!117 Batch fix sync failed cves for openEuler-22.03-LTS-SP3 branch

From: @running-tortoise 
Reviewed-by: @wubijie123 
Signed-off-by: @wubijie123

0004-backport-Suppress-noisy-basic-auth-token-deletion-log.patch

@@ -0,0 +1,32 @@
+From 0a960a272d46fa3c1d4929543efdfb673f47d37f Mon Sep 17 00:00:00 2001
+From: Ahmet Alp Balkan <ahmet@linkedin.com>
+Date: Fri, 28 Jun 2024 12:10:04 -0700
+Subject: [PATCH] Suppress noisy basic auth token deletion log
+
+Right now the basic auth tokens that are deleted after `--auth-token-ttl`
+cause info-level logs to be emitted. Change this to debug. This helps with
+the issue at #18244 where calling `/readyz` frequently pollutes the etcd server
+logs with this log message.
+
+Fixes #18244.
+
+Signed-off-by: Ahmet Alp Balkan <ahmet@linkedin.com>
+---
+ auth/simple_token.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth/simple_token.go b/auth/simple_token.go
+index a9dc5b7..364aba2 100644
+--- a/auth/simple_token.go
++++ b/auth/simple_token.go
+@@ -166,7 +166,7 @@ func (t *tokenSimple) enable() {
+ 	delf := func(tk string) {
+ 		if username, ok := t.simpleTokens[tk]; ok {
+ 			if t.lg != nil {
+-				t.lg.Info(
++				t.lg.Debug(
+ 					"deleted a simple token",
+ 					zap.String("user-name", username),
+ 					zap.String("token", tk),
+-- 
+2.9.3.windows.1

0005-backport-fix-CVE-2022-3064.patch

@@ -0,0 +1,117 @@
+From 48b4385de0f9c6e4745205a72185b0f39bc8ea74 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Thu, 13 Feb 2025 18:13:18 +0800
+Subject: [PATCH] backport-cve-2022-3064
+
+---
+ vendor/gopkg.in/yaml.v2/decode.go   | 36 +++++++++++++++++++++++++++++
+ vendor/gopkg.in/yaml.v2/scannerc.go | 17 +++++++++++++-
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
+index e4e56e2..43106a8 100644
+--- a/vendor/gopkg.in/yaml.v2/decode.go
++++ b/vendor/gopkg.in/yaml.v2/decode.go
+@@ -229,6 +229,10 @@ type decoder struct {
+ 	mapType reflect.Type
+ 	terrors []string
+ 	strict  bool
++
++	decodeCount int
++	aliasCount  int
++	aliasDepth  int
+ }
+ 
+ var (
+@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
+ 	return out, false, false
+ }
+ 
++const (
++	// 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
++	alias_ratio_range_low = 400000
++	// 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
++	alias_ratio_range_high = 4000000
++	// alias_ratio_range is the range over which we scale allowed alias ratios
++	alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
++)
++
++func allowedAliasRatio(decodeCount int) float64 {
++	switch {
++	case decodeCount <= alias_ratio_range_low:
++		// allow 99% to come from alias expansion for small-to-medium documents
++		return 0.99
++	case decodeCount >= alias_ratio_range_high:
++		// allow 10% to come from alias expansion for very large documents
++		return 0.10
++	default:
++		// scale smoothly from 99% down to 10% over the range.
++		// this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
++		// 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
++		return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
++	}
++}
++
+ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
++	d.decodeCount++
++	if d.aliasDepth > 0 {
++		d.aliasCount++
++	}
++	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
++		failf("document contains excessive aliasing")
++	}
+ 	switch n.kind {
+ 	case documentNode:
+ 		return d.document(n, out)
+diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go
+index 077fd1d..d1a58a7 100644
+--- a/vendor/gopkg.in/yaml.v2/scannerc.go
++++ b/vendor/gopkg.in/yaml.v2/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_flow_level limits the flow_level
++const max_flow_level = 10000
++
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
++	if parser.flow_level > max_flow_level {
++		return yaml_parser_set_scanner_error(parser,
++			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
++	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_indents limits the indents stack size
++const max_indents = 10000
++
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,7 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
+-
++		if len(parser.indents) > max_indents {
++			return yaml_parser_set_scanner_error(parser,
++				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++				fmt.Sprintf("exceeded max depth of %d", max_indents))
++		}
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+ 			typ:        typ,
+-- 
+2.46.0
+

