commit velociraptor for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package velociraptor for openSUSE:Factory checked in at 2024-05-30 15:33:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/velociraptor (Old) and /work/SRC/openSUSE:Factory/.velociraptor.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "velociraptor" Thu May 30 15:33:20 2024 rev:11 rq:1177630 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/velociraptor/velociraptor.changes 2024-04-29 09:02:41.149969054 +0200 +++ /work/SRC/openSUSE:Factory/.velociraptor.new.24587/velociraptor.changes 2024-05-30 15:35:00.825845996 +0200 @@ -1,0 +2,9 @@ +Tue May 28 16:45:51 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com> + +- Patches changes: + * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch + to update the follow-redirects package instead of patching directly. + * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572) +- Add a package-lock.json to the package + +------------------------------------------------------------------- New: ---- CVE-2022-25883-npm-watch-semver-deps.patch package-lock.json BETA DEBUG BEGIN: New: to update the follow-redirects package instead of patching directly. * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572) - Add a package-lock.json to the package BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ velociraptor.spec ++++++ --- /var/tmp/diff_new_pack.gysvdB/_old 2024-05-30 15:35:03.453942178 +0200 +++ /var/tmp/diff_new_pack.gysvdB/_new 2024-05-30 15:35:03.457942324 +0200 
@@ -93,14 +93,17 @@ Source9: %{projname}.obsinfo Source10: system-user-velociraptor.sysusers Source11: velociraptor-nodejs.spec.inc +Source12: package-lock.json %include %{_sourcedir}/velociraptor-nodejs.spec.inc Patch1: vendor-build-fixes-for-SLE12.patch Patch2: sdjournal-build-fix-for-SLE12.patch Patch3: velociraptor-reproducible-timestamp.diff -# CVE-2024-28849 - bsc#1221456 - follow-redirects: Drop Proxy-Athorization across hosts +# PATCH-FIX-UPSTREAM CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch bsc#1221456 -- follow-redirects: Drop Proxy-Athorization across hosts Patch4: CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch +# PATCH-FIX-UPSTREAM CVE-2022-25883-npm-watch-semver-deps.patch bsc#1212572 -- upgrade npm-watch +Patch5: CVE-2022-25883-npm-watch-semver-deps.patch BuildRequires: fileb0x %if 0%{?suse_version} BuildRequires: systemd-rpm-macros @@ -243,6 +246,8 @@ %patch -P 1 -p1 %patch -P 2 -p1 %patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 # Set the version to something more specific than <next-tag>-dev sed -ie "s/\([[:space:]]VERSION *= \).*/\1 \"%{VERSION}\"/" constants/constants.go @@ -263,13 +268,11 @@ # Note: There are dependencies on these that need to be resolved before # removing them outright. # rm -rf artifacts/definitions/Windows - %if %{build_server} pushd gui/velociraptor rm -f package-lock.json -local-npm-registry %{_sourcedir} install +local-npm-registry %{_sourcedir} install --include=dev --legacy-peer-deps popd -%patch -P 4 -p1 %endif %build ++++++ CVE-2022-25883-npm-watch-semver-deps.patch ++++++ From 76e999d0976ad6559574c92b79fe7432596d2d6c Mon Sep 17 00:00:00 2001 
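Review bot: In the `@@ -263,13 +268,11 @@` hunk the `rm -f package-lock.json` under `%if %{build_server}` still runs after `%patch -P 4 -p1` has been applied in %prep, and Patch4 now only edits `gui/velociraptor/package-lock.json`, so the lockfile pin of follow-redirects 1.15.6 (the actual CVE-2024-28849 fix) is deleted before `local-npm-registry %{_sourcedir} install` runs. Whether the built GUI really ends up with 1.15.6 therefore depends on the new Source12 `package-lock.json` and the updated `velociraptor-node_modules.obscpio`, neither of which is visible here; if the install is driven from Source12 the patch is redundant, and if it is not the fix is lost. I would either drop the `rm -f package-lock.json` line so the patched lockfile is honoured, or add a guard after the install such as `grep -q '"version": "1.15.6"' gui/velociraptor/node_modules/follow-redirects/package.json` so the build fails loudly if the vulnerable version is reinstalled. The new `--legacy-peer-deps` flag also silences peer-dependency conflicts rather than resolving them, so a one-line comment stating which peer conflict it works around, e.g. `# --legacy-peer-deps: needed for <package> peer range conflict; re-check on dependency updates`, would help the next updater, and the `Proxy-Athorization` typo was carried into the new PATCH-FIX-UPSTREAM comment line.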
From: snyk-bot <snyk-bot@snyk.io> Date: Sat, 27 Apr 2024 00:20:54 +0000 Subject: [PATCH] fix: gui/velociraptor/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795 --- gui/velociraptor/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: b/gui/velociraptor/package.json =================================================================== --- a/gui/velociraptor/package.json +++ b/gui/velociraptor/package.json @@ -31,7 +31,7 @@ "lodash": "^4.17.21", "moment": "^2.29.4", "moment-timezone": "0.5.43", - "npm-watch": "^0.11.0", + "npm-watch": "^0.12.0", "prop-types": "^15.8.1", "qs": "^6.11.2", "query-string": "^6.14.1", ++++++ CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch ++++++ --- /var/tmp/diff_new_pack.gysvdB/_old 2024-05-30 15:35:03.501943934 +0200 +++ /var/tmp/diff_new_pack.gysvdB/_new 2024-05-30 15:35:03.505944081 +0200 
@@ -1,24 +1,31 @@ -From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001 -From: Ruben Verborgh <ruben@verborgh.org> -Date: Thu, 14 Mar 2024 17:36:10 +0100 -Subject: [PATCH] Drop Proxy-Authorization across hosts. - ---- - index.js | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -diff --git a/gui/velociraptor/node_modules/follow-redirects/index.js b/gui/velociraptor/node_modules/follow-redirects/index.js -index f58b933..c649cab 100644 ---- a/gui/velociraptor/node_modules/follow-redirects/index.js -+++ b/gui/velociraptor/node_modules/follow-redirects/index.js -@@ -430,7 +430,7 @@ RedirectableRequest.prototype._processResponse = function (response) { - redirectUrlParts.protocol !== "https:" || - redirectUrlParts.host !== currentHost && - !isSubdomain(redirectUrlParts.host, currentHost)) { -- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); -+ removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers); - } - - // Evaluate the beforeRedirect callback - +diff --git a/gui/velociraptor/package-lock.json b/gui/velociraptor/package-lock.json +index e6c46c00..2a6c8114 100644 +--- a/gui/velociraptor/package-lock.json ++++ b/gui/velociraptor/package-lock.json +@@ -4750,9 +4750,9 @@ + } + }, + "node_modules/follow-redirects": { +- "version": "1.15.2", +- "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz", +- "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==", ++ "version": "1.15.6", ++ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz", ++ "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==", + "funding": [ + { + "type": "individual", +@@ -14720,9 +14720,9 @@ + } + }, + "follow-redirects": { +- "version": "1.15.2", +- "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz", +- 
"integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==" ++ "version": "1.15.6", ++ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz", ++ "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==" + }, + "for-each": { + "version": "0.3.3", ++++++ package-lock.json ++++++ ++++ 19450 lines (skipped) ++++++ velociraptor-node_modules.obscpio ++++++ /work/SRC/openSUSE:Factory/velociraptor/velociraptor-node_modules.obscpio /work/SRC/openSUSE:Factory/.velociraptor.new.24587/velociraptor-node_modules.obscpio differ: char 79192355, line 262874 ++++++ velociraptor-nodejs.spec.inc ++++++ ++++ 1597 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/velociraptor/velociraptor-nodejs.spec.inc ++++ and /work/SRC/openSUSE:Factory/.velociraptor.new.24587/velociraptor-nodejs.spec.inc