Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package vexctl for openSUSE:Factory checked in at 2026-02-19 14:21:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/vexctl (Old)
 and      /work/SRC/openSUSE:Factory/.vexctl.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "vexctl"

Thu Feb 19 14:21:33 2026 rev:7 rq:1333820 version:0.4.1+git78.f951e3a

Changes:
--------
--- /work/SRC/openSUSE:Factory/vexctl/vexctl.changes 2026-02-16 13:18:10.836217217 +0100
+++ /work/SRC/openSUSE:Factory/.vexctl.new.1977/vexctl.changes 2026-02-19 14:22:06.775566543 +0100
@@ -1,0 +2,52 @@ +Wed Feb 18 15:57:58 UTC 2026 - Jeff Kowalczyk <[email protected]> + +- Update to version 0.4.1+git78.f951e3a: + * Bump chainguard-dev/actions from 1.6.1 to 1.6.2 in the all group +- Security vulnerability advisements: Go code or dependencies cited + in CVE reports are addressed or closed in this or previous + releases. Eventually vexctl will be used to provide structured + data documents with these use-specific advisements in a + standardized computer readable format. + * Fix bsc#1239186 CVE-2025-22868: vexctl: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 + - govulncheck reports current version not affected by this CVE + - golang.org/x/oauth2/jws is not used in current version + * Fix bsc#1234486 CVE-2024-45337: vexctl: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto + - govulncheck reports current version not affected by this CVE + - golang.org/x/crypto/ssh is not used in current version + * Fix bsc#1237611 CVE-2025-27144: vexctl: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service + - govulncheck reports current version not affected by this CVE + - github.com/go-jose/go-jose/v4 v4.1.3 + * Fix bsc#1238683 CVE-2025-22870: vexctl: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs + - govulncheck reports current version not affected by this CVE + - golang.org/x/net/proxy is not used in current version + * Fix bsc#1239323 CVE-2025-22869: vexctl: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh + - govulncheck reports current version not affected by this CVE + - golang.org/x/crypto/ssh is not used in current version + * Fix bsc#1240444 CVE-2025-30204: vexctl: github.com/golang-jwt/jwt/v4: jwt-go allows excessive memory allocation during header parsing + - govulncheck reports current version not affected by this CVE + - 
github.com/golang-jwt/jwt/v4 v4.5.2 + * Fix bsc#1253802 CVE-2025-58181: vexctl: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption + - govulncheck reports current version not affected by this CVE + - golang.org/x/crypto/ssh is not used in current version + * Fix bsc#1256535 CVE-2026-22772: vexctl: github.com/sigstore/fulcio: bypass MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services + - govulncheck reports current version not affected by this CVE + - github.com/sigstore/fulcio v1.8.5 + * Fix bsc#1257138 CVE-2026-24137: vexctl: github.com/sigstore/sigstore/pkg/tuf: legacy TUF client allows for arbitrary file writes with target cache path traversal + - govulncheck incorrectly reports current version affected by this CVE + - github.com/theupdateframework/go-tuf v0.7.0 + - Upstream github.com/sigstore/sigstore provides negative + security advisory: go-tuf v0.7.0 is not affected by the + vulnerability. I've discussed this with the go-tuf + maintainers and they'll be updated the GHSA. We will not be + updating this Sigstore TUF client to go-tuf v2 as we have + already rewritten the client. Use + https://pkg.go.dev/github.com/sigstore/sigstore-go/pkg/tuf + instead, which is based on go-tuf v2. Link: + https://github.com/sigstore/sigstore/issues/1857#issuecomment-2407159536 + - NB: This negative security advisory is exactly the use case + for vexctl and openVEX documents. Wide adoption across the Go + ecosystem is pending waiting for updated purl (Package URL) + specification for precise spelling of Go module versions. 
+ https://github.com/package-url/purl-spec/pull/338 + +------------------------------------------------------------------- Old: ---- vexctl-0.4.1+git76.10d7a2e.tar.gz New: ---- vexctl-0.4.1+git78.f951e3a.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vexctl.spec ++++++ --- /var/tmp/diff_new_pack.EA6lLE/_old 2026-02-19 14:22:07.795608912 +0100 +++ /var/tmp/diff_new_pack.EA6lLE/_new 2026-02-19 14:22:07.795608912 +0100 @@ -17,7 +17,7 @@ Name: vexctl -Version: 0.4.1+git76.10d7a2e +Version: 0.4.1+git78.f951e3a Release: 0 Summary: CLI tool to create, transform and attest VEX metadata License: Apache-2.0 ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.EA6lLE/_old 2026-02-19 14:22:07.847611072 +0100 +++ /var/tmp/diff_new_pack.EA6lLE/_new 2026-02-19 14:22:07.851611238 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openvex/vexctl.git</param> - <param name="changesrevision">10d7a2ef85e66b87f6cf62e67fd18aaab1f4909f</param></service></servicedata> + <param name="changesrevision">f951e3ab2e2def090d0ece75e819a383825d52b3</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/vexctl/vendor.tar.gz /work/SRC/openSUSE:Factory/.vexctl.new.1977/vendor.tar.gz differ: char 117, line 1 ++++++ vexctl-0.4.1+git76.10d7a2e.tar.gz -> vexctl-0.4.1+git78.f951e3a.tar.gz ++++++ /work/SRC/openSUSE:Factory/vexctl/vexctl-0.4.1+git76.10d7a2e.tar.gz /work/SRC/openSUSE:Factory/.vexctl.new.1977/vexctl-0.4.1+git78.f951e3a.tar.gz differ: char 12, line 1
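Review bot: the entries prefixed "Fix bsc#... CVE-..." in the vexctl.changes hunk describe CVEs that, by their own sub-bullets, do not affect this version (govulncheck reports not affected, the module is not used, or the vendored module is already at a fixed version such as go-jose/v4 v4.1.3 and jwt/v4 v4.5.2), so "Fix" overstates what changed; wording them as "not affected" would keep the changelog from implying a code change. In the same hunk the CVE-2026-22772 title reads "bypass MetaIssuer URL validation bypass", a duplicated word to drop. The CVE-2026-24137 entry is the one case where govulncheck and upstream disagree; the linked sigstore issue comment stating that go-tuf v0.7.0 is not affected is the only evidence given, so that link is the justification to carry forward if, as the NB suggests, this is later expressed as a VEX statement for the package.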
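Review bot: the vexctl.spec hunk only bumps Version from 0.4.1+git76.10d7a2e to 0.4.1+git78.f951e3a, which matches the Old/New tarball names and is all the spec needs. Since the only upstream change the changelog lists is a chainguard-dev/actions bump (a GitHub Actions dependency, not a Go module), the reported difference in vendor.tar.gz at char 117 is expected to be regenerated archive metadata rather than a module change; worth confirming before accepting, because a changed vendored module with no changelog entry would leave the CVE statements above unverified.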
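Review bot: the changesrevision in the _servicedata hunk moves to f951e3ab2e2def090d0ece75e819a383825d52b3, whose prefix agrees with the f951e3a in the new Version, so the service data is consistent with the spec. The file still ends without a trailing newline ("No newline at EOF" in the diff), a minor style point for a future touch.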
