!85 sync patch from openEuler-24.03-LTS

From: @li_ning_jie 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch

@@ -19,7 +19,7 @@ index 73328a7..1907f99 100644
  func checkSupportArch() {
  	// TODO qualify arm64
 -	if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" {
-+	if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" || runtime.GOARCH == "arm64" {
++	if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" || runtime.GOARCH == "arm64" || runtime.GOARCH == "riscv64" {
  		return
  	}
  	// unsupported arch only configured via environment variable

0007-fix-CVE-2022-34038.patch

@@ -0,0 +1,43 @@
+From 10fdd367a2095806b025c1c54d30886369b3d586 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Fri, 19 Apr 2024 11:11:10 +0800
+Subject: [PATCH] fix CVE-2022-34038
+
+---
+ pkg/ioutil/pagewriter.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/pkg/ioutil/pagewriter.go b/pkg/ioutil/pagewriter.go
+index cf9a8dc..4daaa9d 100644
+--- a/pkg/ioutil/pagewriter.go
++++ b/pkg/ioutil/pagewriter.go
+@@ -16,6 +16,7 @@ package ioutil
+ 
+ import (
+ 	"io"
++	"fmt"
+ )
+ 
+ var defaultBufferBytes = 128 * 1024
+@@ -38,9 +39,18 @@ type PageWriter struct {
+ 	bufWatermarkBytes int
+ }
+ 
++// Assert will panic with a given formatted message if the given condition is false.
++func Assert(condition bool, msg string, v int) {
++	if !condition {
++		panic(fmt.Sprintf("assertion failed: "+msg, v))
++	}
++}
++
+ // NewPageWriter creates a new PageWriter. pageBytes is the number of bytes
+ // to write per page. pageOffset is the starting offset of io.Writer.
+ func NewPageWriter(w io.Writer, pageBytes, pageOffset int) *PageWriter {
++	// If pageBytes is 0 or less, it will trigger a panic directly
++	Assert(pageBytes > 0, "pageBytes %d is an invalid value, it must be greater than 0", pageBytes)
+ 	return &PageWriter{
+ 		w:                 w,
+ 		pageOffset:        pageOffset,
+-- 
+2.20.1
+

