Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rekor for openSUSE:Factory checked
in at 2025-04-14 12:58:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rekor (Old)
and /work/SRC/openSUSE:Factory/.rekor.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rekor"
Mon Apr 14 12:58:11 2025 rev:26 rq:1268974 version:1.3.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/rekor/rekor.changes 2025-01-28
15:00:29.465313593 +0100
+++ /work/SRC/openSUSE:Factory/.rekor.new.1907/rekor.changes 2025-04-14
12:58:14.443892449 +0200
@@ -1,0 +2,20 @@
+Fri Apr 11 18:10:26 UTC 2025 - Johannes Kastl
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 1.3.10:
+ * Features
+ - Added --client-signing-algorithms flag (#1974)
+ * Fixes / Misc
+ - emit unpopulated values when marshalling (#2438)
+ - pkg/api: better logs when algorithm registry rejects a key
+ (#2429)
+ - chore: improve mysql readiness checks (#2397)
+ - Added --client-signing-algorithms flag (#1974)
+ * Security fixes (over the last releases):
+ - CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write
sensitive information to log file (bsc#1227053)
+ - CVE-2023-45288: rekor: golang.org/x/net/http2: close connections when
receiving too many headers (bsc#1236519)
+ - CVE-2025-27144: rekor:
gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3:
Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237638)
+ - CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory
consumption during token parsing in golang.org/x/oauth2 (bsc#1239191)
+ - CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service in the
Key Exchange of golang.org/x/crypto/ssh (bsc#1239327)
+ - CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows
excessive memory allocation during header parsing (bsc#1240468)
+
+-------------------------------------------------------------------
Old:
----
rekor-1.3.9.obscpio
New:
----
rekor-1.3.10.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rekor.spec ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.435934108 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.435934108 +0200
@@ -19,7 +19,7 @@
%define apps cli server
Name: rekor
-Version: 1.3.9
+Version: 1.3.10
Release: 0
Summary: Supply Chain Transparency Log
License: Apache-2.0
@@ -27,16 +27,27 @@
Source: %{name}-%{version}.tar.gz
Source1: vendor.tar.zst
Source2: rekor-zypper-verify.sh
+BuildRequires: go >= 1.23.6
BuildRequires: golang-packaging
BuildRequires: zstd
-BuildRequires: golang(API)
%description
-Rekor's goals are to provide an immutable tamper resistant ledger of metadata
generated within a software projects supply chain. Rekor will enable software
maintainers and build systems to record signed metadata to an immutable record.
Other parties can then query said metadata to enable them to make informed
decisions on trust and non-repudiation of an object's lifecycle. For more
details visit the sigstore website
+Rekor's goals are to provide an immutable tamper resistant ledger of metadata
+generated within a software projects supply chain. Rekor will enable software
+maintainers and build systems to record signed metadata to an immutable record.
+Other parties can then query said metadata to enable them to make informed
+decisions on trust and non-repudiation of an object's lifecycle. For more
+details visit the sigstore website
-The Rekor project provides a restful API based server for validation and a
transparency log for storage. A CLI application is available to make and verify
entries, query the transparency log for inclusion proof, integrity verification
of the transparency log or retrieval of entries by either public key or
artifact.
+The Rekor project provides a restful API based server for validation and a
+transparency log for storage. A CLI application is available to make and verify
+entries, query the transparency log for inclusion proof, integrity verification
+of the transparency log or retrieval of entries by either public key or
+artifact.
-Rekor fulfils the signature transparency role of sigstore's software signing
infrastructure. However, Rekor can be run on its own and is designed to be
extensible to working with different manifest schemas and PKI tooling.
+Rekor fulfils the signature transparency role of sigstore's software signing
+infrastructure. However, Rekor can be run on its own and is designed to be
+extensible to working with different manifest schemas and PKI tooling.
%prep
%autosetup -p1 -a1
++++++ _service ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.467935452 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.467935452 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/sigstore/rekor</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="revision">v1.3.9</param>
+ <param name="revision">v1.3.10</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.487936292 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.487936292 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/sigstore/rekor</param>
- <param
name="changesrevision">b67ee82b1d4bddf70d8e9dc9db54163e8928d775</param></service></servicedata>
+ <param
name="changesrevision">4118a64b4b9c228a968b2d935a00807ca1b33aed</param></service></servicedata>
(No newline at EOF)
++++++ rekor-1.3.9.obscpio -> rekor-1.3.10.obscpio ++++++
++++ 3497 lines of diff (skipped)
++++++ rekor.obsinfo ++++++
--- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.791949058 +0200
+++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.795949227 +0200
@@ -1,5 +1,5 @@
name: rekor
-version: 1.3.9
-mtime: 1737995333
-commit: b67ee82b1d4bddf70d8e9dc9db54163e8928d775
+version: 1.3.10
+mtime: 1744388461
+commit: 4118a64b4b9c228a968b2d935a00807ca1b33aed
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/rekor/vendor.tar.zst
/work/SRC/openSUSE:Factory/.rekor.new.1907/vendor.tar.zst differ: char 7, line 1
