Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package golang-github-prometheus-prometheus
for openSUSE:Factory checked in at 2024-07-03 20:29:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/golang-github-prometheus-prometheus (Old)
and
/work/SRC/openSUSE:Factory/.golang-github-prometheus-prometheus.new.18349 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "golang-github-prometheus-prometheus"
Wed Jul 3 20:29:20 2024 rev:45 rq:1184874 version:2.53.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/golang-github-prometheus-prometheus/golang-github-prometheus-prometheus.changes 2024-07-01 11:18:35.063156766 +0200
+++ /work/SRC/openSUSE:Factory/.golang-github-prometheus-prometheus.new.18349/golang-github-prometheus-prometheus.changes 2024-07-03 20:29:48.719992793 +0200
@@ -1,0 +2,7 @@
+Fri Jun 28 15:31:44 UTC 2024 - Witek Bedyk <[email protected]>
+
+- Bump go-retryablehttp to version 0.7.7
+ (CVE-2024-6104, bsc#1227038)
+- Add 0003-Bump-go-retryablehttp.patch
+
+-------------------------------------------------------------------
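Review bot: the changelog entry names CVE-2024-6104 and bsc#1227038 but does not say what the fix addresses; a short phrase such as "fixes basic auth credentials leaking to log files", as the subject of the embedded patch states, would let anyone reading the update log triage it without opening the patch.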
New:
----
0003-Bump-go-retryablehttp.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ golang-github-prometheus-prometheus.spec ++++++
--- /var/tmp/diff_new_pack.QqLghX/_old 2024-07-03 20:29:50.108043596 +0200
+++ /var/tmp/diff_new_pack.QqLghX/_new 2024-07-03 20:29:50.108043596 +0200
@@ -47,6 +47,8 @@
Patch1: 0001-Do-not-force-the-pure-Go-name-resolver.patch
# Lifted from Debian's prometheus package
Patch2: 0002-Default-settings.patch
+# https://github.com/prometheus/prometheus/pull/14345 (CVE-2024-6104)
+Patch3: 0003-Bump-go-retryablehttp.patch
BuildRequires: fdupes
%if 0%{?suse_version} == 1500 && 0%{?sle_version} < 150300
BuildRequires: firewall-macros
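Review bot: Patch3 is declared here, but this hunk does not show it being applied; confirm that %prep applies it (via %autosetup -p1 or an explicit %patch line), otherwise the go.mod/go.sum bump never reaches the build. Note also that the patch only edits go.mod and go.sum, so the fix is effective only if vendor.tar.gz is regenerated with go-retryablehttp v0.7.7; the vendor.tar.gz difference reported at the end of this mail suggests that was done, but it is worth stating in the changelog.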
++++++ 0003-Bump-go-retryablehttp.patch ++++++
From 4d25a94faa74e0a16e4bb7874c1d82faaf911d85 Mon Sep 17 00:00:00 2001
From: Daniel Mellado <[email protected]>
Date: Tue, 25 Jun 2024 16:31:03 +0200
Subject: [PATCH] Bump go-retryablehttp to fix basic auth creds leak
This PR updates go-retryablehttp to version 0.7.7, even if it's used as
an indirect import. Versions previous to that didn't sanitize URLs,
discussed at HCSEC-2024-12 [1]
[1] https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
Signed-off-by: Daniel Mellado <[email protected]>
---
go.mod | 4 ++--
go.sum | 9 ++++-----
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index ac8b4f469d0..ce2f0714a0a 100644
--- a/go.mod
+++ b/go.mod
@@ -146,10 +146,10 @@ require (
github.com/hashicorp/cronexpr v1.1.2 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-hclog v1.5.0 // indirect
+ github.com/hashicorp/go-hclog v1.6.3 // indirect
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
- github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/golang-lru v0.6.0 // indirect
github.com/hashicorp/serf v0.10.1 // indirect
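Review bot: the hunk also bumps go-hclog from v1.5.0 to v1.6.3, which neither the commit subject nor the body mentions; add a sentence explaining why (presumably because go-retryablehttp v0.7.7 requires it, which is an assumption the message should confirm) so a reader auditing the dependency change does not mistake it for an unrelated update. Both modules are marked `// indirect`, so the pin here only takes effect once the vendored tree is refreshed.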
diff --git a/go.sum b/go.sum
index 06db002f55b..956b9d89492 100644
--- a/go.sum
+++ b/go.sum
@@ -369,9 +369,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod
h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod
h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
github.com/hashicorp/go-cleanhttp v0.5.2
h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod
h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod
h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.5.0
h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod
h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3
h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod
h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
github.com/hashicorp/go-immutable-radix v1.0.0/go.mod
h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
github.com/hashicorp/go-immutable-radix v1.3.1
h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
github.com/hashicorp/go-immutable-radix v1.3.1/go.mod
h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
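Review bot: the new v1.6.3/go.mod checksum is identical to the removed v1.5.0/go.mod one (h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=); that is expected when the module's own go.mod did not change between the two releases and is not a sign of a mis-copied line. Dropping the no-longer-referenced go-hclog v0.9.2/go.mod entry is consistent with the hunk being the output of `go mod tidy` rather than a hand edit.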
@@ -383,8 +382,8 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod
h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
github.com/hashicorp/go-multierror v1.1.1
h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
github.com/hashicorp/go-multierror v1.1.1/go.mod
h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
github.com/hashicorp/go-retryablehttp v0.5.3/go.mod
h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.7.4
h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod
h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7
h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod
h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
github.com/hashicorp/go-rootcerts v1.0.0/go.mod
h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
github.com/hashicorp/go-rootcerts v1.0.2
h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
github.com/hashicorp/go-rootcerts v1.0.2/go.mod
h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
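Review bot: the two go-retryablehttp v0.7.7 checksums are carried over from the upstream PR, so verify them against the Go checksum database before accepting (a `go mod download` with GOSUMDB enabled, not a vendor-mode build, will do this), and regenerate vendor.tar.gz from this same go.sum so that the vendored copy actually contains the 0.7.7 code and the package does not ship the old, credential-leaking version while claiming the CVE is fixed.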
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/golang-github-prometheus-prometheus/vendor.tar.gz
/work/SRC/openSUSE:Factory/.golang-github-prometheus-prometheus.new.18349/vendor.tar.gz
differ: char 5, line 1