Update submodules from pool/git-bug#8 and create patchinfo.20251203090227587250.187004354831441/_patchinfo

Merging
PR: products/PackageHub!247
2025-12-03 10:03:05 +01:00 · 2025-12-01 13:15:42 +00:00 · 2025-12-01 13:15:18 +00:00 · 2025-11-28 09:40:55 +00:00
3 changed files with 136 additions and 1 deletions
--- a/0Backports/Backports.productcompose
+++ b/0Backports/Backports.productcompose
@@ -149,6 +149,8 @@ packagesets:
  - kernel-livepatch-6_12_0-160000_5-rt
  - kernel-livepatch-6_12_0-160000_6-default
  - kernel-livepatch-6_12_0-160000_6-rt
+  - kernel-livepatch-6_12_0-160000_7-default
+  - kernel-livepatch-6_12_0-160000_7-rt
  - kernel-rt-livepatch
  - kernel-rt-livepatch-devel
  - krb5-mini
@@ -1922,6 +1924,27 @@ packagesets:
  - java-21-openjdk-javadoc
  - java-21-openjdk-jmods
  - java-21-openjdk-src
+  - java-22-openjdk
+  - java-22-openjdk-demo
+  - java-22-openjdk-devel
+  - java-22-openjdk-headless
+  - java-22-openjdk-javadoc
+  - java-22-openjdk-jmods
+  - java-22-openjdk-src
+  - java-23-openjdk
+  - java-23-openjdk-demo
+  - java-23-openjdk-devel
+  - java-23-openjdk-headless
+  - java-23-openjdk-javadoc
+  - java-23-openjdk-jmods
+  - java-23-openjdk-src
+  - java-24-openjdk
+  - java-24-openjdk-demo
+  - java-24-openjdk-devel
+  - java-24-openjdk-headless
+  - java-24-openjdk-javadoc
+  - java-24-openjdk-jmods
+  - java-24-openjdk-src
  - java-cup
  - java-cup-manual
  - javacc
@@ -7932,6 +7955,8 @@ packagesets:
  - kernel-kvmsmall
  - kernel-kvmsmall-devel
  - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
  - libLLVMSPIRVLib19
  - libatopology2
  - libdpdk-25
@@ -8043,6 +8068,8 @@ packagesets:
  - grub2-s390x-emu
  - kernel-default-livepatch
  - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
  - kernel-zfcpdump
  - kiwi-settings
  - libHBAAPI2
@@ -8182,6 +8209,8 @@ packagesets:
  - kernel-kvmsmall-devel
  - kernel-kvmsmall-vdso
  - kernel-livepatch-6_12_0-160000_5-default
+  - kernel-livepatch-6_12_0-160000_6-default
+  - kernel-livepatch-6_12_0-160000_7-default
  - kiwi-pxeboot
  - kubevirt-virtctl
  - libFLAC++10-x86-64-v3
--- a/2
+++ b/2
--- a/patchinfo.20251203090227587250.187004354831441/_patchinfo
+++ b/patchinfo.20251203090227587250.187004354831441/_patchinfo
@@ -0,0 +1,106 @@
+<patchinfo>
+  <issue tracker="bnc" id="1253506">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
+  <issue tracker="bnc" id="1251463">VUL-0: CVE-2025-47911: git-bug: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1254084">VUL-0: CVE-2025-47914: git-bug: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="bnc" id="1234565">VUL-0: CVE-2024-45337: git-bug: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
+  <issue tracker="bnc" id="1251664">VUL-0: CVE-2025-58190: git-bug: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1239494">VUL-0: CVE-2025-22869: git-bug: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
+  <issue tracker="cve" id="2024-45337">VUL-0: CVE-2024-45337: TRACKERBUG: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
+  <issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <issue tracker="bnc" id="1253930">VUL-0: CVE-2025-58181: git-bug: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
+  <packager>mcepl</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for git-bug</summary>
+  <description>This update for git-bug fixes the following issues:
+
+Changes in git-bug:
+
+- Revendor to include fixed version of depending libraries:
+  - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
+    golang.org/x/crypto to v0.43.0
+  - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
+    github.com/go-viper/mapstructure/v2 to v2.4.0
+  - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
+  - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
+    github.com/cloudflare/circl to v1.6.1
+  - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
+    golang.org/x/crypto/ssh to v0.45.0
+  - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
+    golang.org/x/crypto/ssh/agent to v0.45.0
+
+- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
+  possible DoS by various algorithms with quadratic complexity
+  when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
+  bsc#1251664, CVE-2025-58190).
+
+Update to version 0.10.1:
+
+  - cli: ignore missing sections when removing configuration (ddb22a2f)
+
+Update to version 0.10.0:
+
+  - bridge: correct command used to create a new bridge (9942337b)
+  - web: simplify header navigation (7e95b169)
+  - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
+  - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
+
+Update to version 0.10.0:
+
+  - bridge: correct command used to create a new bridge (9942337b)
+  - web: simplify header navigation (7e95b169)
+  - web: remark upgrade + gfm + syntax highlighting (6ee47b96)
+
+Update to version 0.9.0:
+
+  - completion: remove errata from string literal (aa102c91)
+  - tui: improve readability of the help bar (23be684a)
+
+Update to version 0.8.1+git.1746484874.96c7a111:
+
+  * docs: update install, contrib, and usage documentation (#1222)
+  * fix: resolve the remote URI using url.*.insteadOf (#1394)
+  * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
+  * chore: gofmt simplify gitlab/export_test.go (#1392)
+  * fix: checkout repo before setting up go environment (#1390)
+  * feat: bump to go v1.24.2 (#1389)
+  * chore: update golang.org/x/net (#1379)
+  * fix: use -0700 when formatting time (#1388)
+  * fix: use correct url for gitlab PATs (#1384)
+  * refactor: remove depdendency on pnpm for auto-label action (#1383)
+  * feat: add action: auto-label (#1380)
+  * feat: remove lifecycle/frozen (#1377)
+  * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
+  * feat: support new exclusion label: lifecycle/pinned (#1375)
+  * fix: refactor how gitlab title changes are detected (#1370)
+  * revert: "Create Dependabot config file" (#1374)
+  * refactor: rename //:git-bug.go to //:main.go (#1373)
+  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
+  * fix: set GitLastTag to an empty string when git-describe errors (#1355)
+  * chore: update go-git to v5@masterupdate_mods (#1284)
+  * refactor: Directly swap two variables to optimize code (#1272)
+  * Update README.md Matrix link to new room (#1275)
+
+- Update to version 0.8.0+git.1742269202.0ab94c9:
+  * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
+
+- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
+  CVE-2025-22869).
+
+- Add missing Requires to completion subpackages.
+
+Update to version 0.8.0+git.1733745604.d499b6e:
+
+  * fix typos in docs (#1266)
+  * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
+
+- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
+</description>
+  <package>git-bug</package>
+  <seperate_build_arch/>
+</patchinfo>
Author	SHA256	Message	Date
Marcus Meissner	fe1490e4c7	Update submodules from pool/git-bug#8 and create patchinfo.20251203090227587250.187004354831441/_patchinfo	2025-12-03 10:03:05 +01:00
AutoGits PR Review Bot	f528a0f52a	Merging PR: products/PackageHub!247	2025-12-01 13:15:42 +00:00
AutoGits PR Review Bot	f3c5c2bccf	Merging PR: products/PackageHub!246	2025-12-01 13:15:18 +00:00
Marcus Meissner	f82b6807a3	hide several javas, mcphost and livepatches	2025-11-28 09:40:55 +00:00