commit golang-github-prometheus-prometheus for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package golang-github-prometheus-prometheus for openSUSE:Factory checked in at 2024-07-03 20:29:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/golang-github-prometheus-prometheus (Old) and /work/SRC/openSUSE:Factory/.golang-github-prometheus-prometheus.new.18349 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "golang-github-prometheus-prometheus" Wed Jul 3 20:29:20 2024 rev:45 rq:1184874 version:2.53.0 Changes: -------- --- /work/SRC/openSUSE:Factory/golang-github-prometheus-prometheus/golang-github-prometheus-prometheus.changes 2024-07-01 11:18:35.063156766 +0200 +++ /work/SRC/openSUSE:Factory/.golang-github-prometheus-prometheus.new.18349/golang-github-prometheus-prometheus.changes 2024-07-03 20:29:48.719992793 +0200 @@ -1,0 +2,7 @@ +Fri Jun 28 15:31:44 UTC 2024 - Witek Bedyk <witold.bedyk@suse.com> + +- Bump go-retryablehttp to version 0.7.7 + (CVE-2024-6104, bsc#1227038) +- Add 0003-Bump-go-retryablehttp.patch + +------------------------------------------------------------------- New: ---- 0003-Bump-go-retryablehttp.patch BETA DEBUG BEGIN: New: (CVE-2024-6104, bsc#1227038) - Add 0003-Bump-go-retryablehttp.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ golang-github-prometheus-prometheus.spec ++++++ --- /var/tmp/diff_new_pack.QqLghX/_old 2024-07-03 20:29:50.108043596 +0200 +++ /var/tmp/diff_new_pack.QqLghX/_new 2024-07-03 20:29:50.108043596 +0200 
@@ -47,6 +47,8 @@
 Patch1: 0001-Do-not-force-the-pure-Go-name-resolver.patch
 # Lifted from Debian's prometheus package
 Patch2: 0002-Default-settings.patch
+# https://github.com/prometheus/prometheus/pull/14345 (CVE-2024-6104)
+Patch3: 0003-Bump-go-retryablehttp.patch
 BuildRequires: fdupes
 %if 0%{?suse_version} == 1500 && 0%{?sle_version} < 150300
 BuildRequires: firewall-macros
++++++ 0003-Bump-go-retryablehttp.patch ++++++
From 4d25a94faa74e0a16e4bb7874c1d82faaf911d85 Mon Sep 17 00:00:00 2001
From: Daniel Mellado <dmellado@redhat.com>
Date: Tue, 25 Jun 2024 16:31:03 +0200
Subject: [PATCH] Bump go-retryablehttp to fix basic auth creds leak
This PR updates go-retryablehttp to version 0.7.7, even if it's used as an indirect import. Versions previous to that can didn't sanitize urls, discussed at HDCSEC-2024-12 [1]
[1] https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basi...
Signed-off-by: Daniel Mellado <dmellado@redhat.com>
---
 go.mod | 4 ++--
 go.sum | 9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index ac8b4f469d0..ce2f0714a0a 100644
--- a/go.mod
+++ b/go.mod
@@ -146,10 +146,10 @@ require (
 github.com/hashicorp/cronexpr v1.1.2 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-hclog v1.5.0 // indirect
+ github.com/hashicorp/go-hclog v1.6.3 // indirect
 github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
- github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 github.com/hashicorp/golang-lru v0.6.0 // indirect
 github.com/hashicorp/serf v0.10.1 // indirect
diff --git a/go.sum b/go.sum
index 06db002f55b..956b9d89492 100644
--- a/go.sum
+++ b/go.sum
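Review bot: Patch3 only rewrites go.mod and go.sum at build time, while the code that is actually compiled comes from vendor.tar.gz, so the CVE-2024-6104 fix is effective only if the tarball already carries go-retryablehttp v0.7.7 (and go-hclog v1.6.3) with a matching vendor/modules.txt; if the two disagree, a vendored Go build stops with an inconsistent-vendoring error rather than silently using the old code. The diff reports that vendor.tar.gz differs, which suggests the tarball was regenerated, but neither the spec comment nor the changes entry records that the two must move together. I would extend the comment above Patch3 to `# https://github.com/prometheus/prometheus/pull/14345 (CVE-2024-6104); keep vendor.tar.gz in sync with the go.mod bump` so the next updater does not drop the patch without re-vendoring, or re-vendor without the patch.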
@@ -369,9 +369,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@@ -383,8 +382,8 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/golang-github-prometheus-prometheus/vendor.tar.gz /work/SRC/openSUSE:Factory/.golang-github-prometheus-prometheus.new.18349/vendor.tar.gz differ: char 5, line 1