Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package velociraptor for openSUSE:Factory 
checked in at 2024-05-30 15:33:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/velociraptor (Old)
 and      /work/SRC/openSUSE:Factory/.velociraptor.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "velociraptor"

Thu May 30 15:33:20 2024 rev:11 rq:1177630 version:unknown

Changes:
--------
--- /work/SRC/openSUSE:Factory/velociraptor/velociraptor.changes        
2024-04-29 09:02:41.149969054 +0200
+++ /work/SRC/openSUSE:Factory/.velociraptor.new.24587/velociraptor.changes     
2024-05-30 15:35:00.825845996 +0200
@@ -1,0 +2,9 @@
+Tue May 28 16:45:51 UTC 2024 - Antonio Teixeira <antonio.teixe...@suse.com>
+
+- Patches changes:
+  * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
+    to update the follow-redirects package instead of patching directly.
+  * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
+- Add a package-lock.json to the package
+
+-------------------------------------------------------------------

New:
----
  CVE-2022-25883-npm-watch-semver-deps.patch
  package-lock.json

BETA DEBUG BEGIN:
  New:    to update the follow-redirects package instead of patching directly.
  * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
- Add a package-lock.json to the package
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ velociraptor.spec ++++++
--- /var/tmp/diff_new_pack.gysvdB/_old  2024-05-30 15:35:03.453942178 +0200
+++ /var/tmp/diff_new_pack.gysvdB/_new  2024-05-30 15:35:03.457942324 +0200
@@ -93,14 +93,17 @@
 Source9:        %{projname}.obsinfo
 Source10:       system-user-velociraptor.sysusers
 Source11:       velociraptor-nodejs.spec.inc
+Source12:       package-lock.json
 
 %include %{_sourcedir}/velociraptor-nodejs.spec.inc
 
 Patch1:         vendor-build-fixes-for-SLE12.patch
 Patch2:         sdjournal-build-fix-for-SLE12.patch
 Patch3:         velociraptor-reproducible-timestamp.diff
-# CVE-2024-28849 - bsc#1221456 - follow-redirects: Drop Proxy-Athorization 
across hosts
+# PATCH-FIX-UPSTREAM 
CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch bsc#1221456 -- 
follow-redirects: Drop Proxy-Athorization across hosts
 Patch4:         CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
+# PATCH-FIX-UPSTREAM CVE-2022-25883-npm-watch-semver-deps.patch bsc#1212572 -- 
upgrade npm-watch
+Patch5:         CVE-2022-25883-npm-watch-semver-deps.patch
 BuildRequires:  fileb0x
 %if 0%{?suse_version}
 BuildRequires:  systemd-rpm-macros
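Review bot: The rewritten comment above Patch4 carries over the `Proxy-Athorization` typo and still describes the patch as the upstream header fix, while the changelog says the patch now updates the follow-redirects package instead of patching the code. I would reword it along the lines of `# PATCH-FIX-UPSTREAM CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch bsc#1221456 -- update follow-redirects to 1.15.6 (drops Proxy-Authorization across hosts)`, and confirm that PATCH-FIX-UPSTREAM is still the right tag for a lockfile change. The Patch5 comment says only "upgrade npm-watch"; since the patch name and the Snyk reference point at semver, naming that dependency in the comment would make the CVE mapping auditable. `Source12: package-lock.json` is not referenced anywhere in the visible hunks, so a one-line comment stating what consumes it (presumably the node_modules source service) would help.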
@@ -243,6 +246,8 @@
 %patch -P 1 -p1
 %patch -P 2 -p1
 %patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
 
 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\([[:space:]]VERSION *= \).*/\1 \"%{VERSION}\"/" 
constants/constants.go
@@ -263,13 +268,11 @@
 # Note: There are dependencies on these that need to be resolved before
 # removing them outright.
 # rm -rf artifacts/definitions/Windows
-
 %if %{build_server}
 pushd gui/velociraptor
 rm -f package-lock.json
-local-npm-registry %{_sourcedir} install
+local-npm-registry %{_sourcedir} install --include=dev --legacy-peer-deps
 popd
-%patch -P 4 -p1
 %endif
 
 %build
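Review bot: `rm -f package-lock.json` still runs before `local-npm-registry %{_sourcedir} install`, so the lockfile that Patch4 now edits (follow-redirects 1.15.6 plus its integrity hash) is deleted in the build tree before dependencies are resolved. The added `--legacy-peer-deps` also makes npm ignore peer-dependency conflicts. From the visible lines, the follow-redirects version that ends up installed therefore depends on which tarballs are shipped in `%{_sourcedir}`, not on the patch applied by the now unconditional `%patch -P 4 -p1` in the previous hunk. Because the CVE-2024-28849 fix no longer patches index.js directly, I would add a post-install assertion before `popd`, for example `grep -q '"version": "1.15.6"' node_modules/follow-redirects/package.json`, together with a comment explaining why the lockfile is removed and why both install flags are required. The %prep section this block belongs to starts outside the hunk.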

++++++ CVE-2022-25883-npm-watch-semver-deps.patch ++++++
>From 76e999d0976ad6559574c92b79fe7432596d2d6c Mon Sep 17 00:00:00 2001
From: snyk-bot <snyk-...@snyk.io>
Date: Sat, 27 Apr 2024 00:20:54 +0000
Subject: [PATCH] fix: gui/velociraptor/package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
---
 gui/velociraptor/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: b/gui/velociraptor/package.json
===================================================================
--- a/gui/velociraptor/package.json
+++ b/gui/velociraptor/package.json
@@ -31,7 +31,7 @@
         "lodash": "^4.17.21",
         "moment": "^2.29.4",
         "moment-timezone": "0.5.43",
-        "npm-watch": "^0.11.0",
+        "npm-watch": "^0.12.0",
         "prop-types": "^15.8.1",
         "qs": "^6.11.2",
         "query-string": "^6.14.1",

++++++ CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch ++++++
--- /var/tmp/diff_new_pack.gysvdB/_old  2024-05-30 15:35:03.501943934 +0200
+++ /var/tmp/diff_new_pack.gysvdB/_new  2024-05-30 15:35:03.505944081 +0200
@@ -1,24 +1,31 @@
-From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001
-From: Ruben Verborgh <ru...@verborgh.org>
-Date: Thu, 14 Mar 2024 17:36:10 +0100
-Subject: [PATCH] Drop Proxy-Authorization across hosts.
-
----
- index.js     | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
-diff --git a/gui/velociraptor/node_modules/follow-redirects/index.js 
b/gui/velociraptor/node_modules/follow-redirects/index.js
-index f58b933..c649cab 100644
---- a/gui/velociraptor/node_modules/follow-redirects/index.js
-+++ b/gui/velociraptor/node_modules/follow-redirects/index.js
-@@ -430,7 +430,7 @@ RedirectableRequest.prototype._processResponse = function 
(response) {
-      redirectUrlParts.protocol !== "https:" ||
-      redirectUrlParts.host !== currentHost &&
-      !isSubdomain(redirectUrlParts.host, currentHost)) {
--    removeMatchingHeaders(/^(?:authorization|cookie)$/i, 
this._options.headers);
-+    removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, 
this._options.headers);
-   }
- 
-   // Evaluate the beforeRedirect callback
-
+diff --git a/gui/velociraptor/package-lock.json 
b/gui/velociraptor/package-lock.json
+index e6c46c00..2a6c8114 100644
+--- a/gui/velociraptor/package-lock.json
++++ b/gui/velociraptor/package-lock.json
+@@ -4750,9 +4750,9 @@
+             }
+         },
+         "node_modules/follow-redirects": {
+-            "version": "1.15.2",
+-            "resolved": 
"https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz";,
+-            "integrity": 
"sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==",
++            "version": "1.15.6",
++            "resolved": 
"https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz";,
++            "integrity": 
"sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==",
+             "funding": [
+                 {
+                     "type": "individual",
+@@ -14720,9 +14720,9 @@
+             }
+         },
+         "follow-redirects": {
+-            "version": "1.15.2",
+-            "resolved": 
"https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz";,
+-            "integrity": 
"sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA=="
++            "version": "1.15.6",
++            "resolved": 
"https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz";,
++            "integrity": 
"sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA=="
+         },
+         "for-each": {
+             "version": "0.3.3",
 

++++++ package-lock.json ++++++
++++ 19450 lines (skipped)

++++++ velociraptor-node_modules.obscpio ++++++
/work/SRC/openSUSE:Factory/velociraptor/velociraptor-node_modules.obscpio 
/work/SRC/openSUSE:Factory/.velociraptor.new.24587/velociraptor-node_modules.obscpio
 differ: char 79192355, line 262874

++++++ velociraptor-nodejs.spec.inc ++++++
++++ 1597 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/velociraptor/velociraptor-nodejs.spec.inc
++++ and 
/work/SRC/openSUSE:Factory/.velociraptor.new.24587/velociraptor-nodejs.spec.inc
