Hello community,

here is the log from the commit of package forgejo for openSUSE:Factory checked in at 2025-03-24 13:28:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/forgejo (Old)
 and      /work/SRC/openSUSE:Factory/.forgejo.new.2696 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "forgejo" Mon Mar 24 13:28:07 2025 rev:26 rq:1255423 version:10.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/forgejo/forgejo.changes 2025-03-17 22:21:40.308701408 +0100 +++ /work/SRC/openSUSE:Factory/.forgejo.new.2696/forgejo.changes 2025-03-24 13:28:29.462395912 +0100 
@@ -1,0 +2,39 @@ +Sun Mar 23 17:10:56 UTC 2025 - Richard Rahl <rra...@opensuse.org> + +- update to 10.0.3: + * fix a regression which caused unnecessary escaping of URLs + * update dependencies +- fix url for the keyring + +------------------------------------------------------------------- +Fri Mar 21 16:23:17 UTC 2025 - Richard Rahl <rra...@opensuse.org> + +- update to 10.0.2: + * update of translations + * When migrating from a Forgejo version lower than v10, the TOTP secrets + found to be corrupted are now transparently removed + * replies to pending review comments no longer generate a notification + * consider public issues for project boards + * the rootless Forgejo image version label is not set + * do not allow SSH url for migration + * setting.Service.EnableInternalSignIn = false is disabling forgotten password + * show internal login prompt for account linking + * enable ssh mirrors in rootless Forgejo images + * render link in heading correctly in wiki TOC + * Update module github.com/redis/go-redis/v9 + * fix: consider issues in repository accessible via access table + * fix(api): miss-spelled description, corrected to public + * fix: revert issue rendering for <a> element + * chore(ci): ensure the manually cached Go can be run + * chore(ci): Get Go binary from GOROOT instead of hardcoded path + * fix: return 404 for empty repositories + * fix: delay deleting authorization token + * fix: native parsing of ssh certificate key + * fix(ui): hide extra PR property labels on title edit + * fix: always set stripped slashes on http request + * fix(ui): hide 'New migration' button on org pages with migrations disabled + * ui: update language stats layout and click behavior + * Update dependency go to v1.23.6 +- add patch fix-CVE-2025-22869.patch, fixing bsc#1239488, bsc#1239276, bsc#1234574 + +------------------------------------------------------------------- Old: ---- forgejo-src-10.0.1.tar.gz New: ---- fix-CVE-2025-22869.patch forgejo-src-10.0.3.tar.gz 
forgejo-src-10.0.3.tar.gz.asc forgejo.keyring vendor.tar.gz BETA DEBUG BEGIN: New: * Update dependency go to v1.23.6 - add patch fix-CVE-2025-22869.patch, fixing bsc#1239488, bsc#1239276, bsc#1234574 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ forgejo.spec ++++++ --- /var/tmp/diff_new_pack.POaBbg/_old 2025-03-24 13:28:33.582567584 +0100 +++ /var/tmp/diff_new_pack.POaBbg/_new 2025-03-24 13:28:33.582567584 +0100 @@ -30,16 +30,15 @@ %endif %endif Name: forgejo -Version: 10.0.1 +Version: 10.0.3 Release: 0 Summary: Self-hostable forge License: GPL-3.0-or-later Group: Development/Tools/Version Control URL: https://forgejo.org Source0: https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz -# something is broken with the verification, works fine manually -#Source1: https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz.asc -#Source2: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6c0dc2bcdd183550a4b61a2dc5923710#/%{name}.keyring +Source1: https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz.asc +Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/EB114F5E6C0DC2BCDD183550A4B61A2DC5923710#/%{name}.keyring Source3: package-lock.json Source4: node_modules.spec.inc %include %{_sourcedir}/node_modules.spec.inc 
@@ -50,14 +49,17 @@ Source9: %{name}.te Source10: %{name}.apparmor Source11: %{name}.firewalld -Source13: forgejo-hooks-abstraction.apparmor Source12: forgejo-abstraction.apparmor +Source13: forgejo-hooks-abstraction.apparmor +# updated vendored go modules, for fix-CVE-2025-22869.patch +Source14: vendor.tar.gz Source98: README.SUSE Source99: get-sources.sh Patch0: custom-app.ini.patch Patch1: dont-strip.patch +Patch2: fix-CVE-2025-22869.patch BuildRequires: golang-packaging -BuildRequires: golang(API) = 1.23 +BuildRequires: golang(API) >= 1.23.6 ## node >= 20 %if 0%{?suse_version} == 1500 BuildRequires: nodejs-devel-default @@ -137,6 +139,7 @@ %prep %autosetup -p1 -n %{name}-src-%{version} +tar xf %{SOURCE14} -C %{_builddir}/%{name}-src-%{version}/ local-npm-registry %{_sourcedir} install --also=dev --legacy-peer-deps cp %{SOURCE98} . ++++++ fix-CVE-2025-22869.patch ++++++ diff -rub forgejo-src-10.0.3/go.mod forgejo-src-10.0.3-patched/go.mod --- forgejo-src-10.0.3/go.mod 2025-03-23 08:01:19.000000000 +0100 +++ forgejo-src-10.0.3-patched/go.mod 2025-03-23 17:58:38.109967946 +0100 @@ -101,13 +101,13 @@ github.com/yuin/goldmark v1.7.8 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc go.uber.org/mock v0.4.0 - golang.org/x/crypto v0.35.0 + golang.org/x/crypto v0.36.0 golang.org/x/image v0.23.0 golang.org/x/net v0.36.0 golang.org/x/oauth2 v0.27.0 - golang.org/x/sync v0.11.0 - golang.org/x/sys v0.30.0 - golang.org/x/text v0.22.0 + golang.org/x/sync v0.12.0 + golang.org/x/sys v0.31.0 + golang.org/x/text v0.23.0 google.golang.org/grpc v1.69.2 google.golang.org/protobuf v1.36.1 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df diff -rub forgejo-src-10.0.3/go.sum forgejo-src-10.0.3-patched/go.sum --- forgejo-src-10.0.3/go.sum 2025-03-23 08:01:19.000000000 +0100 +++ forgejo-src-10.0.3-patched/go.sum 2025-03-23 18:00:50.522104697 +0100 
@@ -1507,6 +1507,8 @@ golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= +golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= +golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -1682,6 +1684,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= +golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1773,6 +1777,8 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= +golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= @@ -1806,6 +1812,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= +golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= ++++++ forgejo-src-10.0.1.tar.gz -> forgejo-src-10.0.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/forgejo/forgejo-src-10.0.1.tar.gz /work/SRC/openSUSE:Factory/.forgejo.new.2696/forgejo-src-10.0.3.tar.gz differ: char 29, line 1
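
Review bot: The new forgejo.changes entries (hunk @@ -1,0 +2,39 @@) leave out two packaging changes made in this same commit: the added Source14 vendor.tar.gz and the change of the Go requirement from `golang(API) = 1.23` to `golang(API) >= 1.23.6`. The 10.0.2 entry also attaches three bug numbers (bsc#1239488, bsc#1239276, bsc#1234574) to one patch and names the CVE only through the patch file name. Suggest adding a line for the vendored-modules tarball and the toolchain requirement, and writing the CVE identifier next to the bsc references so the entry can be found by searching for the CVE.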
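
Review bot: In forgejo.spec (hunk @@ -30,16 +30,15 @@) Source1 and Source2 are switched back on, and the comment "something is broken with the verification, works fine manually" is removed without any note on what was wrong or what fixed it. The fingerprint in the new keys.openpgp.org URL, EB114F5E6C0DC2BCDD183550A4B61A2DC5923710, is the same one that appeared in the old keyserver.ubuntu.com URL, so only the place the key is fetched from changes. Suggest confirming that the committed forgejo.keyring contains that fingerprint and no other key, and stating in the changelog that signature verification of the source tarball is enabled again, since "fix url for the keyring" undersells the change.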
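
Review bot: `BuildRequires: golang(API) >= 1.23.6` in forgejo.spec (hunk @@ -50,14 +49,17 @@) replaces an exact pin, `golang(API) = 1.23`, with an open lower bound, so the package may now be built with any later Go series and not only with a 1.23 toolchain at patch level 6 or above. If the intent is just to require the patched 1.23 release, keep the series pinned and express the minimum patch level separately. In the same hunk, Source14 vendor.tar.gz is a locally produced archive that the upstream signature in Source1 does not cover; the comment above it should say how the tarball is generated (for example whether get-sources.sh creates it) so a reviewer can reproduce it.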
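
Review bot: In %prep (hunk @@ -137,6 +139,7 @@) the line `tar xf %{SOURCE14} -C %{_builddir}/%{name}-src-%{version}/` unpacks the vendored modules over the source tree after %autosetup has applied Patch2, and nothing checks that the tarball matches the patched go.mod and go.sum. A vendor.tar.gz left over from an earlier version would only show up later in the build, if at all. Suggest a consistency check in %prep or in get-sources.sh, for example comparing the module versions recorded inside the tarball with the four versions set by fix-CVE-2025-22869.patch. Since %autosetup -n already changes into that directory, the explicit -C target could also be dropped.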
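
Review bot: fix-CVE-2025-22869.patch starts directly at `diff -rub` with no description, and its go.mod hunk (@@ -101,13 +101,13 @@) moves four modules (golang.org/x/crypto, golang.org/x/sync, golang.org/x/sys, golang.org/x/text) without saying which bump addresses the CVE or why the other three change. Suggest adding a short header to the patch that names the module and version carrying the fix, states whether the remaining bumps are pulled in by it, and links the upstream advisory or commit, so the patch can be dropped with confidence once upstream ships the same versions.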
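
Review bot: The go.sum hunks of fix-CVE-2025-22869.patch (@@ -1507,6 +1507,8 @@ through @@ -1806,6 +1812,8 @@) add `h1:` and `/go.mod` hashes for the four new versions while the `h1:` lines for v0.35.0, v0.11.0, v0.30.0 and v0.22.0 stay in place as context. If those older versions are no longer needed by the module graph, a regenerated go.sum would have dropped them, so it is worth stating whether the file was edited by hand or produced by the Go tooling. Suggest regenerating go.sum in the patched tree and checking the new hashes against the Go checksum database before the patch and vendor.tar.gz are accepted.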