0006-backport-fix-CVE-2022-41723.patch

@@ -0,0 +1,143 @@
+From 33fc2e1988454d3a2f9d887161884f76f344178f Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Fri, 14 Feb 2025 14:29:45 +0800
+Subject: [PATCH] backport fix cve-2022-41723
+
+---
+ vendor/golang.org/x/net/http2/hpack/hpack.go | 80 ++++++++++++--------
+ 1 file changed, 50 insertions(+), 30 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..0d3fd2b 100644
+--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 
+ 	var hf HeaderField
+ 	wantStr := d.emitEnabled || it.indexed()
++	var undecodedName undecodedString
+ 	if nameIdx > 0 {
+ 		ihf, ok := d.at(nameIdx)
+ 		if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 		}
+ 		hf.Name = ihf.Name
+ 	} else {
+-		hf.Name, buf, err = d.readString(buf, wantStr)
++		undecodedName, buf, err = d.readString(buf)
+ 		if err != nil {
+ 			return err
+ 		}
+ 	}
+-	hf.Value, buf, err = d.readString(buf, wantStr)
++	undecodedValue, buf, err := d.readString(buf)
+ 	if err != nil {
+ 		return err
+ 	}
++	if wantStr {
++		if nameIdx <= 0 {
++			hf.Name, err = d.decodeString(undecodedName)
++			if err != nil {
++				return err
++			}
++		}
++		hf.Value, err = d.decodeString(undecodedValue)
++		if err != nil {
++			return err
++		}
++	}
+ 	d.buf = buf
+ 	if it.indexed() {
+ 		d.dynTab.add(hf)
+@@ -383,6 +396,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 	return d.callEmit(hf)
+ }
+ 
++
+ func (d *Decoder) callEmit(hf HeaderField) error {
+ 	if d.maxStrLen != 0 {
+ 		if len(hf.Name) > d.maxStrLen || len(hf.Value) > d.maxStrLen {
+@@ -459,46 +473,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ 	return 0, origP, errNeedMore
+ }
+ 
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ 	if len(p) == 0 {
+-		return "", p, errNeedMore
++		return u, p, errNeedMore
+ 	}
+ 	isHuff := p[0]&128 != 0
+ 	strLen, p, err := readVarInt(7, p)
+ 	if err != nil {
+-		return "", p, err
++		return u, p, err
+ 	}
+ 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+-		return "", nil, ErrStringLength
++		// Returning an error here means Huffman decoding errors
++		// for non-indexed strings past the maximum string length
++		// are ignored, but the server is returning an error anyway
++		// and because the string is not indexed the error will not
++		// affect the decoding state.
++		return u, nil, ErrStringLength
+ 	}
+ 	if uint64(len(p)) < strLen {
+-		return "", p, errNeedMore
+-	}
+-	if !isHuff {
+-		if wantStr {
+-			s = string(p[:strLen])
+-		}
+-		return s, p[strLen:], nil
++		return u, p, errNeedMore
+ 	}
++	u.isHuff = isHuff
++	u.b = p[:strLen]
++	return u, p[strLen:], nil
++}
+ 
+-	if wantStr {
+-		buf := bufPool.Get().(*bytes.Buffer)
+-		buf.Reset() // don't trust others
+-		defer bufPool.Put(buf)
+-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+-			buf.Reset()
+-			return "", nil, err
+-		}
++type undecodedString struct {
++	isHuff bool
++	b      []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++	if !u.isHuff {
++		return string(u.b), nil
++	}
++	buf := bufPool.Get().(*bytes.Buffer)
++	buf.Reset() // don't trust others
++	var s string
++	err := huffmanDecode(buf, d.maxStrLen, u.b)
++	if err == nil {
+ 		s = buf.String()
+-		buf.Reset() // be nice to GC
+ 	}
+-	return s, p[strLen:], nil
++	buf.Reset() // be nice to GC
++	bufPool.Put(buf)
++	return s, err
+ }
+-- 
+2.46.0
+

