Pull request for security update for go-sendxmpp #329
Submodule go-sendxmpp updated: 3ac86d2091...a7e7d705d1
95
patchinfo.20260116150132416590.93181000773252/_patchinfo
Normal file
95
patchinfo.20260116150132416590.93181000773252/_patchinfo
Normal file
@@ -0,0 +1,95 @@
|
||||
<patchinfo>
|
||||
<issue tracker="cve" id="2025-58190"/>
|
||||
<issue tracker="bnc" id="1241814">VUL-0: CVE-2025-22872: go-sendxmpp: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction</issue>
|
||||
<issue tracker="cve" id="2025-22872">VUL-0: CVE-2025-22872: TRACKERBUG: golang.org/x/net/html: tags incorrectly interpreted by tokenizer can lead to content being placed in the wrong scope during</issue>
|
||||
<issue tracker="bnc" id="1251677">VUL-0: CVE-2025-58190: go-sendxmpp: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
|
||||
<issue tracker="bnc" id="1251461">VUL-0: CVE-2025-47911: go-sendxmpp: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
|
||||
<issue tracker="cve" id="2025-47911">VUL-0: CVE-2025-47911: TRACKERBUG: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
|
||||
<packager>fstrba</packager>
|
||||
<rating>moderate</rating>
|
||||
<category>security</category>
|
||||
<summary>Security update for go-sendxmpp</summary>
|
||||
<description>This update for go-sendxmpp fixes the following issues:
|
||||
|
||||
Changes in go-sendxmpp:
|
||||
|
||||
- Update to 0.15.1:
|
||||
Added
|
||||
* Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).
|
||||
Changed
|
||||
* HTTP upload: Ignore timeouts on disco IQs as some components do
|
||||
not reply.
|
||||
- Upgrades the embedded golang.org/x/net to 0.46.0
|
||||
* Fixes: bsc#1251461, CVE-2025-47911: various algorithms with
|
||||
quadratic complexity when parsing HTML documents
|
||||
* Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption
|
||||
by 'html.ParseFragment' when processing specially crafted input
|
||||
|
||||
- Update to 0.15.0:
|
||||
Added:
|
||||
* Add flag --verbose to show debug information.
|
||||
* Add flag --recipients to specify recipients by file.
|
||||
* Add flag --retry-connect to try after a waiting time if the connection fails.
|
||||
* Add flag --retry-connect-max to specify the amount of retry attempts.
|
||||
* Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
|
||||
* Add support for punycode domains.
|
||||
Changed:
|
||||
* Update gopenpgp library to v3.
|
||||
* Improve error detection for MUC joins.
|
||||
* Don't try to connect to other SRV record targets if error contains 'auth-failure'.
|
||||
* Remove support for old SSDP version (via go-xmpp v0.2.15).
|
||||
* Http-upload: Stop checking other disco items after finding upload component.
|
||||
* Increase default TLS version to 1.3.
|
||||
- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0
|
||||
|
||||
- Update to 0.14.1:
|
||||
* Use prettier date format for error messages.
|
||||
* Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).
|
||||
|
||||
- Update to 0.14.0:
|
||||
Added:
|
||||
* Add --fast-invalidate to allow invalidating the FAST token.
|
||||
Changed:
|
||||
* Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
|
||||
* Delete legacy Ox private key directory if it's empty.
|
||||
* Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9).
|
||||
* Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9).
|
||||
* Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9).
|
||||
* Delete stored fast token if --fast-invalidate and --fast-off are set.
|
||||
* Show error when FAST creds are stored but non-FAST mechanism is requested.
|
||||
|
||||
- Update to 0.13.0:
|
||||
Added:
|
||||
* Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8).
|
||||
* Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8).
|
||||
* Add support for see-other-host stream error (requires go-xmpp >= 0.2.8).
|
||||
Changed:
|
||||
* Don't automatically try other auth mechanisms if FAST authentication fails.
|
||||
|
||||
- Update to 0.12.1:
|
||||
Changed:
|
||||
* Print error instead of quitting if a message of type error is received.
|
||||
* Allow upload of multiple files.
|
||||
Added:
|
||||
* Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.
|
||||
|
||||
- Update to 0.12.0:
|
||||
Added:
|
||||
* Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3).
|
||||
* Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5).
|
||||
Changed:
|
||||
* Disable PLAIN authentication per default.
|
||||
* Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires
|
||||
go-xmpp >= 0.2.5).
|
||||
|
||||
- Update to 0.11.4:
|
||||
* Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4).
|
||||
|
||||
- Update to 0.11.3:
|
||||
* Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2).
|
||||
* Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3).
|
||||
* [gocritic]: Improve code quality.
|
||||
</description>
|
||||
<package>go-sendxmpp</package>
|
||||
<seperate_build_arch/>
|
||||
</patchinfo>
|
||||
Reference in New Issue
Block a user