File project.diff of Package netbird
--- _service.orig
+++ _service
@@ -3,7 +3,7 @@
<param name="url">https://github.com/netbirdio/netbird.git</param>
<param name="scm">git</param>
<param name="package-meta">yes</param>
- <param name="revision">refs/tags/v0.65.2</param>
+ <param name="revision">refs/tags/v0.65.3</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">disable</param>
--- netbird.changes.orig
+++ netbird.changes
@@ -1,4 +1,62 @@
-------------------------------------------------------------------
+Thu Feb 19 21:56:07 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 0.65.3:
+ 🛡️ Security Fix: Race Condition in Role Update Validation
+
+ What was affected
+
+ A race condition in the user role validation logic could allow
+ permission checks to succeed based on stale role data. Under very
+ specific timing conditions, concurrent requests during a role
+ change (e.g., while an admin was being demoted to user) could
+ bypass role validation when changing another users role.
+
+ Exploit Potential
+
+ If an administrator account was being demoted while
+ simultaneously performing acocunt ownership transfer actions, a
+ race window existed where the system could treat the user as
+ having elevated permissions to change owners.
+
+ In a coordinated scenario involving two administrator accounts,
+ this could potentially allow privilege escalation — for example,
+ promoting a user to Owner during the demotion window.
+
+ Conditions Required
+
+ Exploitation required:
+
+ - Two administrator accounts.
+ - One administrator being actively demoted.
+ - Concurrent ownership transfer requests executed precisely
+ during the demotion process.
+ - Precise timing to trigger the race condition.
+ - This issue required intentional coordination and timing, making
+ it unlikely to occur accidentally and will require access to
+ two admin accounts.
+
+ - Client & Mobile Improvements
+ - Batched macOS DNS domains to avoid truncation issues. #5368
+ - Ensured route settlement on iOS before handling DNS
+ responses. #5360
+ - Added logging of lock acquisition time in message handling
+ for improved observability. #5393
+ - Relay Improvements
+ - Reduced QUIC initial packet size to 1280 bytes (IPv6 minimum
+ MTU) for better compatibility. #5374
+ - Management Improvements
+ - Fixed possible race condition on user role change. #5395
+ - Added docker login step in management tests. #5323
+ - Self-Hosted Updates
+ - Added a migration script for upgrading from pre-v0.65.0 to
+ post-v0.65.0 combined setup. #5350
+ - Removed unused configuration example from self-hosted setup.
+ #5383
+ - Miscellaneous
+ - Updated timestamp format to include milliseconds. #5387
+
+-------------------------------------------------------------------
Tue Feb 17 22:27:47 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
- Update to 0.65.2:
--- netbird.obsinfo.orig
+++ netbird.obsinfo
@@ -1,4 +1,4 @@
name: netbird
-version: 0.65.2
-mtime: 1771354394
-commit: e9b2a6e80892ade6925e156690f86e758d42ceee
+version: 0.65.3
+mtime: 1771525127
+commit: f117fc7509268944e307adaf05b6225d790f7600
--- netbird.spec.orig
+++ netbird.spec
@@ -32,7 +32,7 @@
%bcond_with stub_config
Name: netbird
-Version: 0.65.2
+Version: 0.65.3
Release: 0
Summary: Mesh VPN based on WireGuard
License: AGPL-3.0-only AND BSD-3-Clause
