Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package istioctl for openSUSE:Factory checked in at 2026-06-28 21:11:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/istioctl (Old)
 and      /work/SRC/openSUSE:Factory/.istioctl.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "istioctl" Sun Jun 28 21:11:16 2026 rev:52 rq:1362201 version:1.30.2 Changes: -------- --- /work/SRC/openSUSE:Factory/istioctl/istioctl.changes 2026-06-05 15:03:31.184300237 +0200 +++ /work/SRC/openSUSE:Factory/.istioctl.new.11887/istioctl.changes 2026-06-28 21:12:39.910497326 +0200 
@@ -1,0 +2,79 @@ +Sun Jun 28 15:17:49 UTC 2026 - Johannes Kastl <[email protected]> + +- update to 1.30.2: + https://istio.io/latest/news/releases/1.30.x/announcing-1.30.2/ + No istioctl-related changes + Security updates + https://istio.io/latest/news/security/istio-security-2026-005/ + Envoy CVEs + * GHSA-p7c7-7c47-pwch: (CVSS score 7.5): Fixed a + denial-of-service vulnerability in the HTTP/3 stack via QPACK + blocked decoding. When a QPACK header block was blocked waiting + for dynamic table updates, the HEADERS payload bytes were + released from QUIC receive-flow-control accounting while still + retained in an internal decoder heap buffer, allowing a remote + attacker to drive unbounded memory growth and trigger an + out-of-memory condition. + * CVE-2026-47692: (CVSS score 4.8): Fixed a bug where passthrough + TLVs combined with added TLVs could exceed the maximum length, + resulting in a mismatch between the size reported in the header + and the number of bytes written. This could allow a smuggled + request from the host writing the PROXY protocol header to the + upstream host. + * CVE-2026-47207: (CVSS score 6.5): Fixed a bug where the + ext_proc server sends unexpected ProcessingResponses to Envoy. + * CVE-2026-47205: (CVSS score 5.9): Fixed a use-after-free crash + in the ext_authz filter when per-route service overrides are + active and the downstream connection resets during an in-flight + authorization check. + * CVE-2026-47220: (CVSS score 7.5): Fixed a crash bug in the + %REQUESTED_SERVER_NAME% formatter where the host or original + host is not set correctly but the formatter is configured to + access the host value. + * CVE-2026-47221: (CVSS score 5.9): Fixed an issue when handling + HTTP 303 internal redirects for body-less requests. The + redirect handling code attempted to drain a request body buffer + that was never allocated, causing a segmentation fault. 
+ * CVE-2026-48044: (CVSS score 7.5): Fixed a memory exhaustion + vulnerability in the Zstd decompressor where the + MaxInflateRatio limit was only checked after each input slice + was fully processed, allowing a maliciously crafted compressed + payload to expand to hundreds of MB within a single process() + call. The inflate ratio limit is now enforced inside the inner + decompression loop, matching the gzip and brotli decompressors + and aborting decompression as soon as the threshold is + breached. + * CVE-2026-48090: (CVSS score 5.9): Fixed a bug where the + asynchronous token change callback could be triggered after the + filter had been torn down (onDestroy() had been called), which + could lead to accessing dangling pointers and result in + UAF/crash. + * CVE-2026-47778: (CVSS score 4.4): Fixed an issue where Envoy + could fail to validate the Subject Alternative Name (SAN) of a + peer certificate if the SAN contained an embedded NUL byte. + Previously, the SAN parsing was vulnerable to NUL byte + truncation in some configurations, potentially leading to + incorrect trust decisions. + * CVE-2026-47204: (CVSS score 6.5): Fixed a crash or + use-after-free when gRPC stats filter performs stat tracking on + a direct response route. + * CVE-2026-48497: (CVSS score 5.9): Fixed sanity checking of the + query name length to avoid abnormal process termination. Use + ENVOY_BUG in case the sanity check fails. + * CVE-2026-48706: (CVSS score 5.9): Fixed a TcpStatsdSink buffer + overflow issue with a large stats name. + * CVE-2026-48743: (CVSS score 7.5): Fixed HTTP/3 headers-only + request and response content-length validation and reset stream + if inconsistent. The change is guarded by runtime guard + envoy.reloadable_features.quic_validate_headers_only_content_length. + * CVE-2026-47775: (CVSS score 6.8): Addressed a padding oracle in + the OAuth2 filter’s AES-256-CBC cookie decryption. The filter + now supports AES-256-GCM encryption with a gcm. 
algorithm + marker, which authenticates the ciphertext and removes the + oracle. + * CVE-2026-48042: (CVSS score 7.5): Limited JSON nesting depth to + 1000. The limit could be relaxed to 10K by setting the + envoy.reloadable_features.limit_json_parser_nesting_depth to + false. + +------------------------------------------------------------------- Old: ---- istioctl-1.30.1.obscpio New: ---- istioctl-1.30.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ istioctl.spec ++++++ --- /var/tmp/diff_new_pack.3yvbKL/_old 2026-06-28 21:12:40.758526001 +0200 +++ /var/tmp/diff_new_pack.3yvbKL/_new 2026-06-28 21:12:40.758526001 +0200 @@ -17,7 +17,7 @@ Name: istioctl -Version: 1.30.1 +Version: 1.30.2 Release: 0 Summary: CLI for the istio servic mesh in Kubernetes License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.3yvbKL/_old 2026-06-28 21:12:40.798527354 +0200 +++ /var/tmp/diff_new_pack.3yvbKL/_new 2026-06-28 21:12:40.802527489 +0200 @@ -1,9 +1,9 @@ <services> <service name="obs_scm" mode="manual"> - <param name="url">https://github.com/istio/istio</param> + <param name="url">https://github.com/istio/istio.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">1.30.1</param> + <param name="revision">refs/tags/1.30.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">disable</param> <param name="filename">istioctl</param> ++++++ istioctl-1.30.1.obscpio -> istioctl-1.30.2.obscpio ++++++ ++++ 2877 lines of diff (skipped) ++++++ istioctl.obsinfo ++++++ --- /var/tmp/diff_new_pack.3yvbKL/_old 2026-06-28 21:12:45.946701435 +0200 +++ /var/tmp/diff_new_pack.3yvbKL/_new 2026-06-28 21:12:45.958701841 +0200 
@@ -1,5 +1,5 @@ name: istioctl -version: 1.30.1 -mtime: 1780583148 -commit: 10229c76f2854420eeac94906ffff949b9aab746 +version: 1.30.2 +mtime: 1782261093 +commit: f888ab4c8a0c3d0427bb0053fbebbe6b1f7e9a91 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/istioctl/vendor.tar.gz /work/SRC/openSUSE:Factory/.istioctl.new.11887/vendor.tar.gz differ: char 13, line 1
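Review bot: In the istioctl.changes hunk, the entry opens with "No istioctl-related changes" and then lists one GHSA and fourteen CVE entries under "Security updates", which reads as if this package update fixes them; since these are Envoy CVEs and istioctl is the CLI (see the spec Summary), consider adding one line after the "Envoy CVEs" heading such as "(fixed in the Envoy proxy, not in this package)" so downstream CVE trackers do not attribute them to the istioctl package. GHSA-p7c7-7c47-pwch is the only entry without a CVE id; if one is assigned later, adding it keeps the list greppable.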
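Review bot: In the istioctl.spec hunk, the unchanged context line "Summary: CLI for the istio servic mesh in Kubernetes" still carries the typo "servic"; since the spec is touched for the version bump anyway, fixing it to "service mesh" in the same submit request would be cheap.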
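Review bot: In the _service hunk, changing revision from the bare "1.30.1" to "refs/tags/1.30.2" is a good move, as it removes the ambiguity of a branch and a tag sharing a name, and with versionformat still "@PARENT_TAG@" the package version resolves to 1.30.2 as expected. Because a tag can be moved, the commit recorded in istioctl.obsinfo (f888ab4c8a0c3d0427bb0053fbebbe6b1f7e9a91) is the real pin; it is worth checking it against the upstream 1.30.2 tag before accepting.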
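Review bot: For the istioctl.obsinfo hunk and the vendor.tar.gz line, the 2877-line source diff is skipped and the vendor tarball is reported only as "differ", so the dependency changes in this update are not visible in the log; a short note in the .changes entry listing any bumped Go modules (or confirming none) would let reviewers assess the supply-chain side of the update.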
