[AutoPR- Security] Patch telegraf for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39828, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680 [MEDIUM]#17583

Open
azurelinux-security wants to merge 2 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/telegraf/3.0/1130173
Conversation

@azurelinux-security azurelinux-security commented Jun 1, 2026

Auto Patch telegraf for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39828, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1130173&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@azurelinux-security (Author) commented:
🔒 CVE Patch Review: CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-42502, CVE-2026-46598

PR #17583 — [AutoPR- Security] Patch telegraf for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39828, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680 [MEDIUM]
Package: telegraf | Branch: 3.0-dev


Spec File Validation

  • Release bump: Release bumped 21 → 22
  • Patch entry: Patch entries added: ['CVE-2026-25680.patch', 'CVE-2026-25681.patch', 'CVE-2026-39827.patch', 'CVE-2026-39828.patch', 'CVE-2026-39835.patch', 'CVE-2026-42502.patch', 'CVE-2026-46598.patch'] (covers ['CVE-2026-25680', 'CVE-2026-25681', 'CVE-2026-39827', 'CVE-2026-39828', 'CVE-2026-39835', 'CVE-2026-42502', 'CVE-2026-46598'])
  • Patch application: %autosetup/%autopatch found in full spec — patches applied automatically
  • Changelog: Changelog entry looks good
  • Signatures: No source tarball changes — signatures N/A
  • Manifests: Not a toolchain PR — manifests N/A

Build Verification

Build log analysis was skipped (no build ID available).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary:
    • The PR applies the upstream html/parse.go change verbatim (in the vendored golang.org/x/net copy within telegraf): it adds cmp/slices imports, introduces attrCompare, sorts attributes before comparison, replaces the cubic attribute matching loop with slices.Equal, and sorts the attributes of the element being pushed. Aside from packaging/context (vendor path and patch file placement), the code changes match upstream exactly.
    • The PR patch applies the upstream fix to the vendored golang.org/x/net/html package in Telegraf, making the same changes to escape '>' within DOCTYPE PUBLIC/SYSTEM identifiers and renaming writeQuoted to writeDoctypeQuoted with added safety. It also includes the upstream test data file. Aside from path and context differences due to vendoring, the hunks match upstream content exactly.
    • The PR applies the upstream fix to the vendored golang.org/x/crypto/ssh/channel.go in Telegraf, changing channel.Reject to send the rejection, then remove the channel from the mux chanList, and return the error. This is functionally identical to upstream; the only omitted part is the new upstream test. Thus, it is an accurate backport of the security fix.
    • The PR backports the upstream fix to vendor/golang.org/x/crypto/ssh/server.go, adding the same guard that rejects non-nil Permissions when an authentication callback returns PartialSuccessError and updating the ServerConn.Permissions comment accordingly. It omits only upstream test changes and an unrelated test formatting tweak, making the functional fix equivalent to upstream.
    • The PR patch cleanly backports the upstream fix to Telegraf’s vendored golang.org/x/crypto/ssh code by adding nil checks for CertChecker.IsHostAuthority and CertChecker.IsUserAuthority, returning explicit errors instead of panicking. The inserted lines, error messages, and locations match upstream behavior; only file paths and line offsets differ due to vendoring.
    • The PR applies the core upstream fix to golang.org/x/net/html by adding the foster-parenting/namespace check in childTextNodesAreLiteral, ensuring raw-text elements are escaped when fostered into foreign content. It targets the vendored path in telegraf and omits only upstream test-related changes.
    • The PR backports the upstream fix by adding length checks for ed25519 private keys in parseEd25519Key and parseEd25519Cert to prevent panics on short inputs. The changes are applied to the vendored path (vendor/golang.org/x/crypto/ssh/agent/server.go) appropriate for the package layout, and the code added matches the upstream logic and error text. The upstream test addition is not included, which is typical for packaging patches.
  • Missing hunks:
    • The upstream addition of TestMuxChannelRejectRemovesFromMux in ssh/mux_test.go is not included (expected omission for a vendor/package patch that does not ship or run upstream tests).
    • Addition of TestPartialSuccessWithNonNilPerms in ssh/server_test.go to verify the new behavior.
    • Whitespace/formatting-only changes in ssh/keys_test.go.
    • html/parse_test.go: addition to renderTestBlacklist to account for fostering-induced tree differences
    • html/render_test.go: new TestRenderFosteredForeignContent verifying escaped output for fostered elements
    • html/testdata/go/fostered_foreign_content.dat: new testdata file describing the expected parse tree
    • The upstream addition of TestParseEd25519KeyShortPanic in ssh/agent/server_test.go is not present.
Detailed analysis

Comparison of hunks:

  • Imports: PR adds "cmp" and "slices" exactly as upstream does.
  • New helper: PR defines attrCompare(a, b Attribute) using cmp.Or and cmp.Compare on Namespace, Key, and Val, identical to upstream.
  • In addFormattingElement: PR sorts the local attr slice with slices.SortFunc(attr, attrCompare) prior to searching, exactly as upstream.
  • Noah's Ark clause loop: PR removes the length check and nested attribute comparison loops and replaces them with if !slices.Equal(n.Attr, attr) { continue }, matching upstream logic.
  • After the search: PR retrieves top := p.top(), sorts top.Attr with slices.SortFunc(top.Attr, attrCompare), and appends top to p.afe, identical to upstream, to ensure future comparisons operate on sorted attributes.
  • File/path context: Upstream modifies html/parse.go; the PR applies the same changes to vendor/golang.org/x/net/html/parse.go and wraps them in a SPEC patch file with additional metadata (Signed-off-by, Upstream-reference). No functional differences are introduced.

No upstream hunks are missing; only packaging-related differences exist. The functional risk is low as this is a straight adoption of upstream's fix. One operational consideration is that the change introduces dependencies on the standard library packages cmp and slices, which require a sufficiently recent Go toolchain (Go 1.21+). Assuming the build environment meets that requirement, the patch should be safe and equivalent.

Comparison shows the PR patch mirrors the upstream commit 4ece7b612ad44ad6c4d5e0d5d4df9c18cc211905. In vendor/golang.org/x/net/html/render.go, calls to writeQuoted in the DOCTYPE rendering paths are replaced by writeDoctypeQuoted for both PUBLIC and SYSTEM identifiers. The function definition is updated from writeQuoted to writeDoctypeQuoted, with identical comment and logic changes: it still selects single or double quotes based on the presence of '"', now explicitly errors if both quote types are present, and replaces all '>' characters with '&gt;' before writing to avoid abrupt-doctype-system-identifier parse errors. The surrounding context line offsets differ slightly (e.g., childTextNodesAreLiteral at ~251 vs ~267), consistent with version differences in the vendored file, but the code changes themselves match. The test data file html/testdata/go/doctype_named_entity.dat is added under the vendor path with identical contents to upstream. No hunks from the upstream patch are missing or altered. The change is narrowly scoped to DOCTYPE identifier rendering and is consistent with upstream, so regression risk is low; only invalid cases (identifiers containing both quote types) will now error during rendering, and '>' characters are safely escaped in DOCTYPE identifiers as intended.

Comparison shows the core functional hunk is identical to upstream: in channel.Reject, the PR replaces return ch.sendMessage(reject) with assigning err := ch.sendMessage(reject), then unconditionally calls ch.mux.chanList.remove(ch.localId), and finally return err. The inline comments match upstream, including the rationale to not call ch.close() to avoid a race with the mux loop. Line numbers differ slightly (upstream around line 530; PR at 536) due to context differences, but the surrounding context matches and the change is applied to the correct vendored path vendor/golang.org/x/crypto/ssh/channel.go. The PR does not include the upstream test addition (mux_test.go), which is normal for a packaging/vendor patch. The commit message and metadata largely mirror upstream; the filename mentions CVE-2026-39827 while the content references CVE-2026-3982, but this does not affect functionality. Overall, the PR is a faithful backport of the upstream fix, addressing the memory leak by removing rejected channels from the mux channel list. Given it matches upstream logic and is narrowly scoped, the regression risk is low.

Scope and intent: Upstream changed two areas: (1) a comment on ServerConn.Permissions clarifying that only final successful authentication permissions are preserved and that permissions must be nil with PartialSuccessError, and (2) a runtime check in the server authentication loop that returns an error if a callback returns a PartialSuccessError along with non-nil Permissions. Upstream also added a unit test and made a minor formatting change in an unrelated test.

PR contents: The PR applies the same functional changes to vendor/golang.org/x/crypto/ssh/server.go within the telegraf package. Specifically:

  • It updates the Permissions field comment on ServerConn to match upstream semantics.
  • In the user authentication loop, when authErr is a *PartialSuccessError, it adds the guard:
    if perms != nil { return nil, errors.New("ssh: permissions must be nil when returning PartialSuccessError") }
    along with the same explanatory comments. The error string is identical to upstream.

Context differences: Line numbers differ (upstream around lines ~242 and ~824 vs vendor at ~196 and ~748), consistent with a backport to a slightly different vendored version. The surrounding context (userAuthLoop, failureMsg, handling of partialSuccessReturned) matches, indicating the hunk is applied in the correct location with the same behavior.

Omissions: The PR does not include the new upstream test (ssh/server_test.go) and the formatting change in ssh/keys_test.go, which do not affect runtime behavior. This is typical in vendor/backport patches where only the functional fix is included.

Risk: Low. The change is a straightforward guard to prevent misuse; it only alters behavior when a server-side authentication callback incorrectly returns non-nil Permissions with PartialSuccessError. This may cause such misuses to fail fast (intended by the fix), but does not affect correct usages. No additional code paths are modified, and the error message is identical, aiding debugging and parity with upstream behavior.

Conclusion: Functionally equivalent to upstream; a clean backport of the security fix without tests.

Comparison shows the PR introduces exactly the same two safeguards as upstream: (1) in CertChecker.CheckHostKey, before calling IsHostAuthority, it checks for nil and returns errors.New("ssh: cannot verify certificate, IsHostAuthority not set"); (2) in CertChecker.Authenticate, before calling IsUserAuthority, it checks for nil and returns errors.New("ssh: cannot verify certificate, IsUserAuthority not set"). The error strings match upstream verbatim. The PR applies these changes to vendor/golang.org/x/crypto/ssh/certs.go within Telegraf, whereas upstream modifies ssh/certs.go in the x/crypto repository; line numbers differ (offsets ~342/369 vs 348/375 upstream) consistent with version differences. No other modifications are present. Upstream did not alter imports, implying the errors package is already imported in the target file, which is typical for this file; the PR similarly does not change imports. There are no missing hunks, as upstream only added these six lines in total. Functionally, this prevents a nil pointer dereference and instead returns a clear error, which is a minimal and low-risk behavior change. Context lines around the insertions match the expected locations (immediately after checking cert.CertType), so the backport is safe and equivalent.

Core code change comparison: Upstream modifies html/render.go::childTextNodesAreLiteral to handle fostered elements from HTML into foreign namespaces. Specifically, for tags that normally permit literal text (iframe, noembed, noframes, noscript, plaintext, script, style, xmp), it walks up ancestors until it finds a node with a non-empty namespace; if that ancestor is not an HTML integration point, it returns false (thus not treating child text as literal, causing escaping). The PR introduces the exact same logic and comments into vendor/golang.org/x/net/html/render.go under telegraf's vendored dependencies, with identical control flow, tag list, and use of htmlIntegrationPoint. Context lines and function signature match, indicating a clean application to the vendored version. Differences: The PR does not include upstream's test updates (parse_test.go change to renderTestBlacklist, new render_test.go test, and new testdata file). This is typical for packaging backports and does not affect runtime behavior. No other upstream hunks are missing from production code. As a result, the PR is a faithful backport of the functional fix, with low risk: it narrowly changes rendering behavior for foster-parented raw-text elements in foreign content to prevent unescaped output (the security issue) and relies on existing htmlIntegrationPoint semantics without altering other code paths.

Core security fix comparison:

  • Upstream adds in ssh/agent/server.go two checks to validate that k.Priv has length ed25519.PrivateKeySize before casting to ed25519.PrivateKey, returning fmt.Errorf("agent: bad ED25519 key size: %d", len(k.Priv)) if not. These are in parseEd25519Key and parseEd25519Cert.
  • The PR adds the exact same checks and error messages in the corresponding functions but within the vendored path vendor/golang.org/x/crypto/ssh/agent/server.go. Context line offsets differ (-267/-333 vs. -270/-336), consistent with a different vendored version, but the inserted logic is identical.

What is added/removed/modified:

  • Added: Two length checks and early returns in parseEd25519Key and parseEd25519Cert, matching upstream exactly.
  • Not included: The upstream test (server_test.go) that verifies no panic and that a short key is not accepted.
  • Path differences: Upstream modifies ssh/agent/server.go; PR modifies vendor/golang.org/x/crypto/ssh/agent/server.go, appropriate for vendored dependencies in telegraf.

Justification for missing hunks:

  • Tests are commonly omitted from distribution backport patches applied to vendored sources. The functional fix is present.

Risk and completeness:

  • The change is minimal and matches upstream exactly, ensuring that only correctly sized ed25519 private keys (64 bytes) are accepted, preventing a panic at priv[32:] in Public(). This is unlikely to introduce regressions, as ed25519.PrivateKey in Go is defined as 64 bytes. Any code relying on accepting malformed/short keys would have been incorrect. Therefore, risk is low.
  • Context differences suggest a backport to a slightly different source snapshot, but the surrounding code patterns align, making the insertion safe.

Verdict

APPROVED — All checks passed. Ready to merge.
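The ed25519 key-size check the review describes for parseEd25519Key, as an added Go example that is not code from this PR or from golang.org/x/crypto: an unguarded cast lets a truncated Priv reach Public(), which slices priv[32:] and panics, while the guarded version returns the same error string upstream uses. The ed25519KeyMsg struct and the panics helper are constructed stand-ins for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ed25519KeyMsg is a constructed stand-in for the agent wire struct whose
// Priv field the review refers to; only the field name comes from the review.
type ed25519KeyMsg struct {
	Priv []byte
}

// parseEd25519KeyUnguarded reproduces the pre-fix behaviour: the bytes are
// cast without a length check, so Public() slices priv[32:] on a short key
// and the whole agent goroutine panics on attacker-controlled input.
func parseEd25519KeyUnguarded(k ed25519KeyMsg) (ed25519.PublicKey, error) {
	priv := ed25519.PrivateKey(k.Priv)
	return priv.Public().(ed25519.PublicKey), nil
}

// parseEd25519KeyGuarded adds the check the backport introduces: reject any
// Priv that is not exactly ed25519.PrivateKeySize (64) bytes with an error.
func parseEd25519KeyGuarded(k ed25519KeyMsg) (ed25519.PublicKey, error) {
	if len(k.Priv) != ed25519.PrivateKeySize {
		return nil, fmt.Errorf("agent: bad ED25519 key size: %d", len(k.Priv))
	}
	priv := ed25519.PrivateKey(k.Priv)
	return priv.Public().(ed25519.PublicKey), nil
}

// panics reports whether fn panics; used to make the pre-fix failure visible
// without crashing the demo.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	short := ed25519KeyMsg{Priv: make([]byte, 16)} // constructed truncated key
	fmt.Println("unguarded panics on short key:", panics(func() { parseEd25519KeyUnguarded(short) }))
	_, err := parseEd25519KeyGuarded(short)
	fmt.Println("guarded error:", err)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	got, _ := parseEd25519KeyGuarded(ed25519KeyMsg{Priv: priv})
	fmt.Println("guarded accepts well-formed key:", bytes.Equal(got, pub))
}
```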

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review June 1, 2026 08:23
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner June 1, 2026 08:23
@Ratiranjan5 Ratiranjan5 force-pushed the azure-autosec/telegraf/3.0/1130173 branch from d235a3c to c5808f4 Compare June 2, 2026 12:16
@Ratiranjan5 Ratiranjan5 force-pushed the azure-autosec/telegraf/3.0/1130173 branch from c5808f4 to 93bcbf1 Compare June 2, 2026 12:22