0008-fix-CVE-2023-32082.patch

@@ -0,0 +1,255 @@
+From 99f3aac02a570b11bac83fcdf9b92501b25dce5c Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 23 Apr 2024 16:15:29 +0800
+Subject: [PATCH] fix CVE-2023-32082
+
+---
+ etcdserver/v3_server.go        | 28 ++++++++++-
+ integration/v3_auth_test.go    | 91 ++++++++++++++++++++++++++++++++--
+ pkg/ioutil/pagewriter_test.go  |  2 +-
+ tests/e2e/ctl_v3_auth_test.go  | 49 ++++++++++++++++++
+ tests/e2e/ctl_v3_lease_test.go |  8 +++
+ 5 files changed, 171 insertions(+), 7 deletions(-)
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index 1fa8e4e..dee5c20 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -298,7 +298,33 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
+ 	return -1, ErrCanceled
+ }
+ 
+-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) {
++	rev := s.AuthStore().Revision()
++	if !s.AuthStore().IsAuthEnabled() {
++		return nil, rev
++	}
++	authInfo, err := s.AuthInfoFromCtx(ctx)
++	if err != nil {
++		return err, rev
++	}
++	if authInfo == nil {
++		return auth.ErrUserEmpty, rev
++	}
++
++	l := s.lessor.Lookup(leaseID)
++	if l != nil {
++		for _, key := range l.Keys() {
++			if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
++				return err, 0
++			}
++		}
++	}
++
++
++	return nil, rev
++}
++
++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+ 	if s.Leader() == s.ID() {
+ 		// primary; timetolive directly from leader
+ 		le := s.lessor.Lookup(lease.LeaseID(r.ID))
+diff --git a/integration/v3_auth_test.go b/integration/v3_auth_test.go
+index ee386ff..b473053 100644
+--- a/integration/v3_auth_test.go
++++ b/integration/v3_auth_test.go
+@@ -150,12 +150,10 @@ func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg ClusterConfig) {
+ 	// wait for lease expire
+ 	time.Sleep(3 * time.Second)
+ 
+-	tresp, terr := api.Lease.LeaseTimeToLive(
++	tresp, terr := rootc.TimeToLive(
+ 		context.TODO(),
+-		&pb.LeaseTimeToLiveRequest{
+-			ID:   int64(leaseID),
+-			Keys: true,
+-		},
++		leaseID,
++		clientv3.WithAttachedKeys(),
+ 	)
+ 	if terr != nil {
+ 		t.Error(terr)
+@@ -394,3 +392,86 @@ func TestV3AuthOldRevConcurrent(t *testing.T) {
+ 	}
+ 	wg.Wait()
+ }
++
++func TestV3AuthWithLeaseTimeToLive(t *testing.T) {
++	integration.BeforeTest(t)
++	clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1})
++	defer clus.Terminate(t)
++
++	users := []user{
++		{
++			name:     "user1",
++			password: "user1-123",
++			role:     "role1",
++			key:      "k1",
++			end:      "k3",
++		},
++		{
++			name:     "user2",
++			password: "user2-123",
++			role:     "role2",
++			key:      "k2",
++			end:      "k4",
++		},
++	}
++	authSetupUsers(t, integration.ToGRPC(clus.Client(0)).Auth, users)
++
++	authSetupRoot(t, integration.ToGRPC(clus.Client(0)).Auth)
++
++	user1c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"})
++	if cerr != nil {
++		t.Fatal(cerr)
++	}
++	defer user1c.Close()
++
++	user2c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"})
++	if cerr != nil {
++		t.Fatal(cerr)
++	}
++	defer user2c.Close()
++
++	leaseResp, err := user1c.Grant(context.TODO(), 90)
++	if err != nil {
++		t.Fatal(err)
++	}
++	leaseID := leaseResp.ID
++	_, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID))
++	if err != nil {
++		t.Fatal(err)
++	}
++	// k2 can be accessed from both user1 and user2
++	_, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID))
++	if err != nil {
++		t.Fatal(err)
++	}
++
++	_, err = user1c.TimeToLive(context.TODO(), leaseID)
++	if err != nil {
++		t.Fatal(err)
++	}
++
++	_, err = user2c.TimeToLive(context.TODO(), leaseID)
++	if err != nil {
++		t.Fatal(err)
++	}
++
++	_, err = user2c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
++	if err == nil {
++		t.Fatal("timetolive from user2 should be failed with permission denied")
++	}
++
++	rootc, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"})
++	if cerr != nil {
++		t.Fatal(cerr)
++	}
++	defer rootc.Close()
++
++	if _, err := rootc.RoleRevokePermission(context.TODO(), "role1", "k1", "k3"); err != nil {
++		t.Fatal(err)
++	}
++
++	_, err = user1c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
++	if err == nil {
++		t.Fatal("timetolive from user2 should be failed with permission denied")
++	}
++}
+diff --git a/pkg/ioutil/pagewriter_test.go b/pkg/ioutil/pagewriter_test.go
+index 1061069..ee2fa0d 100644
+--- a/pkg/ioutil/pagewriter_test.go
++++ b/pkg/ioutil/pagewriter_test.go
+@@ -37,7 +37,7 @@ func TestPageWriterRandom(t *testing.T) {
+ 	if cw.writeBytes > n {
+ 		t.Fatalf("wrote %d bytes to io.Writer, but only wrote %d bytes", cw.writeBytes, n)
+ 	}
+-	if n-cw.writeBytes > pageBytes {
++	if maxPendingBytes := pageBytes + defaultBufferBytes; n-cw.writeBytes > maxPendingBytes {
+ 		t.Fatalf("got %d bytes pending, expected less than %d bytes", n-cw.writeBytes, pageBytes)
+ 	}
+ 	t.Logf("total writes: %d", cw.writes)
+diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
+index 2142394..ca2524b 100644
+--- a/tests/e2e/ctl_v3_auth_test.go
++++ b/tests/e2e/ctl_v3_auth_test.go
+@@ -69,6 +69,7 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCf
+ func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
+ 	testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
+ }
++func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) }
+ 
+ func authEnableTest(cx ctlCtx) {
+ 	if err := authEnable(cx); err != nil {
+@@ -1130,3 +1131,51 @@ func authTestJWTExpire(cx ctlCtx) {
+ 		cx.t.Error(err)
+ 	}
+ }
++
++func authTestLeaseTimeToLive(cx ctlCtx) {
++	if err := authEnable(cx); err != nil {
++		cx.t.Fatal(err)
++	}
++	cx.user, cx.pass = "root", "root"
++
++	authSetupTestUser(cx)
++
++	cx.user = "test-user"
++	cx.pass = "pass"
++
++	leaseID, err := ctlV3LeaseGrant(cx, 10)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	err = ctlV3Put(cx, "foo", "val", leaseID)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	err = ctlV3LeaseTimeToLive(cx, leaseID, true)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	cx.user = "root"
++	cx.pass = "root"
++	err = ctlV3Put(cx, "bar", "val", leaseID)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++
++	cx.user = "test-user"
++	cx.pass = "pass"
++	// the lease is attached to bar, which test-user cannot access
++	err = ctlV3LeaseTimeToLive(cx, leaseID, true)
++	if err == nil {
++		cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
++	}
++
++	// without --keys, access should be allowed
++	err = ctlV3LeaseTimeToLive(cx, leaseID, false)
++	if err != nil {
++		cx.t.Fatal(err)
++	}
++}
+diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go
+index 608b8ca..64d2579 100644
+--- a/tests/e2e/ctl_v3_lease_test.go
++++ b/tests/e2e/ctl_v3_lease_test.go
+@@ -294,3 +294,11 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
+ 	cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
+ 	return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID))
+ }
++
++func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
++	cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
++	if withKeys {
++		cmdArgs = append(cmdArgs, "--keys")
++	}
++	return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
++}
+-- 
+2.20.1
+

