Compare commits

6 Commits

Author SHA256 Message Date
Ana Guerrero
47ead6f81b Accepting request 1235049 from security
- Fixes GHSA-4fg7-vxc8-qx5w
- Update to version 0.11.1+0:
  * Fixed a security vulnerability that could allow an attacker to
    execute an arbitrary binary under certain conditions. Plugin
    names are now required to only contain alphanumeric characters
    or the four special characters +-._.
  * Replace the test `NoCallbacks` with the library version
  * Restrict set of valid characters for plugin names
  * Add tests for invalid plugin name chars

  Fixed:

OBS-URL: https://build.opensuse.org/request/show/1235049
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rage-encryption?expand=0&rev=20
2025-01-07 19:51:25 +00:00
c unix
a817f0b2f2 - Fixes GHSA-4fg7-vxc8-qx5w
- Update to version 0.11.1+0:
  * Fixed a security vulnerability that could allow an attacker to
    execute an arbitrary binary under certain conditions. Plugin
    names are now required to only contain alphanumeric characters
    or the four special characters +-._.
  * Replace the test `NoCallbacks` with the library version
  * Restrict set of valid characters for plugin names
  * Add tests for invalid plugin name chars
- Update to 0.11.0+0:
  Added:
  * Partial French translation!
  Fixed:
  * [Unix] Files can now be encrypted with rage --passphrase when
    piped over stdin, without requiring an explicit - argument as
    INPUT.
- bsc#1229959 - RUSTSEC-2024-0006 - CVE-2024-43806
  - rust-shlex: Multiple issues involving quote API
- bsc#1229959 - RUSTSEC-2024-0006 - rust-shlex: Multiple issues involving quote API
- Enable tests
- Install all language manpages
- Fix -keygen installing to -mount
- Switch from obsoleted practices to modern ones:
  * %setup is now %autosetup
  * cargo_config is now part of vendor file
  * disabledrun is now manualrun
- Update to version 0.10.0+0:
  Added:
  * Russian translation
  * rage-keygen -y IDENTITY_FILE to convert identity files to
    recipients.
  Changed:
  * MSRV is now 1.65.0.
  * Migrated from gumdrop to clap for argument parsing.
  * -R/--recipients-file and -i/--identity now support "read-once"
    files, like those used by process substitution (-i
    <(other_binary get-age-identity)) and named pipes.
  * The filename - (hyphen) is now treated as an explicit request
    to read from standard input when used with -R/--recipients-file
    or -i/--identity. It must only occur once across the
    -R/--recipients-file and -i/--identity flags, and the input
    file. It cannot be used if the input file is omitted.
  Fixed:
  * OpenSSH private keys passed to -i/--identity that contain
    invalid public keys are no longer ignored when encrypting, and
    instead cause an error.
  * Weak ssh-rsa public keys that are smaller than 2048 bits are
    now rejected.
  * rage-keygen no longer overwrites existing key files with the
    -o/--output flag. This was its behaviour prior to 0.6.0, but
    was unintentionally changed when rage was modified to overwrite
    existing files. Key file overwriting can still be achieved by
    omitting -o/--output and instead piping stdout to the file.
  * rage-keygen now prints fatal errors directly instead of them
    being hidden behind the RUST_LOG=error environment variable. It
    also now sets its return code appropriately instead of always
    returning 0.
- bsc#1215657 - chosen ciphertext attack possible against aes-gcm
  * update vendor.tar.zst to contain aes-gcm >= 0.10.3
- Update to version 0.9.2+0:
  * CI: Ensure `apt` repository is up-to-date before installing build deps
  * CI: Build Linux releases using `ubuntu-20.04` runner
  * CI: Remove most uses of `actions-rs` actions
- Update to version 0.9.2+0:
  * v0.9.2
  * Fix changelog bugs and add missing entry
  * Document `PINENTRY_PROGRAM` environment variable
  * age: Add `Decryptor::new_async_buffered`
  * age: `impl AsyncBufRead for ArmoredReader`
  * Pre-initialize vectors when the capacity is known, or use arrays
  * Use `PINENTRY_PROGRAM` as environment variable for `pinentry`
  * Document why `impl AsyncWrite for StreamWriter` doesn't loop indefinitely
  * cargo update
  * cargo vet prune
  * Migrate to `cargo-vet 0.7`
  * build(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.1
  * Correct spelling in documentation
  * build(deps): bump codecov/codecov-action from 3.1.1 to 3.1.4
  * StreamWriter AsyncWrite: fix usage with futures::io::copy()
  * rage: Use `Decryptor::new_buffered`
  * age: Add `Decryptor::new_buffered`
  * age: `impl BufRead for ArmoredReader`
  * Update Homebrew formula to v0.9.1
  * feat/pinentry: Use env var to define pinentry binary
- As per https://en.opensuse.org/openSUSE:Package_description_guidelines
  mention distinctive characteristics that offset this solution
  from e.g. gpg.
- Update to version 0.9.1+0:
  * ssh: Fix parsing of OpenSSH private key format
  * ssh: Support `aes256-gcm@openssh.com` ciphers for encrypted keys
  * ssh: Add `aes256-gcm@openssh.com` cipher to test cases
  * ssh: Extract common key material derivation logic for encrypted keys
  * ssh: Use associated constants for key and IV sizes
  * ssh: Add test cases for encrypted keys
- Add shell completions for fish and zsh.
- bsc#1207039 - CVE-2023-22895 - update bzip2 crate
- Update of vendored dependencies
- Update of vendored dependencies
- Do not have the main package recommend the bash-completion
  sub-package, but rather have the subpackage supplement the
  combination of rage-encryption and bash-completion.
- Update to version 0.9.0+0:
  * v0.9.0
  * use pkcs1 crate to parse RSAPrivateKey ASN.1 object
  * qa: Add workflow that runs `cargo vet --locked`
  * qa: Import `cargo vet` audits from Firefox and zcashd
  * qa: Add `crypto-reviewed` criteria or `cargo vet`
  * qa: `cargo vet init`
- Set minimum rust requirement to 1.59
- Update to version 0.8.1+0:
  * v0.8.1
  * Revert updates to `dashmap` and `indexmap`
  * cargo update
  * age: Add passphrase to scrypt_work_factor_23 testkit test file
  * age: Reject invalid or non-canonical X25519 recipient stanzas
  * age: Require "contributory" behaviour for X25519 recipient stanzas
  * age: Add testkit test files from reference impl
  * Update Homebrew formula to v0.8.0
- Update to version 0.8.0+0:
  * v0.8.0
  * age: Allow ciphertexts that encrypt the empty plaintext
  * Update Italian translation
  * Don't allow -i/--identity with passphrase-encrypted files
  * age: Require the last STREAM chunk to be non-empty
  * age: Return correct response encoding for `confirm` command
  * age: Base64-decode metadata arguments to "confirm" message
  * age: Extract "confirm" command handling into a helper function
- Automatic update of vendored dependencies
- Update to resolve bsc#1196972 CVE-2022-24713 - Regex DOS
- switched to vendored_licenses_packager as build dependency
- define macro "rust_tier1_arches" if undefined
- Add specific lock file path to _service for cargo audit to prevent
  confusion with the lock files in the fuzz folders.
- Update to version 0.7.1
  * Fixed a bug where non-canonical recipient stanza bodies in an age
    file header would cause rage to crash instead of being rejected
  * vendor.tar.xz updated from source code Cargo.lock file
- Added:
  * binary rage-mount
  * bash-completion for rage, rage-keygen and rage-mount
  * manual pages for rage, rage-keygen and rage-mount
  * Licenses files
  * Licenses files of vendored crates extracted
    with script "vendored_licenses_packager.sh"
  * README and CHANGELOG files
  * possibility to build without cargo-packaging for "older" distros
- Update to version 0.7.0~git0.c93b914:
  * v0.7.0
  * cargo update fuzz*
  * Update lockfiles for fuzzers
  * rage: Pin clap to 3.0.0-beta.2
  * CI: Add bitrot check to ensure examples and benchmarks still compile
  * console 0.15
  * age: Re-export `secrecy` crate
  * age-core: Improve crate documentation
  * age-core: Re-export `secrecy` crate
  * age-core: Add `plugin::Error` enum
- Initial commit of rage

OBS-URL: https://build.opensuse.org/package/show/security/rage-encryption?expand=0&rev=39
2025-01-05 15:35:00 +00:00
Ana Guerrero
d28ec3bef5 Accepting request 1221281 from security
OBS-URL: https://build.opensuse.org/request/show/1221281
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rage-encryption?expand=0&rev=19
2024-11-05 14:41:29 +00:00
William Brown
64e2495384 - Update to 0.11.0+0:
Added:
  * Partial French translation!
Fixed:
  * [Unix] Files can now be encrypted with rage --passphrase when
    piped over stdin, without requiring an explicit - argument as
    INPUT.

OBS-URL: https://build.opensuse.org/package/show/security/rage-encryption?expand=0&rev=37
2024-11-04 23:51:12 +00:00
Ana Guerrero
22e2643e3b Accepting request 1202074 from security
OBS-URL: https://build.opensuse.org/request/show/1202074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rage-encryption?expand=0&rev=18
2024-09-20 15:11:53 +00:00
William Brown
97153d1f30 - bsc#1229959 - RUSTSEC-2024-0006 - CVE-2024-43806
- rust-shlex: Multiple issues involving quote API

OBS-URL: https://build.opensuse.org/package/show/security/rage-encryption?expand=0&rev=35
2024-09-20 04:58:28 +00:00
7 changed files with 38 additions and 8 deletions

@ -3,7 +3,7 @@
<param name="url">https://github.com/str4d/rage.git</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="scm">git</param>
<param name="revision">v0.10.0</param>
<param name="revision">v0.11.1</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
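
Review bot: the `revision` param is still pinned to a tag name (`v0.11.1`) rather than a commit hash, and an upstream tag can be moved after this request is accepted. Because this bump carries the GHSA-4fg7-vxc8-qx5w fix, consider setting `revision` to the full hash recorded as `changesrevision` in the servicedata, or confirm during review that the tag resolves to that hash, so a later service run cannot fetch different source under the same version.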

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/str4d/rage.git</param>
<param name="changesrevision">5c82b234c6ad3a537b80e8671ae59875464dd53f</param></service></servicedata>
<param name="changesrevision">07808823074013acab5417de9d6ad176133312c6</param></service></servicedata>

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2a1eb1f73868b31bbb20e074b384f4b710572c98ebc1e31ad8fb3b35fdc234fd
size 1646541

rage-0.11.1+0.tar.gz Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c393108b925c50b7e819f3af64025d054a4de0eb8d4dbb89ac4b734c2837cd2c
size 1666088
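
Review bot: the new source archive enters the package only as a git-lfs pointer, so the `oid sha256` and `size` lines are all this diff lets a reviewer check; the tarball contents that actually carry the security fix are not visible here. Before accepting, regenerate the archive from the recorded `changesrevision` and compare its SHA-256 digest and size with the values in this pointer.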

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Fri Dec 20 06:39:30 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
- Fixes GHSA-4fg7-vxc8-qx5w
- Update to version 0.11.1+0:
* Fixed a security vulnerability that could allow an attacker to
execute an arbitrary binary under certain conditions. Plugin
names are now required to only contain alphanumeric characters
or the four special characters +-._.
* Replace the test `NoCallbacks` with the library version
* Restrict set of valid characters for plugin names
* Add tests for invalid plugin name chars
-------------------------------------------------------------------
Sun Nov 3 19:04:23 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
- Update to 0.11.0+0:
Added:
* Partial French translation!
Fixed:
* [Unix] Files can now be encrypted with rage --passphrase when
piped over stdin, without requiring an explicit - argument as
INPUT.
-------------------------------------------------------------------
Fri Sep 20 04:57:20 UTC 2024 - William Brown <william.brown@suse.com>
- bsc#1229959 - RUSTSEC-2024-0006 - CVE-2024-43806
- rust-shlex: Multiple issues involving quote API
-------------------------------------------------------------------
Wed Sep 4 01:43:07 UTC 2024 - William Brown <william.brown@suse.com>
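
Review bot: the Dec 20 entry identifies the fix only by its GHSA id, while the Sep 20 entry further down uses the `bsc#... - RUSTSEC-... - CVE-...` form. If a Bugzilla entry or CVE has been assigned for GHSA-4fg7-vxc8-qx5w, add it to the first line of the new entry so this fix is tracked the same way as the earlier one.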

@ -20,7 +20,7 @@
Name: rage-encryption
# This will be set by osc services, that will run after this.
Version: 0.10.0+0
Version: 0.11.1+0
Release: 0
Summary: X25519-based, simple, modern, and secure file encryption tool
# If you know the license, put it's SPDX string here.

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:01bbc54ef2aff3935b8ef8c0462be718bceefa4e1076aa47ea43aff0b3b0bcbb
size 28370756
oid sha256:3434e8d3ecef00bac49d9e1b5ac35150ee0aae65fb35071c988195c4139fb76d
size 28376778
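
Review bot: this pointer moves to a new oid and size (28370756 to 28376778 bytes), but none of the new changelog entries mention regenerating it. Assuming this is the vendored crates archive, record the refresh in the 0.11.1 entry and confirm the regenerated bundle still carries the shlex version that resolved bsc#1229959, for example by running cargo audit against the lock file it was built from.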