
openSUSE-SU-2024:0226-1

Published: 27 Jul 2024
Source: suse-cvrf

Description

Security update for gh

This update for gh fixes the following issues:

Update to version 2.53.0:

  • CVE-2024-6104: gh: hashicorp/go-retryablehttp: url might write sensitive information to log file (boo#1227035)
  • Disable TestGetTrustedRoot/successfully_verifies_TUF_root test due to https://github.com/cli/cli/issues/8928
  • Rename package directory and files
  • Rename package name to update_branch
  • Rename gh pr update to gh pr update-branch
  • Add test case for merge conflict error
  • Handle merge conflict error
  • Return error if PR is not mergeable
  • Replace literals with consts for Mergeable field values
  • Add separate type for PullRequest.Mergeable field
  • Remove unused flag
  • Print message on stdout instead of stderr
  • Raise error if editor is used in non-tty mode
  • Add tests for JSON field support on issue and pr view commands
  • docs: Update documentation for gh repo create to clarify owner
  • Ensure PR does not panic when stateReason is requested
  • Enable to use --web even though editor is enabled by config
  • Add editor hint message
  • Use prefer_editor_prompt config by issue create
  • Add prefer_editor_prompt config
  • Add issue create --editor
  • Update create.go
  • gh attestation trusted-root subcommand (#9206)
  • Fetch variable selected repo relationship when required
  • Add createdAt field to tests
  • Add createdAt field to Variable type
  • Add test for exporting as JSON
  • Add test for JSON output
  • Only populate selected repo information for JSON output
  • Add test to verify JSON exporter gets set
  • Add --json option support
  • Use Variable type defined in shared package
  • Add tests for JSON output
  • Move Variable type and PopulateSelectedRepositoryInformation func to shared
  • Fix query parameter name
  • Update tests to account for ref comparison step
  • Improve query variable names
  • Check if PR branch is already up-to-date
  • Add ComparePullRequestBaseBranchWith function
  • Run go mod tidy
  • Add test to verify --repo requires non-empty selector
  • Require non-empty selector when --repo override is used
  • Run go mod tidy
  • Register update command
  • Add tests for pr update command
  • Add pr update command
  • Add UpdatePullRequestBranch method
  • Upgrade shurcooL/githubv4

Update to version 2.52.0:

  • Attestation Verification - Buffer Fix
  • Remove beta note from attestation top level command
  • Removed beta note from gh at download.
  • Removed beta note from gh at verify, clarified reusable workflows use case.
  • add -a flag to gh run list

Package list

SUSE Package Hub 15 SP6
gh-2.53.0-bp156.2.6.1
gh-bash-completion-2.53.0-bp156.2.6.1
gh-fish-completion-2.53.0-bp156.2.6.1
gh-zsh-completion-2.53.0-bp156.2.6.1
openSUSE Leap 15.6
gh-2.53.0-bp156.2.6.1
gh-bash-completion-2.53.0-bp156.2.6.1
gh-fish-completion-2.53.0-bp156.2.6.1
gh-zsh-completion-2.53.0-bp156.2.6.1

Description

go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
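The following is an added illustration of the failure mode described above, not code from the advisory or from go-retryablehttp itself: a log line built from the raw request URL leaks the basic auth password, while redacting the URL with the standard library's url.URL.Redacted before logging keeps the line useful and secret-free. The sample URL, credentials and function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample (not part of the advisory or of go-retryablehttp):
// a request URL carrying HTTP basic auth credentials in its userinfo part.
const sampleRequestURL = "https://deploy:s3cretToken@api.example.com/v1/releases?tag=v2.53.0"

// unsafeLogLine shows the pre-0.7.7 failure mode the advisory describes:
// the raw URL string is formatted straight into the log message, so the
// password from the userinfo component lands in the log file verbatim.
func unsafeLogLine(method, rawURL string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, rawURL)
}

// safeLogLine sanitizes the URL before it reaches the logger.
// url.URL.Redacted (Go 1.15+) replaces the password in the userinfo
// component with "xxxxx" and leaves scheme, host, path and query
// untouched, so the line stays useful for debugging without the secret.
func safeLogLine(method, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		// Do not fall back to logging the raw string on a parse
		// error: that would quietly reintroduce the leak.
		return "", fmt.Errorf("refusing to log unparsable url: %w", err)
	}
	return fmt.Sprintf("[DEBUG] %s %s", method, u.Redacted()), nil
}

// LeaksSecret reports whether a log line still contains the given secret.
// Useful as a regression check in tests around any code that logs URLs.
func LeaksSecret(logLine, secret string) bool {
	return strings.Contains(logLine, secret)
}

func main() {
	fmt.Println("unsafe:", unsafeLogLine("GET", sampleRequestURL))
	line, err := safeLogLine("GET", sampleRequestURL)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", line)
}
```

Redacted keeps the username, so an operator can still tell which account a request used; only the password is masked.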


Affected products
SUSE Package Hub 15 SP6:gh-2.53.0-bp156.2.6.1
SUSE Package Hub 15 SP6:gh-bash-completion-2.53.0-bp156.2.6.1
SUSE Package Hub 15 SP6:gh-fish-completion-2.53.0-bp156.2.6.1
SUSE Package Hub 15 SP6:gh-zsh-completion-2.53.0-bp156.2.6.1

References
Vulnerability openSUSE-SU-2024:0226-1