Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package git-bug for openSUSE:Factory checked in at 2026-06-03 20:27:47

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/git-bug (Old)
 and      /work/SRC/openSUSE:Factory/.git-bug.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "git-bug"

Wed Jun 3 20:27:47 2026 rev:15 rq:1356943 version:0.10.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/git-bug/git-bug.changes	2026-05-18 17:48:20.537109713 +0200
+++ /work/SRC/openSUSE:Factory/.git-bug.new.1937/git-bug.changes	2026-06-03 20:29:59.812055367 +0200
@@ -1,0 +2,94 @@ +Mon Jun 1 06:55:42 UTC 2026 - Matej Cepl <[email protected]> + +- CVE-2026-39827: An authenticated SSH client that repeatedly + opened channels which were rejected by the server caused + unbounded memory growth, eventually crashing the server process + and affecting all connected users. Rejected channels are now + properly removed from the connection's internal state and + released for garbage collection. (bsc#1266174, GO-2026-5016) +- CVE-2026-39834: When writing data larger than 4GB in a single + Write call on an SSH channel, an integer overflow in the + internal payload size calculation caused the write loop to spin + indefinitely, sending empty packets without making progress. + The size comparison now uses int64 to prevent truncation. + (bsc#1266174, GO-2026-5020) +- CVE-2026-39828: When an SSH server authentication callback + returned PartialSuccessError with non-nil Permissions, those + permissions were silently discarded, potentially dropping + certificate restrictions such as force-command after a second + factor succeeded. Returning non-nil Permissions with + PartialSuccessError now results in a connection error. + (bsc#1266174, GO-2026-5014) +- CVE-2026-39829: The RSA and DSA public key parsers did not + enforce size limits on key parameters. A crafted public key + with an excessively large modulus or DSA parameter could cause + several minutes of CPU consumption during signature + verification. This could be triggered by unauthenticated + clients during public key authentication. RSA moduli are now + limited to 8192 bits, and DSA parameters are validated per FIPS + 186-2. (bsc#1266174, GO-2026-5018) +- CVE-2026-39831: The Verify() method for FIDO/U2F security key + types ([email protected], + [email protected]) did not check the User Presence + flag. Signatures generated without physical touch were + accepted, allowing unattended use of a hardware security key. 
+ To restore the previous behavior, return a "no-touch-required" + extension in Permissions.Extensions from PublicKeyCallback. + (bsc#1266174, GO-2026-5019) +- CVE-2026-42508: Previously, a revoked 'SignatureKey' belonging + to a CA was not correctly checked for revocation. Now, both the + 'key' and 'key.SignatureKey' are checked for @revoked. + (bsc#1266174, GO-2026-5021) +- CVE-2026-39833: The in-memory keyring returned by NewKeyring() + silently accepted keys with the ConfirmBeforeUse constraint but + never enforced it. The key would sign without any confirmation + prompt, with no indication to the caller that the constraint + was not in effect. NewKeyring() now returns an error when + unsupported constraints are requested. (bsc#1266174, + GO-2026-5005) +- CVE-2026-39830: A malicious SSH peer could send unsolicited + global request responses to fill an internal buffer, blocking + the connection's read loop. The blocked goroutine could not be + released by calling Close(), resulting in a resource leak per + connection. Unsolicited global responses are now discarded. + (bsc#1266174, GO-2026-5017) +- CVE-2026-39832: When adding a key to a remote agent constraint + extensions such as [email protected] were + not serialized in the request. Destination restrictions were + silently stripped when forwarding keys, allowing unrestricted + use of the key on the remote host. The client now serializes + all constraint extensions. Additionally, the in-memory keyring + returned by NewKeyring() now rejects keys with unsupported + constraint extensions instead of silently ignoring them. + (bsc#1266174, GO-2026-5006) +- CVE-2026-46597: An incorrectly placed cast from bytes to int + allowed for server-side panic in the AES-GCM packet decoder for + well-crafted inputs. (bsc#1266174, GO-2026-5013) +- CVE-2026-46598: For certain crafted inputs, + a 'ed25519.PrivateKey' was created by casting malformed wire + bytes, leading to a panic when used. 
(bsc#1266174, + GO-2026-5033) +- CVE-2026-46595: Previously, CVE-2024-45337 fixed an + authorization bypass for misused ssh server configurations; if + any other type of callback is passed other than public key, + then the source-address validation would be skipped. + (bsc#1266174, GO-2026-5023) +- CVE-2026-39835: SSH servers which use CertChecker as a public + key callback without setting IsUserAuthority or IsHostAuthority + could be caused to panic by a client presenting a certificate. + CertChecker now returns an error instead of panicking when + these callbacks are nil. (bsc#1266174, GO-2026-5015) +- CVE-2026-25680: Parsing arbitrary HTML can consume excessive + CPU time, possibly leading to denial of service. (bsc#1267196, + GO-2026-5028). +- CVE-2026-25681, CVE-2026-27136, CVE-2026-42502, CVE-2026-42506: + Parsing arbitrary HTML which is then rendered using Render can + result in an unexpected HTML tree. This can be leveraged to + execute XSS attacks in applications that attempt to sanitize + input HTML before rendering. (bsc#1267157, GO-2026-5029, + GO-2026-5030, GO-2026-5027, GO-2026-5025) +- Revendoring to golang.org/x/[email protected], +golang.org/x/crypto/ssh/[email protected], and +golang.org/x/[email protected] + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git-bug.spec ++++++ --- /var/tmp/diff_new_pack.KQw5gO/_old 2026-06-03 20:30:01.468123951 +0200 +++ /var/tmp/diff_new_pack.KQw5gO/_new 2026-06-03 20:30:01.472124116 +0200 @@ -34,7 +34,7 @@ # Patch0: 501-export.patch BuildRequires: golang-packaging BuildRequires: git -BuildRequires: golang(API) = 1.22 +BuildRequires: golang(API) >= 1.25 %description git-bug is a bug tracker that: ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.KQw5gO/_old 2026-06-03 20:30:01.508125607 +0200 +++ /var/tmp/diff_new_pack.KQw5gO/_new 2026-06-03 20:30:01.512125772 +0200 
@@ -1,5 +1,5 @@ -mtime: 1779102077 -commit: 6f40820460982b8bfb6d158b026abdef5db71b0f200472aa6889c72cddd3795e +mtime: 1780323133 +commit: 6f9b8ed6b3957a0b5f3ad2a3d364f0830623a923cc987631ca0265f3b29bd535 url: https://src.opensuse.org/mcepl/git-bug revision: factory ++++++ _service ++++++ --- /var/tmp/diff_new_pack.KQw5gO/_old 2026-06-03 20:30:01.540126932 +0200 +++ /var/tmp/diff_new_pack.KQw5gO/_new 2026-06-03 20:30:01.548127264 +0200 @@ -14,12 +14,13 @@ </service> <service name="set_version" mode="manual"/ --> <service name="go_modules" mode="manual"> - <param name="replace">golang.org/x/crypto=golang.org/x/[email protected]</param> + <param name="replace">golang.org/x/crypto=golang.org/x/[email protected]</param> <param name="replace">github.com/go-viper/mapstructure/v2=github.com/go-viper/mapstructure/[email protected]</param> <param name="replace">github.com/cloudflare/circl=github.com/cloudflare/[email protected]</param> <param name="replace">github.com/go-git/go-git/v5=github.com/go-git/go-git/[email protected]</param> - <param name="replace">golang.org/x/crypto/ssh=golang.org/x/crypto/[email protected]</param> - <param name="replace">golang.org/x/crypto/ssh/agent=golang.org/x/crypto/ssh/[email protected]</param> + <param name="replace">golang.org/x/crypto/ssh=golang.org/x/crypto/[email protected]</param> + <param name="replace">golang.org/x/crypto/ssh/agent=golang.org/x/crypto/ssh/[email protected]</param> + <param name="replace">golang.org/x/net=golang.org/x/[email protected]</param> </service> </services> ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-01 16:12:13.000000000 +0200 
@@ -0,0 +1,10 @@ +_build.* +build.specials.obscpio +git-bug/ +*.obscpio +*.osc +.osc +.pbuild +_scmsync.obsinfo +_service:* +git-bug-*-build/ ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/git-bug/vendor.tar.gz /work/SRC/openSUSE:Factory/.git-bug.new.1937/vendor.tar.gz differ: char 21, line 1
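Review bot: in the git-bug.changes hunk, the CVE-2026-46595 entry describes only the pre-existing problem (source-address validation skipped when a callback other than the public-key one is used, after the CVE-2024-45337 fix) and never states what the new version does about it, while every other entry ends with the resolution; suggest adding the one-sentence fix, as the other entries do. Two formatting points in the same hunk: the continuation lines of the closing "Revendoring to ..." bullet (`+golang.org/x/crypto/ssh/[email protected], and` and `+golang.org/x/[email protected]`) lack the two-space indent every other continuation line in the entry uses, and `golang.org/x/crypto/ssh/agent` is a package inside the `golang.org/x/crypto` module rather than a separately versioned module, so listing it with its own version beside `golang.org/x/[email protected]` suggests two pins where there is one.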
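Review bot: the git-bug.spec hunk bumps `BuildRequires: golang(API) = 1.22` to `golang(API) >= 1.25` and at the same time changes a pinned version into an open lower bound, but the changelog entry does not mention either; a build-requirement change like this deserves its own changelog line stating why 1.25 is the floor. If it is the `go` directive of the newly vendored x/crypto or x/net version that forces it, say so, since the diff itself does not show that and the next updater will need to re-check it.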
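Review bot: in the _service hunk, the `replace` parameters for `golang.org/x/crypto/ssh` and `golang.org/x/crypto/ssh/agent` name package paths inside the `golang.org/x/crypto` module, not module paths; `go mod edit -replace` (which the go_modules service drives) operates on module paths, so unless something in the build requires a module with exactly one of those paths, which nothing visible here does, these two lines should be no-ops and the single `golang.org/x/crypto=golang.org/x/[email protected]` line is what actually pins the SSH and agent code. Suggest dropping the two redundant lines or, if they are kept deliberately, adding a comment saying why. The added `golang.org/x/net=golang.org/x/[email protected]` line is consistent with the changelog.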
