Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package istioctl for openSUSE:Factory checked in at 2026-06-28 21:11:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/istioctl (Old)
 and      /work/SRC/openSUSE:Factory/.istioctl.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "istioctl"

Sun Jun 28 21:11:16 2026 rev:52 rq:1362201 version:1.30.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/istioctl/istioctl.changes        2026-06-05 15:03:31.184300237 +0200
+++ /work/SRC/openSUSE:Factory/.istioctl.new.11887/istioctl.changes     2026-06-28 21:12:39.910497326 +0200
@@ -1,0 +2,79 @@
+Sun Jun 28 15:17:49 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- update to 1.30.2:
+  https://istio.io/latest/news/releases/1.30.x/announcing-1.30.2/
+  No istioctl-related changes
+  Security updates
+  https://istio.io/latest/news/security/istio-security-2026-005/
+  Envoy CVEs
+  * GHSA-p7c7-7c47-pwch: (CVSS score 7.5): Fixed a
+    denial-of-service vulnerability in the HTTP/3 stack via QPACK
+    blocked decoding. When a QPACK header block was blocked waiting
+    for dynamic table updates, the HEADERS payload bytes were
+    released from QUIC receive-flow-control accounting while still
+    retained in an internal decoder heap buffer, allowing a remote
+    attacker to drive unbounded memory growth and trigger an
+    out-of-memory condition.
+  * CVE-2026-47692: (CVSS score 4.8): Fixed a bug where passthrough
+    TLVs combined with added TLVs could exceed the maximum length,
+    resulting in a mismatch between the size reported in the header
+    and the number of bytes written. This could allow a smuggled
+    request from the host writing the PROXY protocol header to the
+    upstream host.
+  * CVE-2026-47207: (CVSS score 6.5): Fixed a bug where the
+    ext_proc server sends unexpected ProcessingResponses to Envoy.
+  * CVE-2026-47205: (CVSS score 5.9): Fixed a use-after-free crash
+    in the ext_authz filter when per-route service overrides are
+    active and the downstream connection resets during an in-flight
+    authorization check.
+  * CVE-2026-47220: (CVSS score 7.5): Fixed a crash bug in the
+    %REQUESTED_SERVER_NAME% formatter where the host or original
+    host is not set correctly but the formatter is configured to
+    access the host value.
+  * CVE-2026-47221: (CVSS score 5.9): Fixed an issue when handling
+    HTTP 303 internal redirects for body-less requests. The
+    redirect handling code attempted to drain a request body buffer
+    that was never allocated, causing a segmentation fault.
+  * CVE-2026-48044: (CVSS score 7.5): Fixed a memory exhaustion
+    vulnerability in the Zstd decompressor where the
+    MaxInflateRatio limit was only checked after each input slice
+    was fully processed, allowing a maliciously crafted compressed
+    payload to expand to hundreds of MB within a single process()
+    call. The inflate ratio limit is now enforced inside the inner
+    decompression loop, matching the gzip and brotli decompressors
+    and aborting decompression as soon as the threshold is
+    breached.
+  * CVE-2026-48090: (CVSS score 5.9): Fixed a bug where the
+    asynchronous token change callback could be triggered after the
+    filter had been torn down (onDestroy() had been called), which
+    could lead to accessing dangling pointers and result in
+    UAF/crash.
+  * CVE-2026-47778: (CVSS score 4.4): Fixed an issue where Envoy
+    could fail to validate the Subject Alternative Name (SAN) of a
+    peer certificate if the SAN contained an embedded NUL byte.
+    Previously, the SAN parsing was vulnerable to NUL byte
+    truncation in some configurations, potentially leading to
+    incorrect trust decisions.
+  * CVE-2026-47204: (CVSS score 6.5): Fixed a crash or
+    use-after-free when gRPC stats filter performs stat tracking on
+    a direct response route.
+  * CVE-2026-48497: (CVSS score 5.9): Fixed sanity checking of the
+    query name length to avoid abnormal process termination. Use
+    ENVOY_BUG in case the sanity check fails.
+  * CVE-2026-48706: (CVSS score 5.9): Fixed a TcpStatsdSink buffer
+    overflow issue with a large stats name.
+  * CVE-2026-48743: (CVSS score 7.5): Fixed HTTP/3 headers-only
+    request and response content-length validation and reset stream
+    if inconsistent. The change is guarded by runtime guard
+    envoy.reloadable_features.quic_validate_headers_only_content_length.
+  * CVE-2026-47775: (CVSS score 6.8): Addressed a padding oracle in
+    the OAuth2 filter’s AES-256-CBC cookie decryption. The filter
+    now supports AES-256-GCM encryption with a gcm. algorithm
+    marker, which authenticates the ciphertext and removes the
+    oracle.
+  * CVE-2026-48042: (CVSS score 7.5): Limited JSON nesting depth to
+    1000. The limit could be relaxed to 10K by setting the
+    envoy.reloadable_features.limit_json_parser_nesting_depth to
+    false.
+
+-------------------------------------------------------------------
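Review bot: the entry opens with "No istioctl-related changes" and then lists thirteen Envoy CVEs, which is easy to misread as this package fixing them; since the istioctl package ships only the CLI (see the spec Summary) and not the Envoy proxy, it would help to state in the same entry that the listed CVEs concern the Istio data plane (proxy images) and are noted here for completeness, so that anyone scanning the changelog for CVE coverage does not count this update as remediating them. Two wording nits in the security bullets: the CVE-2026-47775 line reads "with a gcm. algorithm marker", where the stray period after "gcm" should be dropped or the marker quoted, and the CVE-2026-48042 line should say which component's JSON parser the 1000-level nesting limit applies to, as the bullet otherwise reads as a general statement.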

Old:
----
  istioctl-1.30.1.obscpio

New:
----
  istioctl-1.30.2.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ istioctl.spec ++++++
--- /var/tmp/diff_new_pack.3yvbKL/_old  2026-06-28 21:12:40.758526001 +0200
+++ /var/tmp/diff_new_pack.3yvbKL/_new  2026-06-28 21:12:40.758526001 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           istioctl
-Version:        1.30.1
+Version:        1.30.2
 Release:        0
 Summary:        CLI for the istio servic mesh in Kubernetes
 License:        Apache-2.0
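Review bot: the Summary in the unchanged context still reads "CLI for the istio servic mesh in Kubernetes"; since the spec is being touched for the version bump anyway, this is a good moment to fix the typo to "service mesh" (and the bump itself, 1.30.1 to 1.30.2, matches the changes entry and the obsinfo).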

++++++ _service ++++++
--- /var/tmp/diff_new_pack.3yvbKL/_old  2026-06-28 21:12:40.798527354 +0200
+++ /var/tmp/diff_new_pack.3yvbKL/_new  2026-06-28 21:12:40.802527489 +0200
@@ -1,9 +1,9 @@
 <services>
   <service name="obs_scm" mode="manual">
-    <param name="url">https://github.com/istio/istio</param>
+    <param name="url">https://github.com/istio/istio.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">1.30.1</param>
+    <param name="revision">refs/tags/1.30.2</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">disable</param>
     <param name="filename">istioctl</param>
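Review bot: switching revision from the bare name "1.30.1" to "refs/tags/1.30.2" is an improvement, because a bare name is ambiguous between a branch and a tag of the same name and the explicit ref namespace removes that ambiguity at fetch time; the URL change to the ".git" suffix is cosmetic but harmless. Note that a tag is still a mutable pointer, so the commit recorded in istioctl.obsinfo is the actual pin for reproducible builds; with changesgenerate disabled the changelog is hand-maintained, which is consistent with the manually written entry above.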

++++++ istioctl-1.30.1.obscpio -> istioctl-1.30.2.obscpio ++++++
++++ 2877 lines of diff (skipped)

++++++ istioctl.obsinfo ++++++
--- /var/tmp/diff_new_pack.3yvbKL/_old  2026-06-28 21:12:45.946701435 +0200
+++ /var/tmp/diff_new_pack.3yvbKL/_new  2026-06-28 21:12:45.958701841 +0200
@@ -1,5 +1,5 @@
 name: istioctl
-version: 1.30.1
-mtime: 1780583148
-commit: 10229c76f2854420eeac94906ffff949b9aab746
+version: 1.30.2
+mtime: 1782261093
+commit: f888ab4c8a0c3d0427bb0053fbebbe6b1f7e9a91
 
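Review bot: the commit field is what actually pins this build, so the reviewer should confirm that f888ab4c8a0c3d0427bb0053fbebbe6b1f7e9a91 is the commit the upstream tag 1.30.2 resolves to (for example `git rev-parse 1.30.2^{commit}` in a fresh clone of the repository named in _service) rather than trusting the tag name alone, since tags can be moved; the version and mtime fields are consistent with the new tag.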

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/istioctl/vendor.tar.gz /work/SRC/openSUSE:Factory/.istioctl.new.11887/vendor.tar.gz differ: char 13, line 1
