Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package woodpecker for openSUSE:Factory checked in at 2026-05-12 19:29:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/woodpecker (Old) and /work/SRC/openSUSE:Factory/.woodpecker.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "woodpecker" Tue May 12 19:29:57 2026 rev:25 rq:1352735 version:3.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/woodpecker/woodpecker.changes 2026-05-04 12:53:51.286313385 +0200 +++ /work/SRC/openSUSE:Factory/.woodpecker.new.1966/woodpecker.changes 2026-05-12 19:31:55.736166768 +0200 @@ -1,0 +2,8 @@ +Tue May 12 11:32:57 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 3.14.1: + * Security + - Server: make sure agent_id can not be spoofed by agent + [#6567] + +------------------------------------------------------------------- Old: ---- web-3.14.0.tar.gz woodpecker-3.14.0.obscpio New: ---- web-3.14.1.tar.gz woodpecker-3.14.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ woodpecker.spec ++++++ --- /var/tmp/diff_new_pack.mkV9kk/_old 2026-05-12 19:31:56.864213475 +0200 +++ /var/tmp/diff_new_pack.mkV9kk/_new 2026-05-12 19:31:56.868213640 +0200 @@ -26,7 +26,7 @@ %define server_executable_name woodpecker-server Name: woodpecker -Version: 3.14.0 +Version: 3.14.1 Release: 0 Summary: Simple yet powerful CI/CD engine with great extensibility License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.mkV9kk/_old 2026-05-12 19:31:56.932216290 +0200 +++ /var/tmp/diff_new_pack.mkV9kk/_new 2026-05-12 19:31:56.936216456 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/woodpecker-ci/woodpecker</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v3.14.0</param> + <param name="revision">v3.14.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.mkV9kk/_old 2026-05-12 19:31:56.960217450 +0200 +++ /var/tmp/diff_new_pack.mkV9kk/_new 2026-05-12 19:31:56.964217615 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/woodpecker-ci/woodpecker</param> - <param name="changesrevision">af313aad3479a2c111584f289c47746e5023b3b5</param></service></servicedata> + <param name="changesrevision">48e1ece20057e59de4e8e3fe25fc1f3a41e8a020</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/woodpecker/vendor.tar.gz /work/SRC/openSUSE:Factory/.woodpecker.new.1966/vendor.tar.gz differ: char 13, line 1 ++++++ web-3.14.0.tar.gz -> web-3.14.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/woodpecker/web-3.14.0.tar.gz /work/SRC/openSUSE:Factory/.woodpecker.new.1966/web-3.14.1.tar.gz differ: char 30, line 1 ++++++ woodpecker-3.14.0.obscpio -> woodpecker-3.14.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/woodpecker-3.14.0/CHANGELOG.md new/woodpecker-3.14.1/CHANGELOG.md --- old/woodpecker-3.14.0/CHANGELOG.md 2026-05-01 11:24:44.000000000 +0200 +++ new/woodpecker-3.14.1/CHANGELOG.md 2026-05-12 13:07:45.000000000 +0200 
@@ -1,5 +1,17 @@ # Changelog +## [3.14.1](https://github.com/woodpecker-ci/woodpecker/releases/tag/v3.14.1) - 2026-05-12 + +### ❤️ Special thanks the security researchers and those who fixed them ❤️ + +- Thanks to **Shivam Kumar ([@shivamkumarcyber](https://github.com/shivamkumarcyber))** and + **Ranganatha Rao Sridhar (Praetorian)** _independently finding and reporting the bug_ +- And [@6543](https://github.com/6543) _fixing the bugs and orchestrating the communication_ + +### 🔒 Security + +- Server: make sure agent_id can not be spoofed by agent [[#6567](https://github.com/woodpecker-ci/woodpecker/pull/6567)] + ## [3.14.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v3.14.0) - 2026-05-01 ### ❤️ Thanks to all contributors! ❤️ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/woodpecker-3.14.0/docs/package.json new/woodpecker-3.14.1/docs/package.json --- old/woodpecker-3.14.0/docs/package.json 2026-05-01 11:24:44.000000000 +0200 +++ new/woodpecker-3.14.1/docs/package.json 2026-05-12 13:07:45.000000000 +0200 @@ -2,6 +2,7 @@ "name": "woodpecker", "version": "0.0.0", "private": true, + "packageManager": "[email protected]", "scripts": { "start": "cd ../ && make generate-docs && cd docs && docusaurus start", "build": "pnpm build:woodpecker-plugins && docusaurus build", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/woodpecker-3.14.0/flake.lock new/woodpecker-3.14.1/flake.lock --- old/woodpecker-3.14.0/flake.lock 2026-05-01 11:24:44.000000000 +0200 +++ new/woodpecker-3.14.1/flake.lock 2026-05-12 13:07:45.000000000 +0200 
@@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1775662680, - "narHash": "sha256-N6F+lC0JNTcj9qP6hneP28xkM62C2ld4kexRv9VuTsg=", + "lastModified": 1778351894, + "narHash": "sha256-7r2iJchc8Ujmld6pd3nQFXE504Ur1apvZaZBdoA/YD4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "81df7a1e2eefe78b4727c8f3d66293300bf193d1", + "rev": "2e8afb433747d87eba54496f93f90f41ee1adeab", "type": "github" }, "original": { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/woodpecker-3.14.0/server/rpc/authorizer.go new/woodpecker-3.14.1/server/rpc/authorizer.go --- old/woodpecker-3.14.0/server/rpc/authorizer.go 2026-05-01 11:24:44.000000000 +0200 +++ new/woodpecker-3.14.1/server/rpc/authorizer.go 2026-05-12 13:07:45.000000000 +0200 @@ -140,7 +140,7 @@ return ctx, status.Errorf(codes.Unauthenticated, "access token is invalid: %v", err) } - md.Append("agent_id", fmt.Sprintf("%d", claims.AgentID)) + md.Set("agent_id", fmt.Sprintf("%d", claims.AgentID)) return metadata.NewIncomingContext(ctx, md), nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/woodpecker-3.14.0/web/package.json new/woodpecker-3.14.1/web/package.json --- old/woodpecker-3.14.0/web/package.json 2026-05-01 11:24:44.000000000 +0200 +++ new/woodpecker-3.14.1/web/package.json 2026-05-12 13:07:45.000000000 +0200 @@ -3,6 +3,7 @@ "author": "Woodpecker CI", "version": "0.0.0", "license": "Apache-2.0", + "packageManager": "[email protected]", "type": "module", "engines": { "node": ">=20" ++++++ woodpecker.obsinfo ++++++ --- /var/tmp/diff_new_pack.mkV9kk/_old 2026-05-12 19:31:59.740332559 +0200 +++ /var/tmp/diff_new_pack.mkV9kk/_new 2026-05-12 19:31:59.756333221 +0200 @@ -1,5 +1,5 @@ name: woodpecker -version: 3.14.0 -mtime: 1777627484 -commit: af313aad3479a2c111584f289c47746e5023b3b5 +version: 3.14.1 +mtime: 1778584065 +commit: 48e1ece20057e59de4e8e3fe25fc1f3a41e8a020
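Review bot: The `md.Set("agent_id", ...)` line in server/rpc/authorizer.go carries the whole security fix, yet nothing at the call site says why `Set` is required, so a later cleanup could change it back to `Append` unnoticed; add a comment above it such as `// Set, not Append: discard any agent_id supplied by the client so only the value from the verified token claims remains.` With `Append`, a value already present in the incoming metadata stays in the slice next to the token-derived one, and a consumer that reads the first entry would presumably trust the client's value. No test change is visible in this diff, so it is worth adding a regression test that passes incoming metadata with a pre-populated `agent_id` and asserts the returned context holds exactly one value, equal to `claims.AgentID`. The enclosing function begins outside the hunk, so whether other identity-bearing metadata keys are handled the same way cannot be checked from here.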
