regexp"
+@@ -79,7 +80,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -91,15 +92,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
+--
+2.39.4
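Review bot: The doc comment added above `DecryptMulti` states the bound as `>3x the size of the compressed data`, while `inflate` enforces `maxCompressedSize := 10 * int64(len(input))` and the `Decrypt` comment says 10x, so the `DecryptMulti` line misdescribes a security limit and should read `// data would be >250kB or >10x the size of the compressed data, whichever is larger.` The name `maxCompressedSize` bounds the decompressed output, not the compressed input, and would read better as `maxDecompressedSize`. Both issues appear to be inherited from the upstream backport, so leaving them verbatim is defensible for a vendored patch, but the comment mismatch is the kind of thing a later reader will act on. The bodies of `Decrypt`, `DecryptMulti` and `decompress` are outside the hunk context, so I cannot confirm from here that every decompression path goes through `inflate`.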
diff --git a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
index 24742036846..4f2c20e8622 100644
--- a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
+++ b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
@@ -1,7 +1,7 @@
Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups
Name: kube-vip-cloud-provider
Version: 0.0.2
-Release: 18%{?dist}
+Release: 19%{?dist}
License: ASL 2.0
URL: https://github.com/kube-vip/kube-vip-cloud-provider
Group: Applications/Text
@@ -24,6 +24,7 @@ Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2022-21698.patch
Patch1: CVE-2021-44716.patch
Patch2: CVE-2023-44487.patch
+Patch3: CVE-2024-28180.patch
BuildRequires: golang
%description
@@ -49,6 +50,9 @@ go test -mod=vendor ./...
%{_bindir}/kube-vip-cloud-provider
%changelog
+* Mon Oct 07 2024 Ahmed Badawi - 0.0.2-19
+- Apply security fix for CVE-2024-28180 by patching vendored go-jose
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 0.0.2-18
- Bump release to rebuild with go 1.22.7
diff --git a/SPECS/kubernetes/CVE-2024-24786.patch b/SPECS/kubernetes/CVE-2024-24786.patch
new file mode 100644
index 00000000000..4cfbbf2d06c
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2024-24786.patch
@@ -0,0 +1,28 @@
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 6c37d41..70c2ba6 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
+ }
+ }
+ }
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+ }
+ return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index d043a6e..d2b3ac0 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+ case ObjectClose:
+ if len(d.openStack) == 0 ||
+- d.lastToken.kind == comma ||
++ d.lastToken.kind&(Name|comma) != 0 ||
+ d.openStack[len(d.openStack)-1] != ObjectOpen {
+ return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ }
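Review bot: This patch carries no header at all — no From/Subject line and no upstream commit reference — unlike the heimdal, libarchive and kube-vip patches in the same change, so a maintainer cannot tell which protobuf-go commit it backports or why `d.lastToken.kind&(Name|comma) != 0` is the right condition. Add a short preamble naming the upstream fix for CVE-2024-24786 (the protobuf-go `internal/encoding/json` infinite-loop fix) and stating that `errors.New` in `well_known_types.go` relies on the `errors` package that file already imports; the import block is not in the hunk, so the spec build is currently the only check that the name resolves. Both modified functions (`skipJSONValue` and `Decoder.Read`) extend beyond the hunk context.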
diff --git a/SPECS/kubernetes/CVE-2024-28180.patch b/SPECS/kubernetes/CVE-2024-28180.patch
new file mode 100644
index 00000000000..a418b2a876b
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2024-28180.patch
@@ -0,0 +1,76 @@
+diff --git a/./vendor/gopkg.in/square/go-jose.v2/crypter.go b/../kubernetes/vendor/gopkg.in/square/go-jose.v2/crypter.go
+index be7433e..763eae0 100644
+--- a/./vendor/gopkg.in/square/go-jose.v2/crypter.go
++++ b/../kubernetes/vendor/gopkg.in/square/go-jose.v2/crypter.go
+@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
+ // Decrypt and validate the object and return the plaintext. Note that this
+ // function does not support multi-recipient, if you desire multi-recipient
+ // decryption use DecryptMulti instead.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+ headers := obj.mergedHeaders(nil)
+
+@@ -470,6 +473,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
+ // with support for multiple recipients. It returns the index of the recipient
+ // for which the decryption was successful, the merged headers for that recipient,
+ // and the plaintext.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ globalHeaders := obj.mergedHeaders(nil)
+
+diff --git a/./vendor/gopkg.in/square/go-jose.v2/encoding.go b/../kubernetes/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..ab9e086 100644
+--- a/./vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/../kubernetes/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
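Review bot: The file headers of this patch use mismatched, non-standard paths — `--- a/./vendor/gopkg.in/square/go-jose.v2/crypter.go` against `+++ b/../kubernetes/vendor/gopkg.in/square/go-jose.v2/crypter.go` — which look like the output of diffing two checkouts rather than `git format-patch`; GNU patch with `-p1` will likely fall back to the old-side name and still apply, but `git apply` and stricter tools may reject a `..` path component, so regenerate the headers as `--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go` / `+++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go` (and likewise for encoding.go). The identical fix under SPECS/kube-vip-cloud-provider carries a From/Subject/provenance header while this copy has none, so add the upstream go-jose v2 backport reference at the top. Also inherited from upstream: the `DecryptMulti` comment says `>3x` while `inflate` enforces `10 *`, and the two should be made consistent (`>10x`).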
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
index 7814bf23675..3b018cc3b52 100644
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
Summary: Microsoft Kubernetes
Name: kubernetes
Version: 1.28.4
-Release: 10%{?dist}
+Release: 12%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -22,6 +22,8 @@ Patch0: CVE-2024-21626.patch
Patch1: CVE-2023-48795.patch
Patch2: CVE-2023-5408.patch
Patch3: CVE-2023-45288.patch
+Patch4: CVE-2024-28180.patch
+Patch5: CVE-2024-24786.patch
BuildRequires: flex-devel
BuildRequires: glibc-static >= 2.35-7%{?dist}
BuildRequires: golang
@@ -268,6 +270,12 @@ fi
%{_exec_prefix}/local/bin/pause
%changelog
+* Mon Oct 14 2024 Henry Li - 1.28.4-12
+- Add patch to resolve CVE-2024-24786
+
+* Mon Oct 01 2024 Henry Li - 1.28.4-11
+- Add patch to resolve CVE-2024-28180
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.28.4-10
- Bump release to rebuild with go 1.22.7
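Review bot: The changelog entry `* Mon Oct 01 2024 Henry Li - 1.28.4-11` has the wrong weekday — 1 October 2024 was a Tuesday, as the heimdal entry in this same change (`* Tue Oct 01 2024`) records — and rpmbuild reports such lines as a bogus date in %changelog. Change it to `* Tue Oct 01 2024 Henry Li - 1.28.4-11`. Jumping the Release tag from 10 to 12 is fine as long as both entries are kept, which they are.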
diff --git a/SPECS/libarchive/CVE-2024-20696.patch b/SPECS/libarchive/CVE-2024-20696.patch
new file mode 100644
index 00000000000..22b376887e7
--- /dev/null
+++ b/SPECS/libarchive/CVE-2024-20696.patch
@@ -0,0 +1,126 @@
+From 0d2efd8e6869b21dffdd956a50ba2f220f11e238 Mon Sep 17 00:00:00 2001
+From: Nan Liu
+Date: Tue, 15 Oct 2024 18:31:23 +0000
+Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or
+ too-small length (CVE-2024-20696)
+
+---
+From 020c40df9e31ec727201a8e3ddf1f94093f8fc02 Mon Sep 17 00:00:00 2001
+From: "Dustin L. Howett"
+Date: Mon, 15 Jan 2024 22:16:27 -0600
+Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or
+ too-small length
+
+copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
+both of its callers were holding a `size_t`.
+
+A lzss opcode chain could be cosntructed that resulted in a negative
+copy length, which when passed into memcpy would result in a very, very
+large positive number.
+
+Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
+properly bounds-check length.
+
+In addition, this patch also ensures that `length` is not itself larger
+than the destination buffer.
+
+---
+ libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index f9cbe2a..024711c 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
+ struct huffman_table_entry *, int, int);
+ static int expand(struct archive_read *, int64_t *);
+ static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
+- int64_t, int);
++ int64_t, size_t);
+ static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
+ static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
+ uint8_t);
+@@ -2059,7 +2059,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+ bs = rar->unp_buffer_size - rar->unp_offset;
+ else
+ bs = (size_t)rar->bytes_uncopied;
+- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+ if (ret != ARCHIVE_OK)
+ return (ret);
+ rar->offset += bs;
+@@ -2199,7 +2199,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+ bs = rar->unp_buffer_size - rar->unp_offset;
+ else
+ bs = (size_t)rar->bytes_uncopied;
+- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+ if (ret != ARCHIVE_OK)
+ return (ret);
+ rar->offset += bs;
+@@ -3080,11 +3080,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
+
+ static int
+ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+- int64_t startpos, int length)
++ int64_t startpos, size_t length)
+ {
+ int windowoffs, firstpart;
+ struct rar *rar = (struct rar *)(a->format->data);
+
++ if (length > rar->unp_buffer_size)
++ {
++ goto fatal;
++ }
++
+ if (!rar->unp_buffer)
+ {
+ if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
+@@ -3096,17 +3101,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+ }
+
+ windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+- if(windowoffs + length <= lzss_size(&rar->lzss)) {
++ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
+ memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
+ length);
+- } else if (length <= lzss_size(&rar->lzss)) {
++ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
+ firstpart = lzss_size(&rar->lzss) - windowoffs;
+ if (firstpart < 0) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+ return (ARCHIVE_FATAL);
+ }
+- if (firstpart < length) {
++ if ((size_t)firstpart < length) {
+ memcpy(&rar->unp_buffer[rar->unp_offset],
+ &rar->lzss.window[windowoffs], firstpart);
+ memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
+@@ -3116,9 +3121,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+ &rar->lzss.window[windowoffs], length);
+ }
+ } else {
+- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+- "Bad RAR file data");
+- return (ARCHIVE_FATAL);
++ goto fatal;
+ }
+ rar->unp_offset += length;
+ if (rar->unp_offset >= rar->unp_buffer_size)
+@@ -3126,6 +3129,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+ else
+ *buffer = NULL;
+ return (ARCHIVE_OK);
++
++fatal:
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Bad RAR file data");
++ return (ARCHIVE_FATAL);
+ }
+
+ static const void *
+--
+2.34.1
+
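Review bot: The new guard at L2936 compares `length` against the whole `rar->unp_buffer_size`, not against the space left after `rar->unp_offset`, which is where the memcpy at L2950 actually writes; it therefore relies on the callers clamping `bs` to `unp_buffer_size - unp_offset` (L2909 and L2918). That mirrors the upstream fix and is not a regression, but a self-contained check would be `if (length > rar->unp_buffer_size - rar->unp_offset) goto fatal;`, valid as long as `unp_offset` is kept within `unp_buffer_size` (the comparison at L2975 suggests it is). It would also help to record in the patch header which upstream repository the embedded `From 020c40df...` commit comes from, as the libpcap patch in this same change does with its `Original Reference:` line. copy_from_lzss_window_to_unp is fully inside the hunk, but read_data_compressed at the two call sites is not.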
diff --git a/SPECS/libarchive/CVE-2024-48957.patch b/SPECS/libarchive/CVE-2024-48957.patch
new file mode 100644
index 00000000000..9f24e86f8b5
--- /dev/null
+++ b/SPECS/libarchive/CVE-2024-48957.patch
@@ -0,0 +1,35 @@
+From 9a6a505a1da891df29909eb2aeb6f067fe46f7d3 Mon Sep 17 00:00:00 2001
+From: Nan Liu
+Date: Tue, 15 Oct 2024 18:44:56 +0000
+Subject: [PATCH] fix: OOB in rar audio filter(CVE-2024-48957)
+
+---
+From 3ad7b9b6cc37d8a197a6c55af4634560df13771f Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan
+Date: Fri, 26 Apr 2024 16:35:06 +0900
+Subject: [PATCH] fix: OOB in rar audio filter
+
+---
+ libarchive/archive_read_support_format_rar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index dae2309..6510bcf 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3716,6 +3716,12 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
+ memset(&state, 0, sizeof(state));
+ for (j = i; j < length; j += numchannels)
+ {
++ /*
++ * The src block should not overlap with the dst block.
++ * If so it would be better to consider this archive is broken.
++ */
++ if (src >= dst)
++ return 0;
+ int8_t delta = (int8_t)*src++;
+ uint8_t predbyte, byte;
+ int prederror;
+--
+2.34.1
+
diff --git a/SPECS/libarchive/CVE-2024-48958.patch b/SPECS/libarchive/CVE-2024-48958.patch
new file mode 100644
index 00000000000..99f4f3edabd
--- /dev/null
+++ b/SPECS/libarchive/CVE-2024-48958.patch
@@ -0,0 +1,38 @@
+From b76fa2148bed31bd38acd896c19ee8a9a420eeae Mon Sep 17 00:00:00 2001
+From: Nan Liu
+Date: Tue, 15 Oct 2024 18:37:24 +0000
+Subject: [PATCH] fix: OOB in rar delta filter(CVE-2024-48958)
+
+---
+From 17d9d73ee92eeb1a08b0a56659d010d8120af33a Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan
+Date: Fri, 26 Apr 2024 13:58:34 +0900
+Subject: [PATCH] fix: OOB in rar delta filter
+
+---
+ libarchive/archive_read_support_format_rar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 024711c..dae2309 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3606,7 +3606,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
+ {
+ uint8_t lastbyte = 0;
+ for (idx = i; idx < length; idx += numchannels)
++ {
++ /*
++ * The src block should not overlap with the dst block.
++ * If so it would be better to consider this archive is broken.
++ */
++ if (src >= dst)
++ return 0;
+ lastbyte = dst[idx] = lastbyte - *src++;
++ }
+ }
+
+ filter->filteredblockaddress = length;
+--
+2.34.1
+
diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec
index 62114524033..20681c9a840 100644
--- a/SPECS/libarchive/libarchive.spec
+++ b/SPECS/libarchive/libarchive.spec
@@ -1,7 +1,7 @@
Summary: Multi-format archive and compression library
Name: libarchive
Version: 3.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}
# Certain files have individual licenses. For more details see contents of "COPYING".
License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
Vendor: Microsoft Corporation
@@ -10,6 +10,10 @@ URL: https://www.libarchive.org/
Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch0: CVE-2022-36227.patch
Patch1: CVE-2024-26256.patch
+# Please remove the following patches when upgrading to v3.7.5 and above
+Patch2: CVE-2024-20696.patch
+Patch3: CVE-2024-48958.patch
+Patch4: CVE-2024-48957.patch
Provides: bsdtar = %{version}-%{release}
BuildRequires: xz-libs
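Review bot: The comment at L3093 says when to drop the three patches but not that their order is fixed: the index lines inside them chain (CVE-2024-20696 ends at `024711c`, CVE-2024-48958 starts at `024711c` and ends at `dae2309`, CVE-2024-48957 starts at `dae2309`), so they only apply cleanly as Patch2, Patch3, Patch4 even though the numbering does not follow the CVE ids. Suggest extending the comment: `# Patch2-4 are sequential backports; keep this order, each one's preimage is the previous one's result.`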
@@ -62,6 +66,9 @@ make %{?_smp_mflags} check
%{_libdir}/pkgconfig/*.pc
%changelog
+* Tue Oct 15 2024 Nan Liu - 3.6.1-4
+- Patch CVE-2024-48957, CVE-2024-48958, CVE-2024-20696
+
* Thu Jun 06 2024 Nan Liu - 3.6.1-3
- Patch CVE-2024-26256
diff --git a/SPECS/libnvidia-container/common.mk.patch b/SPECS/libnvidia-container/common.mk.patch
index a0399927007..3db5d625fcf 100644
--- a/SPECS/libnvidia-container/common.mk.patch
+++ b/SPECS/libnvidia-container/common.mk.patch
@@ -1,6 +1,6 @@
-diff -urN libnvidia-container-1.9.0-orig/mk/common.mk libnvidia-container-1.9.0/mk/common.mk
---- libnvidia-container-1.9.0-orig/mk/common.mk 2022-03-18 03:31:56.000000000 -0700
-+++ libnvidia-container-1.9.0/mk/common.mk 2022-03-29 15:16:01.971189500 -0700
+diff -urN libnvidia-container-1.16.2-orig/mk/common.mk libnvidia-container-1.16.2/mk/common.mk
+--- libnvidia-container-1.16.2-orig/mk/common.mk 2022-03-18 03:31:56.000000000 -0700
++++ libnvidia-container-1.16.2/mk/common.mk 2022-03-29 15:16:01.971189500 -0700
@@ -27,7 +27,7 @@
else
DATE := $(shell date -u --iso-8601=minutes)
diff --git a/SPECS/libnvidia-container/libnvidia-container.signatures.json b/SPECS/libnvidia-container/libnvidia-container.signatures.json
index 6fab87ed43c..c9a2d47f7da 100644
--- a/SPECS/libnvidia-container/libnvidia-container.signatures.json
+++ b/SPECS/libnvidia-container/libnvidia-container.signatures.json
@@ -1,6 +1,6 @@
{
"Signatures": {
- "libnvidia-container-1.13.5.tar.gz": "431522239d71728d2840b2f048d0a0733c3e6ad7a209bdf21c7d17c0aa661657",
- "nvidia-modprobe-495.44.tar.gz": "ae6e9c7e6b43368945c28f6b8b6d0d7cc36ee7e1be8955a009a1cb189e46de92"
+ "libnvidia-container-1.16.2.tar.gz": "6f0775f51ac4bec285879bf084545f826094eba4e8430258eb5e2536e711c875",
+ "nvidia-modprobe-550.54.14.tar.gz": "5687b0dfa6087dd480ae91e91ff1dca975794e35a2edcf9ec08d8f9cb98ef905"
}
}
\ No newline at end of file
diff --git a/SPECS/libnvidia-container/libnvidia-container.spec b/SPECS/libnvidia-container/libnvidia-container.spec
index 40b53460c90..56068f7a884 100644
--- a/SPECS/libnvidia-container/libnvidia-container.spec
+++ b/SPECS/libnvidia-container/libnvidia-container.spec
@@ -1,10 +1,10 @@
-%define modprobe_version 495.44
+%define modprobe_version 550.54.14
%define _major 1
%define mod_probe_dir deps/src/nvidia-modprobe-%{modprobe_version}
Summary: NVIDIA container runtime library
Name: libnvidia-container
-Version: 1.13.5
-Release: 7%{?dist}
+Version: 1.16.2
+Release: 1%{?dist}
License: BSD AND ASL2.0 AND GPLv3+ AND LGPLv3+ AND MIT AND GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -39,6 +39,9 @@ tar -C %{mod_probe_dir} --strip-components=1 -xzf %{SOURCE1}
touch %{mod_probe_dir}/.download_stamp
%build
+sed -i 's/^MAJOR[[:space:]]*:=.*$/MAJOR := 1/' versions.mk
+sed -i 's/^MINOR[[:space:]]*:=.*$/MINOR := 16/' versions.mk
+sed -i 's/^PATCH[[:space:]]*:=.*$/PATCH := 2/' versions.mk
%make_build WITH_LIBELF=yes
%install
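Review bot: The three `sed` lines at L3156-L3158 hard-code `1`, `16` and `2` into versions.mk instead of deriving them from `Version: 1.16.2` (L3148), so the next version bump that forgets to update them silently stamps the old version into the library. Derive the fields from the macro, e.g. `sed -i 's/^MINOR[[:space:]]*:=.*$/MINOR := %(echo %{version} | cut -d. -f2)/' versions.mk`, with `-f1` and `-f3` for MAJOR and PATCH, and add a one-line comment saying why the values shipped in upstream versions.mk need overriding for this build.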
@@ -132,6 +135,9 @@ This package contains command-line tools that facilitate using the library.
%{_bindir}/*
%changelog
+* Mon Oct 07 2024 Mandeep Plaha - 1.16.2-1
+- Upgrade to version 1.16.2 to stay in sync with nvidia-container-toolkit.
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.13.5-7
- Bump release to rebuild with go 1.22.7
diff --git a/SPECS/libnvidia-container/libtirpc.patch b/SPECS/libnvidia-container/libtirpc.patch
index ca2156de969..8d153d2766f 100644
--- a/SPECS/libnvidia-container/libtirpc.patch
+++ b/SPECS/libnvidia-container/libtirpc.patch
@@ -1,6 +1,6 @@
-diff -urN libnvidia-container-1.9.0-orig/Makefile libnvidia-container-1.9.0/Makefile
---- libnvidia-container-1.9.0-orig/Makefile 2022-03-18 03:31:56.000000000 -0700
-+++ libnvidia-container-1.9.0/Makefile 2022-03-29 15:20:11.362669600 -0700
+diff -urN libnvidia-container-1.16.2-orig/Makefile libnvidia-container-1.16.2/Makefile
+--- libnvidia-container-1.16.2-orig/Makefile 2022-03-18 03:31:56.000000000 -0700
++++ libnvidia-container-1.16.2/Makefile 2022-03-29 15:20:11.362669600 -0700
@@ -168,6 +168,9 @@
LIB_CPPFLAGS += -isystem $(DEPS_DIR)$(includedir)/tirpc -DWITH_TIRPC
LIB_LDLIBS_STATIC += -l:libtirpc.a
diff --git a/SPECS/libnvidia-container/nvidia-modprobe.patch b/SPECS/libnvidia-container/nvidia-modprobe.patch
index d99a17488a0..145ab9b4730 100644
--- a/SPECS/libnvidia-container/nvidia-modprobe.patch
+++ b/SPECS/libnvidia-container/nvidia-modprobe.patch
@@ -1,7 +1,7 @@
-diff -ruN nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.c nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.c
---- nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.c 2021-11-13 14:36:58.096684602 +0000
-+++ nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.c 2021-11-13 14:43:40.965146390 +0000
-@@ -888,10 +888,10 @@
+diff -ruN nvidia-modprobe-550.54.14/modprobe-utils/nvidia-modprobe-utils.c nvidia-modprobe-550.54.14-patched/modprobe-utils/nvidia-modprobe-utils.c
+--- nvidia-modprobe-550.54.14/modprobe-utils/nvidia-modprobe-utils.c 2021-11-13 14:36:58.096684602 +0000
++++ nvidia-modprobe-550.54.14-patched/modprobe-utils/nvidia-modprobe-utils.c 2021-11-13 14:43:40.965146390 +0000
+@@ -959,10 +959,10 @@
return mknod_helper(major, minor_num, vgpu_dev_name, NV_PROC_REGISTRY_PATH);
}
@@ -16,14 +16,16 @@ diff -ruN nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.c nvidia-m
{
char field[32];
FILE *fp;
-diff -ruN nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.h nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.h
---- nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.h 2021-11-13 14:36:58.096684602 +0000
-+++ nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.h 2021-11-13 14:38:34.078700961 +0000
-@@ -81,6 +81,7 @@
+diff -ruN nvidia-modprobe-550.54.14/modprobe-utils/nvidia-modprobe-utils.h nvidia-modprobe-550.54.14-patched/modprobe-utils/nvidia-modprobe-utils.h
+--- nvidia-modprobe-550.54.14/modprobe-utils/nvidia-modprobe-utils.h 2021-11-13 14:36:58.096684602 +0000
++++ nvidia-modprobe-550.54.14-patched/modprobe-utils/nvidia-modprobe-utils.h 2021-11-13 14:38:34.078700961 +0000
+@@ -87,6 +87,7 @@
int nvidia_nvswitch_get_file_state(int minor);
int nvidia_cap_mknod(const char* cap_file_path, int *minor);
int nvidia_cap_get_file_state(const char* cap_file_path);
+int nvidia_cap_get_device_file_attrs(const char* cap_file_path, int *major, int *minor, char *name);
+ int nvidia_cap_imex_channel_mknod(int minor);
+ int nvidia_cap_imex_channel_file_state(int minor);
int nvidia_get_chardev_major(const char *name);
int nvidia_msr_modprobe(void);
-
+
\ No newline at end of file
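Review bot: The hunk headers of the embedded patch look hand-edited rather than regenerated: the new `@@ -87,6 +87,7 @@` at L3209 keeps the old 6/7 line counts while the body below now carries two more context lines (L3214-L3215) than the old `@@ -81,6 +81,7 @@` body did, and the `---`/`+++` timestamps at L3193-L3194 still read 2021-11-13 for a 550.54.14 tree. If this rendering is faithful, GNU patch will likely stop reading the hunk after the seventh new-side line and ignore the remainder, while `git apply` rejects mismatched counts outright. Regenerate the file with `diff -ruN` against the unpacked nvidia-modprobe-550.54.14 sources so headers, counts and timestamps agree; common.mk.patch (L3115-L3117) and libtirpc.patch (L3177-L3179) carry the same stale timestamps after their rename.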
diff --git a/SPECS/libpcap/CVE-2024-8006.patch b/SPECS/libpcap/CVE-2024-8006.patch
new file mode 100644
index 00000000000..f8e5c2a2095
--- /dev/null
+++ b/SPECS/libpcap/CVE-2024-8006.patch
@@ -0,0 +1,38 @@
+From 1af34597acf0ad0392c16c20d35522c35126738f Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit
+Date: Mon, 21 Oct 2024 13:38:21 +0530
+Subject: [PATCH] Backport patch for CVE-2024-8006
+
+Original Reference: https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6
+---
+ pcap-new.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/pcap-new.c b/pcap-new.c
+index 7c006595..eadc3c9c 100644
+--- a/pcap-new.c
++++ b/pcap-new.c
+@@ -231,13 +231,19 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ #else
+ /* opening the folder */
+ unixdir= opendir(path);
++ if (unixdir == NULL) {
++ snprintf(errbuf, PCAP_ERRBUF_SIZE,
++ "Error when listing files: does folder '%s' exist?", path);
++ return -1;
++ }
+
+ /* get the first file into it */
+ filedata= readdir(unixdir);
+
+ if (filedata == NULL)
+ {
+- snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' exist?", path);
++ snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' contain files?", path);
++ closedir(unixdir);
+ return -1;
+ }
+ #endif
+--
+2.34.1
+
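Review bot: After the new `opendir` check at L3245, a NULL from the first `readdir` at L3252 is rarely "no files" — on most filesystems a directory always yields `.` and `..` — so the rewritten message at L3257 will usually be reported for a genuine read error while dropping its cause. Consider including the errno text in that snprintf, reading errno before `closedir` so it is not clobbered, e.g. `"Error when listing files in folder '%s': %s", path, strerror(errno)`; the added `closedir(unixdir)` at L3258 is the leak fix itself and is correct. pcap_findalldevs_ex continues on both sides of this hunk.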
diff --git a/SPECS/libpcap/libpcap.spec b/SPECS/libpcap/libpcap.spec
index c73bc73a58e..797da8b31ef 100755
--- a/SPECS/libpcap/libpcap.spec
+++ b/SPECS/libpcap/libpcap.spec
@@ -1,7 +1,7 @@
Summary: C/C++ library for network traffic capture
Name: libpcap
Version: 1.10.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -9,6 +9,7 @@ Group: Networking/Libraries
URL: https://www.tcpdump.org/
#Source0: https://github.com/the-tcpdump-group/%{name}/archive/%{name}-%{version}.tar.gz
Source0: %{name}-%{name}-%{version}.tar.gz
+Patch0: CVE-2024-8006.patch
%description
Libpcap provides a portable framework for low-level network
@@ -38,7 +39,7 @@ Requires: %{name}-devel = %{version}-%{release}
This package contains static lib for %{name}.
%prep
-%setup -q -n %{name}-%{name}-%{version}
+%autosetup -p1 -n %{name}-%{name}-%{version}
%build
%configure
@@ -77,6 +78,9 @@ make DESTDIR=%{buildroot} install
%{_libdir}/*.a
%changelog
+* Mon Oct 21 2024 Sudipta Pandit - 1.10.1-3
+- Backport patch for CVE-2024-8006
+
* Wed Dec 13 2023 Zhichun Wan - 1.10.1-2
- Add static library as sub package
diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec
index ec28b276c7a..99680ee5831 100644
--- a/SPECS/mariner-release/mariner-release.spec
+++ b/SPECS/mariner-release/mariner-release.spec
@@ -1,7 +1,7 @@
Summary: CBL-Mariner release files
Name: mariner-release
Version: 2.0
-Release: 67%{?dist}
+Release: 68%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -62,6 +62,9 @@ EOF
%config(noreplace) %{_sysconfdir}/issue.net
%changelog
+* Fri Oct 25 2024 CBL-Mariner Servicing Account - 2.0-68
+- Bump release for November 2024
+
* Wed Sep 25 2024 CBL-Mariner Servicing Account - 2.0-67
- Bump release for October 2024 Update
diff --git a/SPECS/nghttp2/CVE-2024-28182.patch b/SPECS/nghttp2/CVE-2024-28182.patch
new file mode 100644
index 00000000000..a956196d3b0
--- /dev/null
+++ b/SPECS/nghttp2/CVE-2024-28182.patch
@@ -0,0 +1,210 @@
+From 0480c05df47962b324f7e918a71f764102ff7441 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa
+Date: Sat, 9 Mar 2024 16:26:42 +0900
+Subject: [PATCH 1/2] Limit CONTINUATION frames following an incoming HEADER
+ frame
+
+Signed-off-by: Muhammad Falak R Wani
+---
+ lib/includes/nghttp2/nghttp2.h | 7 ++++++-
+ lib/nghttp2_helper.c | 2 ++
+ lib/nghttp2_session.c | 7 +++++++
+ lib/nghttp2_session.h | 10 ++++++++++
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index fa22081c..b394bde9 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -440,7 +440,12 @@ typedef enum {
+ * exhaustion on server side to send these frames forever and does
+ * not read network.
+ */
+- NGHTTP2_ERR_FLOODED = -904
++ NGHTTP2_ERR_FLOODED = -904,
++ /**
++ * When a local endpoint receives too many CONTINUATION frames
++ * following a HEADER frame.
++ */
++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+
+ /**
+diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
+index 93dd4754..b3563d98 100644
+--- a/lib/nghttp2_helper.c
++++ b/lib/nghttp2_helper.c
+@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
+ "closed";
+ case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+ return "SETTINGS frame contained more than the maximum allowed entries";
++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++ return "Too many CONTINUATION frames following a HEADER frame";
+ default:
+ return "Unknown error code";
+ }
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index ec5024d0..8e4d2e7e 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
+ (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+ (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+
+ if (option) {
+ if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+ }
+ }
+ session_inbound_frame_reset(session);
++
++ session->num_continuations = 0;
+ }
+ break;
+ }
+@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+ }
+ #endif /* DEBUGBUILD */
+
++ if (++session->num_continuations > session->max_continuations) {
++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++ }
++
+ readlen = inbound_frame_buf_read(iframe, in, last);
+ in += readlen;
+
+diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
+index b119329a..ef8f7b27 100644
+--- a/lib/nghttp2_session.h
++++ b/lib/nghttp2_session.h
+@@ -110,6 +110,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+
++/* The default max number of CONTINUATION frames following an incoming
++ HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+ /* Receiving frame header */
+@@ -290,6 +294,12 @@ struct nghttp2_session {
+ size_t max_send_header_block_length;
+ /* The maximum number of settings accepted per SETTINGS frame. */
+ size_t max_settings;
++ /* The maximum number of CONTINUATION frames following an incoming
++ HEADER frame. */
++ size_t max_continuations;
++ /* The number of CONTINUATION frames following an incoming HEADER
++ frame. This variable is reset when END_HEADERS flag is seen. */
++ size_t num_continuations;
+ /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+ uint32_t next_stream_id;
+ /* The last stream ID this session initiated. For client session,
+--
+2.47.0
+
+From 90f8bb08e4322ac9f58110a8c87a8385e424f53d Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa
+Date: Sat, 9 Mar 2024 16:48:10 +0900
+Subject: [PATCH 2/2] Add nghttp2_option_set_max_continuations
+
+Signed-off-by: Muhammad Falak R Wani
+---
+ doc/Makefile.am | 1 +
+ lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
+ lib/nghttp2_option.c | 5 +++++
+ lib/nghttp2_option.h | 5 +++++
+ lib/nghttp2_session.c | 4 ++++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 96f449ff..5636a137 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -73,6 +73,7 @@ APIDOCS= \
+ nghttp2_option_set_peer_max_concurrent_streams.rst \
+ nghttp2_option_set_server_fallback_rfc7540_priorities.rst \
+ nghttp2_option_set_user_recv_extension_type.rst \
++ nghttp2_option_set_max_continuations.rst \
+ nghttp2_option_set_max_outbound_ack.rst \
+ nghttp2_option_set_max_settings.rst \
+ nghttp2_option_set_stream_reset_rate_limit.rst \
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index b394bde9..4d3339b5 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
+ nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+ uint64_t burst, uint64_t rate);
+
++/**
++ * @function
++ *
++ * This function sets the maximum number of CONTINUATION frames
++ * following an incoming HEADER frame. If more than those frames are
++ * received, the remote endpoint is considered to be misbehaving and
++ * session will be closed. The default value is 8.
++ */
++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
++ size_t val);
++
+ /**
+ * @function
+ *
+diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
+index 43d4e952..53144b9b 100644
+--- a/lib/nghttp2_option.c
++++ b/lib/nghttp2_option.c
+@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+ option->stream_reset_burst = burst;
+ option->stream_reset_rate = rate;
+ }
++
++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
++ option->max_continuations = val;
++}
+diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
+index 2259e184..c89cb97f 100644
+--- a/lib/nghttp2_option.h
++++ b/lib/nghttp2_option.h
+@@ -71,6 +71,7 @@ typedef enum {
+ NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
+ NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
+ NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
+ } nghttp2_option_flag;
+
+ /**
+@@ -98,6 +99,10 @@ struct nghttp2_option {
+ * NGHTTP2_OPT_MAX_SETTINGS
+ */
+ size_t max_settings;
++ /**
++ * NGHTTP2_OPT_MAX_CONTINUATIONS
++ */
++ size_t max_continuations;
+ /**
+ * Bitwise OR of nghttp2_option_flag to determine that which fields
+ * are specified.
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 8e4d2e7e..ced7517b 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
+ option->stream_reset_burst,
+ option->stream_reset_rate);
+ }
++
++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
++ (*session_ptr)->max_continuations = option->max_continuations;
++ }
+ }
+
+ rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+--
+2.47.0
+
diff --git a/SPECS/nghttp2/nghttp2.spec b/SPECS/nghttp2/nghttp2.spec
index e49d0d01bc8..64a933025ee 100644
--- a/SPECS/nghttp2/nghttp2.spec
+++ b/SPECS/nghttp2/nghttp2.spec
@@ -1,13 +1,14 @@
Summary: nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
Name: nghttp2
Version: 1.57.0
-Release: 1%{?dist}
+Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/System
URL: https://nghttp2.org
Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Patch0: CVE-2024-28182.patch
BuildRequires: gcc
BuildRequires: make
%if %{with_check}
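Review bot: `Patch0:` at L3553 is the first patch this spec declares, and the hunk does not show %prep; if %prep still uses `%setup -q` (as libpcap.spec did before L3289 in this same change), the patch is declared but never applied, the build still succeeds, and CVE-2024-28182 stays unfixed while the changelog says otherwise. Please confirm %prep reads `%autosetup -p1` (or has an explicit `%patch` line), and consider a comment on the Patch0 line naming the upstream commits the file backports so the next upgrade to a release containing them can drop it.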
@@ -59,6 +60,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/pkgconfig/*.pc
%changelog
+* Tue Oct 08 2024 Muhammad Falak - 1.57.0-2
+- Address CVE-2024-28182
+
* Wed Oct 11 2023 Dan Streetman - 1.57.0-1
- Update version to 1.57.0 to include patches for CVE-2023-44487
diff --git a/SPECS/nvidia-container-runtime/nvidia-container-runtime.signatures.json b/SPECS/nvidia-container-runtime/nvidia-container-runtime.signatures.json
deleted file mode 100644
index 0fccb582ca8..00000000000
--- a/SPECS/nvidia-container-runtime/nvidia-container-runtime.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
- "nvidia-container-runtime-3.13.0.tar.gz": "5a2516501eaf762fcb8bdeeeeab6e2597b3ccf52d9c5ed77d4c52c12f70cf3d1"
- }
-}
\ No newline at end of file
diff --git a/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec b/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec
deleted file mode 100644
index bb110a612fe..00000000000
--- a/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec
+++ /dev/null
@@ -1,90 +0,0 @@
-%global debug_package %{nil}
-Summary: NVIDIA container runtime
-Name: nvidia-container-runtime
-Version: 3.13.0
-Release: 1%{?dist}
-License: ASL 2.0
-Vendor: Microsoft Corporation
-Distribution: Mariner
-URL: https://github.com/NVIDIA/nvidia-container-runtime
-#Source0: https://github.com/NVIDIA/%%{name}/archive/v%%{version}.tar.gz
-Source0: %{name}-%{version}.tar.gz
-Obsoletes: nvidia-container-runtime < 2.0.0
-Requires: nvidia-container-toolkit >= 1.13.5, nvidia-container-toolkit < 2.0.0
-Requires: libseccomp
-# NVIDIA now includes the runtime within the toolkit installs itself.
-# Previously there were independent installs of the runtime and the toolkit
-# but with v3.9.0 and beyond the nvidia-container-runtime package no longer builds.
-#
-# The package is now a meta package that only forces the toolkit installation.
-
-%description
-Provides a modified version of runc allowing users to run GPU enabled
-containers.
-
-%prep
-%setup -q
-
-%install
-
-%files
-%license LICENSE
-
-
-%changelog
-* Mon Jul 10 2023 Henry Li - 3.13.0-1
-- Upgrade to version 3.13.0
-- Add nvidia-container-toolkit minimum version 1.13.5 dependency
-
-* Wed Sep 21 2022 Henry Li - 3.11.0-1
-- Upgrade to version 3.11.0
-- Add nvidia-container-toolkit minimum version 1.11.0 dependency
-
-* Wed Mar 30 2022 Adithya Jayachandran - 3.9.0-1
-- Bumped version to 3.9.0
-- Package is officially included in toolkit install, this is a meta package
-- Added nvidia-container-toolkit minimum version 1.9.0 dependence
-
-* Tue Mar 29 2022 Adithya Jayachandran - 3.5.0-1
-- Ported nvidia container runtime update v3.5.0 to 2.0
-- Added dependence on nvidia-container-toolkit >= 1.5.0
-- Change directory structure for build output
-
-* Wed Nov 17 2021 Mateusz Malisz 3.4.2-5
-- Move buildroot directory tree creation to install step
-- Use make macros.
-
-* Fri Aug 06 2021 Nicolas Guibourge 3.4.2-5
-- Increment release to force republishing using golang 1.16.7.
-
-* Tue Jun 08 2021 Henry Beberman 3.4.2-4
-- Increment release to force republishing using golang 1.15.13.
-
-* Mon Apr 26 2021 Nicolas Guibourge 3.4.2-3
-- Increment release to force republishing using golang 1.15.11.
-
-* Wed Apr 21 2021 Joseph Knierman - 3.4.2-2
-- License verified
-- Initial CBL-Mariner import from NVIDIA (license: ASL 2.0).
-
-* Fri Feb 05 2021 NVIDIA CORPORATION 3.4.2-1
-- Add dependence on nvidia-container-toolkit >= 1.4.2
-
-* Mon Jan 25 2021 NVIDIA CORPORATION 3.4.1-1
-- Update README to list 'compute' as part of the default capabilities
-- Switch to gomod for vendoring
-- Update to Go 1.15.6 for builds
-- Add dependence on nvidia-container-toolkit >= 1.4.1
-
-* Wed Sep 16 2020 NVIDIA CORPORATION 3.4.0-1
-- Bump version to v3.4.0
-- Add dependence on nvidia-container-toolkit >= 1.3.0
-
-* Wed Jul 08 2020 NVIDIA CORPORATION 3.3.0-1
-- e550cb15 Update package license to match source license
-- f02eef53 Update project License
-- c0fe8aae Update dependence on nvidia-container-toolkit to 1.2.0
-
-* Fri May 15 2020 NVIDIA CORPORATION 3.2.0-1
-- e486a70e Update build system to support multi-arch builds
-- 854f4c48 Require new MIG changes
diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json
index feef863b361..901b31f14bf 100644
--- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json
+++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json
@@ -1,6 +1,6 @@
{
- "Signatures": {
- "nvidia-container-toolkit-1.13.5-vendor.tar.gz": "e2a72626fedaf53ad5e8a167509451eadd567e417fab4dec07cd9c19a84baae9",
- "nvidia-container-toolkit-1.13.5.tar.gz": "2e95a89ca3ab95528df4bf32c5e0c8333e283e0465b9636458282c3d49a1b1da"
- }
-}
\ No newline at end of file
+ "Signatures": {
+ "nvidia-container-toolkit-1.16.2-vendor.tar.gz": "e9ed76163b347b73de1b3af838f0c1b83a61faadcdef65550d0f3160cd236cd6",
+ "nvidia-container-toolkit-1.16.2.tar.gz": "0062b4123bc8fd34191d95464e42dc18c34c6fff4c7bda0e23ba336f9ecd7997"
+ }
+}
diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec
index a7d89e65b54..09c01b3abd3 100644
--- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec
+++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec
@@ -1,8 +1,8 @@
%global debug_package %{nil}
Summary: NVIDIA container runtime hook
Name: nvidia-container-toolkit
-Version: 1.13.5
-Release: 7%{?dist}
+Version: 1.16.2
+Release: 1%{?dist}
License: ALS2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -65,35 +65,28 @@ install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime-hook
install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime
install -m 755 -t %{buildroot}%{_bindir} nvidia-ctk
-cp config/config.toml.rpm-yum config.toml
-mkdir -p %{buildroot}%{_sysconfdir}/nvidia-container-runtime
-install -m 644 -t %{buildroot}%{_sysconfdir}/nvidia-container-runtime config.toml
-
-mkdir -p %{buildroot}%{_libexecdir}/oci/hooks.d
-install -m 755 -t %{buildroot}%{_libexecdir}/oci/hooks.d oci-nvidia-hook
-
-mkdir -p %{buildroot}%{_datadir}/containers/oci/hooks.d
-install -m 644 -t %{buildroot}%{_datadir}/containers/oci/hooks.d oci-nvidia-hook.json
-
%posttrans
ln -sf %{_bindir}/nvidia-container-runtime-hook %{_bindir}/nvidia-container-toolkit
+# Generate the default config; If this file already exists no changes are made.
+%{_bindir}/nvidia-ctk --quiet config --config-file=%{_sysconfdir}/nvidia-container-runtime/config.toml --in-place
+
%postun
rm -f %{_bindir}/nvidia-container-toolkit
%files
%license LICENSE
%{_bindir}/nvidia-container-runtime-hook
-%{_libexecdir}/oci/hooks.d/oci-nvidia-hook
-%{_datadir}/containers/oci/hooks.d/oci-nvidia-hook.json
%files base
%license LICENSE
-%config %{_sysconfdir}/nvidia-container-runtime/config.toml
%{_bindir}/nvidia-container-runtime
%{_bindir}/nvidia-ctk
%changelog
+* Fri Oct 04 2024 CBL-Mariner Servicing Account - 1.16.2-1
+- Auto-upgrade to 1.16.2 - Critical vulnerability CVE-2024-0132, Medium vulnerability CVE-2024-0133
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.13.5-7
- Bump release to rebuild with go 1.22.7
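Review bot: The config.toml generated by the new `%posttrans` line is no longer owned by the package: its `%config` entry in `%files base` is removed and the `%install` copy is dropped, so `rpm -V`, `rpm -qf` and package erase will not know about a file the package itself creates under `%{_sysconfdir}`. Listing it as `%ghost %config(noreplace) %{_sysconfdir}/nvidia-container-runtime/config.toml` under `%files base` keeps it tracked without shipping a payload copy, and `%postun` could remove it on full erase if that is the intended lifecycle. The `mkdir -p` for `%{_sysconfdir}/nvidia-container-runtime` is also gone, so the scriptlet relies on `nvidia-ctk config --in-place` creating the parent directory itself, which is worth confirming. The oci hook files dropped from `%files` have no replacement in the hunk; if that is intentional it deserves a line in the changelog entry.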
@@ -225,5 +218,5 @@ rm -f %{_bindir}/nvidia-container-toolkit
* Fri May 15 2020 NVIDIA CORPORATION 1.1.0-1
- 4e4de762 Update build system to support multi-arch builds
- fcc1d116 Add support for MIG (Multi-Instance GPUs)
-- d4ff0416 Add ability to merge envars of the form NVIDIA_VISIBLE_DEVICES_*
+- d4ff0416 Add ability to merge envars of the form NVIDIA_VISIBLE_DEVICES_*
- 60f165ad Add no-pivot option to toolkit
diff --git a/SPECS/oath-toolkit/CVE-2024-47191.patch b/SPECS/oath-toolkit/CVE-2024-47191.patch
new file mode 100644
index 00000000000..e2addd65682
--- /dev/null
+++ b/SPECS/oath-toolkit/CVE-2024-47191.patch
@@ -0,0 +1,873 @@
+From 4302b149a186ba8ca155ea7e211c25fac112a3ef Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Wed, 11 Sep 2024 14:09:25 +0200
+Subject: [PATCH] usersfile: fix potential security issues in PAM module
+ context (CVE-2024-47191)
+
+With the addition of the possibility to place a usersfile also into
+a user's home directory via variable expansion of ${HOME} and ${USER} in
+the `usersfile=` path specification, security issues sneaked in. The PAM
+process usually runs with root privileges. The file operations in an
+unprivileged user's home directory follow symlinks both when reading and
+creating files, allowing for a potential local root exploit, because of
+the `fchown()` performed on the newly created usersfile.
+
+The situation is not that easy to fix, since the current PAM module
+configuration does not indicate explicitly whether the usersfile will be
+placed in an unprivileged or in a privileged location. It is advisable
+to drop privileges to the owner of the usersfile, if we're running as
+root. To determine the ownership of the usersfile, it first has to be
+opened in a safe way, though.
+
+This change addresses the issue by introducing a usersfile_ctx datatype
+which holds state information about the target usersfile. The new
+function `safe_open_usersfile()` will open the target path in a safe
+way, rejecting any symlinks on the way. The function also rejects any
+world-writable directories or files, which would generally be a bad idea
+to have in the usersfile path.
+
+The global `umask()` alteration is dropped in favor of using an unnamed
+temporary file to achieve the proper file permissions of a newly created
+usersfile. Since the target mode is 0600, the umask would need to be
+really awkward anyway to change the outcome. `fchown()` is no longer
+called on the new file, assuming we are already running with the correct
+credentials.
+
+The locking logic of the existing code is incomplete, because the
+initial reading of the usersfile is performed without locking. Only
+during updating of the file, the lock is obtained. I believe this can
+lead to inconsistencies. Also the current code unlinks the lockfile
+after its use, which opens a race condition making the lock again
+unreliable.
+
+The creation of the lockfile in the directory containing the usersfile
+is somewhat unfortunate. Lockfiles are runtime state data that should go
+into /run or a shared sticky-bit directory. It is unclear whether mixed
+root and non-root accesses need to be synchronized (probably). An
+advantage of using the location of the usersfile is that if the
+usersfile should be placed on a network share (NFS, CIFS), that the
+locking can theoretically happen across the network.
+
+This patch aims to make the locking complete by acquiring it before
+parsing the actual usersfile. To prevent cluttering of users' home
+directories no separate lockfile is used anymore, but the usersfile
+itself it used for locking. This involves some extra complexity, since
+even after acquiring the lock, the actual usersfile on disk might have
+been replaced by a new one in the meantime. This situation needs to be
+detected and recovered from.
+
+In the PAM module context the unprivileged user could try to DoS the
+privileged PAM stack, by taking the lock and never releasing it.
+Therefore a polling loop is implemented that fails after 15 seconds of
+failing to obtain the lock. Unfortunately there exists no lock with
+timeout API, thus it needs to be polled.
+
+Instead of the POSIX compatible fcntl(F_SETLK) locking API this patch
+switches to the Linux specific fcntl(F_OFD_SETLK) locking. The reason
+for this is that locks obtained with F_SETLK cannot be inherited to
+child processes, which we need to do now. flock() would also have been
+an alternative, but it has unfortunate properties if the lockfile should
+be located on a network file system.
+---
+
+diff -Naur oath-toolkit-2.6.7-mariner-patched/liboath/errors.c oath-toolkit-2.6.7/liboath/errors.c
+--- oath-toolkit-2.6.7-mariner-patched/liboath/errors.c 2024-10-05 19:53:03.559981287 -0700
++++ oath-toolkit-2.6.7/liboath/errors.c 2024-10-05 19:21:23.755488969 -0700
+@@ -58,7 +58,12 @@
+ ERR (OATH_FILE_SYNC_ERROR, "System error when syncing file to disk"),
+ ERR (OATH_FILE_CLOSE_ERROR, "System error when closing file"),
+ ERR (OATH_FILE_CHOWN_ERROR, "System error when changing file ownership"),
+- ERR (OATH_FILE_STAT_ERROR, "System error when getting file status")
++ ERR (OATH_FILE_STAT_ERROR, "System error when getting file status"),
++ ERR (OATH_FILE_OPEN_ERROR, "System error trying to open file"),
++ ERR (OATH_FORK_ERROR, "System error when forking a process"),
++ ERR (OATH_WAIT_ERROR, "System error when waiting for a process"),
++ ERR (OATH_SETUID_ERROR, "System error when setting process UID"),
++ ERR (OATH_SETGID_ERROR, "System error when setting process GID")
+ };
+
+ /**
+diff -Naur oath-toolkit-2.6.7-mariner-patched/liboath/oath.h.in oath-toolkit-2.6.7/liboath/oath.h.in
+--- oath-toolkit-2.6.7-mariner-patched/liboath/oath.h.in 2024-10-05 19:53:03.939985058 -0700
++++ oath-toolkit-2.6.7/liboath/oath.h.in 2024-10-05 19:21:56.115570760 -0700
+@@ -152,9 +152,14 @@
+ OATH_FILE_CLOSE_ERROR = -25,
+ OATH_FILE_CHOWN_ERROR = -26,
+ OATH_FILE_STAT_ERROR = -27,
++ OATH_FILE_OPEN_ERROR = -28,
++ OATH_FORK_ERROR = -29,
++ OATH_WAIT_ERROR = -30,
++ OATH_SETUID_ERROR = -31,
++ OATH_SETGID_ERROR = -32,
+ /* When adding anything here, update OATH_LAST_ERROR, errors.c
+ and tests/tst_errors.c. */
+- OATH_LAST_ERROR = -27
++ OATH_LAST_ERROR = -33
+ } oath_rc;
+
+ /* Global */
+diff -Naur oath-toolkit-2.6.7-mariner-patched/liboath/usersfile.c oath-toolkit-2.6.7/liboath/usersfile.c
+--- oath-toolkit-2.6.7-mariner-patched/liboath/usersfile.c 2024-10-05 19:55:00.017139982 -0700
++++ oath-toolkit-2.6.7/liboath/usersfile.c 2024-10-05 19:37:06.910860525 -0700
+@@ -29,7 +29,226 @@
+ #include /* For ssize_t. */
+ #include /* For fcntl. */
+ #include /* For errno. */
++#include /* For PATH_MAX & friends. */
+ #include /* For S_IRUSR, S_IWUSR. */
++#include /* For wait */
++#include /* For stat */
++
++struct usersfile_ctx {
++ const char *path;
++ const char *basename; /* basename of path, points into `path` */
++ int parent_fd; /* file descriptor for the parent directory of the usersfile */
++ int fd; /* file descriptor for the usersfile */
++ struct stat st; /* stat information for the usersfile */
++};
++
++/*
++ * Upgrade a file descriptor opened with O_PATH to a fully functional file
++ * descriptor.
++ *
++ * To achieve this the file is reopened via /proc, which is supported by the
++ * Linux kernel. `fd` needs to point to the currently open file descriptor. On
++ * success it will be replaced by the new upgraded file descriptor, while the
++ * original file descriptor will be closed.
++ *
++ * `flags` are passed to `open()` for the new file descriptor.
++ */
++static int
++reopen_path_fd (int *fd, int flags)
++{
++ /* we need to open /proc/self/fd/, so the path won't get too long here */
++ char proc_path[128];
++ int res = snprintf(proc_path, sizeof(proc_path), "/proc/self/fd/%d", *fd);
++
++ if (res < 0 || res >= sizeof(proc_path))
++ return OATH_PRINTF_ERROR;
++
++ int newfd = open(proc_path, flags);
++
++ if (newfd < 0)
++ return OATH_FILE_OPEN_ERROR;
++
++ close(*fd);
++ *fd = newfd;
++ return OATH_OK;
++}
++
++static void
++init_usersfile_ctx(struct usersfile_ctx *ctx, const char *path)
++{
++ ctx->path = path;
++ ctx->basename = NULL;
++ ctx->parent_fd = -1;
++ ctx->fd = -1;
++ memset(&ctx->st, 0, sizeof(ctx->st));
++}
++
++static void
++destroy_usersfile_ctx(struct usersfile_ctx *ctx)
++{
++ if (ctx->parent_fd != -1)
++ {
++ close (ctx->parent_fd);
++ ctx->parent_fd = -1;
++ }
++
++ if (ctx->fd != -1)
++ {
++ close (ctx->fd);
++ ctx->fd = -1;
++ }
++
++ /* reset everything but keep the path so it might be reused */
++ init_usersfile_ctx(ctx, ctx->path);
++}
++
++/*
++ * Obtain a lock for the usersfile. The lock is placed on the usersfile itself
++ * as found in `ctx->fd`
++ *
++ * On success the lock on `ctx->fd` has been correctly obtained.
++ */
++static int
++lock_usersfile (struct usersfile_ctx *ctx)
++{
++ /*
++ * There exist three file locking APIs:
++ *
++ * - flock(): this would be the simplest API, but it doesn't properly support
++ * network file systems like NFS, which then causes a transparent fallback
++ * to fcntl() file locking.
++ * - fcntl using F_SETLCK & friends: this lock is not based on the open file
++ * description and thus cannot be inherited to child processes, which we
++ * need to do.
++ * - fcntl using F_OFD_SETLCK & friends: this is a Linux specific lock that
++ * _is_ based on the open file description. It seems like the best bet for
++ * our scenario.
++ *
++ * Since we are potentially running in PAM module context, we have to
++ * take a local DoS scenario into account here, where the unprivileged user
++ * holds the lock, preventing us from ever getting it.
++ *
++ * There's no file locking API supporting a timeout (except for using a
++ * SIGALRM timer to interrupt the system call). Using asynchronous signals
++ * in a library is not so great. Thus make a best effort polling attempt:
++ *
++ * `F_OFD_SETLK` polls for the lock. If we cannot get it, sleep half a
++ * second and retry. Do this for at max 15 seconds, else fail.
++ */
++
++ struct flock fl;
++ memset(&fl, 0, sizeof(fl));
++ /* lock the entire file with a write lock */
++ fl.l_type = F_WRLCK;
++ fl.l_whence = SEEK_SET;
++ fl.l_start = 0;
++ fl.l_len = 0;
++
++ for (int i = 0; i < 30; i++) {
++ if (fcntl(ctx->fd, F_OFD_SETLK, &fl) == 0)
++ return OATH_OK;
++
++ if (errno == EACCES || errno == EAGAIN)
++ usleep(1000 * 500);
++ else
++ break;
++ }
++
++ return OATH_FILE_LOCK_ERROR;
++}
++
++/*
++ * After traversing all directory path elements this function actually opens
++ * the target usersfile. `ctx->parent_fd` must be valid.
++ *
++ * This function takes care of the locking logic, which is a bit complicated,
++ * since we use the usersfile itself for locking. This is done, because we
++ * don't want to clutter arbitrary directories with lockfiles, possibly making
++ * the locking also less robust (e.g. if users delete them interactively).
++ *
++ * Since we don't actually write to the usersfile, but replace it atomically,
++ * to prevent any inconsistent state to ever be stored to disk, we need a
++ * recovery mechanism if we obtain a lock on the file, but the file has
++ * already been replaced by a new version. This situation is detected by
++ * opening the file again after the lock has been placed and comparing the
++ * inode numbers. If the no longer match, then the new file has to be locked
++ * instead.
++ *
++ * On successful return ctx->fd will be valid and locked and ctx->st will
++ * contain the current stat information for the usersfile.
++ */
++static int
++finish_open_usersfile (struct usersfile_ctx *ctx)
++{
++ const int oflags = O_RDONLY|O_PATH|O_CLOEXEC|O_NOFOLLOW;
++ ctx->fd = openat(ctx->parent_fd, ctx->basename, oflags);
++
++ if (ctx->fd < 0)
++ return errno == ENOENT ? OATH_NO_SUCH_FILE : OATH_FILE_OPEN_ERROR;
++
++ if (fstat(ctx->fd, &ctx->st) != 0)
++ return OATH_FILE_STAT_ERROR;
++
++ /* lock and retry opening until all is consistent, abort after a couple of
++ * times, it's unlikely that we race all the time (could be a DoS attempt) */
++ for (int i = 0; i < 5; i++)
++ {
++ /* deny world-writable or special usersfile */
++ if ((ctx->st.st_mode & S_IWOTH) != 0 || !S_ISREG(ctx->st.st_mode))
++ return OATH_FILE_OPEN_ERROR;
++
++ /* we need to open it read-write for write-locking it via fcntl(),
++ * otherwise we wouldn't need write access for the file, since we'll
++ * atomically replace it with a new one. */
++ int err = reopen_path_fd(&ctx->fd, O_RDWR|O_CLOEXEC);
++ if (err != OATH_OK)
++ return err;
++
++ err = lock_usersfile(ctx);
++ if (err != OATH_OK)
++ return err;
++
++ /*
++ * we now own a lock on the usersfile, but another process might already
++ * have replaced the file in question by new version. Thus we need to
++ * check whether the file is still there and is the same as the one we
++ * have opened. Otherwise a race occurred an we need to retry.
++ */
++ int check_fd = openat(ctx->parent_fd, ctx->basename, oflags);
++ struct stat check_st;
++ err = fstat(check_fd, &check_st);
++ if (err != OATH_OK)
++ {
++ close(check_fd);
++ return err;
++ }
++
++ /* comparing the inode should be enough, since parent_fd didn't change,
++ * so it should be the same file system */
++ if (ctx->st.st_ino != check_st.st_ino)
++ {
++ /* race occurred, retry using the new FD */
++ close(ctx->fd);
++ ctx->fd = check_fd;
++ memcpy(&ctx->st, &check_st, sizeof(ctx->st));
++ continue;
++ }
++
++ /* we own the lock and the file is still in place, we did it */
++ close(check_fd);
++
++ /* now also reopen the parent directory FD, so it can be used for
++ * fsync() later on. */
++ err = reopen_path_fd(&ctx->parent_fd, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
++ if (err != OATH_OK)
++ return err;
++
++ return OATH_OK;
++ }
++
++ /* maximum number of locking attempts exceeded */
++ return OATH_FILE_LOCK_ERROR;
++}
+
+ static int
+ parse_type (const char *str, unsigned *digits, unsigned *totpstepsize)
+@@ -296,8 +515,92 @@
+ return OATH_OK;
+ }
+
++/*
++ * create a new file in the directory referred to by ctx->parent_fd. A unique
++ * filename will be selected and written out to `newname`.
++ */
+ static int
+-update_usersfile (const char *usersfile,
++create_new_usersfile(struct usersfile_ctx *ctx, char *newname)
++{
++ int err = OATH_OK;
++ newname[0] = '\0';
++
++ /* create an unnamed temporary file, this way we can fix the file mode
++ without anybody else being able to access the file */
++ int fd = openat(ctx->parent_fd, ".", O_TMPFILE|O_WRONLY|O_CLOEXEC, 0600);
++ if (fd < 0)
++ return OATH_FILE_OPEN_ERROR;
++
++ /* make sure the mode is as we want it, since umask might have changed the outcome. */
++ if (fchmod(fd, 0600) != 0)
++ {
++ err = OATH_FILE_CHOWN_ERROR;
++ goto out;
++ }
++
++ /* there's nothing like mkostmpat() where we can use our parent_fd.
++ * tmpname() & friends are deprecated and also not fully suitable here.
++ *
++ * what we're actually missing here is an additional flag LINKAT_REPLACE
++ * which would allow to atomically replace the original file, instead of
++ * using renameat(). This doesn't exist yet, though.
++ *
++ * linkat() doesn't follow symlinks or overwrite files, so we're safe here
++ * against any shenanigans. The user owning parent_fd can try to guess the
++ * filename we're using here and thus DoS us. Setup an arbitrary limit of
++ * creation attempts to prevent an infinite loop in such situations. Such a
++ * bad actor would then only DoS itself, preventing login.
++ *
++ * Shared world-writable directories should never be used for the usersfile,
++ * this would be a configuration error, thus we don't try to protect against
++ * such scenarios.
++ *
++ * An alternative would be using rand(), but then we'd need to also seed it,
++ * with possible process wide side effects, which is also not great.
++ */
++
++ int ret = snprintf(newname, NAME_MAX, "%s.new.%d", ctx->basename, getpid());
++ if (ret < 0 || ret >= NAME_MAX)
++ {
++ err = OATH_PRINTF_ERROR;
++ goto out;
++ }
++
++ /* we need to specify /proc/self/fd/, so the path won't get too long here */
++ char proc_path[128];
++ ret = snprintf(proc_path, sizeof(proc_path), "/proc/self/fd/%d", fd);
++ if (ret < 0 || ret >= NAME_MAX)
++ {
++ err = OATH_PRINTF_ERROR;
++ goto out;
++ }
++
++ /* we cannot reliably use AT_EMPTY_PATH here, since it can require the
++ * CAP_DAC_READ_SEARCH capability when running as non-root. Starting with
++ * kernel 6.10 this requirement has been softened, but we need to stay
++ * backward compatible. Linking the magic link in /proc into the directory
++ * works without extra capabilities.
++ * For this workaround to function AT_SYMLINK_FOLLOW _must_ be specified
++ * so this is a conscious decision.
++ */
++ if (linkat(AT_FDCWD, proc_path, ctx->parent_fd, newname, AT_SYMLINK_FOLLOW))
++ {
++ err = OATH_FILE_CREATE_ERROR;
++ }
++
++out:
++ if (err != OATH_OK)
++ {
++ if (fd >= 0)
++ close(fd);
++ return err;
++ }
++
++ return fd;
++}
++
++static int
++update_usersfile (struct usersfile_ctx *ctx,
+ const char *username,
+ const char *otp,
+ FILE * infh,
+@@ -305,9 +608,7 @@
+ size_t *n, char *timestamp, uint64_t new_moving_factor,
+ size_t skipped_users)
+ {
+- FILE *outfh, *lockfh;
+ int rc;
+- char *newfilename, *lockfile;
+
+ /* Rewind input file. */
+ {
+@@ -319,120 +620,236 @@
+ clearerr (infh);
+ }
+
+- /* Open lockfile. */
+- {
+- int l;
++ char newfilename[NAME_MAX];
+
+- if (oath_lockfile_path)
++ /* Open the "new" file. We aim for atomic replacement of the old file to
++ * address possible power failure or system lockup scenarios. */
++ int outfd = create_new_usersfile(ctx, newfilename);
++ if (outfd < 0)
+ {
+- l = asprintf (&lockfile, "%s", oath_lockfile_path);
+- if (lockfile == NULL || ((size_t) l) != strlen (oath_lockfile_path))
+- return OATH_PRINTF_ERROR;
++ return outfd;
+ }
+- else
++
++ FILE *outfh = fdopen (outfd, "w");
++ if (!outfh)
+ {
+- l = asprintf (&lockfile, "%s.lock", usersfile);
+- if (lockfile == NULL || ((size_t) l) != strlen (usersfile) + 5)
+- return OATH_PRINTF_ERROR;
++ rc = OATH_FILE_CREATE_ERROR;
++ goto out;
+ }
+
+- lockfh = fopen (lockfile, "w");
+- if (!lockfh)
+- {
+- free (lockfile);
+- return OATH_FILE_CREATE_ERROR;
+- }
+- }
++ /* ownership has been transferred to outfh */
++ outfd = -1;
+
+- /* Lock the lockfile. */
+- {
+- struct flock l;
++ /* Create the new usersfile content. */
++ rc = update_usersfile2 (username, otp, infh, outfh, lineptr, n,
++ timestamp, new_moving_factor, skipped_users);
+
+- memset (&l, 0, sizeof (l));
+- l.l_whence = SEEK_SET;
+- l.l_start = 0;
+- l.l_len = 0;
+- l.l_type = F_WRLCK;
++ if (rc != OATH_OK)
++ goto out;
+
+- while ((rc = fcntl (fileno (lockfh), F_SETLKW, &l)) < 0 && errno == EINTR)
+- continue;
+- if (rc == -1)
+- {
+- fclose (lockfh);
+- free (lockfile);
+- return OATH_FILE_LOCK_ERROR;
+- }
++ /* On success, flush the buffers. */
++ if (fflush (outfh) != 0) {
++ rc = OATH_FILE_FLUSH_ERROR;
++ goto out;
+ }
+
+- /* Open the "new" file. */
+- {
+- int l;
+-
+- l = asprintf (&newfilename, "%s.new", usersfile);
+- if (newfilename == NULL || ((size_t) l) != strlen (usersfile) + 4)
+- {
+- fclose (lockfh);
+- free (lockfile);
+- return OATH_PRINTF_ERROR;
+- }
++ /* On success, sync the disks. */
++ if (fsync (fileno (outfh)) != 0) {
++ rc = OATH_FILE_SYNC_ERROR;
++ goto out;
++ }
+
+- outfh = fopen (newfilename, "w");
+- if (!outfh)
+- {
+- free (newfilename);
+- fclose (lockfh);
+- free (lockfile);
+- return OATH_FILE_CREATE_ERROR;
+- }
++ /* On success, replace the usersfile with the new copy.
++ * This does not follow symlinks in the target, the target will always be
++ * replaced.
++ * */
++ if (renameat (ctx->parent_fd, newfilename, ctx->parent_fd, ctx->basename) != 0) {
++ rc = OATH_FILE_RENAME_ERROR;
++ goto out;
+ }
+
+- /* Create the new usersfile content. */
+- rc = update_usersfile2 (username, otp, infh, outfh, lineptr, n,
+- timestamp, new_moving_factor, skipped_users);
++ /* this name no longer exists now */
++ newfilename[0] = '\0';
+
+- /* Preserve ownership of the new usersfile file */
+- {
+- struct stat insb;
++ /* make sure the directory is also synced such that directory inodes are written out */
++ if (fsync(ctx->parent_fd) != 0) {
++ rc = OATH_FILE_SYNC_ERROR;
++ goto out;
++ }
++
++out:
++ if (outfd >= 0)
++ close(outfd);
++ if (outfh)
++ fclose(outfh);
++ if (rc != OATH_OK && newfilename[0])
++ unlinkat(ctx->parent_fd, newfilename, 0);
++ return rc;
++}
+
+- if(rc == OATH_OK && fstat(fileno(infh), &insb) == -1)
+- rc = OATH_FILE_STAT_ERROR;
++static int
++oath_process_usersfile (struct usersfile_ctx *ctx,
++ const char *username,
++ const char *otp,
++ size_t window,
++ const char *passwd, time_t *last_otp)
++{
++ FILE *infh;
++ char *line = NULL;
++ size_t n = 0;
++ uint64_t new_moving_factor;
++ int rc;
++ size_t skipped_users;
+
+- if(rc == OATH_OK && fchown(fileno(outfh), insb.st_uid, insb.st_gid) != 0)
+- rc = OATH_FILE_CHOWN_ERROR;
+- }
++ infh = fdopen (ctx->fd, "r");
++ if (infh == NULL)
++ return OATH_FILE_OPEN_ERROR;
+
+- /* On success, flush the buffers. */
+- if (rc == OATH_OK && fflush (outfh) != 0)
+- rc = OATH_FILE_FLUSH_ERROR;
++ /* ownership has been transferred to the FILE stream now */
++ ctx->fd = -1;
+
+- /* On success, sync the disks. */
+- if (rc == OATH_OK && fsync (fileno (outfh)) != 0)
+- rc = OATH_FILE_SYNC_ERROR;
++ rc = parse_usersfile (username, otp, window, passwd, last_otp,
++ infh, &line, &n, &new_moving_factor, &skipped_users);
++
++ if (rc == OATH_OK)
++ {
++ char timestamp[30];
++ size_t max = sizeof (timestamp);
++ struct tm now;
++ time_t t;
++ size_t l;
+
+- /* Close the file regardless of success. */
+- if (fclose (outfh) != 0)
+- rc = OATH_FILE_CLOSE_ERROR;
++ if (time (&t) == (time_t) - 1)
++ return OATH_TIME_ERROR;
+
+- /* On success, overwrite the usersfile with the new copy. */
+- if (rc == OATH_OK && rename (newfilename, usersfile) != 0)
+- rc = OATH_FILE_RENAME_ERROR;
++ if (localtime_r (&t, &now) == NULL)
++ return OATH_TIME_ERROR;
+
+- /* Something has failed, don't leave garbage lying around. */
+- if (rc != OATH_OK)
+- unlink (newfilename);
++ l = strftime (timestamp, max, TIME_FORMAT_STRING, &now);
++ if (l != 20)
++ return OATH_TIME_ERROR;
+
+- free (newfilename);
++ rc = update_usersfile (ctx, username, otp, infh,
++ &line, &n, timestamp, new_moving_factor,
++ skipped_users);
++ }
+
+- /* Complete, close the lockfile */
+- if (fclose (lockfh) != 0)
+- rc = OATH_FILE_CLOSE_ERROR;
+- if (unlink (lockfile) != 0)
+- rc = OATH_FILE_UNLINK_ERROR;
+- free (lockfile);
++ free (line);
++ fclose (infh);
+
+ return rc;
+ }
+
++/*
++ * Safely open `ctx->path`, filling all the other fields in `ctx` from it. On
++ * error destroy_usersfile_ctx() is invoked for `ctx`.
++ *
++ * When operating with raised privileges we cannot know the ownership of
++ * `ctx->path` in advance, thus we need to carefully open the path. Any
++ * symbolic links in the path will be rejected for simplicity reasons.
++ *
++ * Every path element will be extracted step-by-step and opened by passing the
++ * `O_PATH` flag. This is the safest approach which prevents any side effects
++ * that might result from opening e.g. FIFO special files, symlinks or device
++ * files.
++ *
++ * Once the final path element has been reached and verified, the file
++ * descriptors have to be upgraded to regular ones without the `O_PATH`
++ * property, for being able to use them for regular file operations.
++ *
++ * NOTE: a similar result can be achieved by using openat2() and passing
++ * RESOLVE_NO_SYMLINKS, but the system call is not yet wrapped in Glibc, which
++ * makes it hard to use it.
++ */
++static int
++safe_open_usersfile (struct usersfile_ctx *ctx)
++{
++ int err = OATH_OK;
++
++ /* reject relative paths */
++ if (ctx->path[0] != '/')
++ return OATH_FILE_OPEN_ERROR;
++
++ ctx->parent_fd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC|O_RDONLY);
++ if (ctx->parent_fd < 0)
++ return OATH_FILE_OPEN_ERROR;
++
++ char *path_start = strdup (ctx->path);
++ if (!path_start) {
++ err = OATH_MALLOC_ERROR;
++ goto out;
++ }
++
++ char *element = path_start;
++
++ while (true)
++ {
++ /* ignore any extra leading slashes */
++ while (element[0] == '/')
++ element++;
++
++ /* end of path has been reached (trailing slashes? shouldn't really happen) */
++ if (!element[0])
++ {
++ err = OATH_FILE_OPEN_ERROR;
++ goto out;
++ }
++
++ char *sep = strpbrk(element, "/");
++
++ /* intermediate path (directory) element */
++ if (sep)
++ {
++ *sep = '\0';
++
++ ctx->fd = openat(ctx->parent_fd, element, O_RDONLY|O_PATH|O_CLOEXEC|O_NOFOLLOW|O_DIRECTORY);
++
++ if (ctx->fd < 0)
++ {
++ err = errno == ENOENT ? OATH_NO_SUCH_FILE : OATH_FILE_OPEN_ERROR;
++ goto out;
++ }
++
++ if (fstat(ctx->fd, &ctx->st) != 0)
++ {
++ err = OATH_FILE_STAT_ERROR;
++ goto out;
++ }
++
++ /* If we encounter any world-writable components, refuse the path.
++ * This prevents any unwise configurations like placing the file into
++ * /var/tmp or a dedicated world-writable sticky-bit directory from
++ * working. */
++ if (ctx->st.st_mode & S_IWOTH)
++ {
++ err = OATH_FILE_OPEN_ERROR;
++ goto out;
++ }
++
++ close(ctx->parent_fd);
++ ctx->parent_fd = ctx->fd;
++ ctx->fd = -1;
++ element = sep + 1;
++ }
++ /* final path element has been encountered */
++ else
++ {
++ ctx->basename = ctx->path + (element - path_start);
++ err = finish_open_usersfile(ctx);
++ break;
++ }
++ }
++
++
++out:
++ if (err != OATH_OK)
++ {
++ destroy_usersfile_ctx(ctx);
++ }
++ free (path_start);
++ return err;
++}
++
+ /**
+ * oath_authenticate_usersfile:
+ * @usersfile: string with user credential filename, in UsersFile format
+@@ -466,50 +883,67 @@
+ size_t window,
+ const char *passwd, time_t * last_otp)
+ {
+- FILE *infh;
+- char *line = NULL;
+- size_t n = 0;
+- uint64_t new_moving_factor;
+ int rc;
+- size_t skipped_users;
+-
+- infh = fopen (usersfile, "r");
+- if (!infh)
+- return OATH_NO_SUCH_FILE;
++ struct usersfile_ctx ctx;
++ init_usersfile_ctx(&ctx, usersfile);
+
+- rc = parse_usersfile (username, otp, window, passwd, last_otp,
+- infh, &line, &n, &new_moving_factor, &skipped_users);
+-
+- if (rc == OATH_OK)
++ rc = safe_open_usersfile (&ctx);
++ if (rc < 0)
++ return rc;
++
++ /* if user is not root we cannot change credentials,
++ just run _oath_authenticate_usersfile normally in this case.
++ Similarly if the file is owned by root, we don't need to change
++ credentials. */
++ if (geteuid () != 0 || ctx.st.st_uid == 0)
++ {
++ rc = oath_process_usersfile (&ctx, username, otp, window, passwd, last_otp);
++ destroy_usersfile_ctx(&ctx);
++ return rc;
++ }
++
++ /* else spawn a new process so we can drop privileges to the owner of the
++ * file, to be on the safe side when operating in a directory owned by
++ * non-root. */
++ pid_t cpid = fork ();
++ if (cpid < 0)
+ {
+- char timestamp[30];
+- size_t max = sizeof (timestamp);
+- struct tm now;
+- time_t t;
+- size_t l;
+- mode_t old_umask;
+-
+- if (time (&t) == (time_t) - 1)
+- return OATH_TIME_ERROR;
+-
+- if (localtime_r (&t, &now) == NULL)
+- return OATH_TIME_ERROR;
+-
+- l = strftime (timestamp, max, TIME_FORMAT_STRING, &now);
+- if (l != 20)
+- return OATH_TIME_ERROR;
+-
+- old_umask = umask (~(S_IRUSR | S_IWUSR));
+-
+- rc = update_usersfile (usersfile, username, otp, infh,
+- &line, &n, timestamp, new_moving_factor,
+- skipped_users);
+-
+- umask (old_umask);
++ destroy_usersfile_ctx(&ctx);
++ return OATH_FORK_ERROR;
+ }
+
+- free (line);
+- fclose (infh);
++ if (cpid == 0)
++ {
++ /* child */
++ if (setgid (ctx.st.st_gid) != 0)
++ exit (abs(OATH_SETGID_ERROR));
++ if (setuid (ctx.st.st_uid) != 0)
++ exit (abs(OATH_SETUID_ERROR));
++ rc = oath_process_usersfile (&ctx, username, otp, window, passwd, last_otp);
++ exit (abs(rc));
++ }
++ else
++ {
++ int status;
++ rc = waitpid (cpid, &status, 0);
++ if (rc < 0)
++ goto wait_out;
+
+- return rc;
++ if (!WIFEXITED(status))
++ {
++ /* child exited abnormally */
++ rc = OATH_WAIT_ERROR;
++ goto wait_out;
++ }
++
++ const int exit_code = WEXITSTATUS(status);
++ rc = exit_code == 0 ? OATH_OK : -exit_code;
++wait_out:
++ /*
++ * only destroy the ctx after the child exited, otherwise the lockfile
++ * would be unlinked before the job is finished.
++ */
++ destroy_usersfile_ctx(&ctx);
++ return rc;
++ }
+ }
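Review bot: In `finish_open_usersfile` the re-open at `int check_fd = openat(ctx->parent_fd, ctx->basename, oflags);` is never checked for failure, and the following `err = fstat(check_fd, &check_st); if (err != OATH_OK)` propagates fstat's raw -1 instead of an `oath_rc`, so a usersfile unlinked between the lock and the re-check (the very race this loop exists to detect) returns an undefined error code to the PAM caller. Those lines should become `if (check_fd < 0) return errno == ENOENT ? OATH_NO_SUCH_FILE : OATH_FILE_OPEN_ERROR;` and `if (fstat(check_fd, &check_st) != 0) { close(check_fd); return OATH_FILE_STAT_ERROR; }`. In `create_new_usersfile` the second `snprintf` into `proc_path` is bounds-checked with `ret >= NAME_MAX` rather than `ret >= sizeof(proc_path)`, inconsistent with `reopen_path_fd`. In the privilege-dropping child in `oath_authenticate_usersfile`, `setgid`/`setuid` are called without first clearing supplementary groups, so the child keeps whatever groups the privileged PAM process had; a checked `setgroups(0, NULL)` before `setgid` completes the drop. As rendered here the added `#include` lines carry no header names, presumably extraction stripping the angle brackets, so it is worth confirming the committed patch file is intact and that `_GNU_SOURCE` is in effect for `F_OFD_SETLK`, `O_PATH` and `O_TMPFILE`.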
diff --git a/SPECS/oath-toolkit/oath-toolkit.spec b/SPECS/oath-toolkit/oath-toolkit.spec
index 43c0d9c4717..61bad6d3520 100644
--- a/SPECS/oath-toolkit/oath-toolkit.spec
+++ b/SPECS/oath-toolkit/oath-toolkit.spec
@@ -1,14 +1,15 @@
Summary: One-time password components
Name: oath-toolkit
Version: 2.6.7
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv3+ and LGPLv2+
URL: https://www.nongnu.org/oath-toolkit/
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: https://download.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz
-Patch0: oath-toolkit-2.6.2-lockfile.patch
+Patch0: oath-toolkit-2.6.2-lockfile.patch
+Patch1: CVE-2024-47191.patch
BuildRequires: pam-devel
BuildRequires: gtk-doc
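Review bot: `Patch1: CVE-2024-47191.patch` carries no pointer to its origin, while the patch file itself is a backport of upstream commit 4302b149a186ba8ca155ea7e211c25fac112a3ef; a comment above the line, `# Backport of upstream 4302b149a186 (usersfile: fix potential security issues in PAM module context, CVE-2024-47191)`, lets the next servicer verify the backport against upstream. The switch from `%setup -q` + `%patch0 -p1 -b .lockfile` to `%autosetup -p1` in the next hunk is consistent with this, since it applies both patches with the strip level the new patch's `oath-toolkit-2.6.7-mariner-patched/` prefixes expect.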
@@ -110,8 +111,7 @@ Requires: pam
A PAM module for pluggable login authentication for OATH.
%prep
-%setup -q
-%patch0 -p1 -b .lockfile
+%autosetup -p1
%build
autoreconf -fi
@@ -186,6 +186,9 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
%{_libdir}/security/pam_oath.so
%changelog
+* Thu Oct 03 2024 Mandeep Plaha - 2.6.7-3
+- Fix CVE-2024-47191
+
* Wed Sep 20 2023 Jon Slobodzian - 2.6.7-2
- Recompile with stack-protection fixed gcc version (CVE-2023-4039)
@@ -297,4 +300,4 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
- Added /etc/liboath directory to hold configuration / user lists
* Sun Apr 07 2013 Jaroslav Å karvada - 2.0.2-1
-- Initial version
\ No newline at end of file
+- Initial version
diff --git a/SPECS/php/php.signatures.json b/SPECS/php/php.signatures.json
index 292d27de10c..38ef7214772 100644
--- a/SPECS/php/php.signatures.json
+++ b/SPECS/php/php.signatures.json
@@ -1,19 +1,19 @@
{
- "Signatures": {
- "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869",
- "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0",
- "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e",
- "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59",
- "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95",
- "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38",
- "php-8.1.29.tar.xz": "288884af60581d4284baba2ace9ca6d646f72facbd3e3c2dd2acc7fe6f903536",
- "php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8",
- "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9",
- "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79",
- "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117",
- "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328",
- "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2",
- "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8",
- "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278"
- }
+ "Signatures": {
+ "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869",
+ "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0",
+ "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e",
+ "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59",
+ "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95",
+ "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38",
+ "php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8",
+ "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9",
+ "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79",
+ "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117",
+ "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328",
+ "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2",
+ "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8",
+ "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278",
+ "php-8.1.30.tar.xz": "f24a6007f0b25a53cb7fbaee69c85017e0345b62089c2425a0afb7e177192ed1"
+ }
}
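Review bot: The replacement tarball entry `"php-8.1.30.tar.xz"` is appended after `"php.modconf"` instead of taking the position the removed `"php-8.1.29.tar.xz"` entry held between `"opcache-default.blacklist"` and `"php-fpm-www.conf"`, and the whole `Signatures` object is re-indented at the same time, so a one-hash change shows up as fifteen rewritten lines. Keeping the existing indentation and inserting the new key in the same sorted slot would leave the diff as a single `-`/`+` pair and keep future hash updates reviewable.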
diff --git a/SPECS/php/php.spec b/SPECS/php/php.spec
index 3b4c021ae00..dd8cb3b4f54 100644
--- a/SPECS/php/php.spec
+++ b/SPECS/php/php.spec
@@ -32,7 +32,7 @@
%global with_qdbm 0
Summary: PHP scripting language for creating dynamic web sites
Name: php
-Version: 8.1.29
+Version: 8.1.30
Release: 1%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
@@ -1516,6 +1516,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%dir %{_datadir}/php/preload
%changelog
+* Mon Oct 21 2024 CBL-Mariner Servicing Account - 8.1.30-1
+- Auto-upgrade to 8.1.30 - CVE-2024-8927, CVE-2024-8925
+
* Mon Jun 10 2024 Neha Agarwal - 8.1.29-1
- Upgrade to 8.1.29 to fix CVE-2024-4577, CVE-2024-5585 and CVE-2024-5458
diff --git a/SPECS/prometheus/CVE-2024-24786.patch b/SPECS/prometheus/CVE-2024-24786.patch
new file mode 100644
index 00000000000..1ba319244f1
--- /dev/null
+++ b/SPECS/prometheus/CVE-2024-24786.patch
@@ -0,0 +1,28 @@
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..2586bb3 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
+ }
+ }
+ }
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+ }
+ return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+ case ObjectClose:
+ if len(d.openStack) == 0 ||
+- d.lastToken.kind == comma ||
++ d.lastToken.kind&(Name|comma) != 0 ||
+ d.openStack[len(d.openStack)-1] != ObjectOpen {
+ return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ }
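Review bot: The patch file carries no provenance header, so unlike CVE-2024-43799.patch elsewhere in this change (which cites its upstream commit URL) nothing records which protobuf-go commit or release these two hunks were taken from, which is what a reviewer needs to confirm the backport is complete. A leading `Subject:`/`from:` block naming the upstream fix, e.g. `from: UPSTREAM_COMMIT_URL_PLACEHOLDER (protobuf-go fix for CVE-2024-24786)`, would be enough. The added `case json.EOF:` branch calls `errors.New`, and the import block of well_known_types.go is not in the hunk, so it presumably relies on an `errors` package that file already imports — worth a build check rather than an assumption. Because both hunks edit `vendor/`, the fix only takes effect if the package is built against the vendored tree; the generate_source_tarball.sh comment in prometheus.spec suggests it is, but that is inferred, not shown here.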
diff --git a/SPECS/prometheus/prometheus.signatures.json b/SPECS/prometheus/prometheus.signatures.json
index d3c8fed3e88..9278e41a928 100644
--- a/SPECS/prometheus/prometheus.signatures.json
+++ b/SPECS/prometheus/prometheus.signatures.json
@@ -1,11 +1,11 @@
{
"Signatures": {
- "prometheus-2.37.0.tar.gz": "98892e82b97004a458e81f03d804859d485323af2d85c34f8a996e25fe1305a9",
+ "prometheus-2.37.9.tar.gz": "f26eba405e0836c5a53bfff91b45dc71b14900d5edc0fe8db7238d3c85ac45fb",
"prometheus.conf": "ce522e82dfb2945c520b482b15b5cf591364f7a571f0f28259b64dbeda42b043",
"prometheus.logrotate": "061b92500cd40fcaaf486ff488bcf1b09eac6743d8e840ba6966dc70d4e2067b",
"prometheus.service": "29bf1c886e1d55080e859f2afe112bb7344490e6992e946efe3360fd94d1a604",
"prometheus.sysconfig": "ec89a45641e3411478794106246aa91e7b72f86070a28a4782e3b8be955e4587",
"prometheus.yml": "0112e0bf54660c5e2391fff11a56404a25684c588caa7281677f7f8e19da6f28",
- "promu-0.13.0.tar.gz": "3473b87214968c79158f553228baef6e9a37ed3e11e1a4f3e7267ffd3180a8b6"
+ "promu-0.14.0.tar.gz": "d71d2a0d54093f3f17dc406d7a5825b6d6acd304cd90d9c60ed3f1335fb6ed2a"
}
-}
\ No newline at end of file
+}
diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec
index 103e57a290a..c7639090cc0 100644
--- a/SPECS/prometheus/prometheus.spec
+++ b/SPECS/prometheus/prometheus.spec
@@ -1,10 +1,10 @@
# When upgrading Prometheus, run `./generate_source_tarball.sh --pkgVersion `
# The script will spit out custom tarballs for `prometheus` and `promu` (More details in the script)
-%global promu_version 0.13.0
+%global promu_version 0.14.0
Summary: Prometheus monitoring system and time series database
Name: prometheus
-Version: 2.37.0
-Release: 15%{?dist}
+Version: 2.37.9
+Release: 1%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -19,6 +19,7 @@ Source6: promu-%{promu_version}.tar.gz
# Debian patch for default settings
Patch0: 02-Default_settings.patch
Patch1: CVE-2024-6104.patch
+Patch2: CVE-2024-24786.patch
BuildRequires: golang
BuildRequires: nodejs
BuildRequires: systemd-rpm-macros
@@ -132,6 +133,10 @@ fi
%doc README.md RELEASE.md documentation
%changelog
+* Tue Oct 08 2024 Bhagyashri Pathak - 2.37.0-16
+- Bump version to patch CVE-2022-41717
+- Patch for CVE-2024-24786
+
* Mon Sep 09 2024 CBL-Mariner Servicing Account - 2.37.0-15
- Bump release to rebuild with go 1.22.7
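Review bot: The new changelog header records version `2.37.0-16` while the first hunk of this spec sets `Version: 2.37.9` and `Release: 1%{?dist}`, so the changelog no longer matches the package NVR and rpmlint will flag it as incoherent. The line should read `* Tue Oct 08 2024 Bhagyashri Pathak - 2.37.9-1`. The first bullet, "Bump version to patch CVE-2022-41717", also omits what was bumped; naming the prometheus 2.37.0→2.37.9 and promu 0.13.0→0.14.0 upgrades there would make the entry self-explanatory.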
diff --git a/SPECS/python3/CVE-2024-4032.patch b/SPECS/python3/CVE-2024-4032.patch
new file mode 100644
index 00000000000..d93868d696d
--- /dev/null
+++ b/SPECS/python3/CVE-2024-4032.patch
@@ -0,0 +1,444 @@
+From 5e58376d424fb951966277e5d46cf0b11d860ef3 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin
+Date: Wed, 24 Apr 2024 14:29:30 +0200
+Subject: [PATCH 1/3] gh-113171: gh-65056: Fix "private" (non-global) IP
+ address ranges (GH-113179) (GH-113186) (GH-118177)
+
+* GH-113171: Fix "private" (non-global) IP address ranges (GH-113179)
+
+The _private_networks variables, used by various is_private
+implementations, were missing some ranges and at the same time had
+overly strict ranges (where there are more specific ranges considered
+globally reachable by the IANA registries).
+
+This patch updates the ranges with what was missing or otherwise
+incorrect.
+
+100.64.0.0/10 is left alone, for now, as it's been made special in [1].
+
+The _address_exclude_many() call returns 8 networks for IPv4, 121
+networks for IPv6.
+
+[1] https://github.com/python/cpython/issues/61602
+
+* GH-65056: Improve the IP address' is_global/is_private documentation (GH-113186)
+
+It wasn't clear what the semantics of is_global/is_private are and, when
+one gets to the bottom of it, it's not quite so simple (hence the
+exceptions listed).
+
+(cherry picked from commit 2a4cbf17af19a01d942f9579342f77c39fbd23c4)
+(cherry picked from commit 40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f)
+
+---------
+
+(cherry picked from commit f86b17ac511e68192ba71f27e752321a3252cee3)
+
+Co-authored-by: Jakub Stasiak
+---
+ Doc/library/ipaddress.rst | 43 ++++++++-
+ Doc/whatsnew/3.9.rst | 9 ++
+ Lib/ipaddress.py | 95 +++++++++++++++----
+ Lib/test/test_ipaddress.py | 52 ++++++++++
+ ...-03-14-01-38-44.gh-issue-113171.VFnObz.rst | 9 ++
+ 5 files changed, 187 insertions(+), 21 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+
+diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
+index 9c2dff55703273..f9c1ebf3f3df26 100644
+--- a/Doc/library/ipaddress.rst
++++ b/Doc/library/ipaddress.rst
+@@ -188,18 +188,53 @@ write code that handles both IP versions correctly. Address objects are
+
+ .. attribute:: is_private
+
+- ``True`` if the address is allocated for private networks. See
++ ``True`` if the address is defined as not globally reachable by
+ iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
+- (for IPv6).
++ (for IPv6) with the following exceptions:
++
++ * ``is_private`` is ``False`` for the shared address space (``100.64.0.0/10``)
++ * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++ semantics of the underlying IPv4 addresses and the following condition holds
++ (see :attr:`IPv6Address.ipv4_mapped`)::
++
++ address.is_private == address.ipv4_mapped.is_private
++
++ ``is_private`` has value opposite to :attr:`is_global`, except for the shared address space
++ (``100.64.0.0/10`` range) where they are both ``False``.
++
++ .. versionchanged:: 3.9.20
++
++ Fixed some false positives and false negatives.
++
++ * ``192.0.0.0/24`` is considered private with the exception of ``192.0.0.9/32`` and
++ ``192.0.0.10/32`` (previously: only the ``192.0.0.0/29`` sub-range was considered private).
++ * ``64:ff9b:1::/48`` is considered private.
++ * ``2002::/16`` is considered private.
++ * There are exceptions within ``2001::/23`` (otherwise considered private): ``2001:1::1/128``,
++ ``2001:1::2/128``, ``2001:3::/32``, ``2001:4:112::/48``, ``2001:20::/28``, ``2001:30::/28``.
++ The exceptions are not considered private.
+
+ .. attribute:: is_global
+
+- ``True`` if the address is allocated for public networks. See
++ ``True`` if the address is defined as globally reachable by
+ iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
+- (for IPv6).
++ (for IPv6) with the following exception:
++
++ For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++ semantics of the underlying IPv4 addresses and the following condition holds
++ (see :attr:`IPv6Address.ipv4_mapped`)::
++
++ address.is_global == address.ipv4_mapped.is_global
++
++ ``is_global`` has value opposite to :attr:`is_private`, except for the shared address space
++ (``100.64.0.0/10`` range) where they are both ``False``.
+
+ .. versionadded:: 3.4
+
++ .. versionchanged:: 3.9.20
++
++ Fixed some false positives and false negatives, see :attr:`is_private` for details.
++
+ .. attribute:: is_unspecified
+
+ ``True`` if the address is unspecified. See :RFC:`5735` (for IPv4)
+diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst
+index 0064e074a3adfb..1756a3733863c8 100644
+--- a/Doc/whatsnew/3.9.rst
++++ b/Doc/whatsnew/3.9.rst
+@@ -1616,3 +1616,12 @@ tarfile
+ :exc:`DeprecationWarning`.
+ In Python 3.14, the default will switch to ``'data'``.
+ (Contributed by Petr Viktorin in :pep:`706`.)
++
++Notable changes in 3.9.20
++=========================
++
++ipaddress
++---------
++
++* Fixed ``is_global`` and ``is_private`` behavior in ``IPv4Address``,
++ ``IPv6Address``, ``IPv4Network`` and ``IPv6Network``.
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 25f373a06a2b66..9b35340d9ac171 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1322,18 +1322,41 @@ def is_reserved(self):
+ @property
+ @functools.lru_cache()
+ def is_private(self):
+- """Test if this address is allocated for private networks.
++ """``True`` if the address is defined as not globally reachable by
++ iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++ (for IPv6) with the following exceptions:
+
+- Returns:
+- A boolean, True if the address is reserved per
+- iana-ipv4-special-registry.
++ * ``is_private`` is ``False`` for ``100.64.0.0/10``
++ * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++ semantics of the underlying IPv4 addresses and the following condition holds
++ (see :attr:`IPv6Address.ipv4_mapped`)::
++
++ address.is_private == address.ipv4_mapped.is_private
+
++ ``is_private`` has value opposite to :attr:`is_global`, except for the ``100.64.0.0/10``
++ IPv4 range where they are both ``False``.
+ """
+- return any(self in net for net in self._constants._private_networks)
++ return (
++ any(self in net for net in self._constants._private_networks)
++ and all(self not in net for net in self._constants._private_networks_exceptions)
++ )
+
+ @property
+ @functools.lru_cache()
+ def is_global(self):
++ """``True`` if the address is defined as globally reachable by
++ iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++ (for IPv6) with the following exception:
++
++ For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++ semantics of the underlying IPv4 addresses and the following condition holds
++ (see :attr:`IPv6Address.ipv4_mapped`)::
++
++ address.is_global == address.ipv4_mapped.is_global
++
++ ``is_global`` has value opposite to :attr:`is_private`, except for the ``100.64.0.0/10``
++ IPv4 range where they are both ``False``.
++ """
+ return self not in self._constants._public_network and not self.is_private
+
+ @property
+@@ -1537,13 +1560,15 @@ class _IPv4Constants:
+
+ _public_network = IPv4Network('100.64.0.0/10')
+
++ # Not globally reachable address blocks listed on
++ # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+ _private_networks = [
+ IPv4Network('0.0.0.0/8'),
+ IPv4Network('10.0.0.0/8'),
+ IPv4Network('127.0.0.0/8'),
+ IPv4Network('169.254.0.0/16'),
+ IPv4Network('172.16.0.0/12'),
+- IPv4Network('192.0.0.0/29'),
++ IPv4Network('192.0.0.0/24'),
+ IPv4Network('192.0.0.170/31'),
+ IPv4Network('192.0.2.0/24'),
+ IPv4Network('192.168.0.0/16'),
+@@ -1554,6 +1579,11 @@ class _IPv4Constants:
+ IPv4Network('255.255.255.255/32'),
+ ]
+
++ _private_networks_exceptions = [
++ IPv4Network('192.0.0.9/32'),
++ IPv4Network('192.0.0.10/32'),
++ ]
++
+ _reserved_network = IPv4Network('240.0.0.0/4')
+
+ _unspecified_address = IPv4Address('0.0.0.0')
+@@ -1995,23 +2025,42 @@ def is_site_local(self):
+ @property
+ @functools.lru_cache()
+ def is_private(self):
+- """Test if this address is allocated for private networks.
++ """``True`` if the address is defined as not globally reachable by
++ iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++ (for IPv6) with the following exceptions:
+
+- Returns:
+- A boolean, True if the address is reserved per
+- iana-ipv6-special-registry.
++ * ``is_private`` is ``False`` for ``100.64.0.0/10``
++ * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++ semantics of the underlying IPv4 addresses and the following condition holds
++ (see :attr:`IPv6Address.ipv4_mapped`)::
++
++ address.is_private == address.ipv4_mapped.is_private
+
++ ``is_private`` has value opposite to :attr:`is_global`, except for the ``100.64.0.0/10``
++ IPv4 range where they are both ``False``.
+ """
+- return any(self in net for net in self._constants._private_networks)
++ ipv4_mapped = self.ipv4_mapped
++ if ipv4_mapped is not None:
++ return ipv4_mapped.is_private
++ return (
++ any(self in net for net in self._constants._private_networks)
++ and all(self not in net for net in self._constants._private_networks_exceptions)
++ )
+
+ @property
+ def is_global(self):
+- """Test if this address is allocated for public networks.
++ """``True`` if the address is defined as globally reachable by
++ iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++ (for IPv6) with the following exception:
+
+- Returns:
+- A boolean, true if the address is not reserved per
+- iana-ipv6-special-registry.
++ For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++ semantics of the underlying IPv4 addresses and the following condition holds
++ (see :attr:`IPv6Address.ipv4_mapped`)::
++
++ address.is_global == address.ipv4_mapped.is_global
+
++ ``is_global`` has value opposite to :attr:`is_private`, except for the ``100.64.0.0/10``
++ IPv4 range where they are both ``False``.
+ """
+ return not self.is_private
+
+@@ -2252,19 +2301,31 @@ class _IPv6Constants:
+
+ _multicast_network = IPv6Network('ff00::/8')
+
++ # Not globally reachable address blocks listed on
++ # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+ _private_networks = [
+ IPv6Network('::1/128'),
+ IPv6Network('::/128'),
+ IPv6Network('::ffff:0:0/96'),
++ IPv6Network('64:ff9b:1::/48'),
+ IPv6Network('100::/64'),
+ IPv6Network('2001::/23'),
+- IPv6Network('2001:2::/48'),
+ IPv6Network('2001:db8::/32'),
+- IPv6Network('2001:10::/28'),
++ # IANA says N/A, let's consider it not globally reachable to be safe
++ IPv6Network('2002::/16'),
+ IPv6Network('fc00::/7'),
+ IPv6Network('fe80::/10'),
+ ]
+
++ _private_networks_exceptions = [
++ IPv6Network('2001:1::1/128'),
++ IPv6Network('2001:1::2/128'),
++ IPv6Network('2001:3::/32'),
++ IPv6Network('2001:4:112::/48'),
++ IPv6Network('2001:20::/28'),
++ IPv6Network('2001:30::/28'),
++ ]
++
+ _reserved_networks = [
+ IPv6Network('::/8'), IPv6Network('100::/8'),
+ IPv6Network('200::/7'), IPv6Network('400::/6'),
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 90897f6bedb868..84c806ee058403 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2263,6 +2263,10 @@ def testReservedIpv4(self):
+ self.assertEqual(True, ipaddress.ip_address(
+ '172.31.255.255').is_private)
+ self.assertEqual(False, ipaddress.ip_address('172.32.0.0').is_private)
++ self.assertFalse(ipaddress.ip_address('192.0.0.0').is_global)
++ self.assertTrue(ipaddress.ip_address('192.0.0.9').is_global)
++ self.assertTrue(ipaddress.ip_address('192.0.0.10').is_global)
++ self.assertFalse(ipaddress.ip_address('192.0.0.255').is_global)
+
+ self.assertEqual(True,
+ ipaddress.ip_address('169.254.100.200').is_link_local)
+@@ -2278,6 +2282,40 @@ def testReservedIpv4(self):
+ self.assertEqual(False, ipaddress.ip_address('128.0.0.0').is_loopback)
+ self.assertEqual(True, ipaddress.ip_network('0.0.0.0').is_unspecified)
+
++ def testPrivateNetworks(self):
++ self.assertEqual(False, ipaddress.ip_network("0.0.0.0/0").is_private)
++ self.assertEqual(False, ipaddress.ip_network("1.0.0.0/8").is_private)
++
++ self.assertEqual(True, ipaddress.ip_network("0.0.0.0/8").is_private)
++ self.assertEqual(True, ipaddress.ip_network("10.0.0.0/8").is_private)
++ self.assertEqual(True, ipaddress.ip_network("127.0.0.0/8").is_private)
++ self.assertEqual(True, ipaddress.ip_network("169.254.0.0/16").is_private)
++ self.assertEqual(True, ipaddress.ip_network("172.16.0.0/12").is_private)
++ self.assertEqual(True, ipaddress.ip_network("192.0.0.0/29").is_private)
++ self.assertEqual(False, ipaddress.ip_network("192.0.0.9/32").is_private)
++ self.assertEqual(True, ipaddress.ip_network("192.0.0.170/31").is_private)
++ self.assertEqual(True, ipaddress.ip_network("192.0.2.0/24").is_private)
++ self.assertEqual(True, ipaddress.ip_network("192.168.0.0/16").is_private)
++ self.assertEqual(True, ipaddress.ip_network("198.18.0.0/15").is_private)
++ self.assertEqual(True, ipaddress.ip_network("198.51.100.0/24").is_private)
++ self.assertEqual(True, ipaddress.ip_network("203.0.113.0/24").is_private)
++ self.assertEqual(True, ipaddress.ip_network("240.0.0.0/4").is_private)
++ self.assertEqual(True, ipaddress.ip_network("255.255.255.255/32").is_private)
++
++ self.assertEqual(False, ipaddress.ip_network("::/0").is_private)
++ self.assertEqual(False, ipaddress.ip_network("::ff/128").is_private)
++
++ self.assertEqual(True, ipaddress.ip_network("::1/128").is_private)
++ self.assertEqual(True, ipaddress.ip_network("::/128").is_private)
++ self.assertEqual(True, ipaddress.ip_network("::ffff:0:0/96").is_private)
++ self.assertEqual(True, ipaddress.ip_network("100::/64").is_private)
++ self.assertEqual(True, ipaddress.ip_network("2001:2::/48").is_private)
++ self.assertEqual(False, ipaddress.ip_network("2001:3::/48").is_private)
++ self.assertEqual(True, ipaddress.ip_network("2001:db8::/32").is_private)
++ self.assertEqual(True, ipaddress.ip_network("2001:10::/28").is_private)
++ self.assertEqual(True, ipaddress.ip_network("fc00::/7").is_private)
++ self.assertEqual(True, ipaddress.ip_network("fe80::/10").is_private)
++
+ def testReservedIpv6(self):
+
+ self.assertEqual(True, ipaddress.ip_network('ffff::').is_multicast)
+@@ -2351,6 +2389,20 @@ def testReservedIpv6(self):
+ self.assertEqual(True, ipaddress.ip_address('0::0').is_unspecified)
+ self.assertEqual(False, ipaddress.ip_address('::1').is_unspecified)
+
++ self.assertFalse(ipaddress.ip_address('64:ff9b:1::').is_global)
++ self.assertFalse(ipaddress.ip_address('2001::').is_global)
++ self.assertTrue(ipaddress.ip_address('2001:1::1').is_global)
++ self.assertTrue(ipaddress.ip_address('2001:1::2').is_global)
++ self.assertFalse(ipaddress.ip_address('2001:2::').is_global)
++ self.assertTrue(ipaddress.ip_address('2001:3::').is_global)
++ self.assertFalse(ipaddress.ip_address('2001:4::').is_global)
++ self.assertTrue(ipaddress.ip_address('2001:4:112::').is_global)
++ self.assertFalse(ipaddress.ip_address('2001:10::').is_global)
++ self.assertTrue(ipaddress.ip_address('2001:20::').is_global)
++ self.assertTrue(ipaddress.ip_address('2001:30::').is_global)
++ self.assertFalse(ipaddress.ip_address('2001:40::').is_global)
++ self.assertFalse(ipaddress.ip_address('2002::').is_global)
++
+ # some generic IETF reserved addresses
+ self.assertEqual(True, ipaddress.ip_address('100::').is_reserved)
+ self.assertEqual(True, ipaddress.ip_network('4000::1/128').is_reserved)
+diff --git a/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst b/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+new file mode 100644
+index 00000000000000..f9a72473be4e2c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+@@ -0,0 +1,9 @@
++Fixed various false positives and false negatives in
++
++* :attr:`ipaddress.IPv4Address.is_private` (see these docs for details)
++* :attr:`ipaddress.IPv4Address.is_global`
++* :attr:`ipaddress.IPv6Address.is_private`
++* :attr:`ipaddress.IPv6Address.is_global`
++
++Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network`
++attributes.
+
+From 5ad4fcf305f81a153f885c8abc36668307449b4b Mon Sep 17 00:00:00 2001
+From: Petr Viktorin
+Date: Wed, 24 Apr 2024 15:16:13 +0200
+Subject: [PATCH 2/3] Adjust test for 3.9 semantics of is_private on networks
+
+In 3.10 and below, is_private checks whether the network and broadcast
+address are both private.
+In later versions (where the test wss backported from), it checks
+whether they both are in the same private network.
+
+For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
+but one is in 0.0.0.0/8 ("This network") and the other in
+255.255.255.255/32 ("Limited broadcast").
+---
+ Lib/test/test_ipaddress.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 84c806ee058403..bd14f04f6c6af1 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2283,7 +2283,7 @@ def testReservedIpv4(self):
+ self.assertEqual(True, ipaddress.ip_network('0.0.0.0').is_unspecified)
+
+ def testPrivateNetworks(self):
+- self.assertEqual(False, ipaddress.ip_network("0.0.0.0/0").is_private)
++ self.assertEqual(True, ipaddress.ip_network("0.0.0.0/0").is_private)
+ self.assertEqual(False, ipaddress.ip_network("1.0.0.0/8").is_private)
+
+ self.assertEqual(True, ipaddress.ip_network("0.0.0.0/8").is_private)
+
+From 248e0f267d27b5b3197693fc8505b4e769a0c44b Mon Sep 17 00:00:00 2001
+From: Petr Viktorin
+Date: Wed, 1 May 2024 15:29:13 +0200
+Subject: [PATCH 3/3] Add IPv6 addresses to suspignore.csv
+
+That's a lot of semicolons!
+---
+ Doc/tools/susp-ignored.csv | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/Doc/tools/susp-ignored.csv b/Doc/tools/susp-ignored.csv
+index 3eb3d7954f8fb2..de91a50bad063d 100644
+--- a/Doc/tools/susp-ignored.csv
++++ b/Doc/tools/susp-ignored.csv
+@@ -169,6 +169,14 @@ library/ipaddress,,:db00,2001:db00::0/24
+ library/ipaddress,,::,2001:db00::0/24
+ library/ipaddress,,:db00,2001:db00::0/ffff:ff00::
+ library/ipaddress,,::,2001:db00::0/ffff:ff00::
++library/ipaddress,,:ff9b,64:ff9b:1::/48
++library/ipaddress,,::,64:ff9b:1::/48
++library/ipaddress,,::,2001::
++library/ipaddress,,::,2001:1::
++library/ipaddress,,::,2001:3::
++library/ipaddress,,::,2001:4:112::
++library/ipaddress,,::,2001:20::
++library/ipaddress,,::,2001:30::
+ library/itertools,,:step,elements from seq[start:stop:step]
+ library/itertools,,:stop,elements from seq[start:stop:step]
+ library/itertools,,::,kernel = tuple(kernel)[::-1]
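Review bot: The backported is_private/is_global change alters observable results for several ranges (192.0.0.0/24 minus two /32 exceptions, 64:ff9b:1::/48, 2002::/16, the 2001::/23 exceptions, and IPv4-mapped IPv6 addresses now following their embedded IPv4 address), and any downstream package in the distro that uses these attributes as a reachability or SSRF filter will see different answers after this update. The python3.spec changelog entry later in this change says only "Patch for CVE-2024-4032"; expanding it to `- Patch for CVE-2024-4032 (ipaddress is_private/is_global range corrections)` would tell maintainers of dependent packages what changed. The docstrings added here also say `.. versionchanged:: 3.9.20` while the package stays at 3.9.19, which is expected for a backport but worth a one-line remark in the spec so the mismatch is not mistaken for a wrong patch.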
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
index 82603b247fb..f11f6656684 100644
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@
Summary: A high-level scripting language
Name: python3
Version: 3.9.19
-Release: 5%{?dist}
+Release: 6%{?dist}
License: PSF
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -26,6 +26,7 @@ Patch2: CVE-2024-0397.patch
Patch3: CVE-2024-7592.patch
Patch4: CVE-2024-6232.patch
Patch5: CVE-2024-8088.patch
+Patch6: CVE-2024-4032.patch
# Patch for setuptools, resolved in 65.5.1
Patch1000: CVE-2022-40897.patch
Patch1001: CVE-2024-6345.patch
@@ -169,6 +170,7 @@ The test package contains all regression tests for Python as well as the modules
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%build
# Remove GCC specs and build environment linker scripts
@@ -324,6 +326,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
%{_libdir}/python%{majmin}/test/*
%changelog
+* Tue Oct 01 2024 Ankita Pareek - 3.9.19-6
+- Patch for CVE-2024-4032
+
* Fri Sep 20 2024 Himaja Kesari - 3.9.19-5
- Patch CVE-2024-6232 and CVE-2024-8088
diff --git a/SPECS/reaper/CVE-2024-43799.patch b/SPECS/reaper/CVE-2024-43799.patch
new file mode 100644
index 00000000000..f264afd7713
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-43799.patch
@@ -0,0 +1,27 @@
+From 6309d1f68103ef27c565cf58ab03f9ed32ff631c Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Thu, 10 Oct 2024 13:44:09 +0000
+Subject: [PATCH] CVE-2024-43799
+
+from: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35
+---
+ send/index.js | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/ui/node_modules/send/index.js b/src/ui/node_modules/send/index.js
+index 89afd7e5..768f8ca6 100644
+--- a/src/ui/node_modules/send/index.js
++++ b/src/ui/node_modules/send/index.js
+@@ -482,8 +482,7 @@ SendStream.prototype.redirect = function redirect (path) {
+ }
+
+ var loc = encodeUrl(collapseLeadingSlashes(this.path + '/'))
+- var doc = createHtmlDocument('Redirecting', 'Redirecting to ' +
+- escapeHtml(loc) + '')
++ var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
+
+ // redirect
+ res.statusCode = 301
+--
+2.39.4
+
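Review bot: The fix edits vendored source under src/ui/node_modules/send/ but changes no version metadata, so anything that derives the installed `send` version from its package.json (SBOM generation, vulnerability scanners) will still report the pre-fix version as affected by CVE-2024-43799; the same applies to CVE-2024-43800.patch for serve-static and CVE-2024-45296.patch for path-to-regexp. Either add a hunk adjusting the module's `version` field or note in the reaper spec changelog that these are in-place source patches rather than upgrades, so the residual scanner findings are explainable. The diffstat line `send/index.js | 3 +--` also does not match the path in the `diff --git` header; `git am` ignores the diffstat, but keeping it consistent avoids confusion. The `from:` line citing the upstream commit is the right practice; CVE-2024-43800.patch has no equivalent reference.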
diff --git a/SPECS/reaper/CVE-2024-43800.patch b/SPECS/reaper/CVE-2024-43800.patch
new file mode 100644
index 00000000000..3a8cd6b2690
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-43800.patch
@@ -0,0 +1,26 @@
+From cb67c9a152a1e2d8ffb3a74c504d4c9a845bf4dc Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Mon, 14 Oct 2024 07:18:16 +0000
+Subject: [PATCH] serve-static don't pass untrusted user input
+
+---
+ serve-static/index.js | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/ui/node_modules/serve-static/index.js b/src/ui/node_modules/serve-static/index.js
+index b7d3984c..3f3e64e9 100644
+--- a/src/ui/node_modules/serve-static/index.js
++++ b/src/ui/node_modules/serve-static/index.js
+@@ -195,8 +195,7 @@ function createRedirectDirectoryListener () {
+
+ // reformat the URL
+ var loc = encodeUrl(url.format(originalUrl))
+- var doc = createHtmlDocument('Redirecting', 'Redirecting to ' +
+- escapeHtml(loc) + '')
++ var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
+
+ // send redirect response
+ res.statusCode = 301
+--
+2.39.4
+
diff --git a/SPECS/reaper/CVE-2024-45296.patch b/SPECS/reaper/CVE-2024-45296.patch
new file mode 100644
index 00000000000..8528fbe296b
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-45296.patch
@@ -0,0 +1,190 @@
+From 6f1351c1c631d01ced7d2461c5eeee4552865306 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Thu, 10 Oct 2024 12:14:51 +0000
+Subject: [PATCH] Upgrade path-to-regexp from 0.1.7 to 0.1.11
+
+CVE-2024-45296 was fixed in https://github.com/pillarjs/path-to-regexp/pull/320
+which was released in version 0.1.11
+---
+ path-to-regexp/index.js | 103 ++++++++++++++++++++++++----------------
+ 1 file changed, 62 insertions(+), 41 deletions(-)
+
+diff --git a/src/ui/node_modules/path-to-regexp/index.js b/src/ui/node_modules/path-to-regexp/index.js
+index 500d1dad..39b7caac 100644
+--- a/src/ui/node_modules/path-to-regexp/index.js
++++ b/src/ui/node_modules/path-to-regexp/index.js
+@@ -1,13 +1,13 @@
+ /**
+- * Expose `pathtoRegexp`.
++ * Expose `pathToRegexp`.
+ */
+
+-module.exports = pathtoRegexp;
++module.exports = pathToRegexp;
+
+ /**
+ * Match matching groups in a regular expression.
+ */
+-var MATCHING_GROUP_REGEXP = /\((?!\?)/g;
++var MATCHING_GROUP_REGEXP = /\\.|\((?:\?<(.*?)>)?(?!\?)/g;
+
+ /**
+ * Normalize the given path string,
+@@ -25,22 +25,27 @@ var MATCHING_GROUP_REGEXP = /\((?!\?)/g;
+ * @api private
+ */
+
+-function pathtoRegexp(path, keys, options) {
++function pathToRegexp(path, keys, options) {
+ options = options || {};
+ keys = keys || [];
+ var strict = options.strict;
+ var end = options.end !== false;
+ var flags = options.sensitive ? '' : 'i';
++ var lookahead = options.lookahead !== false;
+ var extraOffset = 0;
+ var keysOffset = keys.length;
+ var i = 0;
+ var name = 0;
++ var pos = 0;
++ var backtrack = '';
+ var m;
+
+ if (path instanceof RegExp) {
+ while (m = MATCHING_GROUP_REGEXP.exec(path.source)) {
++ if (m[0][0] === '\\') continue;
++
+ keys.push({
+- name: name++,
++ name: m[1] || name++,
+ optional: false,
+ offset: m.index
+ });
+@@ -54,20 +59,51 @@ function pathtoRegexp(path, keys, options) {
+ // the same keys and options instance into every generation to get
+ // consistent matching groups before we join the sources together.
+ path = path.map(function (value) {
+- return pathtoRegexp(value, keys, options).source;
++ return pathToRegexp(value, keys, options).source;
+ });
+
+- return new RegExp('(?:' + path.join('|') + ')', flags);
++ return new RegExp(path.join('|'), flags);
++ }
++
++ if (typeof path !== 'string') {
++ throw new TypeError('path must be a string, array of strings, or regular expression');
+ }
+
+- path = ('^' + path + (strict ? '' : path[path.length - 1] === '/' ? '?' : '/?'))
+- .replace(/\/\(/g, '/(?:')
+- .replace(/([\/\.])/g, '\\$1')
+- .replace(/(\\\/)?(\\\.)?:(\w+)(\(.*?\))?(\*)?(\?)?/g, function (match, slash, format, key, capture, star, optional, offset) {
++ path = path.replace(
++ /\\.|(\/)?(\.)?:(\w+)(\(.*?\))?(\*)?(\?)?|[.*]|\/\(/g,
++ function (match, slash, format, key, capture, star, optional, offset) {
++ pos = offset + match.length;
++
++ if (match[0] === '\\') {
++ backtrack += match;
++ return match;
++ }
++
++ if (match === '.') {
++ backtrack += '\\.';
++ extraOffset += 1;
++ return '\\.';
++ }
++
++ backtrack = slash || format ? '' : path.slice(pos, offset);
++
++ if (match === '*') {
++ extraOffset += 3;
++ return '(.*)';
++ }
++
++ if (match === '/(') {
++ backtrack += '/';
++ extraOffset += 2;
++ return '/(?:';
++ }
++
+ slash = slash || '';
+- format = format || '';
+- capture = capture || '([^\\/' + format + ']+?)';
++ format = format ? '\\.' : '';
+ optional = optional || '';
++ capture = capture ?
++ capture.replace(/\\.|\*/, function (m) { return m === '*' ? '(.*)' : m; }) :
++ (backtrack ? '((?:(?!/|' + backtrack + ').)+?)' : '([^/' + format + ']+?)');
+
+ keys.push({
+ name: key,
+@@ -75,41 +111,20 @@ function pathtoRegexp(path, keys, options) {
+ offset: offset + extraOffset
+ });
+
+- var result = ''
+- + (optional ? '' : slash)
+- + '(?:'
+- + format + (optional ? slash : '') + capture
+- + (star ? '((?:[\\/' + format + '].+?)?)' : '')
++ var result = '(?:'
++ + format + slash + capture
++ + (star ? '((?:[/' + format + '].+?)?)' : '')
+ + ')'
+ + optional;
+
+ extraOffset += result.length - match.length;
+
+ return result;
+- })
+- .replace(/\*/g, function (star, index) {
+- var len = keys.length
+-
+- while (len-- > keysOffset && keys[len].offset > index) {
+- keys[len].offset += 3; // Replacement length minus asterisk length.
+- }
+-
+- return '(.*)';
+ });
+
+ // This is a workaround for handling unnamed matching groups.
+ while (m = MATCHING_GROUP_REGEXP.exec(path)) {
+- var escapeCount = 0;
+- var index = m.index;
+-
+- while (path.charAt(--index) === '\\') {
+- escapeCount++;
+- }
+-
+- // It's possible to escape the bracket.
+- if (escapeCount % 2 === 1) {
+- continue;
+- }
++ if (m[0][0] === '\\') continue;
+
+ if (keysOffset + i === keys.length || keys[keysOffset + i].offset > m.index) {
+ keys.splice(keysOffset + i, 0, {
+@@ -122,8 +137,14 @@ function pathtoRegexp(path, keys, options) {
+ i++;
+ }
+
++ path += strict ? '' : path[path.length - 1] === '/' ? '?' : '/?';
++
+ // If the path is non-ending, match until the end or a slash.
+- path += (end ? '$' : (path[path.length - 1] === '/' ? '' : '(?=\\/|$)'));
++ if (end) {
++ path += '$';
++ } else if (path[path.length - 1] !== '/') {
++ path += lookahead ? '(?=/|$)' : '(?:/|$)';
++ }
+
+- return new RegExp(path, flags);
+-};
++ return new RegExp('^' + path, flags);
++};
+\ No newline at end of file
+--
+2.39.4
+
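Review bot: This backport stops at path-to-regexp 0.1.11, but upstream later published 0.1.12 because the lookahead-based mitigation introduced here — the `'((?:(?!/|' + backtrack + ').)+?)'` capture chosen at the `capture = capture ? … :` assignment — was reported as still ReDoS-prone (tracked as CVE-2024-52798); as far as I recall, 0.1.12 drops the `backtrack` lookahead and always uses the plain `'([^/' + format + ']+?)'` capture, so please confirm whether the spec should carry the 0.1.12 change instead. Separately, the patch rewrites `node_modules/path-to-regexp/index.js` in place; presumably the adjacent `package.json` still declares `0.1.7` (not visible here), in which case SCA scanners and `npm ls` will keep reporting the vulnerable version, so either bump that field in the same patch or record in the spec why it is left. The new `var lookahead = options.lookahead !== false;` option is undocumented; a one-line comment such as `// lookahead=false emits (?:/|$) instead of (?=/|$) at the end of non-ending paths (upstream 0.1.11 option)` would help the next backporter.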
diff --git a/SPECS/reaper/CVE-2024-45590.patch b/SPECS/reaper/CVE-2024-45590.patch
new file mode 100644
index 00000000000..52aa5bd83e7
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-45590.patch
@@ -0,0 +1,87 @@
+From 58b0b02d2501825235a1c1c2598171513621df45 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Wed, 25 Sep 2024 12:35:30 +0000
+Subject: [PATCH] CVE-2024-45590: Set default depth limit to 32
+
+---
+ .../body-parser/lib/types/urlencoded.js | 37 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/src/ui/node_modules/body-parser/lib/types/urlencoded.js b/src/ui/node_modules/body-parser/lib/types/urlencoded.js
+index b2ca8f16..886a3ce2 100644
+--- a/src/ui/node_modules/body-parser/lib/types/urlencoded.js
++++ b/src/ui/node_modules/body-parser/lib/types/urlencoded.js
+@@ -55,6 +55,9 @@ function urlencoded (options) {
+ : opts.limit
+ var type = opts.type || 'application/x-www-form-urlencoded'
+ var verify = opts.verify || false
++ var depth = typeof opts.depth !== 'number'
++ ? Number(opts.depth || 32)
++ : opts.depth
+
+ if (verify !== false && typeof verify !== 'function') {
+ throw new TypeError('option verify must be function')
+@@ -118,7 +121,8 @@ function urlencoded (options) {
+ encoding: charset,
+ inflate: inflate,
+ limit: limit,
+- verify: verify
++ verify: verify,
++ depth: depth
+ })
+ }
+ }
+@@ -133,12 +137,20 @@ function extendedparser (options) {
+ var parameterLimit = options.parameterLimit !== undefined
+ ? options.parameterLimit
+ : 1000
++
++ var depth = typeof options.depth !== 'number'
++ ? Number(options.depth || 32)
++ : options.depth
+ var parse = parser('qs')
+
+ if (isNaN(parameterLimit) || parameterLimit < 1) {
+ throw new TypeError('option parameterLimit must be a positive number')
+ }
+
++ if(isNaN(depth) || depth < 0) {
++ throw new TypeError('option depth must be a zero or a positive number')
++ }
++
+ if (isFinite(parameterLimit)) {
+ parameterLimit = parameterLimit | 0
+ }
+@@ -156,12 +168,23 @@ function extendedparser (options) {
+ var arrayLimit = Math.max(100, paramCount)
+
+ debug('parse extended urlencoding')
+- return parse(body, {
+- allowPrototypes: true,
+- arrayLimit: arrayLimit,
+- depth: Infinity,
+- parameterLimit: parameterLimit
+- })
++ try {
++ return parse(body, {
++ allowPrototypes: true,
++ arrayLimit: arrayLimit,
++ depth: depth,
++ strictDepth: true,
++ parameterLimit: parameterLimit
++ })
++ } catch (err) {
++ if (err instanceof RangeError) {
++ throw createError(400, 'The input exceeded the depth', {
++ type: 'querystring.parse.rangeError'
++ })
++ } else {
++ throw err
++ }
++ }
+ }
+ }
+
+--
+2.39.4
+
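Review bot: The `strictDepth: true` option added to the `parse(body, { … })` call only takes effect if the vendored `qs` understands it (upstream added it to qs in the same release train as this body-parser change); the patch does not touch `node_modules/qs`, so if the bundled copy predates that option it is silently ignored, qs never raises the `RangeError` that the new `catch` translates into a 400, and over-deep input is quietly truncated rather than rejected. Please confirm the version in `src/ui/node_modules/qs/package.json` or fold the qs bump into this patch. The `createError` used in the catch block is presumably the file's existing `http-errors` require (outside the hunk) — worth a glance that it is in scope, since the urlencoded parser previously had no error-construction path in this function. Minor style point: `if(isNaN(depth) || depth < 0) {` is missing the space after `if` that every other conditional in this file uses.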
diff --git a/SPECS/reaper/CVE-2024-47764.patch b/SPECS/reaper/CVE-2024-47764.patch
new file mode 100644
index 00000000000..6c5880950c8
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-47764.patch
@@ -0,0 +1,116 @@
+From 9ca5ddf291fcd82a34925e1584bb7356a554fbe3 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Mon, 14 Oct 2024 09:44:29 +0000
+Subject: [PATCH] narrow the validation cookies to match RFC6265
+
+---
+ cookie/index.js | 64 ++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 55 insertions(+), 9 deletions(-)
+
+diff --git a/src/ui/node_modules/cookie/index.js b/src/ui/node_modules/cookie/index.js
+index 03d4c386..5e8c805d 100644
+--- a/src/ui/node_modules/cookie/index.js
++++ b/src/ui/node_modules/cookie/index.js
+@@ -23,14 +23,60 @@ exports.serialize = serialize;
+ var __toString = Object.prototype.toString
+
+ /**
+- * RegExp to match field-content in RFC 7230 sec 3.2
++ * RegExp to match cookie-name in RFC 6265 sec 4.1.1
++ * This refers out to the obsoleted definition of token in RFC 2616 sec 2.2
++ * which has been replaced by the token definition in RFC 7230 appendix B.
+ *
+- * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+- * field-vchar = VCHAR / obs-text
+- * obs-text = %x80-FF
++ * cookie-name = token
++ * token = 1*tchar
++ * tchar = "!" / "#" / "$" / "%" / "&" / "'" /
++ * "*" / "+" / "-" / "." / "^" / "_" /
++ * "`" / "|" / "~" / DIGIT / ALPHA
+ */
+
+-var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
++var cookieNameRegExp = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
++
++/**
++ * RegExp to match cookie-value in RFC 6265 sec 4.1.1
++ *
++ * cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
++ * cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++ * ; US-ASCII characters excluding CTLs,
++ * ; whitespace DQUOTE, comma, semicolon,
++ * ; and backslash
++ */
++
++var cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
++
++/**
++ * RegExp to match domain-value in RFC 6265 sec 4.1.1
++ *
++ * domain-value =
++ * ; defined in [RFC1034], Section 3.5, as
++ * ; enhanced by [RFC1123], Section 2.1
++ * =