diff --git a/CVE-2024-45337-bump-go-crypto.patch b/CVE-2024-45337-bump-go-crypto.patch deleted file mode 100644 index ed61eff..0000000 --- a/CVE-2024-45337-bump-go-crypto.patch +++ /dev/null 
@@ -1,232 +0,0 @@ -From fc24dafc5962715b46bcf37091d7f388ded5aa4b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= -Date: Mon, 16 Dec 2024 18:02:51 +0100 -Subject: [PATCH 1/3] build(deps): move from github.com/xanzy/go-gitlab to - gitlab.com/gitlab-org/api/client-go - ---- - bridge/gitlab/config.go | 2 +- - bridge/gitlab/event.go | 2 +- - bridge/gitlab/export.go | 2 +- - bridge/gitlab/export_test.go | 4 ++-- - bridge/gitlab/gitlab.go | 2 +- - bridge/gitlab/gitlab_api.go | 2 +- - bridge/gitlab/import.go | 2 +- - go.mod | 23 +++++++++++++---------- - go.sum | 28 ++++++++++++++-------------- - 9 files changed, 35 insertions(+), 32 deletions(-) - ---- a/bridge/gitlab/config.go -+++ b/bridge/gitlab/config.go -@@ -8,7 +8,7 @@ import ( - "strings" - - "github.com/pkg/errors" -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - - "github.com/git-bug/git-bug/bridge/core" - "github.com/git-bug/git-bug/bridge/core/auth" ---- a/bridge/gitlab/event.go -+++ b/bridge/gitlab/event.go -@@ -5,7 +5,7 @@ import ( - "strings" - "time" - -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - - "github.com/git-bug/git-bug/util/text" - ) ---- a/bridge/gitlab/export.go -+++ b/bridge/gitlab/export.go -@@ -8,7 +8,7 @@ import ( - "time" - - "github.com/pkg/errors" -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - - "github.com/git-bug/git-bug/bridge/core" - "github.com/git-bug/git-bug/bridge/core/auth" ---- a/bridge/gitlab/export_test.go -+++ b/bridge/gitlab/export_test.go -@@ -9,7 +9,7 @@ import ( - "testing" - "time" - -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - - "github.com/git-bug/git-bug/entity" - "github.com/git-bug/git-bug/entity/dag" -@@ -319,6 +319,6 @@ func deleteRepository(ctx context.Contex - return err - } - -- _, err = client.Projects.DeleteProject(project, gitlab.WithContext(ctx)) -+ _, err = client.Projects.DeleteProject(project, nil, gitlab.WithContext(ctx)) - return 
err - } ---- a/bridge/gitlab/gitlab.go -+++ b/bridge/gitlab/gitlab.go -@@ -3,7 +3,7 @@ package gitlab - import ( - "time" - -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - - "github.com/git-bug/git-bug/bridge/core" - "github.com/git-bug/git-bug/bridge/core/auth" ---- a/bridge/gitlab/gitlab_api.go -+++ b/bridge/gitlab/gitlab_api.go -@@ -5,7 +5,7 @@ import ( - "time" - - "github.com/git-bug/git-bug/util/text" -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - ) - - // Issues returns a channel with gitlab project issues, ascending order. ---- a/bridge/gitlab/import.go -+++ b/bridge/gitlab/import.go -@@ -6,7 +6,7 @@ import ( - "strconv" - "time" - -- "github.com/xanzy/go-gitlab" -+ "gitlab.com/gitlab-org/api/client-go" - - "github.com/git-bug/git-bug/bridge/core" - "github.com/git-bug/git-bug/bridge/core/auth" ---- a/go.mod -+++ b/go.mod -@@ -35,12 +35,19 @@ require ( - github.com/stretchr/testify v1.9.0 - github.com/vbauerster/mpb/v8 v8.8.2 - github.com/vektah/gqlparser/v2 v2.5.16 -- github.com/xanzy/go-gitlab v0.107.0 -- golang.org/x/crypto v0.26.0 -+ gitlab.com/gitlab-org/api/client-go v0.116.0 -+ golang.org/x/crypto v0.31.0 - golang.org/x/oauth2 v0.22.0 -- golang.org/x/sync v0.8.0 -- golang.org/x/sys v0.25.0 -- golang.org/x/text v0.17.0 -+ golang.org/x/sync v0.10.0 -+ golang.org/x/sys v0.28.0 -+ golang.org/x/text v0.21.0 -+) -+ -+require ( -+ github.com/google/go-querystring v1.1.0 // indirect -+ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect -+ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect -+ golang.org/x/time v0.3.0 // indirect - ) - - require ( -@@ -78,12 +85,9 @@ require ( - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/golang/snappy v0.0.4 // indirect -- github.com/google/go-querystring v1.1.0 // indirect - github.com/google/uuid v1.6.0 // indirect - github.com/gorilla/websocket v1.5.3 // indirect - 
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect -- github.com/hashicorp/go-cleanhttp v0.5.2 // indirect -- github.com/hashicorp/go-retryablehttp v0.7.7 // indirect - github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect - github.com/kevinburke/ssh_config v1.2.0 // indirect -@@ -117,8 +121,7 @@ require ( - golang.org/x/mod v0.19.0 // indirect - golang.org/x/net v0.27.0 // indirect - golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 // indirect -- golang.org/x/term v0.24.0 -- golang.org/x/time v0.5.0 // indirect -+ golang.org/x/term v0.27.0 - golang.org/x/tools v0.23.0 // indirect - golang.org/x/vuln v1.1.3 - google.golang.org/protobuf v1.34.2 // indirect ---- a/go.sum -+++ b/go.sum -@@ -311,8 +311,6 @@ github.com/vektah/gqlparser/v2 v2.5.16/g - github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= - github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= - github.com/willf/bitset v1.1.10/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= --github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y= --github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY= - github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= - github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= - github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -@@ -322,6 +320,8 @@ github.com/yuin/goldmark v1.4.13/go.mod - github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= - github.com/zclconf/go-cty v1.15.0 h1:tTCRWxsexYUmtt/wVxgDClUe+uQusuI443uL6e+5sXQ= - github.com/zclconf/go-cty v1.15.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= 
-+gitlab.com/gitlab-org/api/client-go v0.116.0 h1:Dy534gtZPMrnm3fAcmQRMadrcoUyFO4FQ4rXlSAdHAw= -+gitlab.com/gitlab-org/api/client-go v0.116.0/go.mod h1:B29OfnZklmaoiR7uHANh9jTyfWEgmXvZLVEnosw2Dx0= - go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= - go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0= - go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ= -@@ -331,8 +331,8 @@ golang.org/x/crypto v0.0.0-2021092115510 - golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= - golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= - golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= --golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= --golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= -+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= -+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -@@ -357,8 +357,8 @@ golang.org/x/sync v0.0.0-20180314180146- - golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= - golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= - golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= --golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= --golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -+golang.org/x/sync 
v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= -+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= - golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= - golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= - golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -@@ -379,8 +379,8 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1 - golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= - golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= - golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= --golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= --golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= -+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 h1:ka7TMW0Mo8QYTXm2hXSQ9fFUXS7Zln3S4pe9aq4JC7w= - golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4/go.mod h1:amNmu/SBSm2GAF3X+9U2C0epLocdh+r5Z+7oMYO5cLM= - golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -@@ -390,8 +390,8 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDH - golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= - golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= - golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= --golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= --golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= -+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= -+golang.org/x/term v0.27.0/go.mod 
h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= - golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= - golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= - golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -@@ -402,10 +402,10 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+ - golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= - golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= --golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= --golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= --golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= --golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= -+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= -+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= -+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= - golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= - golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= diff --git a/CVE-2025-22869-bump-go-crypto-ssh.patch b/CVE-2025-22869-bump-go-crypto-ssh.patch new file mode 100644 index 0000000..b262451 --- /dev/null +++ b/CVE-2025-22869-bump-go-crypto-ssh.patch 
@@ -0,0 +1,103 @@ +--- + go.mod | 14 ++++++++------ + go.sum | 20 ++++++++++---------- + 2 files changed, 18 insertions(+), 16 deletions(-) + +Index: git-bug-0.8.0+git.1742269202.0ab94c9/go.mod +=================================================================== +--- git-bug-0.8.0+git.1742269202.0ab94c9.orig/go.mod 2025-03-18 04:40:02.000000000 +0100 ++++ git-bug-0.8.0+git.1742269202.0ab94c9/go.mod 2025-03-25 16:42:47.276480680 +0100 +@@ -1,6 +1,8 @@ + module github.com/git-bug/git-bug + +-go 1.22.5 ++go 1.23.0 ++ ++toolchain go1.24.1 + + // https://github.com/praetorian-inc/gokart/pull/84 + replace github.com/praetorian-inc/gokart v0.5.1 => github.com/selesy/gokart v0.5.2-rc1 +@@ -36,11 +38,11 @@ + github.com/vbauerster/mpb/v8 v8.8.2 + github.com/vektah/gqlparser/v2 v2.5.16 + gitlab.com/gitlab-org/api/client-go v0.116.0 +- golang.org/x/crypto v0.31.0 ++ golang.org/x/crypto v0.35.0 + golang.org/x/oauth2 v0.22.0 +- golang.org/x/sync v0.10.0 +- golang.org/x/sys v0.28.0 +- golang.org/x/text v0.21.0 ++ golang.org/x/sync v0.11.0 ++ golang.org/x/sys v0.30.0 ++ golang.org/x/text v0.22.0 + ) + + require ( +@@ -121,7 +123,7 @@ + golang.org/x/mod v0.19.0 // indirect + golang.org/x/net v0.27.0 // indirect + golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 // indirect +- golang.org/x/term v0.27.0 ++ golang.org/x/term v0.29.0 + golang.org/x/tools v0.23.0 // indirect + golang.org/x/vuln v1.1.3 + google.golang.org/protobuf v1.34.2 // indirect +Index: git-bug-0.8.0+git.1742269202.0ab94c9/go.sum +=================================================================== +--- git-bug-0.8.0+git.1742269202.0ab94c9.orig/go.sum 2025-03-18 04:40:02.000000000 +0100 ++++ git-bug-0.8.0+git.1742269202.0ab94c9/go.sum 2025-03-25 16:42:47.278128567 +0100 +@@ -331,8 +331,8 @@ + golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= + golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod 
h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= + golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= ++golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= ++golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +@@ -357,8 +357,8 @@ + golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= ++golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= + golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -379,8 +379,8 @@ + golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.17.0/go.mod 
h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= ++golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 h1:ka7TMW0Mo8QYTXm2hXSQ9fFUXS7Zln3S4pe9aq4JC7w= + golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4/go.mod h1:amNmu/SBSm2GAF3X+9U2C0epLocdh+r5Z+7oMYO5cLM= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +@@ -390,8 +390,8 @@ + golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= + golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= + golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= ++golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= ++golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= + golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +@@ -402,8 +402,8 @@ + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= + golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= ++golang.org/x/text v0.22.0 
h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= ++golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= + golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= + golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/_service b/_service index 4215177..77f1305 100644 --- a/_service +++ b/_service @@ -1,7 +1,7 @@ 0.8.0+git - https://github.com/MichaelMure/git-bug.git + https://github.com/git-bug/git-bug.git git enable mcepl@cepl.eu diff --git a/_servicedata b/_servicedata index bb7f728..b7c0bf9 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,6 @@ https://github.com/MichaelMure/git-bug.git - d499b6e9d3333334614924669b74640a2d0b5485 \ No newline at end of file + d499b6e9d3333334614924669b74640a2d0b5485 + https://github.com/git-bug/git-bug.git + 0ab94c9b7ac53ca9ab56febcf5cc3f26959e8b8a \ No newline at end of file diff --git a/git-bug-0.8.0+git.1733745604.d499b6e.obscpio b/git-bug-0.8.0+git.1733745604.d499b6e.obscpio deleted file mode 100644 index 299848a..0000000 --- a/git-bug-0.8.0+git.1733745604.d499b6e.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2f683251b338ba457ddc5b1b5c7f5874c6b93f24c6919e5366f5d097c6f3e68b -size 7206413 diff --git a/git-bug-0.8.0+git.1742269202.0ab94c9.obscpio b/git-bug-0.8.0+git.1742269202.0ab94c9.obscpio new file mode 100644 index 0000000..9fe0c0a --- /dev/null +++ b/git-bug-0.8.0+git.1742269202.0ab94c9.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eac693d55f8f3c2e8e839e2e8381c5955dc6548aa004d6185db80ee68e6c5e0d +size 7206925 diff --git a/git-bug.changes b/git-bug.changes index d6e5602..91c61a8 100644 --- a/git-bug.changes +++ b/git-bug.changes 
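Review bot: The `toolchain go1.24.1` line that the new CVE-2025-22869-bump-go-crypto-ssh.patch adds to go.mod names a newer toolchain than the `BuildRequires: golang(API) = 1.23` set in git-bug.spec by this same change. With the default `GOTOOLCHAIN` setting, a Go 1.23 toolchain that sees this line tries to switch to go1.24.1 and download it, which cannot work in a build root without network access; the build then depends on the environment forcing `GOTOOLCHAIN=local` (not visible here, please confirm). The line was presumably written automatically by the Go version used to run `go get`, and the `go 1.23.0` directive alone already expresses the minimum. I would drop `toolchain go1.24.1` from the patch, or state in the patch header why it is kept. The patch also starts directly at the diffstat, so a short header naming CVE-2025-22869 and bsc#1239494 would help the next maintainer decide when it can be removed.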
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Mar 25 15:29:50 UTC 2025 - mcepl@cepl.eu + +- Update to version 0.8.0+git.1742269202.0ab94c9: + * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312) +- Remove upstreamed CVE-2024-45337-bump-go-crypto.patch + (apparently upstream still didn’t see the other one). + +------------------------------------------------------------------- +Thu Mar 13 17:02:33 UTC 2025 - mcepl@cepl.eu + +- Add CVE-2025-22869-bump-go-crypto-ssh.patch to update + golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494, + CVE-2025-22869). + ------------------------------------------------------------------- Wed Jan 22 16:32:25 UTC 2025 - Matej Cepl diff --git a/git-bug.obsinfo b/git-bug.obsinfo index 0fbb008..8e35472 100644 --- a/git-bug.obsinfo +++ b/git-bug.obsinfo @@ -1,4 +1,4 @@ name: git-bug -version: 0.8.0+git.1733745604.d499b6e -mtime: 1733745604 -commit: d499b6e9d3333334614924669b74640a2d0b5485 +version: 0.8.0+git.1742269202.0ab94c9 +mtime: 1742269202 +commit: 0ab94c9b7ac53ca9ab56febcf5cc3f26959e8b8a diff --git a/git-bug.spec b/git-bug.spec index 0fec399..7359b9b 100644 --- a/git-bug.spec +++ b/git-bug.spec @@ -17,7 +17,7 @@ Name: git-bug -Version: 0.8.0+git.1733745604.d499b6e +Version: 0.8.0+git.1742269202.0ab94c9 Release: 0 Summary: Distributed, offline-first bug tracker embedded in git, with bridges License: MIT 
@@ -28,10 +28,10 @@ Source1: vendor.tar.gz # PATCH-FIX-UPSTREAM remote-config.patch gh#MichaelMure/git-bug!1076 mcepl@suse.com # try reading git-bug.remote config value before defaulting to 'origin' when no explicit REMOTE argument Patch0: remote-config.patch -# PATCH-FIX-UPSTREAM CVE-2024-45337-bump-go-crypto.patch bsc#1234565 mcepl@suse.com -# bump golang.org/x/crypto from v0.26.0 to v0.31.0 -Patch1: CVE-2024-45337-bump-go-crypto.patch -BuildRequires: golang(API) = 1.22 +# PATCH-FIX-UPSTREAM CVE-2025-22869-bump-go-crypto-ssh.patch bsc#1239494 mcepl@suse.com +# bump golang.org/x/crypto to v0.35.0 +Patch2: CVE-2025-22869-bump-go-crypto-ssh.patch +BuildRequires: golang(API) = 1.23 # # PATCH-FEATURE-UPSTREAM 501-export.patch gh#MichaelMure/git-bug!501 mcepl@suse.com # # add a command to export bugs as raw operations # Patch0: 501-export.patch diff --git a/remote-config.patch b/remote-config.patch index 45b73d4..8bc6fd6 100644 --- a/remote-config.patch +++ b/remote-config.patch @@ -10,9 +10,11 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before repository/config.go | 11 +++++++++++ 3 files changed, 33 insertions(+), 10 deletions(-) ---- a/commands/pull.go -+++ b/commands/pull.go -@@ -8,6 +8,7 @@ import ( +Index: git-bug-0.8.0+git.1742269202.0ab94c9/commands/pull.go +=================================================================== +--- git-bug-0.8.0+git.1742269202.0ab94c9.orig/commands/pull.go 2025-03-18 04:40:02.000000000 +0100 ++++ git-bug-0.8.0+git.1742269202.0ab94c9/commands/pull.go 2025-03-25 16:36:27.048924722 +0100 +@@ -8,6 +8,7 @@ "github.com/git-bug/git-bug/commands/completion" "github.com/git-bug/git-bug/commands/execenv" "github.com/git-bug/git-bug/entity" 
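Review bot: The comment above `Patch2:` in the second git-bug.spec hunk understates the patch, which is documented only as a bump of golang.org/x/crypto. Going by its go.mod hunks, the patch also raises the `go` directive from 1.22.5 to 1.23.0 and bumps x/sync, x/sys, x/term and x/text, and that is the reason `BuildRequires: golang(API)` moves to 1.23 here. I would record it next to the patch, e.g. `# bump golang.org/x/crypto to v0.35.0; raises the go directive to 1.23.0 and bumps x/sync, x/sys, x/term, x/text`. Because the patch rewrites go.mod and go.sum, vendor.tar.gz has to be generated from the patched tree; the new oid suggests it was, but that cannot be checked from this diff.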
@@ -20,7 +22,7 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before ) func newPullCommand(env *execenv.Env) *cobra.Command { -@@ -25,13 +26,18 @@ func newPullCommand(env *execenv.Env) *c +@@ -25,13 +26,18 @@ } func runPull(env *execenv.Env, args []string) error { @@ -44,9 +46,11 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before } env.Out.Println("Fetching remote ...") ---- a/commands/push.go -+++ b/commands/push.go -@@ -7,6 +7,7 @@ import ( +Index: git-bug-0.8.0+git.1742269202.0ab94c9/commands/push.go +=================================================================== +--- git-bug-0.8.0+git.1742269202.0ab94c9.orig/commands/push.go 2025-03-18 04:40:02.000000000 +0100 ++++ git-bug-0.8.0+git.1742269202.0ab94c9/commands/push.go 2025-03-25 16:36:27.049118817 +0100 +@@ -7,6 +7,7 @@ "github.com/git-bug/git-bug/commands/completion" "github.com/git-bug/git-bug/commands/execenv" @@ -54,7 +58,7 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before ) func newPushCommand(env *execenv.Env) *cobra.Command { -@@ -24,13 +25,18 @@ func newPushCommand(env *execenv.Env) *c +@@ -24,13 +25,18 @@ } func runPush(env *execenv.Env, args []string) error { @@ -78,9 +82,11 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before } stdout, err := env.Backend.Push(remote) ---- a/repository/config.go -+++ b/repository/config.go -@@ -60,6 +60,17 @@ type ConfigWrite interface { +Index: git-bug-0.8.0+git.1742269202.0ab94c9/repository/config.go +=================================================================== +--- git-bug-0.8.0+git.1742269202.0ab94c9.orig/repository/config.go 2025-03-18 04:40:02.000000000 +0100 ++++ git-bug-0.8.0+git.1742269202.0ab94c9/repository/config.go 2025-03-25 16:36:27.049354801 +0100 +@@ -60,6 +60,17 @@ RemoveAll(keyPrefix string) error } diff --git a/vendor.tar.gz b/vendor.tar.gz index 49d7b88..266fd36 100644 --- a/vendor.tar.gz +++ b/vendor.tar.gz 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:e608cc4c6464f470427de2fe11b3f8c22e6760daefd68d3f166a3d22f2a6bf9a -size 7864722 +oid sha256:b3d4eedd9c7468028055ec50887bf7590ba49473fb2bd7f368fc78a0e120d60b +size 7873892