Hello community,

here is the log from the commit of package netbird for openSUSE:Factory checked in at 2026-02-20 17:43:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/netbird (Old)
 and /work/SRC/openSUSE:Factory/.netbird.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netbird" Fri Feb 20 17:43:55 2026 rev:10 rq:1334084 version:0.65.3 Changes: -------- --- /work/SRC/openSUSE:Factory/netbird/netbird.changes 2026-02-18 17:08:18.960931304 +0100 +++ /work/SRC/openSUSE:Factory/.netbird.new.1977/netbird.changes 2026-02-20 17:52:28.288151850 +0100 
@@ -1,0 +2,58 @@ +Thu Feb 19 21:56:07 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.65.3: + 🛡️ Security Fix: Race Condition in Role Update Validation + + What was affected + + A race condition in the user role validation logic could allow + permission checks to succeed based on stale role data. Under very + specific timing conditions, concurrent requests during a role + change (e.g., while an admin was being demoted to user) could + bypass role validation when changing another users role. + + Exploit Potential + + If an administrator account was being demoted while + simultaneously performing acocunt ownership transfer actions, a + race window existed where the system could treat the user as + having elevated permissions to change owners. + + In a coordinated scenario involving two administrator accounts, + this could potentially allow privilege escalation — for example, + promoting a user to Owner during the demotion window. + + Conditions Required + + Exploitation required: + + - Two administrator accounts. + - One administrator being actively demoted. + - Concurrent ownership transfer requests executed precisely + during the demotion process. + - Precise timing to trigger the race condition. + - This issue required intentional coordination and timing, making + it unlikely to occur accidentally and will require access to + two admin accounts. + + - Client & Mobile Improvements + - Batched macOS DNS domains to avoid truncation issues. #5368 + - Ensured route settlement on iOS before handling DNS + responses. #5360 + - Added logging of lock acquisition time in message handling + for improved observability. #5393 + - Relay Improvements + - Reduced QUIC initial packet size to 1280 bytes (IPv6 minimum + MTU) for better compatibility. #5374 + - Management Improvements + - Fixed possible race condition on user role change. #5395 + - Added docker login step in management tests. 
#5323 + - Self-Hosted Updates + - Added a migration script for upgrading from pre-v0.65.0 to + post-v0.65.0 combined setup. #5350 + - Removed unused configuration example from self-hosted setup. + #5383 + - Miscellaneous + - Updated timestamp format to include milliseconds. #5387 + +------------------------------------------------------------------- Old: ---- netbird-0.65.2.obscpio New: ---- netbird-0.65.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netbird.spec ++++++ --- /var/tmp/diff_new_pack.ftamAj/_old 2026-02-20 17:52:30.064226252 +0100 +++ /var/tmp/diff_new_pack.ftamAj/_new 2026-02-20 17:52:30.068226419 +0100 @@ -32,7 +32,7 @@ %bcond_with stub_config Name: netbird -Version: 0.65.2 +Version: 0.65.3 Release: 0 Summary: Mesh VPN based on WireGuard License: AGPL-3.0-only AND BSD-3-Clause ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ftamAj/_old 2026-02-20 17:52:30.140229436 +0100 +++ /var/tmp/diff_new_pack.ftamAj/_new 2026-02-20 17:52:30.144229603 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/netbirdio/netbird.git</param> <param name="scm">git</param> <param name="package-meta">yes</param> - <param name="revision">refs/tags/v0.65.2</param> + <param name="revision">refs/tags/v0.65.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">disable</param> ++++++ netbird-0.65.2.obscpio -> netbird-0.65.3.obscpio ++++++ ++++ 3051 lines of diff (skipped) ++++++ netbird.obsinfo ++++++ --- /var/tmp/diff_new_pack.ftamAj/_old 2026-02-20 17:52:33.880386114 +0100 +++ /var/tmp/diff_new_pack.ftamAj/_new 2026-02-20 17:52:33.884386282 +0100 
@@ -1,5 +1,5 @@ name: netbird -version: 0.65.2 -mtime: 1771354394 -commit: e9b2a6e80892ade6925e156690f86e758d42ceee +version: 0.65.3 +mtime: 1771525127 +commit: f117fc7509268944e307adaf05b6225d790f7600 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/netbird/vendor.tar.zst /work/SRC/openSUSE:Factory/.netbird.new.1977/vendor.tar.zst differ: char 7, line 1
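Review bot: In the netbird.changes hunk, the security entry for 0.65.3 carries no bug or CVE reference; the only traceable identifier is the upstream PR number under Management Improvements ("Fixed possible race condition on user role change. #5395"). If a tracking bug or CVE exists for the role-validation race, add it to the entry so the fix can be found by tooling and by anyone backporting it. The same entry has typos to fix before check-in: "acocunt ownership transfer" should read "account", and "another users role" should read "another user's role". The emoji in the "Security Fix" heading could be dropped in favour of plain text.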
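Review bot: In the _service hunk, the source is selected by tag (refs/tags/v0.65.3), and a git tag can be moved after the fact. The netbird.obsinfo hunk records the resolved commit f117fc7509268944e307adaf05b6225d790f7600, so confirm that this is the commit upstream's v0.65.3 tag points to before accepting. The obscpio change is shown only as "3051 lines of diff (skipped)" and vendor.tar.zst only as "differ: char 7, line 1", so neither the role-validation fix nor any vendored dependency change can be reviewed from this mail; check them in the request itself (rq:1334084).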
