openSUSE-SU-2024:0130-1: important: Security update for git-cliff
openSUSE Security Update: Security update for git-cliff ______________________________________________________________________________ Announcement ID: openSUSE-SU-2024:0130-1 Rating: important References: #1223218 Cross-References: CVE-2024-32650 CVSS scores: CVE-2024-32650 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for git-cliff fixes the following issues: - update to 2.2.2: * (changelog) Allow adding custom context * (changelog) Ignore empty lines when using split_commits * (parser) Allow matching empty commit body * Documentation updates - update to 2.2.1: * Make rendering errors more verbose * Support detecting config from project manifest * Make the bump version rules configurable * bug fixes and documentation updates - CVE-2024-32650: rust-rustls: Infinite loop with proper client input fixes (boo#1223218) - Update to version 2.1.2: * feat(npm): add programmatic API for TypeScript * chore(fixtures): enable verbose logging for output * refactor(clippy): apply clippy suggestions * refactor(changelog): do not output to stdout when prepend is used * feat(args): add `--tag-pattern` argument * fix(config): fix commit parser regex in the default config * fix(github): sanitize the GitHub token in debug logs * chore(config): add animation to the header of the changelog * refactor(clippy): apply clippy suggestions * docs(security): update security policy * chore(project): add readme to core package * chore(embed): do not allow missing docs * chore(config): skip dependabot commits for dev updates * docs(readme): mention RustLab 2023 talk * chore(config): revamp the configuration files * chore(docker): update versions in Dockerfile * chore(example): use full links in GitHub templates * chore(project): bump MSRV to 1.74.1 * revert(config): use postprocessors for checking the typos * feat(template): support using PR labels in the GitHub template * docs(configuration): fix typo * feat(args): add `--no-exec` flag for skipping command execution * chore(command): explicitly set the directory of command to current dir * refactor(ci): use hardcoded workspace members for cargo-msrv command * refactor(ci): simplify cargo-msrv installation * refactor(clippy): apply clippy suggestions * refactor(config): use postprocessors for checking the typos * chore(project): update copyright years * chore(github): update templates about GitHub integration * feat(changelog): set the timestamp of the previous release * feat(template): support using PR title in the GitHub template * feat(changelog): improve skipping via `.cliffignore` and `--skip-commit` * chore(changelog): disable the default behavior of next-version * fix(git): sort commits in topological order * test(changelog): use the correct version for missing tags * chore(changelog): use 0.1.0 as default next release if no tag is found * feat(github)!: support integration with GitHub repos * refactor(changelog): support `--bump` for processed releases * fix(cli): fix broken pipe when stdout is interrupted * test(fixtures): update the bumped value output to add prefix * feat(changelog): support tag prefixes with `--bump` * feat(changelog)!: set tag to `0.0.1` via `--bump` if no tags exist * fix(commit): trim the trailing newline from message * docs(readme): use the raw link for the animation * chore(example): remove limited commits example * feat(args): add `-x` short argument for `--context` * revert(deps): bump actions/upload-pages-artifact from 2 to 3 * revert(deps): bump actions/deploy-pages from 3 to 4 * chore(dependabot): group the dependency updates for creating less PRs * feat(parser): support using SHA1 of the commit * feat(commit): add merge_commit flag to the context * chore(mergify): don't update PRs for the main branch * fix(links): skip checking the GitHub commit URLs * fix(changelog): fix previous version links * feat(parser): support using regex scope values * test(fixture): update the date for example test fixture * docs(fixtures): add instructions for adding new fixtures * feat(args): support initialization with built-in templates * feat(changelog)!: support templating in the footer * feat(args): allow returning the bumped version * test(fixture): add test fixture for bumping version * fix: allow version bump with a single previous release * fix(changelog): set the correct previous tag when a custom tag is given * feat(args): set `CHANGELOG.md` as default missing value for output option * refactor(config): remove unnecessary newline from configs - Update to version 1.4.0: * Support bumping the semantic version via `--bump` * Add 'typos' check * Log the output of failed external commands - * breaking change: Support regex in 'tag_pattern' configuration * Add field and value matchers to the commit parser - Update to version 1.2.0: * Update clap and clap extras to v4 * Make the fields of Signature public * Add a custom configuration file for the repository * Support placing configuration inside pyproject.toml * Generate SBOM/provenance for the Docker image * Support using regex group values * [breaking] Nested environment config overrides * Set max of limit_commits to the number of commits * Set the node cache dependency path * Use the correct argument in release script - Update to version 1.1.2: * Do not skip all tags when skip_tags is empty (#136) * Allow saving context to a file (#138) * Derive the tag order from commits instead of timestamp (#139) * Use timestamp for deriving the tag order (#139) - Update to version 1.1.1: * Relevant change: Update README.md about the NPM package * Fix type casting in base NPM package * Rename the package on Windows * Disable liquid parsing in README.md by using raw blocks * Support for generating changelog for multiple git repositories * Publish binaries for more platforms/architectures - Update to version 1.0.0: * Bug Fixes - Fix test fixture failures * Documentation - Fix GitHub badges in README.md * Features - [breaking] Replace --date-order by --topo-order - Allow running with --prepend and --output - [breaking] Use current time for --tag argument - Include completions and mangen in binary releases - Publish Debian package via release workflow * Miscellaneous Tasks - Run all test fixtures - Remove deprecated set-output usage - Update actions/checkout to v3 - Comment out custom commit preprocessor * Refactor - Apply clippy suggestions * Styling - Update README.md about the styling of footer field Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2024-130=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): git-cliff-2.2.2-bp155.2.3.1 - openSUSE Backports SLE-15-SP5 (noarch): git-cliff-bash-completion-2.2.2-bp155.2.3.1 git-cliff-fish-completion-2.2.2-bp155.2.3.1 git-cliff-zsh-completion-2.2.2-bp155.2.3.1 References: https://www.suse.com/security/cve/CVE-2024-32650.html https://bugzilla.suse.com/1223218
participants (1)
-
opensuse-security@opensuse.org