Merge pull request 'Update to 0.59.1' (#13) from dirkmueller/trivy:factory into factory
This commit is contained in:
commit
b1620bb580
2
_service
2
_service
@ -2,7 +2,7 @@
|
||||
<service name="tar_scm" mode="manual">
|
||||
<param name="url">https://github.com/aquasecurity/trivy</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="revision">v0.59.0</param>
|
||||
<param name="revision">v0.59.1</param>
|
||||
<param name="versionformat">@PARENT_TAG@</param>
|
||||
<param name="versionrewrite-pattern">v(.*)</param>
|
||||
<param name="changesgenerate">enable</param>
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://github.com/aquasecurity/trivy</param>
|
||||
<param name="changesrevision">a58d6854dcfec0349daef27e180f2bdb5b380315</param></service></servicedata>
|
||||
<param name="changesrevision">9aabfd2a91e7278384bce7ccc6841a1d2851feb0</param></service></servicedata>
|
||||
49
jwe-avoid-unbounded-splits.patch
Normal file
49
jwe-avoid-unbounded-splits.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew McPherrin <mattm@letsencrypt.org>
|
||||
Date: Mon, 24 Feb 2025 15:06:34 -0500
|
||||
Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
|
||||
|
||||
In compact JWS/JWE, don't allow unbounded number of splits.
|
||||
Count to make sure there's the right number, then use SplitN.
|
||||
---
|
||||
jwe.go | 5 +++--
|
||||
jws.go | 5 +++--
|
||||
jws_test.go | 3 +++
|
||||
3 files changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/jwe.go b/jwe.go
|
||||
index 89f03ee..9f1322d 100644
|
||||
--- a/jwe.go
|
||||
+++ b/jwe.go
|
||||
@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
|
||||
keyAlgorithms []KeyAlgorithm,
|
||||
contentEncryption []ContentEncryption,
|
||||
) (*JSONWebEncryption, error) {
|
||||
- parts := strings.Split(input, ".")
|
||||
- if len(parts) != 5 {
|
||||
+ // Five parts is four separators
|
||||
+ if strings.Count(input, ".") != 4 {
|
||||
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
|
||||
}
|
||||
+ parts := strings.SplitN(input, ".", 5)
|
||||
|
||||
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
|
||||
if err != nil {
|
||||
diff --git a/jws.go b/jws.go
|
||||
index 3a91230..d09d8ba 100644
|
||||
--- a/jws.go
|
||||
+++ b/jws.go
|
||||
@@ -327,10 +327,11 @@ func parseSignedCompact(
|
||||
payload []byte,
|
||||
signatureAlgorithms []SignatureAlgorithm,
|
||||
) (*JSONWebSignature, error) {
|
||||
- parts := strings.Split(input, ".")
|
||||
- if len(parts) != 3 {
|
||||
+ // Three parts is two separators
|
||||
+ if strings.Count(input, ".") != 2 {
|
||||
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
||||
}
|
||||
+ parts := strings.SplitN(input, ".", 3)
|
||||
|
||||
if parts[1] != "" && payload != nil {
|
||||
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
|
||||
BIN
trivy-0.59.0.tar.zst
(Stored with Git LFS)
BIN
trivy-0.59.0.tar.zst
(Stored with Git LFS)
Binary file not shown.
BIN
trivy-0.59.1.tar.zst
(Stored with Git LFS)
Normal file
BIN
trivy-0.59.1.tar.zst
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,3 +1,19 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- add jwe-avoid-unbounded-splits.patch (bsc#1237618,
|
||||
CVE-2025-27144)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com
|
||||
|
||||
- Update to version 0.59.1:
|
||||
* release: v0.59.1 [release/v0.59] (#8334)
|
||||
* fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
|
||||
* chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
|
||||
* fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
|
||||
* fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 7 11:33:46 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
@ -97,7 +113,8 @@ Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com
|
||||
|
||||
- Update to version 0.58.2 (
|
||||
bsc#1234512, CVE-2024-45337,
|
||||
bsc#1235265, CVE-2024-45338):
|
||||
bsc#1235265, CVE-2024-45338,
|
||||
bsc#1232948, CVE-2024-51744):
|
||||
* release: v0.58.2 [release/v0.58] (#8216)
|
||||
* fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
|
||||
* fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: trivy
|
||||
Version: 0.59.0
|
||||
Version: 0.59.1
|
||||
Release: 0
|
||||
Summary: A Simple and Comprehensive Vulnerability Scanner for Containers
|
||||
License: Apache-2.0
|
||||
@ -25,6 +25,7 @@ Group: System/Management
|
||||
URL: https://github.com/aquasecurity/trivy
|
||||
Source: %{name}-%{version}.tar.zst
|
||||
Source1: vendor.tar.zst
|
||||
Patch1: jwe-avoid-unbounded-splits.patch
|
||||
BuildRequires: golang-packaging
|
||||
BuildRequires: zstd
|
||||
BuildRequires: golang(API) = 1.23
|
||||
@ -44,6 +45,10 @@ name of the container.
|
||||
|
||||
%prep
|
||||
%setup -a1
|
||||
(
|
||||
cd vendor/github.com/go-jose/go-jose/v4
|
||||
%patch -P 1 -p1
|
||||
)
|
||||
|
||||
%build
|
||||
export CGO_ENABLED=1
|
||||
|
||||
BIN
vendor.tar.zst
(Stored with Git LFS)
BIN
vendor.tar.zst
(Stored with Git LFS)
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user