0007-backport-fix-CVE-2022-34038.patch

@@ -0,0 +1,42 @@
+From 3d941cd2d0897d204a2f36fe70eb6011892461d9 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Mon, 17 Feb 2025 10:19:48 +0800
+Subject: [PATCH] backport-fix-cve-2022-34038
+
+---
+ pkg/ioutil/pagewriter.go | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/pkg/ioutil/pagewriter.go b/pkg/ioutil/pagewriter.go
+index cf9a8dc..10d921d 100644
+--- a/pkg/ioutil/pagewriter.go
++++ b/pkg/ioutil/pagewriter.go
+@@ -16,6 +16,7 @@ package ioutil
+ 
+ import (
+ 	"io"
++	"fmt"
+ )
+ 
+ var defaultBufferBytes = 128 * 1024
+@@ -38,9 +39,17 @@ type PageWriter struct {
+ 	bufWatermarkBytes int
+ }
+ 
++// Assert will panic with a given formatted message if the given condition is false.
++func Assert(condition bool, msg string, v int) {
++       if !condition {
++               panic(fmt.Sprintf("assertion failed:" +msg, v))
++       }
++}
++
+ // NewPageWriter creates a new PageWriter. pageBytes is the number of bytes
+ // to write per page. pageOffset is the starting offset of io.Writer.
+ func NewPageWriter(w io.Writer, pageBytes, pageOffset int) *PageWriter {
++	Assert(pageBytes > 0, "pageBytes %d is an invalid value, it must be greater than 0", pageBytes)
+ 	return &PageWriter{
+ 		w:                 w,
+ 		pageOffset:        pageOffset,
+-- 
+2.46.0
+

0008-backport-fix-CVE-2023-32082.patch

@@ -0,0 +1,160 @@
+From a813426b143c11dcda7fc8402bf66fee7b348470 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Mon, 17 Feb 2025 13:44:51 +0800
+Subject: [PATCH] backport fix cve-2023-32082
+
+---
+ etcdserver/v3_server.go        | 51 +++++++++++++++++++++++++++++++++-
+ tests/e2e/ctl_v3_auth_test.go  | 49 ++++++++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_lease_test.go |  9 ++++++
+ 3 files changed, 108 insertions(+), 1 deletion(-)
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index 1fa8e4e..93b2bc1 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -298,7 +298,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
+ 	return -1, ErrCanceled
+ }
+ 
+-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) {
++	rev := s.AuthStore().Revision()
++	if !s.AuthStore().IsAuthEnabled() {
++		return nil, rev
++	}
++	authInfo, err := s.AuthInfoFromCtx(ctx)
++	if err != nil {
++		return err, rev
++	}
++	if authInfo == nil {
++		return auth.ErrUserEmpty, rev
++	}
++
++	l := s.lessor.Lookup(leaseID)
++	if l != nil {
++		for _, key := range l.Keys() {
++			if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
++				return err, 0
++			}
++		}
++	}
++
++	return nil, rev
++}
++
++func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+ 	if s.Leader() == s.ID() {
+ 		// primary; timetolive directly from leader
+ 		le := s.lessor.Lookup(lease.LeaseID(r.ID))
+@@ -345,6 +370,30 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
+ 	return nil, ErrCanceled
+ }
+ 
++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++	var rev uint64
++	var err error
++	if r.Keys {
++		// check RBAC permission only if Keys is true
++		err, rev = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
++		if err != nil {
++			return nil, err
++		}
++	}
++
++	resp, err := s.leaseTimeToLive(ctx, r)
++	if err != nil {
++		return nil, err
++	}
++
++	if r.Keys {
++		if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
++			return nil, auth.ErrAuthOldRevision
++		}
++	}
++	return resp, nil
++}
++
+ func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
+ 	ls := s.lessor.Leases()
+ 	lss := make([]*pb.LeaseStatus, len(ls))
+diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
+index 2142394..728eafa 100644
+--- a/tests/e2e/ctl_v3_auth_test.go
++++ b/tests/e2e/ctl_v3_auth_test.go
+@@ -69,6 +69,55 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCf
+ func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
+ 	testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
+ }
++func TestCtlV3AuthLeaseTimeToLive(t *testing.T)     { testCtl(t, authTestLeaseTimeToLive) }
++
++func authTestLeaseTimeToLive(cx ctlCtx) {
++	if err := authEnable(cx); err != nil {
++		cx.t.Fatal(err)
++	}
++	cx.user, cx.pass = "root", "root"
++
++	authSetupTestUser(cx)
++
++	cx.user = "test-user"
++	cx.pass = "pass"
++
++	leaseID, err := ctlV3LeaseGrant(cx, 10)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	err = ctlV3Put(cx, "foo", "val", leaseID)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	err = ctlV3LeaseTimeToLive(cx, leaseID, true)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	cx.user = "root"
++	cx.pass = "root"
++	err = ctlV3Put(cx, "bar", "val", leaseID)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	cx.user = "test-user"
++	cx.pass = "pass"
++	// the lease is attached to bar, which test-user cannot access
++	err = ctlV3LeaseTimeToLive(cx, leaseID, true)
++	if err == nil {
++		cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
++	}
++
++	// without --keys, access should be allowed
++	err = ctlV3LeaseTimeToLive(cx, leaseID, false)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++}
+ 
+ func authEnableTest(cx ctlCtx) {
+ 	if err := authEnable(cx); err != nil {
+diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go
+index 608b8ca..f90b1a5 100644
+--- a/tests/e2e/ctl_v3_lease_test.go
++++ b/tests/e2e/ctl_v3_lease_test.go
+@@ -294,3 +294,12 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
+ 	cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
+ 	return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID))
+ }
++
++func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
++	cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
++	if withKeys {
++		cmdArgs = append(cmdArgs, "--keys")
++	}
++	return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
++}
++
+-- 
+2.46.0
+

