Accepting request 1173668 from network:cluster

- Make sure, digest values handled by the Go library
  github.com/opencontainers/go-digest and used throughout the
  Go-implemented containers ecosystem are always validated. This
  prevents attackers from triggering unexpected authenticated
  registry accesses.
  * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
    (CVE-2024-3727, bsc#1224114).

OBS-URL: https://build.opensuse.org/request/show/1173668
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=28

Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch

@@ -0,0 +1,41 @@
+From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Fri May 10 15:29:32 2024 +0000
+Subject: Bump github.com/containers/image/v5 from 5.30.0 to 5.30.1
+Patch-mainline: Upstream
+Git-repo: https://github.com/apptainer/apptainer
+Git-commit: 37bcd30d64a934fa78acc838745f5868a4800706
+References: bsc#1224114
+
+Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.30.0 to 5.30.1.
+- [Release notes](https://github.com/containers/image/releases)
+- [Commits](https://github.com/containers/image/compare/v5.30.0...v5.30.1)
+
+
+Signed-off-by: Egbert Eich <eich@suse.de>
+---
+updated-dependencies:
+- dependency-name: github.com/containers/image/v5
+  dependency-type: direct:production
+  update-type: version-update:semver-patch
+...
+
+Signed-off-by: dependabot[bot] <support@github.com>---
+ go.mod | 2 +-
+ go.sum | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/go.mod b/go.mod
+index 8ee607d04..e540f5658 100644
+--- a/go.mod
++++ b/go.mod
+@@ -21 +21 @@ require (
+-	github.com/containers/image/v5 v5.30.0
++	github.com/containers/image/v5 v5.30.1
+diff --git a/go.sum b/go.sum
+index 5747de20d..73e76ddd9 100644
+--- a/go.sum
++++ b/go.sum
+@@ -88,2 +88,2 @@ github.com/containernetworking/plugins v1.4.1/go.mod h1:n6FFGKcaY4o2o5msgu/UImto
+-github.com/containers/image/v5 v5.30.0 h1:CmHeSwI6W2kTRWnUsxATDFY5TEX4b58gPkaQcEyrLIA=
+-github.com/containers/image/v5 v5.30.0/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
++github.com/containers/image/v5 v5.30.1 h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM=
++github.com/containers/image/v5 v5.30.1/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=

apptainer.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon May 13 05:36:38 UTC 2024 - Egbert Eich <eich@suse.com>
+
+- Make sure, digest values handled by the Go library
+  github.com/opencontainers/go-digest and used throughout the
+  Go-implemented containers ecosystem are always validated. This
+  prevents attackers from triggering unexpected authenticated
+  registry accesses.
+  * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
+    (CVE-2024-3727, bsc#1224114).
+ 
 -------------------------------------------------------------------
 Fri Mar 15 11:20:14 UTC 2024 - Christian Goll <cgoll@suse.com>
 

apptainer.spec

@@ -42,6 +42,7 @@ Source5:        Leap.def
 Source20:       %{name}-rpmlintrc
 Source21:       vendor.tar.gz
 Patch1:         Remove-signatures-from-Docker-images.patch
+Patch100:       Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
 BuildRequires:  cryptsetup
 BuildRequires:  fdupes
 BuildRequires:  gcc

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c9ae840ef26b9d9b04ddba942207a1823655b6622fa20e55708ee764803509cd
-size 11976052
+oid sha256:ee7bc9e64e18a61a55e3e148c78b00adb2ea0d4e038038dee43cf338f76ac4c3
+size 12333938