Overview

File _patchinfo of Package patchinfo.19198

<patchinfo incident="19198">
  <issue tracker="bnc" id="1251664">VUL-0: CVE-2025-58190: git-bug: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
  <issue tracker="cve" id="2025-58190"/>
  <issue tracker="bnc" id="1251463">VUL-0: CVE-2025-47911: git-bug: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
  <issue tracker="cve" id="2025-47911"/>
  <packager>mcepl</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for git-bug</summary>
  <description>This update for git-bug fixes the following issues:

- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
  possible DoS by various algorithms with quadratic complexity
  when parsing HTML documents (boo#1251463, CVE-2025-47911 and
  boo#1251664, CVE-2025-58190).

- Update to version 0.10.1:
  - cli: ignore missing sections when removing configuration (ddb22a2f)

- Update to version 0.10.0:
  - bridge: correct command used to create a new bridge (9942337b)
  - web: simplify header navigation (7e95b169)
  - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
  - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)

- Update to version 0.10.0
  - bridge: correct command used to create a new bridge (9942337b)
  - web: simplify header navigation (7e95b169)
  - web: remark upgrade + gfm + syntax highlighting (6ee47b96)

- Update to version 0.9.0:
  - completion: remove errata from string literal (aa102c91)
  - tui: improve readability of the help bar (23be684a)

- Update to version 0.8.1+git.1746484874.96c7a111:
  * docs: update install, contrib, and usage documentation (#1222)
  * fix: resolve the remote URI using url.*.insteadOf (#1394)
  * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
  * chore: gofmt simplify gitlab/export_test.go (#1392)
  * fix: checkout repo before setting up go environment (#1390)
  * feat: bump to go v1.24.2 (#1389)
  * chore: update golang.org/x/net (#1379)
  * fix: use -0700 when formatting time (#1388)
  * fix: use correct url for gitlab PATs (#1384)
  * refactor: remove depdendency on pnpm for auto-label action (#1383)
  * feat: add action: auto-label (#1380)
  * feat: remove lifecycle/frozen (#1377)
  * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
  * feat: support new exclusion label: lifecycle/pinned (#1375)
  * fix: refactor how gitlab title changes are detected (#1370)
  * revert: "Create Dependabot config file" (#1374)
  * refactor: rename //:git-bug.go to //:main.go (#1373)
  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
  * fix: set GitLastTag to an empty string when git-describe errors (#1355)
  * chore: update go-git to v5@masterupdate_mods (#1284)
  * refactor: Directly swap two variables to optimize code (#1272)
  * Update README.md Matrix link to new room (#1275)

- Update to version 0.8.0+git.1742269202.0ab94c9:
  * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places