Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package opa for openSUSE:Factory checked in at 2025-12-17 18:39:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/opa (Old)
 and      /work/SRC/openSUSE:Factory/.opa.new.1939 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "opa" Wed Dec 17 18:39:10 2025 rev:8 rq:1323268 version:1.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/opa/opa.changes 2025-11-27 15:22:46.016030747 +0100 +++ /work/SRC/openSUSE:Factory/.opa.new.1939/opa.changes 2025-12-17 18:39:22.926116602 +0100 
@@ -1,0 +2,50 @@ +Wed Dec 17 07:01:10 UTC 2025 - Johannes Kastl <[email protected]> + +- Update to version 1.11.1: + This is a bugfix release: + * Memory exhaustion via forged gzip header + A crafted HTTP request any of OPA's HTTP endpoints would lead + OPA to use a large amount of memory, triggering an + out-of-memory process exit. + This weakness in OPA's HTTP API gzip handling is as old as the + gzip handling itself. A configurable limit was introduced in + v0.67.0, but it has been shown that this security measure + wasn't sufficient to avoid running out of memory in + memory-constrained setups. + Thanks to @thevilledev for reporting and fixing this issue. + It only applies to OPA running as server (as a binary or in a + container, as "sidecar"). To trigger an OOM process exit using + this weakness, an adversary must be able to send an HTTP + request directly to OPA. This would be the case if they are in + the same network, there is no proxy in front of OPA, or if OPA + was exposed to the internet, which is advised against. + By the nature of HTTP encodings, this would be effective before + token-based authentication and authorization policies, so these + measures do not protect against the attack vector. + If all OPA endpoints are using TLS-based authentication (mutual + TLS, "mTLS"), then an adversary cannot do harm with this + method. + Please note that while we're taking all of these issues + seriously, OPA isn't designed for adversary environments. It's + strongly advised not to expose any of its endpoints to the + public internet. Furthermore, available security measures + should be applied regardless, for a defense in depth approach. + See the documentation for the available means of authentication + and authorization in OPA. + Please also check out our Security Policy for reporting + critical issues and bugs. 
+ https://www.openpolicyagent.org/security + * Decision Logs dropped (introduced in OPA v1.9.0) + When the decision logs buffer was uploaded, the buffer limit + inadvertently got reset to the default upload limit (32kb). + This causes logs to be dropped that shouldn't have been dropped. + This default is overridden by the configuration value + decision_logs.reporting.upload_size_limit_bytes, see the docs + on decision logs. + There's a Prometheus metric for dropped events, + counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded, + and you can check that for unexpectedly high counts. + Reported by @johanneslarsson #8123, fixed by @sspaink. + The release is otherwise identical to v1.11.0. + +------------------------------------------------------------------- Old: ---- opa-1.11.0.obscpio New: ---- opa-1.11.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ opa.spec ++++++ --- /var/tmp/diff_new_pack.AU8Hfu/_old 2025-12-17 18:39:25.914242234 +0100 +++ /var/tmp/diff_new_pack.AU8Hfu/_new 2025-12-17 18:39:25.914242234 +0100 @@ -17,7 +17,7 @@ Name: opa -Version: 1.11.0 +Version: 1.11.1 Release: 0 Summary: Open source, general-purpose policy engine License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.AU8Hfu/_old 2025-12-17 18:39:25.958244085 +0100 +++ /var/tmp/diff_new_pack.AU8Hfu/_new 2025-12-17 18:39:25.962244252 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/open-policy-agent/opa</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.11.0</param> + <param name="revision">v1.11.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.AU8Hfu/_old 2025-12-17 18:39:25.982245094 +0100 +++ /var/tmp/diff_new_pack.AU8Hfu/_new 2025-12-17 18:39:25.986245262 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/open-policy-agent/opa</param> - <param name="changesrevision">45cbfa1d83841971d0db96b7803b5aeeae91020e</param></service></servicedata> + <param name="changesrevision">eb492e815bef45c43bcf093ac49e954ce6fb0915</param></service></servicedata> (No newline at EOF) ++++++ opa-1.11.0.obscpio -> opa-1.11.1.obscpio ++++++ ++++ 6937 lines of diff (skipped) ++++++ opa.obsinfo ++++++ --- /var/tmp/diff_new_pack.AU8Hfu/_old 2025-12-17 18:39:33.326553877 +0100 +++ /var/tmp/diff_new_pack.AU8Hfu/_new 2025-12-17 18:39:33.382556232 +0100 @@ -1,5 +1,5 @@ name: opa -version: 1.11.0 -mtime: 1764162114 -commit: 45cbfa1d83841971d0db96b7803b5aeeae91020e +version: 1.11.1 +mtime: 1765916875 +commit: eb492e815bef45c43bcf093ac49e954ce6fb0915 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/opa/vendor.tar.gz /work/SRC/openSUSE:Factory/.opa.new.1939/vendor.tar.gz differ: char 145, line 2
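Review bot: The "Memory exhaustion via forged gzip header" item in the opa.changes hunk carries no CVE number or Bugzilla (bsc#) reference, although it describes a remotely triggerable out-of-memory exit of the OPA server process; if an identifier has been assigned upstream or by the security team, add it to that entry so the update is tracked as a security fix rather than a plain version bump. One wording slip in the same entry: "A crafted HTTP request any of OPA's HTTP endpoints would lead" is missing "to" before "any". The mitigation guidance in the entry is consistent with itself (decompression happens before token-based authentication, so only mTLS or not exposing the endpoints helps) and can stay as written.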
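Review bot: The `revision` parameter in the _service hunk now points at the tag v1.11.1, and a git tag is movable, so the reproducibility of this checkout rests on the commit recorded next to it; before accepting, confirm that v1.11.1 in the upstream repository resolves to eb492e815bef45c43bcf093ac49e954ce6fb0915, which is the value this submission records both as `changesrevision` in _servicedata and as `commit` in opa.obsinfo.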
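Review bot: The _servicedata hunk leaves the file without a trailing newline ("No newline at EOF"), which will keep surfacing as noise in every future diff of this file; adding a final newline the next time the file is regenerated would clean that up. The `changesrevision` value itself matches the `commit` in the opa.obsinfo hunk, so the two metadata files agree.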
