Cve 2024 45337 Crypto Bump #2

Closed
mcepl wants to merge 1 commits from mcepl:CVE-2024-45337-crypto-bump into factory
8 changed files with 262 additions and 15 deletions


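--- /dev/null
+++ b/CVE-2024-45337-bump-go-crypto.patch
@@ -0,0 +1,232 @@
+From fc24dafc5962715b46bcf37091d7f388ded5aa4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
+Date: Mon, 16 Dec 2024 18:02:51 +0100
+Subject: [PATCH 1/3] build(deps): move from github.com/xanzy/go-gitlab to
+gitlab.com/gitlab-org/api/client-go
+---
+bridge/gitlab/config.go | 2 +-
+bridge/gitlab/event.go | 2 +-
+bridge/gitlab/export.go | 2 +-
+bridge/gitlab/export_test.go | 4 ++--
+bridge/gitlab/gitlab.go | 2 +-
+bridge/gitlab/gitlab_api.go | 2 +-
+bridge/gitlab/import.go | 2 +-
+go.mod | 23 +++++++++++++----------
+go.sum | 28 ++++++++++++++--------------
+9 files changed, 35 insertions(+), 32 deletions(-)
+--- a/bridge/gitlab/config.go
++++ b/bridge/gitlab/config.go
+@@ -8,7 +8,7 @@ import (
+"strings"
+"github.com/pkg/errors"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+"github.com/git-bug/git-bug/bridge/core"
+"github.com/git-bug/git-bug/bridge/core/auth"
+--- a/bridge/gitlab/event.go
++++ b/bridge/gitlab/event.go
+@@ -5,7 +5,7 @@ import (
+"strings"
+"time"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+"github.com/git-bug/git-bug/util/text"
+)
+--- a/bridge/gitlab/export.go
++++ b/bridge/gitlab/export.go
+@@ -8,7 +8,7 @@ import (
+"time"
+"github.com/pkg/errors"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+"github.com/git-bug/git-bug/bridge/core"
+"github.com/git-bug/git-bug/bridge/core/auth"
+--- a/bridge/gitlab/export_test.go
++++ b/bridge/gitlab/export_test.go
+@@ -9,7 +9,7 @@ import (
+"testing"
+"time"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+"github.com/git-bug/git-bug/entity"
+"github.com/git-bug/git-bug/entity/dag"
+@@ -319,6 +319,6 @@ func deleteRepository(ctx context.Contex
+return err
+}
+- _, err = client.Projects.DeleteProject(project, gitlab.WithContext(ctx))
++ _, err = client.Projects.DeleteProject(project, nil, gitlab.WithContext(ctx))
+return err
+}
+--- a/bridge/gitlab/gitlab.go
++++ b/bridge/gitlab/gitlab.go
+@@ -3,7 +3,7 @@ package gitlab
+import (
+"time"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+"github.com/git-bug/git-bug/bridge/core"
+"github.com/git-bug/git-bug/bridge/core/auth"
+--- a/bridge/gitlab/gitlab_api.go
++++ b/bridge/gitlab/gitlab_api.go
+@@ -5,7 +5,7 @@ import (
+"time"
+"github.com/git-bug/git-bug/util/text"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+)
+// Issues returns a channel with gitlab project issues, ascending order.
+--- a/bridge/gitlab/import.go
++++ b/bridge/gitlab/import.go
+@@ -6,7 +6,7 @@ import (
+"strconv"
+"time"
+- "github.com/xanzy/go-gitlab"
++ "gitlab.com/gitlab-org/api/client-go"
+"github.com/git-bug/git-bug/bridge/core"
+"github.com/git-bug/git-bug/bridge/core/auth"
+--- a/go.mod
++++ b/go.mod
+@@ -35,12 +35,19 @@ require (
+github.com/stretchr/testify v1.9.0
+github.com/vbauerster/mpb/v8 v8.8.2
+github.com/vektah/gqlparser/v2 v2.5.16
+- github.com/xanzy/go-gitlab v0.107.0
+- golang.org/x/crypto v0.26.0
++ gitlab.com/gitlab-org/api/client-go v0.116.0
++ golang.org/x/crypto v0.31.0
+golang.org/x/oauth2 v0.22.0
+- golang.org/x/sync v0.8.0
+- golang.org/x/sys v0.25.0
+- golang.org/x/text v0.17.0
++ golang.org/x/sync v0.10.0
++ golang.org/x/sys v0.28.0
++ golang.org/x/text v0.21.0
++)
++
++require (
++ github.com/google/go-querystring v1.1.0 // indirect
++ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
++ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
++ golang.org/x/time v0.3.0 // indirect
+)
+require (
+@@ -78,12 +85,9 @@ require (
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+github.com/golang/protobuf v1.5.4 // indirect
+github.com/golang/snappy v0.0.4 // indirect
+- github.com/google/go-querystring v1.1.0 // indirect
+github.com/google/uuid v1.6.0 // indirect
+github.com/gorilla/websocket v1.5.3 // indirect
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
+- github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+- github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+github.com/inconshreveable/mousetrap v1.1.0 // indirect
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+github.com/kevinburke/ssh_config v1.2.0 // indirect
+@@ -117,8 +121,7 @@ require (
+golang.org/x/mod v0.19.0 // indirect
+golang.org/x/net v0.27.0 // indirect
+golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 // indirect
+- golang.org/x/term v0.24.0
+- golang.org/x/time v0.5.0 // indirect
++ golang.org/x/term v0.27.0
+golang.org/x/tools v0.23.0 // indirect
+golang.org/x/vuln v1.1.3
+google.golang.org/protobuf v1.34.2 // indirect
+--- a/go.sum
++++ b/go.sum
+@@ -311,8 +311,6 @@ github.com/vektah/gqlparser/v2 v2.5.16/g
+github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
+github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
+github.com/willf/bitset v1.1.10/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
+-github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y=
+-github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+@@ -322,6 +320,8 @@ github.com/yuin/goldmark v1.4.13/go.mod
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+github.com/zclconf/go-cty v1.15.0 h1:tTCRWxsexYUmtt/wVxgDClUe+uQusuI443uL6e+5sXQ=
+github.com/zclconf/go-cty v1.15.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
++gitlab.com/gitlab-org/api/client-go v0.116.0 h1:Dy534gtZPMrnm3fAcmQRMadrcoUyFO4FQ4rXlSAdHAw=
++gitlab.com/gitlab-org/api/client-go v0.116.0/go.mod h1:B29OfnZklmaoiR7uHANh9jTyfWEgmXvZLVEnosw2Dx0=
+go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0=
+go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ=
+@@ -331,8 +331,8 @@ golang.org/x/crypto v0.0.0-2021092115510
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
++golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
++golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+@@ -357,8 +357,8 @@ golang.org/x/sync v0.0.0-20180314180146-
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
++golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -379,8 +379,8 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 h1:ka7TMW0Mo8QYTXm2hXSQ9fFUXS7Zln3S4pe9aq4JC7w=
+golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4/go.mod h1:amNmu/SBSm2GAF3X+9U2C0epLocdh+r5Z+7oMYO5cLM=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+@@ -390,8 +390,8 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDH
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+-golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
+-golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+@@ -402,10 +402,10 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
++golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
++golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=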
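Review bot: The patch carries considerably more than the x/crypto v0.26.0 → v0.31.0 bump that the spec comment and changelog describe: its own Subject is `[PATCH 1/3] build(deps): move from github.com/xanzy/go-gitlab to gitlab.com/gitlab-org/api/client-go`, it replaces the GitLab client library in seven files with a call-site change in export_test.go (`DeleteProject(project, nil, gitlab.WithContext(ctx))`), and in go.mod/go.sum it moves golang.org/x/time from v0.5.0 down to v0.3.0. The PR description should state that this is upstream commit fc24dafc5962715b46bcf37091d7f388ded5aa4b taken as-is and whether parts 2/3 and 3/3 of that series are needed for a consistent tree; whether non-test callers depend on other changed client-go signatures is not visible from these hunks. As a point of style, the import path now ends in `client-go` while the code keeps using the package as `gitlab`, so an explicit alias, `gitlab "gitlab.com/gitlab-org/api/client-go"`, in each of the seven import hunks would make the rename self-documenting to the next reader.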


@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/MichaelMure/git-bug.git</param>
<param name="changesrevision">b0cc690854e501af9d91e2f09366263d629ceeaa</param></service></servicedata>
<param name="changesrevision">d499b6e9d3333334614924669b74640a2d0b5485</param></service></servicedata>


git-bug-0.8.0+git.1733745604.d499b6e.obscpio (Stored with Git LFS) Normal file



@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Dec 17 13:53:28 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to version 0.8.0+git.1733745604.d499b6e:
* fix typos in docs (#1266)
* build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
- Add CVE-2024-45337-bump-go-crypto.patch to bump
golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for
CVE-2024-45337, bsc#1234565).
-------------------------------------------------------------------
Thu Oct 03 18:28:47 UTC 2024 - mcepl@cepl.eu


@ -1,4 +1,4 @@
name: git-bug
version: 0.8.0+git.1725552198.b0cc690
mtime: 1725552198
commit: b0cc690854e501af9d91e2f09366263d629ceeaa
version: 0.8.0+git.1733745604.d499b6e
mtime: 1733745604
commit: d499b6e9d3333334614924669b74640a2d0b5485


@ -1,7 +1,7 @@
#
# spec file for package git-bug
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,22 +17,26 @@
Name: git-bug
Version: 0.8.0+git.1725552198.b0cc690
Version: 0.8.0+git.1733745604.d499b6e
Release: 0
Summary: Distributed, offline-first bug tracker embedded in git, with bridges
License: MIT
URL: https://github.com/MichaelMure/git-bug
# Source0: https://github.com/MichaelMure/%%{name}/archive/refs/tags/v%%{version}.tar.gz#/git-bug-%%{version}.tar.gz
Source0: git-bug-%{version}.tar.gz
Source1: vendor.tar.gz
# PATCH-FIX-UPSTREAM remote-config.patch gh#MichaelMure/git-bug!1076 mcepl@suse.com
# try reading git-bug.remote config value before defaulting to 'origin' when no explicit REMOTE argument
Patch0: remote-config.patch
Source1: vendor.tar.gz
# PATCH-FIX-UPSTREAM CVE-2024-45337-bump-go-crypto.patch bsc#1234565 mcepl@suse.com
# bump golang.org/x/crypto from v0.26.0 to v0.31.0
Patch1: CVE-2024-45337-bump-go-crypto.patch
BuildRequires: golang(API) = 1.22
# # PATCH-FEATURE-UPSTREAM 501-export.patch gh#MichaelMure/git-bug!501 mcepl@suse.com
# # add a command to export bugs as raw operations
# Patch0: 501-export.patch
BuildRequires: golang-packaging
BuildRequires: golang(API) = 1.22
BuildRequires: git
%description
git-bug is a bug tracker that:
@ -86,7 +90,7 @@ zsh shell completions for git-bug
%autosetup -p1 -a1
%build
go build -v -x -mod=vendor -buildmode=pie
%make_build build
%install
install -Dm755 git-bug %{buildroot}%{_bindir}/git-bug
@ -101,7 +105,8 @@ install -Dm0644 misc/completion/zsh/git-bug \
%{buildroot}%{_sysconfdir}/zsh_completion.d/git-bug
%check
go test -v -s TestValidateUsername -mod=vendor -bench=. ./...
# before we mark network requiring tests (gh#git-bug/git-bug#1313)
%make_build test || true
%files
%license LICENSE
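Review bot: The PATCH-FIX-UPSTREAM comment on Patch1 only says `# bump golang.org/x/crypto from v0.26.0 to v0.31.0`, but the build compiles from the vendored tree (Source1 vendor.tar.gz unpacked by `%autosetup -p1 -a1`), so the x/crypto actually linked into the binary is whichever version vendor.tar.gz contains, not the one the patch writes into go.mod; the comment should record that the vendor tarball was regenerated after applying the patch, e.g. `# vendor.tar.gz regenerated after this patch; vendor/modules.txt lists golang.org/x/crypto v0.31.0`. Vendor mode refuses to build when go.mod and vendor/modules.txt disagree, which is a useful guard, but only while the build stays in vendor mode — `%make_build build` replaces the explicit `go build -v -x -mod=vendor -buildmode=pie`, and whether the upstream Makefile passes `-mod=vendor` and `-buildmode=pie` is not visible here. The same comment should also mention that the patch is an upstream go-gitlab → client-go migration (its Subject line says so), since a reader of the spec alone would expect a one-line dependency bump. Separately, if `%make_build test || true` is the new `%check` body, a failing test suite — including a failure caused by the client-go API change — can no longer fail the build; the comment above it explains the intent, but skipping the network-dependent tests by name would keep the remaining tests as a signal.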

vendor.tar.gz (Stored with Git LFS)
