Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package alloy for openSUSE:Factory checked in at 2026-05-11 16:57:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/alloy (Old) and /work/SRC/openSUSE:Factory/.alloy.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "alloy" Mon May 11 16:57:56 2026 rev:35 rq:1352374 version:1.16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/alloy/alloy.changes 2026-05-04 12:51:26.536354178 +0200 +++ /work/SRC/openSUSE:Factory/.alloy.new.1966/alloy.changes 2026-05-11 17:08:18.755873813 +0200 @@ -1,0 +2,17 @@ +Wed May 6 14:48:09 UTC 2026 - Witek Bedyk <[email protected]> + +- Update to version 1.16.1 + * Bug Fixes + logging: Fix startup deadlock when components log before + logging config is evaluated + Update to Beyla 3.9.8 + Migrate from Docker to Moby + +------------------------------------------------------------------- +Wed May 6 12:42:22 UTC 2026 - Witek Bedyk <[email protected]> + +- CVE-2026-41602: Fix Integer Overflow or Wraparound vulnerability in Apache + Thrift (bsc#1263530) + * Add 0002-Bump-Apache-Thrift.patch + +------------------------------------------------------------------- @@ -133,0 +151 @@ + * CVE-2026-34986: Fix panic in JWE decryption (bsc#1262955) Old: ---- alloy-1.16.0.tar.gz ui-1.16.0.tar.gz New: ---- 0002-Bump-Apache-Thrift.patch alloy-1.16.1.tar.gz ui-1.16.1.tar.gz ----------(New B)---------- New: Thrift (bsc#1263530) * Add 0002-Bump-Apache-Thrift.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ alloy.spec ++++++ --- /var/tmp/diff_new_pack.CXAXoX/_old 2026-05-11 17:08:25.432148509 +0200 +++ /var/tmp/diff_new_pack.CXAXoX/_new 2026-05-11 17:08:25.436148674 +0200 @@ -17,7 +17,7 @@ Name: alloy -Version: 1.16.0 +Version: 1.16.1 Release: 0 Summary: OpenTelemetry Collector distribution with programmable pipelines License: Apache-2.0 @@ -30,6 +30,7 @@ Source5: prepare_webassets_and_vendor_go_modules.sh Source6: alloy.tmpfiles Patch1: 0001-Bump-sql_exporter.patch +Patch2: 0002-Bump-Apache-Thrift.patch BuildRequires: go1.26 >= 1.26.2 BuildRequires: pkgconfig(libsystemd) BuildRequires: user(alloy) ++++++ 0001-Bump-sql_exporter.patch ++++++ ++++ 1628 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/alloy/0001-Bump-sql_exporter.patch ++++ and /work/SRC/openSUSE:Factory/.alloy.new.1966/0001-Bump-sql_exporter.patch ++++++ 0002-Bump-Apache-Thrift.patch ++++++ >From 2cc4b805e00c403abcbbf8d4bc6102ad5f3c3b5b Mon Sep 17 00:00:00 2001 From: Witek Bedyk <[email protected]> Date: Wed, 6 May 2026 15:35:56 +0200 Subject: [PATCH] Bump Apache Thrift to 0.23.0 --- collector/go.mod | 2 +- collector/go.sum | 4 ++-- extension/alloyengine/go.mod | 2 +- go.mod | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/collector/go.mod b/collector/go.mod index d0dc40e86..0261a621c 100644 --- a/collector/go.mod +++ b/collector/go.mod @@ -290,7 +290,7 @@ require ( github.com/antchfx/xpath v1.3.6 // indirect github.com/apache/arrow-go/v18 v18.4.0 // indirect github.com/apache/arrow/go/v12 v12.0.1 // indirect - github.com/apache/thrift v0.22.0 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/armon/go-metrics v0.4.1 // indirect github.com/aws/aws-msk-iam-sasl-signer-go v1.0.4 // indirect diff --git a/collector/go.sum b/collector/go.sum index e0f39b9a6..cd2346fce 100644 --- a/collector/go.sum +++ b/collector/go.sum @@ -496,8 +496,8 @@ github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXb github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14= github.com/apache/arrow/go/v12 v12.0.1 h1:JsR2+hzYYjgSUkBSaahpqCetqZMr76djX80fF/DiJbg= github.com/apache/arrow/go/v12 v12.0.1/go.mod h1:weuTY7JvTG/HDPtMQxEUp7pU73vkLWMLpY67QwZ/WWw= -github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc= -github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g= +github.com/apache/thrift v0.23.0 h1:wKR6YnefQSEnxpEfmgTPuJibNG4bF0p2TK34tHLWi3s= +github.com/apache/thrift v0.23.0/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs= github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ= github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= diff --git a/extension/alloyengine/go.mod b/extension/alloyengine/go.mod index f16e3a53e..32b8b76ea 100644 --- a/extension/alloyengine/go.mod +++ b/extension/alloyengine/go.mod @@ -208,7 +208,7 @@ require ( github.com/antchfx/xpath v1.3.6 // indirect github.com/apache/arrow-go/v18 v18.4.0 // indirect github.com/apache/arrow/go/v12 v12.0.1 // indirect - github.com/apache/thrift v0.22.0 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/armon/go-metrics v0.4.1 // indirect github.com/aws/aws-msk-iam-sasl-signer-go v1.0.4 // indirect diff --git a/go.mod b/go.mod index 000455d5a..be1531d44 100644 --- a/go.mod +++ b/go.mod @@ -477,7 +477,7 @@ require ( github.com/antchfx/xmlquery v1.5.0 // indirect github.com/antchfx/xpath v1.3.6 // indirect github.com/apache/arrow-go/v18 v18.4.0 // indirect - github.com/apache/thrift v0.22.0 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/armon/go-metrics v0.4.1 // indirect github.com/aws/aws-msk-iam-sasl-signer-go v1.0.4 // indirect -- 2.51.0 ++++++ alloy-1.16.0.tar.gz -> alloy-1.16.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/alloy/alloy-1.16.0.tar.gz /work/SRC/openSUSE:Factory/.alloy.new.1966/alloy-1.16.1.tar.gz differ: char 25, line 2 ++++++ prepare_webassets_and_vendor_go_modules.sh ++++++ --- /var/tmp/diff_new_pack.CXAXoX/_old 2026-05-11 17:08:25.620156245 +0200 +++ /var/tmp/diff_new_pack.CXAXoX/_new 2026-05-11 17:08:25.636156903 +0200 @@ -57,6 +57,7 @@ echo "##########" echo "Vendoring the go modules" patch --no-backup-if-mismatch -p1 -i ${working_directory}/0001-Bump-sql_exporter.patch +patch --no-backup-if-mismatch -p1 -i ${working_directory}/0002-Bump-Apache-Thrift.patch pushd collector/ || exit 31 go mod download || exit 33 go mod vendor || exit 35 ++++++ ui-1.16.0.tar.gz -> ui-1.16.1.tar.gz ++++++ ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/alloy/vendor.tar.gz /work/SRC/openSUSE:Factory/.alloy.new.1966/vendor.tar.gz differ: char 13, line 1
