openSUSE Build Service

Security update for git-bug

This update for git-bug fixes the following issues:

- Fix CVE-2026-1229 and CVE-2026-41506
- CVE-2026-1229: CIRCL has an incorrect calculation in
secp384r1 CombinedMult (boo#1265416, GO-2026-4550) update
github.com/cloudflare/circl to v1.6.3
- CVE-2026-41506: HTTP authentication credential leak when
following redirects during smart-HTTP clone and fetch
operations (boo#1264955, GO-2026-4910),
update github.com/go-git/go-git/v5 to v5.17.1

- Revendor to include fixed version of depending libraries:
- GO-2025-4116 (CVE-2025-47913, boo#1253506) upgrade
golang.org/x/crypto to v0.43.0
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
github.com/go-viper/mapstructure/v2 to v2.4.0
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
github.com/cloudflare/circl to v1.6.1
- GO-2025-4134 (CVE-2025-58181, boo#1253930) upgrade
golang.org/x/crypto/ssh to v0.45.0
- GO-2025-4135 (CVE-2025-47914, boo#1254084) upgrade
golang.org/x/crypto/ssh/agent to v0.45.0

Submitted by Matej Cepl (mcepl)

Fixed bugs

VUL-0: CVE-2026-41506: git-bug: github.com/go-git/go-git/v5: HTTP authentication credential leak when following redirects during smart-HTTP clone and fetch operations

bnc#1253506

VUL-0: CVE-2025-47913: TRACKERBUG: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or

bnc#1254084

VUL-0: CVE-2025-47914: git-bug: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read

bnc#1265416

VUL-0: CVE-2026-1229: git-bug: github.com/cloudflare/circl: the CombinedMult function in the ecc/p384 package produces an incorrect value for specific inputs

bnc#1253930

VUL-0: CVE-2025-58181: git-bug: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption

Places

Fixed bugs

Selected Binaries

Places