File _patchinfo of Package patchinfo.18834
<patchinfo incident="18834">
  <issue tracker="cve" id="2025-22869"/>
  <issue tracker="cve" id="2024-45337"/>
  <issue tracker="bnc" id="1234565">VUL-0: CVE-2024-45337: git-bug: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
  <issue tracker="bnc" id="1239494">VUL-0: CVE-2025-22869: git-bug: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
  <packager>mcepl</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for git-bug</summary>
  <description>This update for git-bug fixes the following issues:

- Update embedded golang.org/x/crypto/ssh to v0.35.0 (boo#1239494, CVE-2025-22869).
- Update to version 0.8.0+git.1733745604.d499b6e:
  * fix typos in docs (#1266)
- Bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, boo#1234565).
- Update to version 0.8.0+git.1725552198.b0cc690:
  * build(deps): bump golang.org/x/term from 0.23.0 to 0.24.0 (#1261)
  * graphql: properly namespace Bug to make space for other entities (#1254)
  * refactor: rename github test repository: test-github-bridge (#1256)
  * build(deps-dev): bump the npm_and_yarn group across 1 directory with 4 updates (#1250)
  * core: make label a common type, in a similar fashion as for status (#1252)
  * chore: regenerate command completion and documentation (#1253)
  * feat: update references to the git-bug organization (#1249)
  * build(deps): bump github.com/vbauerster/mpb/v8 from 8.7.5 to 8.8.2 (#1248)
  * build(deps): bump golang.org/x/sys from 0.23.0 to 0.24.0 (#1242)
  * feat: add package to dev shell: delve (#1240)
  * build(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#1239)
  * build(deps): bump golang.org/x/text from 0.16.0 to 0.17.0 (#1237)
  * DOC: it is "new" not "configure" command (also was missing \)
  * build(deps): bump golang.org/x/sys from 0.22.0 to 0.23.0
  * build(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0
  * build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0
  * fix: correct path for reusable workflow: lifecycle
  * feat: merge go directive and toolchain specification
  * feat: improved lifecycle management with stale-bot
  * build(deps): bump github.com/vbauerster/mpb/v8 from 8.7.4 to 8.7.5
  * revert: "feat: increase operations per run for workflow: cron"
  * fix: run the presubmit pipeline for PRs
  * chore: remove refs to deprecated io/ioutil
  * fix: move codeql into an independent workflow
  * feat: bump node versions to 16.x, 18.x, and 20.x
  * feat: refactor pipelines into reusable workflows
  * build(deps): bump jsonwebtoken and @graphql-tools/prisma-loader
  * build(deps-dev): bump tough-cookie from 4.1.2 to 4.1.3 in /webui
  * build(deps): bump github.com/xanzy/go-gitlab from 0.106.0 to 0.107.0
  * build(deps): bump graphql from 16.6.0 to 16.8.1 in /webui
  * build(deps-dev): bump undici from 5.11.0 to 5.28.4 in /webui
  * build(deps): bump @babel/traverse from 7.19.3 to 7.24.8 in /webui
  * build(deps): bump github.com/99designs/gqlgen from 0.17.36 to 0.17.49
  * build(deps): bump github.com/dvsekhvalnov/jose2go from 1.5.0 to 1.6.0
  * build(deps-dev): bump semver from 5.7.1 to 5.7.2 in /webui
  * build(deps-dev): bump word-wrap from 1.2.3 to 1.2.5 in /webui
  * build(deps-dev): bump express from 4.18.1 to 4.19.2 in /webui
  * build(deps-dev): bump ws from 7.5.9 to 7.5.10 in /webui
  * build(deps): bump golang.org/x/vuln from 1.1.2 to 1.1.3
  * build(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.12.0
  * build(deps-dev): bump undici from 5.11.0 to 5.26.3 in /webui
  * build(deps): bump github.com/vbauerster/mpb/v8 from 8.5.2 to 8.7.4
  * build(deps): bump webpack from 5.74.0 to 5.76.1 in /webui
  * build(deps): bump github.com/go-git/go-billy/v5 from 5.4.1 to 5.5.0
  * build(deps): bump ua-parser-js from 0.7.31 to 0.7.33 in /webui
  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.15 to 2.5.16
  * build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
  * build(deps): bump json5 from 1.0.1 to 1.0.2 in /webui
  * build(deps): bump loader-utils from 2.0.2 to 2.0.4 in /webui
  * build(deps): bump minimatch and recursive-readdir in /webui
  * fix: add write for prs: stale/issue-and-pr
  * feat: allow for manual execution of workflow: cron
  * feat: increase operations per run for workflow: cron
  * fix: add missing `with` property to //.github/workflows:cron.yml
  * feat: add workflow for triaging stale issues and prs
  * feat: add initial editorconfig configuration file
  * feat: add a common file for git-blame ignored revisions
  * feat: add a commit message template
  * feat: add initial nix development shell
  * feat: update action library versions
  * feat: add concurrency limits to all pipelines
  * fix: bump to go v1.22.5
  * fix: correct typo: acceps => accepts
  * build(deps): bump github.com/fatih/color from 1.16.0 to 1.17.0 (#1183)
  * build(deps): bump github.com/gorilla/mux from 1.8.0 to 1.8.1 (#1181)
  * build(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.1 (#1179)
  * build(deps): bump golang.org/x/vuln from 1.0.0 to 1.1.2 (#1171)
  * build(deps): bump golang.org/x/crypto from 0.21.0 to 0.25.0 (#1175)
  * build(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.5 to 2.0.7 (#1113)
  * build(deps): bump golang.org/x/text from 0.14.0 to 0.16.0 (#1173)
  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.8 to 2.5.15 (#1164)
  * build(deps): bump github.com/hashicorp/go-retryablehttp (#1162)
  * build(deps): bump golang.org/x/net from 0.14.0 to 0.23.0 (#1166)
  * build(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.21.0 (#1165)
  * build(deps): bump github.com/xanzy/go-gitlab from 0.90.0 to 0.106.0 (#1167)
  * build(deps): bump golang.org/x/sys from 0.11.0 to 0.14.0 (#1132)
- Try reading the git-bug.remote config value before defaulting to 'origin' when no explicit REMOTE argument is given.
- Update to version 0.8.0+git.1713935544.6d051a2:
  * Update README.md
  * chore: fix some struct names in comments
- Update to version 0.8.0+git.1697403397.1212f75:
  * fix openpgp handling to sign/check
  * api/graphql: regenerate after gqlgen upgrade
  * build(deps): bump github.com/99designs/gqlgen from 0.17.20 to 0.17.36
  * build(deps): bump github.com/99designs/gqlgen from 0.17.20 to 0.17.36
  * update to golang-lru v2
  * build(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 1.0.2
  * build(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.11.0
  * build(deps): bump github.com/mattn/go-isatty from 0.0.17 to 0.0.19
  * build(deps): bump golang.org/x/sync from 0.1.0 to 0.3.0
  * build(deps): bump github.com/fatih/color from 1.13.0 to 1.15.0
  * build(deps): bump golang.org/x/vuln
  * build(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0
  * build(deps): bump github.com/cloudflare/circl from 1.3.1 to 1.3.3
  * build(deps): bump golang.org/x/crypto from 0.5.0 to 0.12.0
  * build(deps): bump github.com/vbauerster/mpb/v8 from 8.1.4 to 8.5.2
  * codespell: no "with" means using codespellrc, add more opt out
  * build(deps): bump golang.org/x/term from 0.8.0 to 0.11.0
  * build(deps): bump golang.org/x/sys from 0.8.0 to 0.11.0
  * build(deps): bump golang.org/x/text from 0.9.0 to 0.12.0
  * build(deps): bump github.com/xanzy/go-gitlab from 0.79.1 to 0.90.0
  * build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.4
  * build(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.8.0
  * execenv: fix some cache building progress bar artifact
  * build(deps): bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1
  * util: better IsRunning(pid)
  * webui: also teardown cleanly on SIGTERM
  * build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0
  * tools: fix how security tools are setup and launched
  * repo: improve support for gitdir indirection
  * build(deps): bump github.com/xanzy/go-gitlab from 0.78.0 to 0.79.1
  * add more ideas in the feature matrix
  * cache: faster indexing by capping Bleve batch count
  * doc: add a feature matrix
  * chore: updated error message when detectGitPath fails
  * test: resolve changes for PR #1004, add unit test, fix issue uncovered by unit test
  * Add github workflow for codespell
  * [DATALAD RUNCMD] Run codespell -w
  * rudimentary codespell configuration
  * [DATALAD RUNCMD] Fix one ambiguous overrided
  * build(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0
  * commands: add a helper to generate testing regex for CLI output
  * fix(#971): parse submodule .git files instead of erroring
  * docs(commands): try to make cleaned argument use more obvious
  * style: resolve PR comments
  * version: code cleanup, fix some edge cases
  * dirty should be bool
  * commands: different pattern to detect changed flags
  * style: clean up linter complaints
  * build(deps): bump github.com/xanzy/go-gitlab from 0.77.0 to 0.78.0
  * fix(commands): replace missing import
  * fix(commands): create env.Env once for all Cobra commands
  * commands: remove compact style for "bug", as the width adaptive default renderer cover that usage
  * command: adapt the output of the bug list to the terminal size
  * execenv: move terminal detection to Out, introduce the companion In
  * feat: use isatty to detect a Termios instead
  * feat: detect os.Stdin/os.Stdout mode
  * New approach to define the version
  * build(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1
  * repo: don't forget to close a file
  * repo: temporary use a fork of go-git due to https://github.com/go-git/go-git/pull/659
  * Fixed version info be set when go install
  * added EventMentionedInCommit
  * add wipe sub-command that remove local bugs and identities
  * commands: add a nice terminal progress bar when building the cache
  * properly close files in edge cases in various places
  * repo: check error when closing a repo in tests
  * fix(commands): run tests in ./commands/... without ANSI color
  * build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2
  * chore(TestCache): cleanup per PR review
  * build(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0
  * build(deps): bump golang.org/x/text from 0.5.0 to 0.6.0
  * refactor(TestCache): guarantee test caches are closed when tests finish
  * fix(TestCache): eliminate hanging Windows tests
  * style(TestCache): remove empty trailing line from function
  * test(cache): close second instance of RepoCache
  * ci: use Go 1.19.4 and setup-go@v3
  * fix: resolve Go vulnerabilities
  * fix(972): use prerelease of GoKart with repaired panic
  * build(deps): bump github.com/go-git/go-billy/v5 from 5.3.1 to 5.4.0
  * fix: keyrings must return keys with entities/identities
  * commands: share JSON creation
  * CI: remove lint security step as it's crashing
  * commands: don't double build the lamport clocks
  * build(deps): bump github.com/mattn/go-isatty from 0.0.16 to 0.0.17
  * feat: upgrade go-git to v5.1.1
  * commands: generic "select" code, move bug completion in bugcmd
  * cache: simplify cache building events handling
  * commands: move bug specific input code into commands/bug/input
  * cache: tie the last printf in an event to make the core print free
  * cache: fix some bugs after refactor
  * github: cleanup test token when test is done
  * cache: generic withSnapshot, some cleanup
  * cache: tie up the refactor up to compiling
  * repository: return specific error on object not found, accept multiple namespace to push/pull
  * build(deps): bump github.com/99designs/keyring from 1.2.1 to 1.2.2
  * repo: proper reduced interface for full-text indexing
  * doc/README: normalize verb tense and fix typo
  * build(deps): bump github.com/xanzy/go-gitlab from 0.76.0 to 0.77.0
  * build(deps): bump golang.org/x/text from 0.4.0 to 0.5.0
  * fix: remove repeated use of the same fmt.Errorf() calls
  * feat: wrap ErrMultipleConfigEntry to report duplicate key
  * feat: wrap ErrNoConfigEntry to report missing key
  * benchmark-action: make it work?
  * gha: add a workflow to continuously run benchmarks
  * build(deps): bump github.com/xanzy/go-gitlab from 0.74.0 to 0.76.0
  * commands: reorg into different packages
  * release: don't build for darwin/386 as support has been removed in golang
  * GHA: add a release workflow to build and upload binaries
  * webui: pack into binary
  * gogit: fix incorrect loader handling
  * github: sanitize rate limit waiting time
  * go-git: concurrent loading of clocks
  * github: fix rate limiting
  * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1
  * core: bubble up the comment ID when created, or edited the first comment
  * build(deps): bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0
  * build(deps): bump golang.org/x/text from 0.3.7 to 0.4.0
</description>
</patchinfo>
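The bnc#1234565 entry above names only the bug class behind CVE-2024-45337. The mechanism is that ServerConfig.PublicKeyCallback in golang.org/x/crypto/ssh is consulted for every key a client offers, including keys the client merely asks about (an SSH_MSG_USERAUTH_REQUEST without a signature) and never proves possession of, so an application that remembers "the key the callback saw last" and authorizes from it after the handshake can be steered onto a key the attacker does not hold. The following is an added example, not code from git-bug or from golang.org/x/crypto/ssh: it models the publickey user-auth exchange with the standard library's crypto/ed25519 only (no network, no x/crypto import), reproduces the pre-v0.31.0 behaviour of caching callback results per key, and runs the attack sequence from the upstream advisory against both the misuse and the Permissions-based pattern. The names Permissions, AuthRequest, PublicKeyCallback, vulnerableCallback, safeCallback and Demo, the fixed session id, and the "read-only" and "admin" roles are constructed for the demonstration.

```go
package main

// Added example (not git-bug's or x/crypto's code): a crypto/ed25519 model of the SSH
// "publickey" user-auth exchange (RFC 4252 s.7). A client may ask whether a key is acceptable
// without signing for it, so the last key a PublicKeyCallback saw need not be the one that authenticated.

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type Permissions struct{ Extensions map[string]string } // shape of ssh.Permissions: data tied to one attempt

// AuthRequest is one "publickey" request: a nil Sig is a query, otherwise Sig signs sessionID.
type AuthRequest struct {
	Key ed25519.PublicKey
	Sig []byte
}

type PublicKeyCallback func(user string, key ed25519.PublicKey) (*Permissions, error)

// authenticate is the server side, modelled on x/crypto/ssh before v0.31.0: callback results
// are cached per key, so signing with an already-queried key does not invoke the callback
// again. It returns the Permissions the callback produced for the key that actually signed.
func authenticate(sessionID []byte, user string, reqs []AuthRequest, cb PublicKeyCallback) (*Permissions, error) {
	cache := map[string]*Permissions{} // raw public key bytes -> callback result
	for _, r := range reqs {
		id := string(r.Key)
		perms, seen := cache[id]
		if !seen {
			if p, err := cb(user, r.Key); err == nil {
				perms = p
			}
			cache[id] = perms // a nil entry records a rejected key
		}
		if perms == nil || r.Sig == nil {
			continue // rejected key, or a query that proves nothing
		}
		if ed25519.Verify(r.Key, sessionID, r.Sig) {
			return perms, nil
		}
	}
	return nil, errors.New("authentication failed")
}

// vulnerableCallback is the CVE-2024-45337 misuse: the callback writes the key it saw into
// external state, and the application authorizes from that state after the handshake.
func vulnerableCallback(authorized map[string]string) (PublicKeyCallback, func() string) {
	var lastKey string
	cb := func(_ string, key ed25519.PublicKey) (*Permissions, error) {
		id := string(key)
		if _, ok := authorized[id]; !ok {
			return nil, errors.New("unknown key")
		}
		lastKey = id // BUG: also set for a query the client never signs for
		return &Permissions{}, nil
	}
	return cb, func() string { return authorized[lastKey] } // post-handshake lookup
}

// safeCallback records what the attempt would grant inside the Permissions it returns, so
// authorization reads only the Permissions of the key that signed (ServerConn.Permissions).
func safeCallback(authorized map[string]string) PublicKeyCallback {
	return func(_ string, key ed25519.PublicKey) (*Permissions, error) {
		role, ok := authorized[string(key)]
		if !ok {
			return nil, errors.New("unknown key")
		}
		return &Permissions{Extensions: map[string]string{"role": role}}, nil
	}
}

// Demo replays the advisory's attack: the attacker owns read-only key A and knows only the
// public half of admin key B; it queries A, queries B, then signs with A. Returns both roles.
func Demo() (string, string, error) {
	pubA, privA, errA := ed25519.GenerateKey(rand.Reader)
	pubB, _, errB := ed25519.GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		return "", "", errors.New("key generation failed")
	}
	sessionID := []byte("constructed session id") // real SSH derives this from the key exchange
	authorized := map[string]string{string(pubA): "read-only", string(pubB): "admin"}
	reqs := []AuthRequest{{Key: pubA}, {Key: pubB}, {Key: pubA, Sig: ed25519.Sign(privA, sessionID)}}
	vulnCB, roleFromLastKey := vulnerableCallback(authorized)
	if _, err := authenticate(sessionID, "git", reqs, vulnCB); err != nil {
		return "", "", err
	}
	perms, err := authenticate(sessionID, "git", reqs, safeCallback(authorized))
	if err != nil {
		return "", "", err
	}
	return roleFromLastKey(), perms.Extensions["role"], nil
}

func main() {
	v, s, err := Demo()
	fmt.Println("last-key pattern:", v, "| Permissions pattern:", s, "| error:", err)
}
```

Run with `go run`: the last-key pattern grants the attacker "admin", because the final callback invocation was for key B and the signed request for key A was served from the cache, while the Permissions pattern grants "read-only", because it reads the role out of the Permissions returned for the key that actually signed. That second pattern is what the upstream advisory recommends: record per-attempt data in the Extensions of the returned Permissions and read it back from ServerConn.Permissions after the handshake. golang.org/x/crypto v0.31.0 additionally re-invokes the callback with the authenticating key so that the last call matches it, but that partial mitigation does not hold when the connection is finally authenticated by another method (password, keyboard-interactive, or no client auth), so external state written from the callback remains unsafe to authorize from.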