0009-backport-fix-CVE-2021-28235.patch

@@ -0,0 +1,141 @@
+From 5608bf772250843426cc2fa357fac0a55316ad37 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Mon, 17 Feb 2025 14:46:45 +0800
+Subject: [PATCH] backport fix cve-2021-28235
+
+---
+ etcdserver/v3_server.go                |  7 ++++
+ tests/e2e/ctl_v3_auth_security_test.go | 58 ++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_test.go               |  6 +++
+ tests/e2e/util.go                      | 11 +++++
+ 4 files changed, 82 insertions(+)
+ create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index 93b2bc1..8d8bd9c 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -453,6 +453,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
+ 	}
+ 
+ 	lg := s.getLogger()
++	
++	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++	defer func() {
++		if r != nil {
++			r.Password = ""
++		}
++	}()
+ 
+ 	var resp proto.Message
+ 	for {
+diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
+new file mode 100644
+index 0000000..b63a15f
+--- /dev/null
++++ b/tests/e2e/ctl_v3_auth_security_test.go
+@@ -0,0 +1,58 @@
++// Copyright 2023 The etcd Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++//     http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++//go:build !cluster_proxy
++
++package e2e
++
++import (
++	"strings"
++	"testing"
++
++	"github.com/stretchr/testify/require"
++
++	"go.etcd.io/etcd/tests/v3/framework/e2e"
++)
++
++// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++func TestAuth_CVE_2021_28235(t *testing.T) {
++	testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
++}
++
++func authTest_CVE_2021_28235(cx ctlCtx) {
++	// create root user with root role
++	rootPass := "changeme123"
++	err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
++	require.NoError(cx.t, err)
++	err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
++	require.NoError(cx.t, err)
++	err = ctlV3AuthEnable(cx)
++	require.NoError(cx.t, err)
++
++	// issue a put request
++	cx.user, cx.pass = "root", rootPass
++	err = ctlV3Put(cx, "foo", "bar", "")
++	require.NoError(cx.t, err)
++
++	// GET /debug/requests
++	httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
++	req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
++	respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
++	require.NoError(cx.t, err)
++
++	if strings.Contains(respData, rootPass) {
++		cx.t.Errorf("The root password is included in the request.\n %s", respData)
++	}
++}
++
+diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
+index 04f5a65..74b1838 100644
+--- a/tests/e2e/ctl_v3_test.go
++++ b/tests/e2e/ctl_v3_test.go
+@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
+ 	return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
+ }
+ 
++func withLogLevel(logLevel string) ctlOption {
++	return func(cx *ctlCtx) {
++		cx.cfg.LogLevel = logLevel
++	}
++}
++
+ func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
+ 	defer testutil.AfterTest(t)
+ 
+diff --git a/tests/e2e/util.go b/tests/e2e/util.go
+index ce7289a..0e41225 100644
+--- a/tests/e2e/util.go
++++ b/tests/e2e/util.go
+@@ -17,6 +17,7 @@ package e2e
+ import (
+ 	"encoding/json"
+ 	"fmt"
++	"string"
+ 	"math/rand"
+ 	"strings"
+ 	"time"
+@@ -108,3 +109,13 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
+ func toTLS(s string) string {
+ 	return strings.Replace(s, "http://", "https://", 1)
+ }
++
++func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
++	args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
++	lines, err := e2e.RunUtilCompletion(args, nil)
++	if err != nil {
++		return "", err
++	}
++	return strings.Join(lines, "\n"), nil
++}
++
+-- 
+2.46.0
+

