diff --git a/go-sendxmpp b/go-sendxmpp index 3ac86d2..a7e7d70 160000 --- a/go-sendxmpp +++ b/go-sendxmpp @@ -1 +1 @@ -Subproject commit 3ac86d2091607066150bbbb8eef8804c815e11f81377f0b9e27abc98a781500b +Subproject commit a7e7d705d106ad958669773f3fdf3a90547e5d6e5f472d36575f9ed6238878bc diff --git a/patchinfo.20260116150132416590.93181000773252/_patchinfo b/patchinfo.20260116150132416590.93181000773252/_patchinfo new file mode 100644 index 0000000..be6691d --- /dev/null +++ b/patchinfo.20260116150132416590.93181000773252/_patchinfo @@ -0,0 +1,95 @@ + + + VUL-0: CVE-2025-22872: go-sendxmpp: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction + VUL-0: CVE-2025-22872: TRACKERBUG: golang.org/x/net/html: tags incorrectly interpreted by tokenizer can lead to content being placed in the wrong scope during + VUL-0: CVE-2025-58190: go-sendxmpp: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input + VUL-0: CVE-2025-47911: go-sendxmpp: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents + VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents + fstrba + moderate + security + Security update for go-sendxmpp + This update for go-sendxmpp fixes the following issues: + +Changes in go-sendxmpp: + +- Update to 0.15.1: + Added + * Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18). + Changed + * HTTP upload: Ignore timeouts on disco IQs as some components do + not reply. +- Upgrades the embedded golang.org/x/net to 0.46.0 + * Fixes: bsc#1251461, CVE-2025-47911: various algorithms with + quadratic complexity when parsing HTML documents + * Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption + by 'html.ParseFragment' when processing specially crafted input + +- Update to 0.15.0: + Added: + * Add flag --verbose to show debug information. + * Add flag --recipients to specify recipients by file. + * Add flag --retry-connect to try after a waiting time if the connection fails. + * Add flag --retry-connect-max to specify the amount of retry attempts. + * Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys. + * Add support for punycode domains. + Changed: + * Update gopenpgp library to v3. + * Improve error detection for MUC joins. + * Don't try to connect to other SRV record targets if error contains 'auth-failure'. + * Remove support for old SSDP version (via go-xmpp v0.2.15). + * Http-upload: Stop checking other disco items after finding upload component. + * Increase default TLS version to 1.3. +- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0 + +- Update to 0.14.1: + * Use prettier date format for error messages. + * Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10). + +- Update to 0.14.0: + Added: + * Add --fast-invalidate to allow invalidating the FAST token. + Changed: + * Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys. + * Delete legacy Ox private key directory if it's empty. + * Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9). + * Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9). + * Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9). + * Delete stored fast token if --fast-invalidate and --fast-off are set. + * Show error when FAST creds are stored but non-FAST mechanism is requested. + +- Update to 0.13.0: + Added: + * Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8). + * Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8). + * Add support for see-other-host stream error (requires go-xmpp >= 0.2.8). + Changed: + * Don't automatically try other auth mechanisms if FAST authentication fails. + +- Update to 0.12.1: + Changed: + * Print error instead of quitting if a message of type error is received. + * Allow upload of multiple files. + Added: + * Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user. + +- Update to 0.12.0: + Added: + * Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3). + * Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5). + Changed: + * Disable PLAIN authentication per default. + * Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires + go-xmpp >= 0.2.5). + +- Update to 0.11.4: + * Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4). + +- Update to 0.11.3: + * Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2). + * Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3). + * [gocritic]: Improve code quality. + + go-sendxmpp + +