[AutoPR- Security] Patch telegraf for CVE-2026-5160 [MEDIUM] (#16757)

azurelinux-security · web-flow · commit 368421402df7 · 2026-04-22T11:46:40.000+05:30
diff --git a/SPECS/telegraf/CVE-2026-5160.patch b/SPECS/telegraf/CVE-2026-5160.patch
@@ -0,0 +1,60 @@
+From 3898b6266943f5e1c4723ebab278674c2d70468d Mon Sep 17 00:00:00 2001
+From: yuin <yuin@inforno.net>
+Date: Thu, 19 Mar 2026 15:21:23 +0900
+Subject: [PATCH] fix: prevent XSS by escaping dangerous URLs in links and
+ images
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9.patch
+---
+ .../yuin/goldmark/renderer/html/html.go          | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/vendor/github.com/yuin/goldmark/renderer/html/html.go b/vendor/github.com/yuin/goldmark/renderer/html/html.go
+index 8738c2a1..cfcd02ab 100644
+--- a/vendor/github.com/yuin/goldmark/renderer/html/html.go
++++ b/vendor/github.com/yuin/goldmark/renderer/html/html.go
+@@ -558,12 +558,14 @@ func (r *Renderer) renderAutoLink(
+ 		return ast.WalkContinue, nil
+ 	}
+ 	_, _ = w.WriteString(`<a href="`)
+-	url := n.URL(source)
++	url := util.URLEscape(n.URL(source), false)
+ 	label := n.Label(source)
+ 	if n.AutoLinkType == ast.AutoLinkEmail && !bytes.HasPrefix(bytes.ToLower(url), []byte("mailto:")) {
+ 		_, _ = w.WriteString("mailto:")
+ 	}
+-	_, _ = w.Write(util.EscapeHTML(util.URLEscape(url, false)))
++	if r.Unsafe || !IsDangerousURL(url) {
++		_, _ = w.Write(util.EscapeHTML(url))
++	}
+ 	if n.Attributes() != nil {
+ 		_ = w.WriteByte('"')
+ 		RenderAttributes(w, n, LinkAttributeFilter)
+@@ -633,8 +635,9 @@ func (r *Renderer) renderLink(w util.BufWriter, source []byte, node ast.Node, en
+ 	n := node.(*ast.Link)
+ 	if entering {
+ 		_, _ = w.WriteString("<a href=\"")
+-		if r.Unsafe || !IsDangerousURL(n.Destination) {
+-			_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
++		dest := util.URLEscape(n.Destination, true)
++		if r.Unsafe || !IsDangerousURL(dest) {
++			_, _ = w.Write(util.EscapeHTML(dest))
+ 		}
+ 		_ = w.WriteByte('"')
+ 		if n.Title != nil {
+@@ -676,8 +679,9 @@ func (r *Renderer) renderImage(w util.BufWriter, source []byte, node ast.Node, e
+ 	}
+ 	n := node.(*ast.Image)
+ 	_, _ = w.WriteString("<img src=\"")
+-	if r.Unsafe || !IsDangerousURL(n.Destination) {
+-		_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
++	dest := util.URLEscape(n.Destination, true)
++	if r.Unsafe || !IsDangerousURL(dest) {
++		_, _ = w.Write(util.EscapeHTML(dest))
+ 	}
+ 	_, _ = w.WriteString(`" alt="`)
+ 	_, _ = w.Write(nodeToHTMLText(n, source))
+-- 
+2.45.4
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -37,6 +37,7 @@ Patch20:        CVE-2026-4645.patch
 Patch21:        cisco_telegraf_bug61041768.patch
 Patch22:        CVE-2026-29785.patch
 Patch23:        CVE-2026-33216.patch
+Patch24:        CVE-2026-5160.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -101,6 +102,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-19
+- Patch for CVE-2026-5160
+
 * Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-18
 - Patch for CVE-2026-33216, CVE-2026-29785
 
