openSUSE Security Update: Security update for git-cliff
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0130-1
Rating:             important
References:         #1223218 
Cross-References:   CVE-2024-32650
CVSS scores:
                    CVE-2024-32650 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for git-cliff fixes the following issues:

   - Update to version 2.2.2:
     * (changelog) Allow adding custom context
     * (changelog) Ignore empty lines when using split_commits
     * (parser) Allow matching empty commit body
     * Documentation updates

   - Update to version 2.2.1:
     * Make rendering errors more verbose
     * Support detecting config from project manifest
     * Make the bump version rules configurable
     * Bug fixes and documentation updates
   - CVE-2024-32650: rust-rustls: fix infinite loop with proper client input
     (boo#1223218)

   - Update to version 2.1.2:
     * feat(npm): add programmatic API for TypeScript
     * chore(fixtures): enable verbose logging for output
     * refactor(clippy): apply clippy suggestions
     * refactor(changelog): do not output to stdout when prepend is used
     * feat(args): add `--tag-pattern` argument
     * fix(config): fix commit parser regex in the default config
     * fix(github): sanitize the GitHub token in debug logs
     * chore(config): add animation to the header of the changelog
     * refactor(clippy): apply clippy suggestions
     * docs(security): update security policy
     * chore(project): add readme to core package
     * chore(embed): do not allow missing docs
     * chore(config): skip dependabot commits for dev updates
     * docs(readme): mention RustLab 2023 talk
     * chore(config): revamp the configuration files
     * chore(docker): update versions in Dockerfile
     * chore(example): use full links in GitHub templates
     * chore(project): bump MSRV to 1.74.1
     * revert(config): use postprocessors for checking the typos
     * feat(template): support using PR labels in the GitHub template
     * docs(configuration): fix typo
     * feat(args): add `--no-exec` flag for skipping command execution
     * chore(command): explicitly set the directory of command to current dir
     * refactor(ci): use hardcoded workspace members for cargo-msrv command
     * refactor(ci): simplify cargo-msrv installation
     * refactor(clippy): apply clippy suggestions
     * refactor(config): use postprocessors for checking the typos
     * chore(project): update copyright years
     * chore(github): update templates about GitHub integration
     * feat(changelog): set the timestamp of the previous release
     * feat(template): support using PR title in the GitHub template
     * feat(changelog): improve skipping via `.cliffignore` and
       `--skip-commit`
     * chore(changelog): disable the default behavior of next-version
     * fix(git): sort commits in topological order
     * test(changelog): use the correct version for missing tags
     * chore(changelog): use 0.1.0 as default next release if no tag is found
     * feat(github)!: support integration with GitHub repos
     * refactor(changelog): support `--bump` for processed releases
     * fix(cli): fix broken pipe when stdout is interrupted
     * test(fixtures): update the bumped value output to add prefix
     * feat(changelog): support tag prefixes with `--bump`
     * feat(changelog)!: set tag to `0.0.1` via `--bump` if no tags exist
     * fix(commit): trim the trailing newline from message
     * docs(readme): use the raw link for the animation
     * chore(example): remove limited commits example
     * feat(args): add `-x` short argument for `--context`
     * revert(deps): bump actions/upload-pages-artifact from 2 to 3
     * revert(deps): bump actions/deploy-pages from 3 to 4
     * chore(dependabot): group the dependency updates for creating less PRs
     * feat(parser): support using SHA1 of the commit
     * feat(commit): add merge_commit flag to the context
     * chore(mergify): don't update PRs for the main branch
     * fix(links): skip checking the GitHub commit URLs
     * fix(changelog): fix previous version links
     * feat(parser): support using regex scope values
     * test(fixture): update the date for example test fixture
     * docs(fixtures): add instructions for adding new fixtures
     * feat(args): support initialization with built-in templates
     * feat(changelog)!: support templating in the footer
     * feat(args): allow returning the bumped version
     * test(fixture): add test fixture for bumping version
     * fix: allow version bump with a single previous release
     * fix(changelog): set the correct previous tag when a custom tag is given
     * feat(args): set `CHANGELOG.md` as default missing value for output
       option
     * refactor(config): remove unnecessary newline from configs

   - Update to version 1.4.0:
     * Support bumping the semantic version via `--bump`
     * Add 'typos' check
     * Log the output of failed external commands
     * breaking change: Support regex in 'tag_pattern' configuration
     * Add field and value matchers to the commit parser

   - Update to version 1.2.0:
     * Update clap and clap extras to v4
     * Make the fields of Signature public
     * Add a custom configuration file for the repository
     * Support placing configuration inside pyproject.toml
     * Generate SBOM/provenance for the Docker image
     * Support using regex group values
     * [breaking] Nested environment config overrides
     * Set max of limit_commits to the number of commits
     * Set the node cache dependency path
     * Use the correct argument in release script

   - Update to version 1.1.2:
     * Do not skip all tags when skip_tags is empty (#136)
     * Allow saving context to a file (#138)
     * Derive the tag order from commits instead of timestamp (#139)
     * Use timestamp for deriving the tag order (#139)

   - Update to version 1.1.1:
     * Relevant change: Update README.md about the NPM package
     * Fix type casting in base NPM package
     * Rename the package on Windows
     * Disable liquid parsing in README.md by using raw blocks
     * Support for generating changelog for multiple git repositories
     * Publish binaries for more platforms/architectures

   - Update to version 1.0.0:
     * Bug Fixes
       - Fix test fixture failures
     * Documentation
       - Fix GitHub badges in README.md
     * Features
       - [breaking] Replace --date-order by --topo-order
       - Allow running with --prepend and --output
       - [breaking] Use current time for --tag argument
       - Include completions and mangen in binary releases
       - Publish Debian package via release workflow
     * Miscellaneous Tasks
       - Run all test fixtures
       - Remove deprecated set-output usage
       - Update actions/checkout to v3
       - Comment out custom commit preprocessor
     * Refactor
       - Apply clippy suggestions
     * Styling
       - Update README.md about the styling of footer field


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2024-130=1



Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      git-cliff-2.2.2-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (noarch):

      git-cliff-bash-completion-2.2.2-bp155.2.3.1
      git-cliff-fish-completion-2.2.2-bp155.2.3.1
      git-cliff-zsh-completion-2.2.2-bp155.2.3.1
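The package list above gives the fixed name-version-release for each package, which is what a defender compares against on a host. The Python below is an added example, not part of the advisory or of the git-cliff project: it implements rpm's segment-based version comparison (the rpmvercmp rules, including `~` pre-release and `^` post-release ordering) and reports, for each package the advisory names, whether the installed build is at or above the fixed one. It assumes the host output comes from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <packages>`; the sample output embedded in `SAMPLE_RPM_OUTPUT` is constructed for the example and shows a partially updated system.

```python
import re

# Fixed package versions from the advisory's package list (name -> version-release).
FIXED_VERSIONS = {
    "git-cliff": "2.2.2-bp155.2.3.1",
    "git-cliff-bash-completion": "2.2.2-bp155.2.3.1",
    "git-cliff-fish-completion": "2.2.2-bp155.2.3.1",
    "git-cliff-zsh-completion": "2.2.2-bp155.2.3.1",
}

# Constructed sample of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <pkgs>` output
# on a partially updated host (assumed for the example, not captured output).
SAMPLE_RPM_OUTPUT = """\
git-cliff-2.1.2-bp155.1.1
git-cliff-bash-completion-2.2.2-bp155.2.3.1
package git-cliff-fish-completion is not installed
git-cliff-zsh-completion-2.2.2-bp155.2.3.1
"""

def _significant(ch: str) -> bool:
    # rpmvercmp compares ASCII alphanumerics plus '~' and '^'; anything else separates segments
    return ch.isascii() and (ch.isalnum() or ch in "~^")

def rpmvercmp(a: str, b: str) -> int:
    """rpm's version/release comparison: 1 if a is newer, -1 if b is newer, 0 if equal.
    Digit runs compare numerically, letter runs lexically, numeric beats alpha,
    '~' sorts before everything (pre-release), '^' sorts just after the bare version."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _significant(a[i]):
            i += 1
        while j < len(b) and not _significant(b[j]):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if a_tilde != b_tilde:
                return -1 if a_tilde else 1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            # end of string loses to '^', but '^' loses to any other segment
            if i >= len(a) or (j < len(b) and a_caret and not b_caret):
                return -1
            if j >= len(b) or not a_caret:
                return 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        cls = "[0-9]" if numeric else "[A-Za-z]"
        seg_a = re.match(cls + "+", a[i:]).group()
        seg_b = re.match(cls + "*", b[j:]).group()
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:
            return 1 if numeric else -1  # segment types differ: numeric is newer
        if numeric and int(seg_a) != int(seg_b):
            return 1 if int(seg_a) > int(seg_b) else -1
        if not numeric and seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whoever still has segments left is newer

def split_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, epoch, version, release

def evr_cmp(evr_a, evr_b) -> int:
    # epoch, then version, then release; the first differing field decides
    for x, y in zip(evr_a, evr_b):
        if (c := rpmvercmp(x, y)):
            return c
    return 0

def check_installed(rpm_output: str) -> dict:
    """Map each advisory package to True (fixed), False (still vulnerable) or None (absent)."""
    status = {}
    for line in (l.strip() for l in rpm_output.splitlines() if l.strip()):
        if line.startswith("package ") and line.endswith("is not installed"):
            status[line.split()[1]] = None
            continue
        name, *evr = split_nevr(line)
        if name in FIXED_VERSIONS:
            fixed_evr = split_nevr(f"{name}-{FIXED_VERSIONS[name]}")[1:]
            status[name] = evr_cmp(evr, fixed_evr) >= 0
    return status
```

On a real host, pipe the `rpm -q --qf` output for the four package names into `check_installed(sys.stdin.read())`; a `False` entry means the package predates this update and is still built against the affected rustls. Because Rust binaries link crates such as rustls statically, the fix ships as a rebuilt git-cliff package rather than a separate library update, which is why the check looks at git-cliff's own version-release and not at a rustls package.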


References:

   https://www.suse.com/security/cve/CVE-2024-32650.html
   https://bugzilla.suse.com/1223218

openSUSE: 2024:0130-1 important: git-cliff Advisory Security Update

May 18, 2024