Overview

File _patchinfo of Package patchinfo.40076

<patchinfo incident="40076">
  <issue tracker="bnc" id="1047218">trackerbug: packages do not build reproducibly from including build time</issue>
  <issue tracker="bnc" id="1240511">VUL-0: CVE-2025-30204: amber-cli: github.com/golang-jwt/jwt/v4,github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing</issue>
  <issue tracker="cve" id="2025-30204"/>
  <packager>aplanas</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for amber-cli</summary>
  <description>This update for amber-cli fixes the following issues:

- Update to version 1.13.1+git20250329.c2e3bb8:
  * CVE-2025-30204: Fixed jwt-go excessive memory 
    allocation during header parsing (bsc#1240511)
  * jwt version upgrade (#174)
  * Update policy size limit to 20k (#173)
  * Update tenant user model with latest changes (#172)
  * Fix/workflow (#171)
  * Upgrade GO version to 1.23.6 (#170)
  * Update golang jwt dependency (#169)
  * Update TMS roles struct (#167)
  * Update jwt dependency version (#165)
  * Add changes to support JWT (#163)
  * Update roles struct to be in sync with TMS (#164)
  * go upgrade to 1.22.7 (#162)
  * CASSINI-22266: Added permissions in ci workflow files (#153)
  * Add check for missing Security.md file (#150)
  * Go version upgrade to 1.22.5 (#148)
  * CLI changes (#140)
  * Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7 (#147)
  * Update product model to include multiple plan IDs (#146)
  * Updated the help section (#145)
  * Mark policy type field as not required (#144)
  * Upgrade/goversion 1.22.3 (#143)
  * Remove policy type and attestation type check for policy creation (#142)
  * Go version upgrade  1.22.2 (#141)
  * Fix error message to include the correct set of characters (#138)
  * UT coverage 80.9% (#137)
  * Fix push installer workflow (#136)
  * 3rd party versions upgrade (#133)
  * GO version upgrade to 1.22.0 (#132)
  * Fix/go version 1.21.6 (#127)
  * Update API key validation regex as per latest changes (#125)
  * Update API key validation regex as per latest changes (#124)
  * dependency version upgrade (#123)
  * Update tag create model (#121)
  * CASSINI-10113: Add scans in CI (#99)
  * corrected minor check condition (#120)
  * Add check to validate env variable before setting (#119)
  * Add version-check script (#118)
  * Add file path check for invalid characters (#116)
  * Update compoenent version (#117)
  * Update README as per suggestions (#113) (#115)
  * Added HTTP scheme validation to avoid API Key leakage (#108)
  * CASSINI-10987 Golang version upgrade to 1.21.4 (#114)
  * Update policy model as per the latest changes (#109)
  * Remove branch info from on schedule (#106)
  * Add BDBA scan to CI (#104)
  * Update CLI URL (#105)
  * updated licenses (#102)
  * Updated version of all components to v1.0.0 for GA (#100)
  * Validate the email id input before requesting list of users (#98)
  * Remove redundant print statements (#97)
  * Request ID and trace ID should be visible on the console for errors as well (#96)
  * Update sample policy as per token profile update changes (#95)
  * Update CLI name from tenantclt to inteltrustauthority (#93)
  * Update the headers for request and trace id (#94)
  * cassini-9466-Go version update to 1.20.6 (#91)
  * Add retry logic to client in tenant CLI (#92)
  * Add request-id optional parameter for each command (#90)

- Override build date with SOURCE_DATE_EPOCH (bsc#1047218)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places