Pull request for security update for git-bug #258
2
git-bug
2
git-bug
Submodule git-bug updated: 22bb247e73...2390ae6cee
106
patchinfo.20251203090227587250.187004354831441/_patchinfo
Normal file
106
patchinfo.20251203090227587250.187004354831441/_patchinfo
Normal file
@@ -0,0 +1,106 @@
|
||||
<patchinfo>
|
||||
<issue tracker="bnc" id="1253506">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
|
||||
<issue tracker="cve" id="2025-47913">VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or</issue>
|
||||
<issue tracker="bnc" id="1251463">VUL-0: CVE-2025-47911: git-bug: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
|
||||
<issue tracker="bnc" id="1254084">VUL-0: CVE-2025-47914: git-bug: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
|
||||
<issue tracker="cve" id="2025-58190"/>
|
||||
<issue tracker="cve" id="2025-22869">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
|
||||
<issue tracker="bnc" id="1234565">VUL-0: CVE-2024-45337: git-bug: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
|
||||
<issue tracker="cve" id="2025-47914">VUL-0: CVE-2025-47914: TRACKERBUG: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
|
||||
<issue tracker="bnc" id="1251664">VUL-0: CVE-2025-58190: git-bug: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
|
||||
<issue tracker="bnc" id="1239494">VUL-0: CVE-2025-22869: git-bug: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
|
||||
<issue tracker="cve" id="2024-45337">VUL-0: CVE-2024-45337: TRACKERBUG: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
|
||||
<issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
|
||||
<issue tracker="cve" id="2025-58181">VUL-0: CVE-2025-58181: TRACKERBUG: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
|
||||
<issue tracker="bnc" id="1253930">VUL-0: CVE-2025-58181: git-bug: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
|
||||
<packager>mcepl</packager>
|
||||
<rating>important</rating>
|
||||
<category>security</category>
|
||||
<summary>Security update for git-bug</summary>
|
||||
<description>This update for git-bug fixes the following issues:
|
||||
|
||||
Changes in git-bug:
|
||||
|
||||
- Revendor to include fixed version of depending libraries:
|
||||
- GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
|
||||
golang.org/x/crypto to v0.43.0
|
||||
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
|
||||
github.com/go-viper/mapstructure/v2 to v2.4.0
|
||||
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
|
||||
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
|
||||
github.com/cloudflare/circl to v1.6.1
|
||||
- GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
|
||||
golang.org/x/crypto/ssh to v0.45.0
|
||||
- GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
|
||||
golang.org/x/crypto/ssh/agent to v0.45.0
|
||||
|
||||
- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
|
||||
possible DoS by various algorithms with quadratic complexity
|
||||
when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
|
||||
bsc#1251664, CVE-2025-58190).
|
||||
|
||||
Update to version 0.10.1:
|
||||
|
||||
- cli: ignore missing sections when removing configuration (ddb22a2f)
|
||||
|
||||
Update to version 0.10.0:
|
||||
|
||||
- bridge: correct command used to create a new bridge (9942337b)
|
||||
- web: simplify header navigation (7e95b169)
|
||||
- webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
|
||||
- BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
|
||||
|
||||
Update to version 0.10.0:
|
||||
|
||||
- bridge: correct command used to create a new bridge (9942337b)
|
||||
- web: simplify header navigation (7e95b169)
|
||||
- web: remark upgrade + gfm + syntax highlighting (6ee47b96)
|
||||
|
||||
Update to version 0.9.0:
|
||||
|
||||
- completion: remove errata from string literal (aa102c91)
|
||||
- tui: improve readability of the help bar (23be684a)
|
||||
|
||||
Update to version 0.8.1+git.1746484874.96c7a111:
|
||||
|
||||
* docs: update install, contrib, and usage documentation (#1222)
|
||||
* fix: resolve the remote URI using url.*.insteadOf (#1394)
|
||||
* build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
|
||||
* chore: gofmt simplify gitlab/export_test.go (#1392)
|
||||
* fix: checkout repo before setting up go environment (#1390)
|
||||
* feat: bump to go v1.24.2 (#1389)
|
||||
* chore: update golang.org/x/net (#1379)
|
||||
* fix: use -0700 when formatting time (#1388)
|
||||
* fix: use correct url for gitlab PATs (#1384)
|
||||
* refactor: remove depdendency on pnpm for auto-label action (#1383)
|
||||
* feat: add action: auto-label (#1380)
|
||||
* feat: remove lifecycle/frozen (#1377)
|
||||
* build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
|
||||
* feat: support new exclusion label: lifecycle/pinned (#1375)
|
||||
* fix: refactor how gitlab title changes are detected (#1370)
|
||||
* revert: "Create Dependabot config file" (#1374)
|
||||
* refactor: rename //:git-bug.go to //:main.go (#1373)
|
||||
* build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
|
||||
* fix: set GitLastTag to an empty string when git-describe errors (#1355)
|
||||
* chore: update go-git to v5@masterupdate_mods (#1284)
|
||||
* refactor: Directly swap two variables to optimize code (#1272)
|
||||
* Update README.md Matrix link to new room (#1275)
|
||||
|
||||
- Update to version 0.8.0+git.1742269202.0ab94c9:
|
||||
* deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
|
||||
|
||||
- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
|
||||
CVE-2025-22869).
|
||||
|
||||
- Add missing Requires to completion subpackages.
|
||||
|
||||
Update to version 0.8.0+git.1733745604.d499b6e:
|
||||
|
||||
* fix typos in docs (#1266)
|
||||
* build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
|
||||
|
||||
- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
|
||||
</description>
|
||||
<package>git-bug</package>
|
||||
<seperate_build_arch/>
|
||||
</patchinfo>
|
||||
Reference in New Issue
Block a user