Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rekor for openSUSE:Factory checked in at 2026-01-30 18:31:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rekor (Old) and /work/SRC/openSUSE:Factory/.rekor.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rekor" Fri Jan 30 18:31:23 2026 rev:31 rq:1330066 version:1.5.0 Changes: -------- --- /work/SRC/openSUSE:Factory/rekor/rekor.changes 2025-11-17 12:25:46.559836280 +0100 +++ /work/SRC/openSUSE:Factory/.rekor.new.1995/rekor.changes 2026-01-30 18:34:34.464473858 +0100 
@@ -1,0 +2,75 @@ +Thu Jan 22 06:00:54 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.5.0: + This release fixes the following security issues: + + - GHSA-4c4x-jm2x-pf9j / CVE-2026-24117 / bsc#1257135: Fixed Server-Side Request Forgery (SSRF) via provided public key URL + - GHSA-273p-m2cw-6833 / CVE-2026-23831 / bsc#1257132: Fixed lack of input validation thatg can cause a thread crash + - GHSA-j5w8-q4qc-rx2x / CVE-2025-58181 / bsc#1253817: Fixed golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption + + Note that this drops support for fetching public keys via URL + when querying the search API. + * Vulnerability Fixes + - Handle malformed COSE and DSSE entries (#2729) + - Drop support for fetching public keys by URL in the search + index (#2731) + * Features + - Add support for a custom TLS config for clients (#2709) + * Dependencies + - build(deps): Bump github.com/redis/go-redis/v9 from 9.14.1 to + 9.17.2 (#2706) + - build(deps): Bump google.golang.org/api from 0.256.0 to + 0.259.0 (#2723) + - build(deps): Bump golang.org/x/net from 0.47.0 to 0.48.0 + (#2722) + - build(deps): Bump github.com/sigstore/sigstore from 1.9.5 to + 1.10.3 (#2724) + - build(deps): Bump the all group across 1 directory with 3 + updates (#2727) + - build(deps): Bump the all group with 2 updates (#2728) + - build(deps): Bump google.com/cloudsdktool/google-cloud-cli + (#2726) + - build(deps): Bump google.com/cloudsdktool/google-cloud-cli + (#2720) + - build(deps): Bump + github.com/sigstore/sigstore/pkg/signature/kms/azure (#2716) + - build(deps): Bump golang.org/x/sync from 0.18.0 to 0.19.0 + (#2715) + - build(deps): Bump actions/upload-artifact from 5.0.0 to 6.0.0 + (#2714) + - build(deps): Bump + github.com/sigstore/sigstore/pkg/signature/kms/hashivault + (#2717) + - build(deps): Bump + github.com/sigstore/sigstore/pkg/signature/kms/aws (#2718) + - build(deps): Bump sigstore/scaffolding/trillian_log_signer + (#2713) + - 
build(deps): Bump sigstore/scaffolding/trillian_log_server + (#2712) + - build(deps): Bump google.com/cloudsdktool/google-cloud-cli + (#2711) + - build(deps): Bump the all group across 1 directory with 4 + updates (#2707) + - build(deps): Bump golang from 1.25.4 to 1.25.5 in the all + group (#2703) + - build(deps): Bump the all group across 1 directory with 4 + updates (#2708) + - build(deps): Bump google.com/cloudsdktool/google-cloud-cli + - build(deps): Bump golang from `e68f6a0` to `6981837` + - build(deps): Bump sigstore/scaffolding/trillian_log_signer + - build(deps): Bump sigstore/scaffolding/trillian_log_server + - build(deps): Bump google.golang.org/api from 0.254.0 to + 0.256.0 + - build(deps): Bump the all group with 2 updates + - build(deps): Bump github/codeql-action in the all group + - build(deps): Bump the all group with 3 updates (#2692) + - build(deps): Bump the all group with 2 updates + - build(deps): Bump golangci/golangci-lint-action from 8.0.0 to + 9.1.0 + - build(deps): Bump actions/checkout from 5.0.0 to 6.0.0 + - build(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0 + - build(deps): Bump golang.org/x/crypto in /hack/tools + - build(deps): Bump golang from `6ca9eb0` to `e68f6a0` + - build(deps): Bump google.com/cloudsdktool/google-cloud-cli + +------------------------------------------------------------------- Old: ---- rekor-1.4.3.obscpio New: ---- rekor-1.5.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rekor.spec ++++++ --- /var/tmp/diff_new_pack.3lgPcr/_old 2026-01-30 18:34:36.432556373 +0100 +++ /var/tmp/diff_new_pack.3lgPcr/_new 2026-01-30 18:34:36.444556877 +0100 
@@ -1,7 +1,7 @@ # # spec file for package rekor # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define apps cli server Name: rekor -Version: 1.4.3 +Version: 1.5.0 Release: 0 Summary: Supply Chain Transparency Log License: Apache-2.0 @@ -27,9 +27,9 @@ Source: %{name}-%{version}.tar.gz Source1: vendor.tar.zst Source2: rekor-zypper-verify.sh -BuildRequires: go >= 1.23.6 BuildRequires: golang-packaging BuildRequires: zstd +BuildRequires: golang(API) >= 1.25 %description Rekor's goals are to provide an immutable tamper resistant ledger of metadata ++++++ _service ++++++ --- /var/tmp/diff_new_pack.3lgPcr/_old 2026-01-30 18:34:36.740569288 +0100 +++ /var/tmp/diff_new_pack.3lgPcr/_new 2026-01-30 18:34:36.780570965 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/sigstore/rekor</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.4.3</param> + <param name="revision">v1.5.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.3lgPcr/_old 2026-01-30 18:34:37.004580356 +0100 +++ /var/tmp/diff_new_pack.3lgPcr/_new 2026-01-30 18:34:37.052582369 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sigstore/rekor</param> - <param name="changesrevision">cb5b1d5f364a8437e1c6c857b200283e2dcc2b29</param></service></servicedata> + <param name="changesrevision">fe9717fd6ee4cfecedc30e5fd64c9872bc2ac61c</param></service></servicedata> (No newline at EOF) ++++++ rekor-1.4.3.obscpio -> rekor-1.5.0.obscpio ++++++ ++++ 1687 lines of diff (skipped) ++++++ rekor.obsinfo ++++++ --- /var/tmp/diff_new_pack.3lgPcr/_old 2026-01-30 18:34:39.572688029 +0100 +++ /var/tmp/diff_new_pack.3lgPcr/_new 2026-01-30 18:34:39.604689370 +0100 @@ -1,5 +1,5 @@ name: rekor -version: 1.4.3 -mtime: 1763153780 -commit: cb5b1d5f364a8437e1c6c857b200283e2dcc2b29 +version: 1.5.0 +mtime: 1769044642 +commit: fe9717fd6ee4cfecedc30e5fd64c9872bc2ac61c ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/rekor/vendor.tar.zst /work/SRC/openSUSE:Factory/.rekor.new.1995/vendor.tar.zst differ: char 5, line 1
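Review bot: typo in the rekor.changes hunk, in the CVE-2026-23831 bullet: "lack of input validation thatg can cause a thread crash" should read "that can cause". Since this entry is what lands in the package changelog shown to users, it is also worth keeping the "drops support for fetching public keys via URL when querying the search API" sentence next to the CVE-2026-24117 line rather than after the list, so readers of the changelog see the behaviour change together with the SSRF fix that caused it.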
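Review bot: ordering in the rekor.spec hunk at @@ -27,9 +27,9 @@: the new `BuildRequires: golang(API) >= 1.25` is appended after `BuildRequires: zstd`, while the line it replaces (`BuildRequires: go >= 1.23.6`) sat at the top of the block, so the BuildRequires list is no longer grouped; put the new line where the old one was. The 1.25 floor itself is consistent with the changes entry, which records upstream bumping golang from 1.25.4 to 1.25.5.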
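Review bot: the vendor.tar.zst change is only reported as "differ: char 5, line 1", so nothing on this page shows that the vendored tree actually carries the golang.org/x/crypto 0.45.0 listed in the changes entry, which is the module the bsc#1253817 / CVE-2025-58181 fix depends on. Before accepting, check the vendored module version (for example the golang.org/x/crypto line in vendor/modules.txt inside the new tarball) against the 0.45.0 stated in the changelog. The version and commit bookkeeping is consistent across the other files: `_service` revision v1.5.0, `_servicedata` changesrevision fe9717fd6ee4cfecedc30e5fd64c9872bc2ac61c and rekor.obsinfo commit/version all agree.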
