From d7bcf5b155a77cd25e3573d3b22c98767f5206757d1133866d50b6cb780794d3 Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Mon, 5 Jan 2026 10:13:46 +0100
Subject: [PATCH] - Fix CVEs

  * GO-2025-4135 (CVE-2025-47914) SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
  * GO-2025-4116 (CVE-2025-47913) SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
  * GO-2025-4134 (CVE-2025-58181, bsc#1253952). SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Signed-off-by: Egbert Eich
---
 _service                     |  7 +++++++
 mcphost-0.32.0-vendor.tar.gz |  3 ---
 mcphost.changes              | 36 ++++++++++++++++++++++++++++++++++-
 mcphost.spec                 | 37 +++++++++++------------------------
 vendor.tar.gz                |  3 +++
 5 files changed, 56 insertions(+), 30 deletions(-)
 create mode 100644 _service
 delete mode 100644 mcphost-0.32.0-vendor.tar.gz
 create mode 100644 vendor.tar.gz

diff --git a/_service b/_service
new file mode 100644
index 0000000..af8273c
--- /dev/null
+++ b/_service
@@ -0,0 +1,7 @@
+
+
+
+    golang.org/x/crypto=golang.org/x/crypto@v0.45.0
+
+
+
diff --git a/mcphost-0.32.0-vendor.tar.gz b/mcphost-0.32.0-vendor.tar.gz
deleted file mode 100644
index e74e574..0000000
--- a/mcphost-0.32.0-vendor.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fc958b52d71db6c32fe3910357dd18b5e482a3d7139623fec673e178deab6212
-size 11514276
diff --git a/mcphost.changes b/mcphost.changes
index 6684b75..1bff913 100644
--- a/mcphost.changes
+++ b/mcphost.changes
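Review bot: The `golang.org/x/crypto=golang.org/x/crypto@v0.45.0` replacement in `_service` is the actual fix for the three CVEs named in the commit message, yet nothing in the build verifies that the regenerated vendor tree really carries v0.45.0 — a stale vendor.tar.gz, or a service run that ignored the parameter, would ship the vulnerable code while the changelog claims the fix. A cheap guard in the spec's %check section (outside this patch) is `grep -q 'golang.org/x/crypto v0.45.0' vendor/modules.txt`, since vendor/modules.txt records the effective version even after a replace. The pin is also a fixed version, so once upstream's go.mod moves past v0.45.0 it would silently hold x/crypto back; a comment beside the parameter naming the three CVE ids and "drop when upstream requires >= v0.45.0" would tell the next updater why it is there. The XML element names are not visible in this rendering, so which service parameter this is cannot be confirmed here.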
@@ -1,12 +1,46 @@
+-------------------------------------------------------------------
+Fri Jan 2 17:24:56 UTC 2026 - Egbert Eich
+
+- Fix CVEs
+  * GO-2025-4135 (CVE-2025-47914)
+    SSH Agent servers do not validate the size of messages
+    when processing new identity requests, which may cause
+    the program to panic if the message is malformed due to
+    an out of bounds read.
+  * GO-2025-4116 (CVE-2025-47913)
+    SSH clients receiving SSH_AGENT_SUCCESS when expecting a
+    typed response will panic and cause early termination of
+    the client process.
+  * GO-2025-4134 (CVE-2025-58181, bsc#1253952).
+    SSH servers parsing GSSAPI authentication
+    requests do not validate the number of mechanisms
+    specified in the request, allowing an attacker to cause
+    unbounded memory consumption.
+
 -------------------------------------------------------------------
 Wed Dec 10 11:52:10 UTC 2025 - Darragh O'Reilly
 
 - Update to 0.32.0
+  Feat: Add option to require approval before tool.
+  Bump github.com/cloudwego/eino to fix panic.
+  Changes to 0.31.4:
+  Update dependencies.
+  Changes to 0.31.3:
+  Fix format & update models.
+  Changes to 0.31.2:
+  Fix: suppress health check logging to debug output only/
+  Changes to 0.31.1:
+  Update dependency update mcp-go.
 
 -------------------------------------------------------------------
 Wed Nov 5 10:17:13 UTC 2025 - Sai Karthik Karra
 
-- Add shell completions & basic %check during build time
+- Add shell completions & basic %check during build time.
+
+-------------------------------------------------------------------
+Fri Oct 24 11:26:42 UTC 2025 - Ana Guerrero
+
+- Modernise packaging
 
 -------------------------------------------------------------------
 Fri Oct 10 12:43:31 UTC 2025 - Egbert Eich
diff --git a/mcphost.spec b/mcphost.spec
index a34529a..a523bb7 100644
--- a/mcphost.spec
+++ b/mcphost.spec
@@ -14,28 +14,16 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-%global provider github
-%global provider_tld com
-%global project mark3labs
-%global repo mcphost
-%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
-%global name %{provider}-%{provider_tld}-%{project}-%{repo}
-%{!?goprep: %define goprep go version #}
-%{!?gobuild: %define gobuild go build -buildmode=pie -mod=vendor}
-%{!?goinstall: %define goinstall install -D -m 0755 %{repo} %{buildroot}%{_bindir}/%{repo}}
-Name: %repo
+Name: mcphost
 Version: 0.32.0
-Release: 4.mge
+Release: 0
 Summary: A CLI host application for the Model Context Protocol (MCP)
-License: MIT and Apache-2.0 and BSD-2-Clause and BSD-3-Clause
+License: MIT and Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause
 URL: https://github.com/mark3labs/mcphost
-Source0: https://%{import_path}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1: %{name}-%{version}-vendor.tar.gz
-BuildRequires: go >= 1.24
-%if 0%{?suse_version} >= 1500
-BuildRequires: golang-packaging
-%endif
+Source0: https://github.com/mark3labs/mcphost/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+BuildRequires: golang(API) >= 1.24
 
 %description
 A CLI host application that enables Large Language Models (LLMs) to interact
@@ -74,18 +62,15 @@ Supplements: (%{name} and fish)
 The official fish completion script for %{name}, generated during the build.
 
 %prep
-# Setup the main source code
-%setup -q -n %{name}-%{version}
-%setup -q -D -T -a 1 -n %{name}-%{version}
-
-sed -i -e "s/go1.24.5/go1.24/g" go.mod
-%{goprep} %{import_path}
+%autosetup -a 1
 
 %build
-%{gobuild}
+go build \
+  -mod=vendor \
+  -buildmode=pie
 
 %install
-%{goinstall}
+install -D -m 0755 %{name} "%{buildroot}%{_bindir}/%{name}"
 
 # Build the shell autocomplete files
 %{buildroot}/%{_bindir}/%{name} completion bash > %{name}-autocomplete.bash
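Review bot: `Source1: vendor.tar.gz` now names a tarball that is regenerated by `_service`, and that is also where the golang.org/x/crypto pin to v0.45.0 — the actual fix for the three CVEs in the changelog — lives, but the spec gives no hint of it, so the next version bump can drop the pin unnoticed. Add `# vendor.tar.gz comes from _service; it replaces golang.org/x/crypto with v0.45.0 (CVE-2025-47913, CVE-2025-47914, CVE-2025-58181)` above the Source1 line. Separately, the rewritten License line mixes a lowercase `and` with uppercase `AND`; `License: MIT AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause` keeps the SPDX operators uniform.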
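Review bot: The new %build line `go build -mod=vendor -buildmode=pie` drops the old `sed` that lowered go.mod's `go1.24.5` directive, but `BuildRequires: golang(API) >= 1.24` only guarantees some 1.24.x compiler; if go.mod still asks for 1.24.5 and the build host has an older patch release, go (GOTOOLCHAIN defaults to auto) will try to download a newer toolchain, which in an offline OBS build is a confusing failure and on a networked host an unvetted toolchain fetch. Prefix the build with `GOTOOLCHAIN=local go build -mod=vendor -buildmode=pie -trimpath` so the build always uses the packaged toolchain and the binary carries no build-tree paths. Whether go.mod still carries the go1.24.5 directive is not visible in this patch; `%autosetup -a 1` and the rewritten %install line look fine.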
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..92639ba
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:892f290db7cbaf6efb3415fc4004ae1cc451de652cbe745047deaf7da14e95e3
+size 11343509
-- 
2.51.1