Hello community,

here is the log from the commit of package opentofu for openSUSE:Factory checked in at 2026-05-15 23:55:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/opentofu (Old)
 and /work/SRC/openSUSE:Factory/.opentofu.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "opentofu" Fri May 15 23:55:12 2026 rev:47 rq:1353298 version:1.11.8 Changes: -------- --- /work/SRC/openSUSE:Factory/opentofu/opentofu.changes 2026-05-11 17:10:01.540103551 +0200 +++ /work/SRC/openSUSE:Factory/.opentofu.new.1966/opentofu.changes 2026-05-15 23:56:04.739453547 +0200 @@ -1,0 +2,13 @@ +Fri May 15 06:48:46 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.11.8: + * SECURITY ADVISORIES: + Previous releases in the v1.11 series could potentially take an + excessive amount of time and send extraneous data to an HTTP2 + server that specifies a maximum frame size of zero. This is now + fixed. (#4094) + An attacker that can coerce an operator to install a dependency + from an attacker-controlled server could use this to cause + unexpected resource consumption during tofu init. + +------------------------------------------------------------------- Old: ---- opentofu-1.11.7.obscpio New: ---- opentofu-1.11.8.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ opentofu.spec ++++++ --- /var/tmp/diff_new_pack.184pzw/_old 2026-05-15 23:56:06.023506404 +0200 +++ /var/tmp/diff_new_pack.184pzw/_new 2026-05-15 23:56:06.023506404 +0200 @@ -19,7 +19,7 @@ %define executable_name tofu Name: opentofu -Version: 1.11.7 +Version: 1.11.8 Release: 0 Summary: Declaratively manage your cloud infrastructure License: MPL-2.0 @@ -29,7 +29,7 @@ Source1: vendor.tar.gz Source99: opentofu-rpmlintrc BuildRequires: bash-completion -BuildRequires: go1.25 >= 1.25.9 +BuildRequires: go1.25 >= 1.25.10 BuildRequires: golang-packaging # See: https://github.com/hashicorp/opentofu/issues/22807 ExcludeArch: %{ix86} %{arm} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.184pzw/_old 2026-05-15 23:56:06.071508380 +0200 +++ /var/tmp/diff_new_pack.184pzw/_new 2026-05-15 23:56:06.075508545 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/opentofu/opentofu/</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.11.7</param> + <param name="revision">v1.11.8</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.184pzw/_old 2026-05-15 23:56:06.095509368 +0200 +++ /var/tmp/diff_new_pack.184pzw/_new 2026-05-15 23:56:06.099509533 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/opentofu/opentofu/</param> - <param name="changesrevision">398c818dcf617837724e3137e4682062574d1019</param></service></servicedata> + <param name="changesrevision">4bd8c80bbd5ca649869bd0f3443b88ae876bc89c</param></service></servicedata> (No newline at EOF) ++++++ opentofu-1.11.7.obscpio -> opentofu-1.11.8.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opentofu-1.11.7/CHANGELOG.md new/opentofu-1.11.8/CHANGELOG.md --- old/opentofu-1.11.7/CHANGELOG.md 2026-05-11 12:46:32.000000000 +0200 +++ new/opentofu-1.11.8/CHANGELOG.md 2026-05-14 10:48:00.000000000 +0200 
@@ -1,6 +1,15 @@ The v1.11.x release series is supported until **August 1 2026**. -## 1.11.8 (Unreleased) +## 1.11.9 (Unreleased) + +## 1.11.8 + +SECURITY ADVISORIES: + +* Previous releases in the v1.11 series could potentially take an excessive amount of time and send extraneous data to an HTTP2 server that specifies a maximum frame size of zero. This is now fixed. ([#4094](https://github.com/opentofu/opentofu/issues/4094)) + + An attacker that can coerce an operator to install a dependency from an attacker-controlled server could use this to cause unexpected resource consumption during `tofu init`. + ## 1.11.7 BUG FIXES: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opentofu-1.11.7/go.mod new/opentofu-1.11.8/go.mod --- old/opentofu-1.11.7/go.mod 2026-05-11 12:46:32.000000000 +0200 +++ new/opentofu-1.11.8/go.mod 2026-05-14 10:48:00.000000000 +0200 @@ -1,6 +1,6 @@ module github.com/opentofu/opentofu -go 1.25.9 +go 1.25.10 // At the time of adding this configuration, the new Go feature introduced here https://github.com/golang/go/issues/67061, // was having a good amount of issues linked to, affecting AWS Firewall, GCP various services and a lot more. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opentofu-1.11.7/version/VERSION new/opentofu-1.11.8/version/VERSION --- old/opentofu-1.11.7/version/VERSION 2026-05-11 12:46:32.000000000 +0200 +++ new/opentofu-1.11.8/version/VERSION 2026-05-14 10:48:00.000000000 +0200 @@ -1 +1 @@ -1.11.7 +1.11.8 ++++++ opentofu.obsinfo ++++++ --- /var/tmp/diff_new_pack.184pzw/_old 2026-05-15 23:56:10.919707954 +0200 +++ /var/tmp/diff_new_pack.184pzw/_new 2026-05-15 23:56:10.923708118 +0200 
@@ -1,5 +1,5 @@ name: opentofu -version: 1.11.7 -mtime: 1778496392 -commit: 398c818dcf617837724e3137e4682062574d1019 +version: 1.11.8 +mtime: 1778748480 +commit: 4bd8c80bbd5ca649869bd0f3443b88ae876bc89c ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/opentofu/vendor.tar.gz /work/SRC/openSUSE:Factory/.opentofu.new.1966/vendor.tar.gz differ: char 135, line 1
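Review bot: in the opentofu.changes hunk, the new entry records the security advisory with only the upstream issue number (#4094) and no CVE or bugzilla reference, so the update cannot be matched to a tracked security issue from the changelog alone. If an identifier has been assigned, add it to the entry. The entry also says nothing about the BuildRequires raise to go1.25 >= 1.25.10 made in opentofu.spec; one line for it would explain why the build dependency moved.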
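Review bot: in the second opentofu.spec hunk, the unchanged comment above ExcludeArch links to github.com/hashicorp/opentofu/issues/22807, while _service fetches from github.com/opentofu/opentofu/, so the reference looks like it points at the wrong repository and is worth correcting while the file is being touched. The new go1.25 >= 1.25.10 floor is consistent with the go 1.25.10 directive in the updated go.mod.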
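Review bot: the go.mod hunk changes only the go directive (1.25.9 to 1.25.10), and vendor.tar.gz is reported only as a binary difference, so nothing in this mail shows which code carries the HTTP2 maximum-frame-size fix described in the CHANGELOG.md hunk or whether any vendored module changed. State in opentofu.changes whether the fix comes from the toolchain bump or from a vendored dependency, and list any module version changes inside vendor.tar.gz, so the update can be audited.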
