[AUTO-CHERRYPICK] [AutoPR- Security] Patch telegraf for CVE-2026-4645 [HIGH] - branch 3.0-dev (#16335)

CBL-Mariner-Bot · azurelinux-security · jslobodzian · web-flow · commit bc53f7f1d892 · 2026-03-30T22:22:30.000-04:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/telegraf/CVE-2026-4645.patch b/SPECS/telegraf/CVE-2026-4645.patch
@@ -0,0 +1,34 @@
+From 77ef55ce21fd12b8bd995e1eace449ca6cf8087a Mon Sep 17 00:00:00 2001
+From: zhengchun <zhengchunster@gmail.com>
+Date: Sat, 21 Feb 2026 21:32:17 +0800
+Subject: [PATCH] fix #121
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494.patch
+---
+ vendor/github.com/antchfx/xpath/query.go | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/vendor/github.com/antchfx/xpath/query.go b/vendor/github.com/antchfx/xpath/query.go
+index fe6f4885..14177d2f 100644
+--- a/vendor/github.com/antchfx/xpath/query.go
++++ b/vendor/github.com/antchfx/xpath/query.go
+@@ -965,15 +965,6 @@ type logicalQuery struct {
+ }
+ 
+ func (l *logicalQuery) Select(t iterator) NodeNavigator {
+-	// When a XPath expr is logical expression.
+-	node := t.Current().Copy()
+-	val := l.Evaluate(t)
+-	switch val.(type) {
+-	case bool:
+-		if val.(bool) == true {
+-			return node
+-		}
+-	}
+ 	return nil
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,9 +31,10 @@ Patch16:        CVE-2025-47911.patch
 Patch17:        CVE-2025-58190.patch
 Patch18:        CVE-2026-2303.patch
 Patch19:        CVE-2026-26014.patch
+Patch20:        CVE-2026-4645.patch
 # Patch added based on customer request https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
 # Fix was introduced 1.37.2, this patch can be removed once we update to 1.37.2 or later
-Patch20:        cisco_telegraf_bug61041768.patch
+Patch21:        cisco_telegraf_bug61041768.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -98,9 +99,12 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
-* Fri Feb 27 2026 Sindhu Karri <lakarri@microsoft.com> - 1.31.0-16
+* Fri Mar 27 2026 Sindhu Karri <lakarri@microsoft.com> - 1.31.0-17
 - Added patch to fix the issue reported in https://microsoft.visualstudio.com/OS/_workitems/edit/61041768
   Fix in telegraf to support cisco telemetry plugin that collects telemetry data from cisco NXOS switches.
+  
+* Fri Mar 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-16
+- Patch for CVE-2026-4645
 
 * Fri Feb 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-15
 - Patch for CVE-2026-26014, CVE-2026-2303, CVE-2025-58190, CVE-2025-47911
