Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package act for openSUSE:Factory checked in at 2025-11-21 16:56:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/act (Old)
 and      /work/SRC/openSUSE:Factory/.act.new.2061 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "act" Fri Nov 21 16:56:11 2025 rev:13 rq:1318918 version:0.2.82 Changes: -------- --- /work/SRC/openSUSE:Factory/act/act.changes 2025-11-09 21:12:07.081724945 +0100 +++ /work/SRC/openSUSE:Factory/.act.new.2061/act.changes 2025-11-21 16:57:02.135263519 +0100 @@ -1,0 +2,12 @@ +Sun Nov 16 20:31:41 UTC 2025 - Matthias Eliasson <[email protected]> + +- Security fix for bsc#1253608, CVE-2025-47913, GO-2025-4116 +- Add update-crypto-cve-2025-47913.patch: Update golang.org/x/crypto + from v0.37.0 to v0.43.0 to fix SSH agent DoS vulnerability where + SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed + response will panic and cause early termination of the client + process. Affects pkg/runner/action_cache.go which uses SSH agent + functions via go-git. +- Regenerate vendor.tar.gz with updated dependencies + +------------------------------------------------------------------- New: ---- update-crypto-cve-2025-47913.patch ----------(New B)---------- New:- Security fix for bsc#1253608, CVE-2025-47913, GO-2025-4116 - Add update-crypto-cve-2025-47913.patch: Update golang.org/x/crypto from v0.37.0 to v0.43.0 to fix SSH agent DoS vulnerability where ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ act.spec ++++++ --- /var/tmp/diff_new_pack.KfvRVR/_old 2025-11-21 16:57:02.963298412 +0100 +++ /var/tmp/diff_new_pack.KfvRVR/_new 2025-11-21 16:57:02.967298581 +0100 @@ -32,6 +32,8 @@ URL: https://github.com/nektos/act Source0: %{name}-%{version}.tar.xz Source1: vendor.tar.gz +# PATCH-FIX-UPSTREAM update-crypto-cve-2025-47913.patch bsc#1253608 [email protected] -- Update golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913 (GO-2025-4116) +Patch0: update-crypto-cve-2025-47913.patch BuildRequires: golang-packaging BuildRequires: golang(API) >= 1.16 Requires: (docker or podman) 
@@ -44,6 +46,7 @@ %prep %setup -q %setup -q -a1 %{SOURCE1} +%patch -P 0 -p0 sed -i 's_var version = \"v0.2.27-dev\"_var version = "%{version}"_g' main.go %build ++++++ update-crypto-cve-2025-47913.patch ++++++ From: Matthias Eliasson <[email protected]> Date: Sat Nov 16 21:00:00 UTC 2025 Subject: Update golang.org/x/crypto to fix SSH agent DoS vulnerability References: bsc#1253608 Upstream: no (dependency version update) Update golang.org/x/crypto from v0.37.0 to v0.43.0 to fix CVE-2025-47913 (GO-2025-4116). SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. The vulnerability affects pkg/runner/action_cache.go which uses SSH agent functions via go-git. The fix was introduced in golang.org/x/crypto v0.43.0. See: - https://pkg.go.dev/vuln/GO-2025-4116 - https://go.dev/issue/75178 - https://go.dev/cl/700295 This also updates related golang.org/x dependencies to maintain compatibility: - golang.org/x/term: v0.35.0 -> v0.36.0 - golang.org/x/net: v0.39.0 -> v0.45.0 - golang.org/x/sync: v0.13.0 -> v0.17.0 - golang.org/x/sys: v0.36.0 -> v0.37.0 - golang.org/x/text: v0.24.0 -> v0.30.0 --- go.mod | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- go.mod.orig +++ go.mod @@ -29,7 +29,7 @@ require ( github.com/stretchr/testify v1.11.1 github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928 go.etcd.io/bbolt v1.4.3 - golang.org/x/term v0.35.0 + golang.org/x/term v0.36.0 gopkg.in/yaml.v3 v3.0.1 gotest.tools/v3 v3.5.2 ) 
@@ -100,12 +100,12 @@ require ( go.opentelemetry.io/otel/metric v1.33.0 // indirect go.opentelemetry.io/otel/sdk v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.33.0 // indirect - golang.org/x/crypto v0.37.0 // indirect + golang.org/x/crypto v0.43.0 // indirect golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect - golang.org/x/net v0.39.0 // indirect - golang.org/x/sync v0.13.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/text v0.24.0 // indirect + golang.org/x/net v0.45.0 // indirect + golang.org/x/sync v0.17.0 // indirect + golang.org/x/sys v0.37.0 // indirect + golang.org/x/text v0.30.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect ++++++ vendor.tar.gz ++++++ ++++ 2730 lines of diff (skipped)
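Review bot: the `# PATCH-FIX-UPSTREAM update-crypto-cve-2025-47913.patch` comment added in the act.spec hunk `@@ -32,6 +32,8 @@` contradicts the patch's own header, which states `Upstream: no (dependency version update)`. A downstream go.mod bump that has not been submitted to nektos/act should be tagged `PATCH-FIX-OPENSUSE`, or the bump should be sent upstream and the comment should reference the upstream commit, so the tag correctly records where the change came from.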
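Review bot: the patch touches only go.mod (`go.mod | 11 ++++++-----`, `1 file changed`), so go.sum is left with the old v0.35.0 golang.org/x/term entry and has no checksum for the v0.36.0 line added in hunk `@@ -29,7 +29,7 @@`. The build only works because vendor.tar.gz was regenerated and the package builds in vendor mode; please add the matching go.sum changes to the patch so the unpacked source is self-consistent and `go mod verify` or a non-vendor build does not fail on the missing sums.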
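Review bot: the diffstat header is inconsistent with the hunks: hunk `@@ -100,12 +100,12 @@` removes five lines and adds five, and hunk `@@ -29,7 +29,7 @@` removes one and adds one, giving 6 insertions and 6 deletions, while the header claims `6 insertions(+), 5 deletions(-)`. That suggests the patch was hand-edited after generation; regenerate it with `git diff` or `diff -u` so the stat matches. Since `golang.org/x/crypto v0.43.0 // indirect` is only pulled in through go-git and the 2730-line vendor diff is skipped here, also confirm that the regenerated `vendor/modules.txt` records exactly these six versions, otherwise the build fails with an inconsistent vendoring error rather than picking up the fixed agent client.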
