diff --git a/git-bug b/git-bug index 22bb247..2390ae6 160000 --- a/git-bug +++ b/git-bug @@ -1 +1 @@ -Subproject commit 22bb247e7303abaf3920bfdd3fac20cb48e2de2e884bd34eb8ae813afec73b2a +Subproject commit 2390ae6ceea5fe7d3bcf4286e25b81f87bfd2ecb02bcfe4aa49e5facfeb575ab diff --git a/patchinfo.20251203090227587250.187004354831441/_patchinfo b/patchinfo.20251203090227587250.187004354831441/_patchinfo new file mode 100644 index 0000000..7eb8c2f --- /dev/null +++ b/patchinfo.20251203090227587250.187004354831441/_patchinfo 
@@ -0,0 +1,106 @@ + + VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or + VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or + VUL-0: CVE-2025-47911: git-bug: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents + VUL-0: CVE-2025-47914: git-bug: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read + + VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh + VUL-0: CVE-2024-45337: git-bug: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto + VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read + VUL-0: CVE-2025-58190: git-bug: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input + VUL-0: CVE-2025-22869: git-bug: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh + VUL-0: CVE-2024-45337: TRACKERBUG: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto + VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents + VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption + VUL-0: CVE-2025-58181: git-bug: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption + mcepl + important + security + Security update for git-bug + This update for git-bug fixes the following issues: + 
+Changes in git-bug: + +- Revendor to include fixed version of depending libraries: + - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade + golang.org/x/crypto to v0.43.0 + - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade + github.com/go-viper/mapstructure/v2 to v2.4.0 + - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous + - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade + github.com/cloudflare/circl to v1.6.1 + - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade + golang.org/x/crypto/ssh to v0.45.0 + - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade + golang.org/x/crypto/ssh/agent to v0.45.0 + +- Revendor to include golang.org/x/net/html v 0.45.0 to prevent + possible DoS by various algorithms with quadratic complexity + when parsing HTML documents (bsc#1251463, CVE-2025-47911 and + bsc#1251664, CVE-2025-58190). + +Update to version 0.10.1: + + - cli: ignore missing sections when removing configuration (ddb22a2f) + +Update to version 0.10.0: + + - bridge: correct command used to create a new bridge (9942337b) + - web: simplify header navigation (7e95b169) + - webui: remark upgrade + gfm + syntax highlighting (6ee47b96) + - BREAKING CHANGE: dev-infra: remove gokart (89b880bd) + +Update to version 0.10.0: + + - bridge: correct command used to create a new bridge (9942337b) + - web: simplify header navigation (7e95b169) + - web: remark upgrade + gfm + syntax highlighting (6ee47b96) + +Update to version 0.9.0: + + - completion: remove errata from string literal (aa102c91) + - tui: improve readability of the help bar (23be684a) + +Update to version 0.8.1+git.1746484874.96c7a111: + + * docs: update install, contrib, and usage documentation (#1222) + * fix: resolve the remote URI using url.*.insteadOf (#1394) + * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376) + * chore: gofmt simplify gitlab/export_test.go (#1392) + * fix: checkout repo before setting up go environment (#1390) + * feat: bump to go v1.24.2 (#1389) + * chore: 
update golang.org/x/net (#1379) + * fix: use -0700 when formatting time (#1388) + * fix: use correct url for gitlab PATs (#1384) + * refactor: remove depdendency on pnpm for auto-label action (#1383) + * feat: add action: auto-label (#1380) + * feat: remove lifecycle/frozen (#1377) + * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378) + * feat: support new exclusion label: lifecycle/pinned (#1375) + * fix: refactor how gitlab title changes are detected (#1370) + * revert: "Create Dependabot config file" (#1374) + * refactor: rename //:git-bug.go to //:main.go (#1373) + * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361) + * fix: set GitLastTag to an empty string when git-describe errors (#1355) + * chore: update go-git to v5@masterupdate_mods (#1284) + * refactor: Directly swap two variables to optimize code (#1272) + * Update README.md Matrix link to new room (#1275) + +- Update to version 0.8.0+git.1742269202.0ab94c9: + * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312) + +- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494, + CVE-2025-22869). + +- Add missing Requires to completion subpackages. + +Update to version 0.8.0+git.1733745604.d499b6e: + + * fix typos in docs (#1266) + * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289) + +- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565). + + git-bug + +
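Review bot: the submodule bump at the top (git-bug 22bb247 -> 2390ae6) is the only change to the package itself, and nothing in this diff shows what moved inside it, so the seven CVE fixes claimed by the new _patchinfo cannot be verified from this request alone; attach (or link) the git-bug spec and .changes diff for that submodule commit so each bsc# listed in the patchinfo (bsc#1253506, bsc#1253930, bsc#1254084, bsc#1251463, bsc#1251664, bsc#1239494, bsc#1234565) can be matched to a changes entry before this is accepted.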
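Review bot: in the new _patchinfo the issue list carries CVE-2025-47913 twice with byte-identical TRACKERBUG text and no git-bug-specific entry, while every other CVE in the list except CVE-2025-58190 has a TRACKERBUG/git-bug pair; this looks like the git-bug entry for bsc#1253506 was pasted over, so drop the duplicate and add the correct reference (and check whether CVE-2025-58190 is missing its TRACKERBUG counterpart for the same reason). The CVE-2025-47913 summary is also cut off mid-sentence ("... in response to a key listing or"), which should be completed from the tracker bug. In the changelog body, "Update to version 0.10.0:" appears twice with the same three commits (7e95b169 labelled "webui:" in one block and "web:" in the other, the BREAKING CHANGE line only in the first), so keep one block; "golang.org/x/net/html v 0.45.0" has a stray space and names a single x/net version for both CVE-2025-47911 and CVE-2025-58190, which should be confirmed against the Go vulndb fix versions for each; and the entry style alternates between "- Update to version ..." and bare "Update to version ..." with "*" and "-" sub-bullets, which is worth normalising since this text is what ships in the advisory.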