0009-fix-CVE-2021-28235.patch

@@ -0,0 +1,131 @@
+From 3b6de877f048f3875b48f36a66d10a7156106236 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 24 Apr 2024 09:28:16 +0800
+Subject: [PATCH] fix CVE-2021-28235
+
+---
+ etcdserver/v3_server.go                |  7 ++++
+ tests/e2e/ctl_v3_auth_security_test.go | 57 ++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_test.go               |  6 +++
+ tests/e2e/util.go                      |  9 ++++
+ 4 files changed, 79 insertions(+)
+ create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index dee5c20..6ef9e61 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -431,6 +431,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
+ 
+ 	lg := s.getLogger()
+ 
++	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++	defer func() {
++		if r != nil {
++			r.Password = ""
++		}
++	}()
++
+ 	var resp proto.Message
+ 	for {
+ 		checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
+diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
+new file mode 100644
+index 0000000..754fa4b
+--- /dev/null
++++ b/tests/e2e/ctl_v3_auth_security_test.go
+@@ -0,0 +1,57 @@
++// Copyright 2023 The etcd Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++//     http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++//go:build !cluster_proxy
++
++package e2e
++
++import (
++	"strings"
++	"testing"
++
++	"github.com/stretchr/testify/require"
++
++	"go.etcd.io/etcd/tests/v3/framework/e2e"
++)
++
++// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++func TestAuth_CVE_2021_28235(t *testing.T) {
++	testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
++}
++
++func authTest_CVE_2021_28235(cx ctlCtx) {
++	// create root user with root role
++	rootPass := "changeme123"
++	err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
++	require.NoError(cx.t, err)
++	err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
++	require.NoError(cx.t, err)
++	err = ctlV3AuthEnable(cx)
++	require.NoError(cx.t, err)
++
++	// issue a put request
++	cx.user, cx.pass = "root", rootPass
++	err = ctlV3Put(cx, "foo", "bar", "")
++	require.NoError(cx.t, err)
++
++	// GET /debug/requests
++	httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
++	req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
++	respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
++	require.NoError(cx.t, err)
++
++	if strings.Contains(respData, rootPass) {
++		cx.t.Errorf("The root password is included in the request.\n %s", respData)
++	}
++}
+diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
+index 04f5a65..74b1838 100644
+--- a/tests/e2e/ctl_v3_test.go
++++ b/tests/e2e/ctl_v3_test.go
+@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
+ 	return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
+ }
+ 
++func withLogLevel(logLevel string) ctlOption {
++	return func(cx *ctlCtx) {
++		cx.cfg.LogLevel = logLevel
++	}
++}
++
+ func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
+ 	defer testutil.AfterTest(t)
+ 
+diff --git a/tests/e2e/util.go b/tests/e2e/util.go
+index ce7289a..3b772c0 100644
+--- a/tests/e2e/util.go
++++ b/tests/e2e/util.go
+@@ -108,3 +108,12 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
+ func toTLS(s string) string {
+ 	return strings.Replace(s, "http://", "https://", 1)
+ }
++
++func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
++	args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
++	lines, err := e2e.RunUtilCompletion(args, nil)
++	if err != nil {
++		return "", err
++	}
++	return strings.Join(lines, "\n"), nil
++}
+-- 
+2.20.1
+

0010-fix-CVE-2021-44716.patch

@@ -0,0 +1,57 @@
+From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 7 May 2024 09:29:47 +0800
+Subject: [PATCH] fix CVE-2021-44716
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., content-type), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ vendor/golang.org/x/net/http2/server.go | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 5e01ce9..5253650 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}
+ 	return cv
+ }
+ 
+-- 
+2.20.1
+

