Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked 
in at 2025-04-14 12:58:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and      /work/SRC/openSUSE:Factory/.rekor.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rekor"

Mon Apr 14 12:58:11 2025 rev:26 rq:1268974 version:1.3.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/rekor/rekor.changes      2025-01-28 
15:00:29.465313593 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1907/rekor.changes    2025-04-14 
12:58:14.443892449 +0200
@@ -1,0 +2,20 @@
+Fri Apr 11 18:10:26 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 1.3.10:
+  * Features
+    - Added --client-signing-algorithms flag (#1974)
+  * Fixes / Misc
+    - emit unpopulated values when marshalling (#2438)
+    - pkg/api: better logs when algorithm registry rejects a key
+      (#2429)
+    - chore: improve mysql readiness checks (#2397)
+    - Added --client-signing-algorithms flag (#1974)
+  * Security fixes (over the last releases):
+    - CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write 
sensitive information to log file (bsc#1227053)
+    - CVE-2023-45288: rekor: golang.org/x/net/http2: close connections when 
receiving too many headers (bsc#1236519)
+    - CVE-2025-27144: rekor: 
gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3:
 Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237638)
+    - CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory 
consumption during token parsing in golang.org/x/oauth2 (bsc#1239191)
+    - CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service in the 
Key Exchange of golang.org/x/crypto/ssh (bsc#1239327)
+    - CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows 
excessive memory allocation during header parsing (bsc#1240468)
+
+-------------------------------------------------------------------
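Review bot: The entry "Added --client-signing-algorithms flag (#1974)" appears twice in this changelog addition, once under Features and again as the last item under Fixes / Misc; drop the second occurrence. The "Security fixes (over the last releases)" list would also be easier to audit if each CVE line named the rekor version that first carried the fix, since the heading indicates they span several releases rather than 1.3.10 alone.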

Old:
----
  rekor-1.3.9.obscpio

New:
----
  rekor-1.3.10.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rekor.spec ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old  2025-04-14 12:58:15.435934108 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new  2025-04-14 12:58:15.435934108 +0200
@@ -19,7 +19,7 @@
 %define apps cli server
 
 Name:           rekor
-Version:        1.3.9
+Version:        1.3.10
 Release:        0
 Summary:        Supply Chain Transparency Log
 License:        Apache-2.0
@@ -27,16 +27,27 @@
 Source:         %{name}-%{version}.tar.gz
 Source1:        vendor.tar.zst
 Source2:        rekor-zypper-verify.sh
+BuildRequires:  go >= 1.23.6
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API)
 
 %description
-Rekor's goals are to provide an immutable tamper resistant ledger of metadata 
generated within a software projects supply chain. Rekor will enable software 
maintainers and build systems to record signed metadata to an immutable record. 
Other parties can then query said metadata to enable them to make informed 
decisions on trust and non-repudiation of an object's lifecycle. For more 
details visit the sigstore website
+Rekor's goals are to provide an immutable tamper resistant ledger of metadata
+generated within a software projects supply chain. Rekor will enable software
+maintainers and build systems to record signed metadata to an immutable record.
+Other parties can then query said metadata to enable them to make informed
+decisions on trust and non-repudiation of an object's lifecycle. For more
+details visit the sigstore website
 
-The Rekor project provides a restful API based server for validation and a 
transparency log for storage. A CLI application is available to make and verify 
entries, query the transparency log for inclusion proof, integrity verification 
of the transparency log or retrieval of entries by either public key or 
artifact.
+The Rekor project provides a restful API based server for validation and a
+transparency log for storage. A CLI application is available to make and verify
+entries, query the transparency log for inclusion proof, integrity verification
+of the transparency log or retrieval of entries by either public key or
+artifact.
 
-Rekor fulfils the signature transparency role of sigstore's software signing 
infrastructure. However, Rekor can be run on its own and is designed to be 
extensible to working with different manifest schemas and PKI tooling.
+Rekor fulfils the signature transparency role of sigstore's software signing
+infrastructure. However, Rekor can be run on its own and is designed to be
+extensible to working with different manifest schemas and PKI tooling.
 
 %prep
 %autosetup -p1 -a1
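Review bot: The build dependency at the top of this hunk changes from "BuildRequires:  golang(API)" to "BuildRequires:  go >= 1.23.6", but the rekor.changes entry for 1.3.10 says nothing about it. Add a changelog line stating the new minimum Go version and the reason for it, so the toolchain floor can be traced later. The %description rewrap is cosmetic; since those lines are being touched anyway, "a software projects supply chain" could be corrected to "a software project's supply chain".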

++++++ _service ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old  2025-04-14 12:58:15.467935452 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new  2025-04-14 12:58:15.467935452 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/sigstore/rekor</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v1.3.9</param>
+    <param name="revision">v1.3.10</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>
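Review bot: The revision parameter in this hunk tracks the upstream tag v1.3.10, and a tag can be re-pointed upstream after the package has been reviewed. The commit that was actually fetched is recorded as 4118a64b4b9c228a968b2d935a00807ca1b33aed in _servicedata and rekor.obsinfo; confirm that the tag resolves to that commit, and consider setting revision to the commit hash so a later service run cannot silently pick up different source.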

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old  2025-04-14 12:58:15.487936292 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new  2025-04-14 12:58:15.487936292 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/sigstore/rekor</param>
-              <param 
name="changesrevision">b67ee82b1d4bddf70d8e9dc9db54163e8928d775</param></service></servicedata>
+              <param 
name="changesrevision">4118a64b4b9c228a968b2d935a00807ca1b33aed</param></service></servicedata>
 (No newline at EOF)
 

++++++ rekor-1.3.9.obscpio -> rekor-1.3.10.obscpio ++++++
++++ 3497 lines of diff (skipped)

++++++ rekor.obsinfo ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old  2025-04-14 12:58:15.791949058 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new  2025-04-14 12:58:15.795949227 +0200
@@ -1,5 +1,5 @@
 name: rekor
-version: 1.3.9
-mtime: 1737995333
-commit: b67ee82b1d4bddf70d8e9dc9db54163e8928d775
+version: 1.3.10
+mtime: 1744388461
+commit: 4118a64b4b9c228a968b2d935a00807ca1b33aed
 

++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/rekor/vendor.tar.zst 
/work/SRC/openSUSE:Factory/.rekor.new.1907/vendor.tar.zst differ: char 7, line 1
