Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package goshs for openSUSE:Factory checked in at 2026-04-14 17:49:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/goshs (Old)
 and      /work/SRC/openSUSE:Factory/.goshs.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "goshs" Tue Apr 14 17:49:09 2026 rev:4 rq:1346500 version:2.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/goshs/goshs.changes 2026-03-14 22:24:23.298084496 +0100 +++ /work/SRC/openSUSE:Factory/.goshs.new.21863/goshs.changes 2026-04-14 17:49:44.687074402 +0200 
@@ -1,0 +2,49 @@ +Mon Apr 13 19:37:42 UTC 2026 - Martin Hauke <[email protected]> + +- Update to version 2.0.0 + Highlights + * SMB server with NTLM hash capture and optional quick hash + cracking. + * DNS server to receive and log incoming DNS queries. + * SMTP server to receive emails and attachments. + * Redirect endpoint for HTTP 3xx redirects with custom headers. + * File-based ACLs for per-directory authentication and access + control. + * Share links with time and download limits, QR codes, and + token-based access WebDAV, SFTP, Basic Auth, Certificate Auth, + Let’s Encrypt, and much more + Security Fixes + * Fix GHSA-7qx6-f23w-3w7f + Unauthenticated Open Redirect, Arbitrary HTTP Response Header + Injection, Missing CSRF, and Invisible-Mode Bypass in goshs + `/?redirect` endpoint + * Fix GHSA-7h3j-592v-jcrp + Public collaborator feed leaks .goshs ACL credentials and + enables unauthorized access. + * Fix GHSA-jrq5-hg6x-j6g3 + CSRF in state-changing GET routes enables authenticated file + deletion and directory creation + * Fix GHSA-c29w-qq4m-2gcv + Empty-username SFTP password authentication bypass in goshs + * Fix GHSA-5h6h-7rc9-3824 + SFTP root escape via prefix-based path validation in goshs + * Fix CVE-2026-40189 (boo#1261996), GHSA-wvhv-qcqf-f3cx + File-based ACL authorization bypass in goshs state-changing + routes. 
+ * Fix CVE-2026-40188 (boo#1261995), GHSA-2943-crp8-38xx + Missing Write Protection for Parametric Data Values + * Fix CVE-2026-35393 (boo#1261608), GHSA-jg56-wf8x-qrv5 + Improper Limitation of a Pathname to a Restricted Directory + ('Path Traversal') in goshs POST multipart upload + * Fix CVE-2026-35392 (boo#1261607), GHSA-g8mv-vp7j-qp64 + Improper Limitation of a Pathname to a Restricted Directory + ('Path Traversal') in goshs PUT Upload + * Fix CVE-2026-35471 (boo#1261609), GHSA-6qcc-6q27-whp8 + Improper Limitation of a Pathname to a Restricted Directory + ('Path Traversal') in goshs deleteFile() + * Fix GHSA-jgfx-74g2-9r6g + Auth Bypass via Share Token +- Add patch: + * gosh-fix-test.patch + +------------------------------------------------------------------- Old: ---- goshs-1.1.4.tar.gz New: ---- gosh-fix-test.patch goshs-2.0.0.tar.gz ----------(New B)---------- New:- Add patch: * gosh-fix-test.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ goshs.spec ++++++ --- /var/tmp/diff_new_pack.Nt3qMw/_old 2026-04-14 17:49:46.639155090 +0200 +++ /var/tmp/diff_new_pack.Nt3qMw/_new 2026-04-14 17:49:46.643155255 +0200 @@ -16,7 +16,7 @@ # Name: goshs -Version: 1.1.4 +Version: 2.0.0 Release: 0 Summary: A simple HTTP server License: MIT @@ -25,6 +25,7 @@ #Git-Clone: https://github.com/patrickhener/goshs.git Source: https://github.com/patrickhener/goshs/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.gz +Patch0: gosh-fix-test.patch BuildRequires: go >= 1.24.1 BuildRequires: golang-packaging # shared-mime-info needed for tests ++++++ gosh-fix-test.patch ++++++ diff --git a/smtpserver/session_test.go b/smtpserver/session_test.go index 14ebf26..b8dfc74 100644 --- a/smtpserver/session_test.go +++ b/smtpserver/session_test.go 
@@ -97,7 +97,7 @@ func TestDeriveFilename_KnownTypes(t *testing.T) { {"application/pdf", "attachment.pdf"}, {"application/zip", "attachment.zip"}, {"text/plain", "attachment.txt"}, - {"video/mp4", "attachment.mpg4"}, + {"video/mp4", "attachment.mp4"}, } for _, tc := range tests { got := deriveFilename(tc.mime) ++++++ goshs-1.1.4.tar.gz -> goshs-2.0.0.tar.gz ++++++ ++++ 37602 lines of diff (skipped) ++++++ vendor.tar.gz ++++++ ++++ 35067 lines of diff (skipped)
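Review bot: In the goshs.changes entry, the last Highlights bullet runs two items together: "token-based access WebDAV, SFTP, Basic Auth, Certificate Auth, Let’s Encrypt, and much more" reads as if the line break and "*" before "WebDAV" were lost, so split it into its own bullet. The "Add patch" item gives only the file name gosh-fix-test.patch; add a few words on what it changes (the expected video/mp4 file name in smtpserver/session_test.go), and note that the patch name drops the "s" of goshs.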
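Review bot: In the first goshs.spec hunk, "Summary: A simple HTTP server" is left unchanged while the Version moves to 2.0.0, whose changelog highlights an SMB server with NTLM hash capture, a DNS server and an SMTP server. Update the Summary (and the description, if it says the same) so that someone auditing installed packages can see that this one now ships more network listeners than an HTTP file server.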
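Review bot: In the second goshs.spec hunk, the new "Patch0: gosh-fix-test.patch" line has no comment above it stating the patch's origin and upstream status, and neither spec hunk shows the %prep section, so it is not visible here that the patch is applied at all. Add a tag comment such as "# PATCH-FIX-UPSTREAM gosh-fix-test.patch -- correct expected video/mp4 file name in test" (or PATCH-FIX-OPENSUSE if it will stay distro-only) and confirm that %prep uses %autosetup -p1 or an explicit %patch for it.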
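Review bot: In TestDeriveFilename_KnownTypes (gosh-fix-test.patch), the video/mp4 case still pins one exact file name, now "attachment.mp4" instead of "attachment.mpg4", so the test can flip between pass and fail depending on which extension the build host reports for that type (the spec notes that shared-mime-info is needed for tests). If deriveFilename takes the extension from the system MIME tables, either accept both extensions in the test or have deriveFilename prefer a fixed extension for video/mp4, and send that change upstream instead of carrying a distro-specific expectation.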