0011-fix-CVE-2022-3064.patch

@@ -0,0 +1,141 @@
+From 429f477455b84ede9651f79eb15e78a129a660e9 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Thu, 9 May 2024 19:25:53 +0800
+Subject: [PATCH] fix CVE-2022-3064
+
+Improve heuristics preventing CPU/memory abuse (#515)
+This addresses the following items:
+
+==== Parse time of excessively deep nested or indented documents
+
+Parsing these documents is non-linear; limiting stack depth to 10,000 keeps parse times of pathological documents sub-second (~.25 seconds in benchmarks)
+
+==== Alias node expansion limits
+
+The current limit allows 10,000% expansion, which is too permissive for large documents.
+
+Limiting to 10% expansion for larger documents allows callers to use input size as an effective way to limit resource usage. Continuing to allow larger expansion rates (up to the current 10,000% limit) for smaller documents does not unduly affect memory use.
+
+This change bounds decode operations from alias expansion to ~400,000 operations for small documents (worst-case ~100-150MB) or 10% of the input document for large documents, whichever is greater.
+liggitt authored and niemeyer committed on Oct 3, 2019
+---
+ vendor/gopkg.in/yaml.v2/decode.go   | 38 +++++++++++++++++++++++++++++
+ vendor/gopkg.in/yaml.v2/scannerc.go | 16 ++++++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
+index e4e56e2..5310876 100644
+--- a/vendor/gopkg.in/yaml.v2/decode.go
++++ b/vendor/gopkg.in/yaml.v2/decode.go
+@@ -229,6 +229,10 @@ type decoder struct {
+ 	mapType reflect.Type
+ 	terrors []string
+ 	strict  bool
++
++	decodeCount int
++	aliasCount  int
++	aliasDepth  int
+ }
+ 
+ var (
+@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
+ 	return out, false, false
+ }
+ 
++const (
++	// 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
++	alias_ratio_range_low = 400000
++	// 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
++	alias_ratio_range_high = 4000000
++	// alias_ratio_range is the range over which we scale allowed alias ratios
++	alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
++)
++
++func allowedAliasRatio(decodeCount int) float64 {
++	switch {
++	case decodeCount <= alias_ratio_range_low:
++		// allow 99% to come from alias expansion for small-to-medium documents
++		return 0.99
++	case decodeCount >= alias_ratio_range_high:
++		// allow 10% to come from alias expansion for very large documents
++		return 0.10
++	default:
++		// scale smoothly from 99% down to 10% over the range.
++		// this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
++		// 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
++		return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
++	}
++}
++
+ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
++	d.decodeCount++
++	if d.aliasDepth > 0 {
++		d.aliasCount++
++	}
++	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
++		failf("document contains excessive aliasing")
++	}
+ 	switch n.kind {
+ 	case documentNode:
+ 		return d.document(n, out)
+@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
+ 		failf("anchor '%s' value contains itself", n.value)
+ 	}
+ 	d.aliases[n] = true
++	d.aliasDepth++
+ 	good = d.unmarshal(n.alias, out)
++	d.aliasDepth--
+ 	delete(d.aliases, n)
+ 	return good
+ }
+diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go
+index 077fd1d..570b8ec 100644
+--- a/vendor/gopkg.in/yaml.v2/scannerc.go
++++ b/vendor/gopkg.in/yaml.v2/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_flow_level limits the flow_level
++const max_flow_level = 10000
++
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
++	if parser.flow_level > max_flow_level {
++		return yaml_parser_set_scanner_error(parser,
++			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
++	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_indents limits the indents stack size
++const max_indents = 10000
++
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
++		if len(parser.indents) > max_indents {
++			return yaml_parser_set_scanner_error(parser,
++				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++				fmt.Sprintf("exceeded max depth of %d", max_indents))
++		}
+ 
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+-- 
+2.20.1
+

etcd.spec

@@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*
 
 Name:           etcd
-Release:        8
+Release:        14
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system
 
 # Upstream license specification: Apache-2.0
@@ -50,6 +50,11 @@ Patch3:         0003-etcd-Add-sw64-architecture.patch
 Patch4:         0004-fix-CVE-2023-45288.patch
 Patch5:         0005-fix-CVE-2022-41723.patch
 Patch6:         0006-fix-CVE-2023-39325.patch
+Patch7:         0007-fix-CVE-2022-34038.patch
+Patch8:         0008-fix-CVE-2023-32082.patch
+Patch9:         0009-fix-CVE-2021-28235.patch
+Patch10:        0010-fix-CVE-2021-44716.patch
+Patch11:        0011-fix-CVE-2022-3064.patch
 
 BuildRequires:  golang
 BuildRequires:  python3-devel
@@ -70,6 +75,11 @@ Requires(pre):  shadow-utils
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %ifarch sw_64
 %patch3 -p1
 %endif
@@ -158,19 +168,55 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 
 %changelog
-* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-8
+* Thu May 09 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-14
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-3064
+
+* Tue May 07 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2021-44716
+
+* Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2021-28235
+
+* Tue Apr 23 2024 laokz <zhangkai@iscas.ac.cn> - 3.4.14-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: add riscv64 to avoid unsupported arch error
+
+* Mon Apr 22 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-10
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-32082
+
+* Fri Apr 19 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-34038
+
+* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-8
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2023-39325
 
-* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-7
+* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-7
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2022-41723
 
-* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-6
+* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-6
 - Type:bugfix
 - CVE:NA
 - SUG:NA