Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openbao for openSUSE:Factory checked in at 2026-04-21 12:44:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openbao (Old)
 and /work/SRC/openSUSE:Factory/.openbao.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openbao" Tue Apr 21 12:44:30 2026 rev:19 rq:1348362 version:2.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/openbao/openbao.changes 2026-03-27 06:46:02.249385793 +0100 +++ /work/SRC/openSUSE:Factory/.openbao.new.11940/openbao.changes 2026-04-21 12:47:22.028761985 +0200 
@@ -1,0 +2,64 @@ +Tue Apr 21 05:54:21 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 2.5.3: + * SECURITY + - auth/cert: Prevent token renewal with different-but-valid + certificate. GHSA-7ccv-rp6m-rffr / CVE-2026-39388. [GH-2932] + - auth/token: Prevent cross-namespace token renewal, revocation + by accessor. GHSA-p49j-v9wc-wg57 / CVE-2026-40264. [GH-2934] + - core: Disallow sys/generate-root/* by default due to + unauthenticated cancellation; use + disable_unauthed_generate_root_endpoints=false to temporarily + re-enable. Upstream HCSEC-2026-08 / CVE-2026-5807. [GH-2912] + - core: Forbid request path traversal using . and .. segments + by default. If required, set the unsafe_relative_paths. + Upstream HCSEC-2026-05 / CVE-2026-3605. [GH-2910] + - core/plugins: Validate and restrict downloaded plugin binary + size from OCI images; set plugin_download_max_size to limit + the size (defaults to 512MB). GHSA-r65v-xgwc-g56j / + CVE-2026-39396. [GH-2941] + - core/namespaces: Ensure lease revocation on namespace + re-deletion. GHSA-vv66-6rp4-wr4f. [GH-2935] + - database/postgresql: Correctly quote schema name in revoke + statement. GHSA-6vgr-cp5c-ffx3 / CVE-2026-39946. [GH-2931] + * BUG FIXES + - command/server: Refuse repeated startup if + self-initialization failed on initial run. [GH-2908] + - core: Fix namespace invalidation on standby when + disable_cache=true is set. [GH-2822] + - core: Loosen overly strict check for view path check, + strictly forbidding .. as a substring within path segments. 
+ [GH-2910] + - secret/database, secret/openldap, secret/rabbitmq: Fix + dynamic secret requests failing with an "Internal Server + Error" on standby nodes [GH-2853] + * What's Changed + - Add note for direct install using the Arch Linux package + manager (#2718 by @hashworks) backported by @hashworks in + #2719 + - fix: some dynamic secret engines did not forward the request + to the primary (#2853 by @phil9909 ) backported by @phil9909 + in #2855 + - Fix namespace invalidation without caching (#2822 by + @cipherboy) backported by @phil9909 in #2856 + - Make self-init failures fatal (#2908 by @satoqz & #2195 + @KrzysztofKornalewski-Reply) backported by @satoqz in #2924 + - v2.5.3 dependency bumps by @satoqz in #2907 + - Forbid path traversal by default (#2910 @cipherboy) + backported by @satoqz in #2929 + - Check certificate match during renewal (#2932 by @cipherboy) + backported by @satoqz in #2937 + - Correctly quote schema name in PostgreSQL revoke (#2931 by + @cipherboy) backported by @satoqz in #2938 + - Prevent cross-namespace token accessor use (#2934 by + @cipherboy) backported by @satoqz in #2939 + - Additional v2.5.3 dependency bumps by @satoqz in #2930 + - Ensure lease revocation on namespace re-deletion (#2935 by + @cipherboy) backported by @satoqz in #2943 + - Validate downloaded plugin binary size (#2941 by @JanMa) + backported by @satoqz in #2944 + - Forbid generate-root by default (#2912 by @cipherboy) + backported by @cipherboy in #2945 + - Add release notes for v2.5.3 by @satoqz in #2946 + +------------------------------------------------------------------- Old: ---- openbao-2.5.2.obscpio ui-2.5.2.tar.gz New: ---- openbao-2.5.3.obscpio ui-2.5.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openbao.spec ++++++ --- /var/tmp/diff_new_pack.uMXEfK/_old 2026-04-21 12:47:30.941131679 +0200 +++ /var/tmp/diff_new_pack.uMXEfK/_new 2026-04-21 12:47:30.945131845 +0200 
@@ -23,7 +23,7 @@ %define short_executable_name bao Name: openbao -Version: 2.5.2 +Version: 2.5.3 Release: 0 Summary: Manage, store, and distribute sensitive data License: MPL-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.uMXEfK/_old 2026-04-21 12:47:31.025135163 +0200 +++ /var/tmp/diff_new_pack.uMXEfK/_new 2026-04-21 12:47:31.033135495 +0200 @@ -2,7 +2,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/openbao/openbao</param> <param name="scm">git</param> - <param name="revision">v2.5.2</param> + <param name="revision">v2.5.3</param> <param name="package-meta">yes</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.uMXEfK/_old 2026-04-21 12:47:31.061136656 +0200 +++ /var/tmp/diff_new_pack.uMXEfK/_new 2026-04-21 12:47:31.069136988 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openbao/openbao</param> - <param name="changesrevision">932fcf892eba8d646a9bfc58a59ea3b2475b17fa</param></service></servicedata> + <param name="changesrevision">988c88d7ef54b4d4581629b229488dfba5e085ba</param></service></servicedata> (No newline at EOF) ++++++ openbao-2.5.2.obscpio -> openbao-2.5.3.obscpio ++++++ /work/SRC/openSUSE:Factory/openbao/openbao-2.5.2.obscpio /work/SRC/openSUSE:Factory/.openbao.new.11940/openbao-2.5.3.obscpio differ: char 49, line 1 ++++++ openbao.obsinfo ++++++ --- /var/tmp/diff_new_pack.uMXEfK/_old 2026-04-21 12:47:31.161140805 +0200 +++ /var/tmp/diff_new_pack.uMXEfK/_new 2026-04-21 12:47:31.169141137 +0200 
@@ -1,5 +1,5 @@ name: openbao -version: 2.5.2 -mtime: 1774454556 -commit: 932fcf892eba8d646a9bfc58a59ea3b2475b17fa +version: 2.5.3 +mtime: 1776712412 +commit: 988c88d7ef54b4d4581629b229488dfba5e085ba ++++++ ui-2.5.2.tar.gz -> ui-2.5.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/openbao/ui-2.5.2.tar.gz /work/SRC/openSUSE:Factory/.openbao.new.11940/ui-2.5.3.tar.gz differ: char 14, line 1 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/openbao/vendor.tar.gz /work/SRC/openSUSE:Factory/.openbao.new.11940/vendor.tar.gz differ: char 13, line 1
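Review bot: In the openbao.changes hunk, the SECURITY entry for CVE-2026-3605 ends with "If required, set the unsafe_relative_paths." and never says what kind of setting this is or which value restores the previous behaviour, unlike the generate-root entry above it, which spells out disable_unauthed_generate_root_endpoints=false. Please complete the sentence so that operators who rely on relative path segments know what to change after the update. The BUG FIXES line for the same GH-2910 ("Loosen overly strict check for view path check, strictly forbidding .. as a substring within path segments") is also ambiguous: it does not say whether forbidding .. as a substring is the old behaviour being loosened or the new rule. GHSA-vv66-6rp4-wr4f is the only security item without a CVE id; if none was assigned, say so, so it is not read as an omission.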
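Review bot: The _service hunk pins revision to the tag v2.5.3, which is a movable ref; the only immutable identifier in this submission is the commit 988c88d7ef54b4d4581629b229488dfba5e085ba recorded in _servicedata and openbao.obsinfo. The two recorded hashes agree with each other, but nothing in the diff ties that commit to the upstream tag. Since the service is declared with mode="manual" and the archive is therefore produced outside the build service, confirm that v2.5.3 in https://github.com/openbao/openbao resolves to this commit before accepting.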
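Review bot: openbao-2.5.3.obscpio, ui-2.5.3.tar.gz and vendor.tar.gz appear only as "differ: char N, line 1", so none of the vendored dependency or UI content can be reviewed from this mail, while the changelog lists two rounds of dependency bumps (#2907 and #2930). vendor.tar.gz also keeps the same file name across versions, so the diff gives no indication of which source revision it was generated from. Please regenerate the vendor archive from the recorded commit and compare it with the submitted one, and note in the request how ui-2.5.3.tar.gz was produced, since the visible part of _service only covers the obs_scm checkout.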