0010-backport-fix-CVE-2023-39325.patch

@@ -0,0 +1,131 @@
+From 31f47cbf4b06ae00b58ffa554706bbc26b17e948 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Tue, 18 Feb 2025 16:22:42 +0800
+Subject: [PATCH] backport fix cve-2023-39325
+
+---
+ vendor/golang.org/x/net/http2/server.go | 68 +++++++++++++++++++++++--
+ 1 file changed, 65 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 5e01ce9ab..f447050c8 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -521,9 +521,11 @@ type serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers					uint32	// number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*stream
++	unstartedHandlers           []unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -895,6 +897,8 @@ func (sc *serverConn) serve() {
+ 					return
+ 				case gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -940,6 +944,7 @@ var (
+ 	idleTimerMsg        = new(serverMessage)
+ 	shutdownTimerMsg    = new(serverMessage)
+ 	gracefulShutdownMsg = new(serverMessage)
++	handlerDoneMsg		= new(serverMessage)
+ )
+ 
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -1880,8 +1885,9 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	//go sc.runHandler(rw, req, handler)
++	//return sc.sch
++	return sc.scheduleHandler(id,rw,req,handler)
+ }
+ 
+ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+@@ -2124,8 +2130,64 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
+ 	return rw, req, nil
+ }
+ 
++type unstartedHandler struct {
++	streamID uint32
++	rw       *responseWriter
++	req      *http.Request
++	handler  func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		//return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
++		return ConnectionError(ErrCodeEnhanceYourCalm)
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++
++func (sc *serverConn)handlerDone(){
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++	defer sc.sendServeMsg(handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+@@ -2879,7 +2941,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
+ 			// Should not happen, since we've already validated msg.url.
+ 			panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
+ 		}
+-
++		sc.curHandlers++
+ 		go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ 		return promisedID, nil
+ 	}
+-- 
+2.25.1
+

etcd.spec

@@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*
 
 Name:           etcd
-Release:        4
+Release:        9
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system
 
 # Upstream license specification: Apache-2.0
@@ -46,6 +46,14 @@ Source10:       genmanpages.sh
 # update grpc-go version to v1.32.0
 Patch1:         0001-Convert-int-to-string-using-strconv.Itoa.patch
 Patch2:		0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
+Patch3:		0003-etcd-3.4.14-sw.patch
+Patch4:         0004-backport-Suppress-noisy-basic-auth-token-deletion-log.patch
+Patch5:         0005-backport-fix-CVE-2022-3064.patch
+Patch6:         0006-backport-fix-CVE-2022-41723.patch
+Patch7:         0007-backport-fix-CVE-2022-34038.patch
+Patch8:         0008-backport-fix-CVE-2023-32082.patch
+Patch9:         0009-backport-fix-CVE-2021-28235.patch
+Patch10:        0010-backport-fix-CVE-2023-39325.patch
 
 BuildRequires:  golang
 BuildRequires:  python3-devel
@@ -63,6 +71,16 @@ Requires(pre):  shadow-utils
 %forgesetup
 %patch1 -p1
 %patch2 -p1
+%ifarch sw_64
+%patch3 -p1
+%endif
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 # For compatibility
 cp -aR etcdserver/api/snap snap
 cp -aR etcdserver/api/membership etcdserver/membership
@@ -148,6 +166,30 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 
 %changelog
+* Thu Feb 20 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-9
+- Type:CVES
+- CVES:CVE-2022-41723 CVE-2022-34038  CVE-2023-32082 CVE-2021-28235 CVE-2023-39325
+- SUG:NA
+- DESC: Batch fix sync failed cves for openEuler-22.03-LTS-SP1 branch
+
+* Thu Feb 13 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-8
+- Type:CVE
+- CVE:CVE-2022-3064
+- SUG:NA
+- DESC: backport fix CVE-2022-3064
+
+* Tue Feb 11 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-7
+- Type:CVE
+- CVE:CVE-2022-24675 CVE-2022-28327 CVE-2022-24921 CVE-2021-44717 CVE-2021-33195
+- SUG:NA
+- DESC: Batch fix cve through rebuild and sync release
+
+* Wed Jul 17 2024 guojunding <guojunding@kylinos.cn> - 3.4.14-6
+- Suppress noisy basic auth token deletion log
+
+* Wed Oct 19 2022 wuzx<wuzx1226@qq.com> - 3.4.14-5
+- add sw64 patch
+
 * Wed Sep 2021 jikui <jikui2@huawei.com> - 3.4.14-4
 - modify build flags for secure compilation options