Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package alloy for openSUSE:Factory checked in at 2026-06-11 17:26:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/alloy (Old) and /work/SRC/openSUSE:Factory/.alloy.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "alloy" Thu Jun 11 17:26:53 2026 rev:36 rq:1358578 version:1.16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/alloy/alloy.changes 2026-05-11 17:08:18.755873813 +0200 +++ /work/SRC/openSUSE:Factory/.alloy.new.1981/alloy.changes 2026-06-11 17:28:48.509972170 +0200 @@ -1,0 +2,7 @@ +Tue Jun 9 11:29:33 UTC 2026 - Witek Bedyk <[email protected]> + +- CVE-2026-41889: Fix SQL injection by bumping github.com/jackc/pgx + to version 5.9.2 (bsc#1265440) + - add patch 0003-Bump-jackc-pgx.patch + +------------------------------------------------------------------- New: ---- 0003-Bump-jackc-pgx.patch ----------(New B)---------- New: to version 5.9.2 (bsc#1265440) - add patch 0003-Bump-jackc-pgx.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ alloy.spec ++++++ --- /var/tmp/diff_new_pack.823NG3/_old 2026-06-11 17:28:50.446053359 +0200 +++ /var/tmp/diff_new_pack.823NG3/_new 2026-06-11 17:28:50.446053359 +0200 @@ -31,6 +31,7 @@ Source6: alloy.tmpfiles Patch1: 0001-Bump-sql_exporter.patch Patch2: 0002-Bump-Apache-Thrift.patch +Patch3: 0003-Bump-jackc-pgx.patch BuildRequires: go1.26 >= 1.26.2 BuildRequires: pkgconfig(libsystemd) BuildRequires: user(alloy) ++++++ 0003-Bump-jackc-pgx.patch ++++++ >From 18ada3b664fabecf5da766eee07e5306774a4a97 Mon Sep 17 00:00:00 2001 From: "renovate-sh-app[bot]" <219655108+renovate-sh-app[bot]@users.noreply.github.com> Date: Wed, 27 May 2026 12:57:49 -0400 Subject: [PATCH] fix(security/UNKNOWN): Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY] (#6326) | datasource | package | from | to | | ---------- | ----------------------- | ------ | ------ | | go | github.com/jackc/pgx/v5 | v5.8.0 | v5.9.2 | 
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> (cherry picked from commit bf3ff2e22273e5ee22031dff7b2495bc7441b868)
---
 collector/go.mod | 4 ++--
 collector/go.sum | 8 ++++----
 extension/alloyengine/go.mod | 4 ++--
 extension/alloyengine/go.sum | 8 ++++----
 go.mod | 4 ++--
 go.sum | 8 ++++----
 6 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/collector/go.mod b/collector/go.mod
index 74fb496f5..6df76ea2e 100644
--- a/collector/go.mod
+++ b/collector/go.mod
@@ -605,8 +605,8 @@ require (
  github.com/ionos-cloud/sdk-go/v6 v6.3.6 // indirect
  github.com/itchyny/timefmt-go v0.1.7 // indirect
  github.com/jackc/pgpassfile v1.0.0 // indirect
- github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
- github.com/jackc/pgx/v5 v5.5.5 // indirect
+ github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+ github.com/jackc/pgx/v5 v5.9.2 // indirect
  github.com/jackc/puddle/v2 v2.2.2 // indirect
  github.com/jaegertracing/jaeger-idl v0.6.0 // indirect
  github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
diff --git a/collector/go.sum b/collector/go.sum
index 9e3103cb6..87f3be6bf 100644
--- a/collector/go.sum
+++ b/collector/go.sum
@@ -1419,11 +1419,11 @@ github.com/itchyny/timefmt-go v0.1.7/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFn
 github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx v3.3.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jaegertracing/jaeger-idl v0.6.0 h1:LOVQfVby9ywdMPI9n3hMwKbyLVV3BL1XH2QqsP5KTMk=
diff --git a/extension/alloyengine/go.mod b/extension/alloyengine/go.mod
index 1b1c02978..bc075f7a4 100644
--- a/extension/alloyengine/go.mod
+++ b/extension/alloyengine/go.mod
@@ -522,8 +522,8 @@ require (
  github.com/ionos-cloud/sdk-go/v6 v6.3.6 // indirect
  github.com/itchyny/timefmt-go v0.1.7 // indirect
  github.com/jackc/pgpassfile v1.0.0 // indirect
- github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
- github.com/jackc/pgx/v5 v5.5.5 // indirect
+ github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+ github.com/jackc/pgx/v5 v5.9.2 // indirect
  github.com/jackc/puddle/v2 v2.2.2 // indirect
  github.com/jaegertracing/jaeger-idl v0.6.0 // indirect
  github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
diff --git a/extension/alloyengine/go.sum b/extension/alloyengine/go.sum
index 30d1d8f83..f1b9c5b9b 100644
--- a/extension/alloyengine/go.sum
+++ b/extension/alloyengine/go.sum
@@ -1447,11 +1447,11 @@ github.com/itchyny/timefmt-go v0.1.7/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFn
 github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx v3.3.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jaegertracing/jaeger-idl v0.6.0 h1:LOVQfVby9ywdMPI9n3hMwKbyLVV3BL1XH2QqsP5KTMk=
diff --git a/go.mod b/go.mod
index f9cb6f773..0f7e65fd7 100644
--- a/go.mod
+++ b/go.mod
@@ -682,7 +682,7 @@ require (
  github.com/ionos-cloud/sdk-go/v6 v6.3.6 // indirect
  github.com/itchyny/timefmt-go v0.1.7 // indirect
  github.com/jackc/pgpassfile v1.0.0 // indirect
- github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+ github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
  github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
  github.com/jcmturner/aescts/v2 v2.0.0 // indirect
  github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
@@ -1052,7 +1052,7 @@ require (
  github.com/google/go-github/v62 v62.0.0 // indirect
  github.com/h2non/filetype v1.1.3 // indirect
  github.com/invopop/jsonschema v0.13.0 // indirect
- github.com/jackc/pgx/v5 v5.5.5 // indirect
+ github.com/jackc/pgx/v5 v5.9.2 // indirect
  github.com/jackc/puddle/v2 v2.2.2 // indirect
  github.com/klauspost/crc32 v1.3.0 // indirect
  github.com/leodido/go-urn v1.4.0 // indirect
diff --git a/go.sum b/go.sum
index 55bbb777b..081427053 100644
--- a/go.sum
+++ b/go.sum
@@ -1457,11 +1457,11 @@ github.com/itchyny/timefmt-go v0.1.7/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFn
 github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx v3.3.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jaegertracing/jaeger-idl v0.6.0 h1:LOVQfVby9ywdMPI9n3hMwKbyLVV3BL1XH2QqsP5KTMk=
--
2.51.0
++++++ prepare_webassets_and_vendor_go_modules.sh ++++++
--- /var/tmp/diff_new_pack.823NG3/_old 2026-06-11 17:28:50.590059398 +0200
+++ /var/tmp/diff_new_pack.823NG3/_new 2026-06-11 17:28:50.594059565 +0200
@@ -58,6 +58,7 @@
 echo "Vendoring the go modules"
 patch --no-backup-if-mismatch -p1 -i ${working_directory}/0001-Bump-sql_exporter.patch
 patch --no-backup-if-mismatch -p1 -i ${working_directory}/0002-Bump-Apache-Thrift.patch
+patch --no-backup-if-mismatch -p1 -i ${working_directory}/0003-Bump-jackc-pgx.patch
 pushd collector/ || exit 31
 go mod download || exit 33
 go mod vendor || exit 35
++++++ ui-1.16.1.tar.gz ++++++
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/alloy/vendor.tar.gz /work/SRC/openSUSE:Factory/.alloy.new.1981/vendor.tar.gz differ: char 13, line 1
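Review bot: The added `patch ... 0003-Bump-jackc-pgx.patch` line in prepare_webassets_and_vendor_go_modules.sh has no failure check, unlike `pushd`, `go mod download` and `go mod vendor` directly below it, which each end in `|| exit N`. Unless `set -e` is enabled outside this hunk, a patch that no longer applies would let the script carry on and vendor the unpatched pgx, so vendor.tar.gz could still ship the version this changelog entry ties to CVE-2026-41889 while the spec and changelog claim the fix. I would write `patch --no-backup-if-mismatch -p1 -i "${working_directory}/0003-Bump-jackc-pgx.patch" || exit 29` (the exit code is a constructed example), and give the two earlier `patch` calls the same treatment. A check after vendoring, such as `grep -q 'github.com/jackc/pgx/v5 v5.9.2' vendor/modules.txt || exit <code>`, would confirm the tarball really carries the fixed module. The script continues outside the hunk, so any existing error handling there is not visible.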
