gardenlinux / gardenlinux

Garden Linux - The best Linux for Gardener nodes!
https://gardenlinux.io
MIT License

Release 1312 patch 6 with latest security changes #2164

Closed pnpavlov closed 2 days ago

pnpavlov commented 1 week ago

Summary

Release new 1312 release patch that addresses latest high and critical severity security findings. The patch should include latest published kernel patch. The number should be included in the release note, together with a summary of the vulnerabilities addressed.

Tasks:

Vincinator commented 1 week ago

6.1.95 conflicts with intel fpga drivers.

I started the update-dfl.sh script locally

Vincinator commented 1 week ago

Previous step is done; now running the prepare-source script to check patch compatibility, or whether I need to fix patches.

Akendo commented 1 week ago

I've checked the rootfs and see that we have to update the Golang packages as well, since we're affected. Also, we have docker still present that needs to be updated too. Hence, we need to upgrade Golang for 1312 as well.


bin/containerd (gobinary)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
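The CRITICAL finding above (CVE-2024-24790, net/netip `Is*` methods on IPv4-mapped IPv6 addresses) is easiest to reason about with a small classifier. The following is an added example, not code from the Garden Linux repository: it always calls `Unmap()` before asking whether an address is loopback, private or link-local, so the classification is the same whether or not the toolchain carries the fix. The sample addresses are constructed for the example; what the un-unmapped `Is*` calls return for mapped addresses depends on the Go version and is deliberately not relied on.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Classify parses addr and reports which scope it belongs to. Unmap() turns an
// IPv4-mapped IPv6 address such as ::ffff:10.0.0.1 into plain 10.0.0.1 before
// any Is* method is consulted, so a mapped private/loopback/link-local address
// can never be mistaken for a public one regardless of the netip version.
func Classify(addr string) (string, error) {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return "", err
	}
	a = a.Unmap() // no-op for addresses that are not IPv4-mapped
	switch {
	case a.IsLoopback():
		return "loopback", nil
	case a.IsPrivate():
		return "private", nil
	case a.IsLinkLocalUnicast():
		return "link-local", nil
	default:
		return "public", nil
	}
}

// WasMapped reports whether the textual address arrived in IPv4-mapped IPv6
// form; useful for logging inputs that reach a policy check in that shape.
func WasMapped(addr string) (bool, error) {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false, err
	}
	return a.Is4In6(), nil
}

func main() {
	// Constructed sample inputs, including mapped forms of internal ranges.
	for _, s := range []string{
		"10.0.0.1", "::ffff:10.0.0.1", "::ffff:127.0.0.1",
		"::ffff:169.254.169.254", "fe80::1", "::1", "8.8.8.8",
	} {
		scope, err := Classify(s)
		mapped, _ := WasMapped(s)
		fmt.Printf("%-24s scope=%-10s mapped=%v err=%v\n", s, scope, mapped, err)
	}
}
```

Any allow-list or "is this address internal?" check in a Go service should unmap the same way; the scanner's fixed version (1.21.11 / 1.22.4) makes the `Is*` methods do this implicitly, but doing it explicitly keeps older builds honest too.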
Akendo commented 1 week ago

We need to set up a new set of credentials for the remaining weeks until 1312 reaches EOL.

Vincinator commented 4 days ago

Re-triggered build pipeline for 1312.6 https://github.com/gardenlinux/gardenlinux/actions/runs/9738980245

Since we disabled IMDSv1, we needed to adapt some tests, and port them to rel-1312.

This re-run includes changes to the tests, so that they should now work with IMDSv2 on AWS. On other cloud platforms, just the metadata service is checked for availability.
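To make the IMDSv2 requirement concrete, here is an added example of the exchange a metadata test has to perform once IMDSv1 is disabled. It is not code from the gardenlinux test suite: `newMockIMDS` is a constructed stand-in for the AWS metadata endpoint (real IMDS lives at 169.254.169.254 and is not contacted here), and the instance id it returns is made up. The header names and the `/latest/api/token` path are the real IMDSv2 protocol.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Header names defined by the AWS IMDSv2 protocol.
const (
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHeader    = "X-aws-ec2-metadata-token"
)

// newMockIMDS is a constructed stand-in for an instance with IMDSv1 disabled:
// PUT /latest/api/token issues a session token, and every GET under
// /latest/meta-data/ is refused with 401 unless that token is presented.
func newMockIMDS(token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || r.Header.Get(tokenTTLHeader) == "" {
			http.Error(w, "bad token request", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, token)
	})
	mux.HandleFunc("/latest/meta-data/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(tokenHeader) != token {
			// Token-less (IMDSv1-style) request: rejected, as on the hardened instance.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "i-0123456789abcdef0") // constructed instance id
	})
	return httptest.NewServer(mux)
}

// FetchMetadata performs the two-step IMDSv2 exchange against baseURL:
// 1. PUT /latest/api/token with a TTL header to obtain a session token,
// 2. GET the metadata path with the token in the X-aws-ec2-metadata-token header.
func FetchMetadata(baseURL, path string, ttlSeconds int) (string, error) {
	client := &http.Client{Timeout: 2 * time.Second}

	req, err := http.NewRequest(http.MethodPut, baseURL+"/latest/api/token", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(tokenTTLHeader, fmt.Sprint(ttlSeconds))
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token request failed: %s", resp.Status)
	}
	tok, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}

	req, err = http.NewRequest(http.MethodGet, baseURL+path, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(tokenHeader, strings.TrimSpace(string(tok)))
	resp2, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp2.Body.Close()
	if resp2.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata request failed: %s", resp2.Status)
	}
	body, err := io.ReadAll(resp2.Body)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(body)), nil
}

// IMDSv1Rejected reports whether a token-less GET is refused, i.e. whether the
// endpoint actually enforces IMDSv2; a test can assert this alongside availability.
func IMDSv1Rejected(baseURL, path string) (bool, error) {
	resp, err := http.Get(baseURL + path)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusUnauthorized, nil
}

func main() {
	srv := newMockIMDS("constructed-session-token")
	defer srv.Close()
	id, err := FetchMetadata(srv.URL, "/latest/meta-data/instance-id", 21600)
	fmt.Println("instance-id:", id, "err:", err)
	rej, err := IMDSv1Rejected(srv.URL, "/latest/meta-data/instance-id")
	fmt.Println("IMDSv1 rejected:", rej, "err:", err)
}
```

A test written this way checks two things the earlier IMDSv1-style `GET` could not: that the token handshake works, and that the old token-less path is really closed. Pointing `baseURL` at `http://169.254.169.254` runs the same logic on an actual instance.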

pnpavlov commented 4 days ago

Relevant changes:

Vincinator commented 2 days ago

newer version #2189

pnpavlov commented 2 days ago

We will publish patch 7 directly and skip 6.