Description
Security update for hauler
This update for hauler fixes the following issues:
- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, bsc#1248937, CVE-2025-58058):
- bump github.com/containerd/containerd (#474)
- another fix to tests for new tests (#472)
- fixed typo in testdata (#471)
- fixed/cleaned new tests (#470)
- trying a new way for hauler testing (#467)
- update for cosign v3 verify (#469)
- added digests view to info (#465)
- bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
- update oras-go to v1.2.7 for security patches (#464)
- update cosign to v3.0.2+hauler.1 (#463)
- fixed homebrew directory deprecation (#462)
- add registry logout command (#460)
- Update to version 1.3.0:
- bump the go_modules group across 1 directory with 2 updates (#455)
- upgraded versions/dependencies/deprecations (#454)
- allow loading of docker tarballs (#452)
- bump the go_modules group across 1 directory with 2 updates (#449)
- Update to version 1.2.5 (bsc#1246722, CVE-2025-46569):
- Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in the go_modules group across 1 directory (CVE-2025-46569)
- deprecate auth from hauler store copy
- Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the go_modules group across 1 directory
- Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 in the go_modules group across 1 directory
- upgraded go and dependencies versions
- Update to version 1.2.5:
- upgraded go and dependencies versions (#444)
- Bump github.com/go-viper/mapstructure/v2 (#442)
- bump github.com/cloudflare/circl (#441)
- deprecate auth from hauler store copy (#440)
- Bump github.com/open-policy-agent/opa (#438)
- Update to version 1.2.4 (CVE-2025-22872, bsc#1241804):
- Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory
- minor tests updates
- Update to version 1.2.3:
- formatting and flag text updates
- add keyless signature verification (#434)
- bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
- add --only flag to hauler store copy (for images) (#429)
- fix tlog verification error/warning output (#428)
- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
- cleanup new tlog flag typos and add shorthand (#426)
- default public transparency log verification to false to be airgap friendly but allow override (#425)
- bump github.com/golang-jwt/jwt/v4 (#423)
- bump the go_modules group across 1 directory with 2 updates (#422)
- bump github.com/go-jose/go-jose/v3 (#417)
- bump github.com/go-jose/go-jose/v4 (#415)
- clear default manifest name if product flag used with sync (#412)
- updates for v1.2.0 (#408)
- fixed remote code (#407)
- added remote file fetch to load (#406)
- added remote and multiple file fetch to sync (#405)
- updated save flag and related logs (#404)
- updated load flag and related logs [breaking change] (#403)
- updated sync flag and related logs [breaking change] (#402)
- upgraded api update to v1/updated dependencies (#400)
- fixed consts for oci declarations (#398)
- fix for correctly grabbing platform post cosign 2.4 updates (#393)
- use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
- Bump the go_modules group across 1 directory with 2 updates (#385)
- replace mholt/archiver with mholt/archives (#384)
- forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
- cleaned up registry and improved logging (#378)
- Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
- Bump net/html dependencies (bsc#1235332, CVE-2024-45338)
- Update to version 1.1.1:
- fixed cli desc for store env var (#374)
- updated versions for go/k8s/helm (#373)
- updated version flag to internal/flags (#369)
- renamed incorrectly named consts (#371)
- added store env var (#370)
- adding ignore errors and retries for continue on error/fail on error (#368)
- updated/fixed hauler directory (#354)
- standardize consts (#353)
- removed cachedir code (#355)
- removed k3s code (#352)
- updated dependencies for go, helm, and k8s (#351)
- [feature] build with boring crypto where available (#344)
- updated workflow to goreleaser builds (#341)
- added timeout to goreleaser workflow (#340)
- trying new workflow build processes (#337)
- improved workflow performance (#336)
- have extract use proper ref (#335)
- yet another workflow goreleaser fix (#334)
- even more workflow fixes (#333)
- added more fixes to github workflow (#332)
- fixed typo in hauler store save (#331)
- updates to fix build processes (#330)
- added integration tests for non hauler tarballs (#325)
- bump: golang >= 1.23.1 (#328)
- add platform flag to store save (#329)
- Update feature_request.md
- updated/standardize command descriptions (#313)
- use new annotation for 'store save' manifest.json (#324)
- enable docker load for hauler tarballs (#320)
- bump to cosign v2.2.3-carbide.3 for new annotation (#322)
- continue on error when adding images to store (#317)
- Update README.md (#318)
- fixed completion commands (#312)
- github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)
- pages: enable go install hauler.dev/go/hauler (#310)
- Create CNAME
- pages: initial workflow (#309)
- testing and linting updates (#305)
- feat-273: TLS Flags (#303)
- added list-repos flag (#298)
- fixed hauler login typo (#299)
- updated cobra function for shell completion (#304)
- updated install.sh to remove github api (#293)
- fix image ref keys getting squashed when containing sigs/atts (#291)
- fix missing version info in release build (#283)
- bump github.com/docker/docker in the go_modules group across 1 directory (#281)
- updated install script (install.sh) (#280)
- fix digest images being lost on load of hauls (Signed). (#259)
- feat: add readonly flag (#277)
- fixed makefile for goreleaser v2 changes (#278)
- updated goreleaser versioning defaults (#279)
- update feature_request.md (#274)
- updated old references
- updated actions workflow user
- added dockerhub to github actions workflow
- removed helm chart
- added debug container and workflow
- updated products flag description
- updated chart for release
- fixed workflow errors/warnings
- fixed permissions on testdata
- updated chart versions (will need to update again)
- last bit of fixes to workflow
- updated unit test workflow
- updated goreleaser deprecations
- added helm chart release job
- updated github template names
- updated imports (and go fmt)
- formatted gitignore to match dockerignore
- formatted all code (go fmt)
- updated chart tests for new features
- Adding the timeout flag for fileserver command
- Configure chart commands to use helm clients for OCI and private registry support
- Added some documentation text to sync command
- Bump golang.org/x/net from 0.17.0 to 0.23.0
- fix for dup digest smashing in cosign
- removed vagrant scripts
- last bit of updates and formatting of chart
- updated hauler testdata
- adding functionality and cleaning up
- added initial helm chart
- removed tag in release workflow
- updated/fixed image ref in release workflow
- updated/fixed platforms in release workflow
- updated/cleaned github actions (#222)
- Make Product Registry configurable (#194)
- updated fileserver directory name (#219)
- fix logging for files
- add extra info for the tempdir override flag
- tempdir override flag for load
- deprecate the cache flag instead of remove
- switch to using bci-golang as builder image
- fix: ensure /tmp for hauler store load
- added the copy back for now
- remove copy at the image sync not needed with cosign update
- removed misleading cache flag
- better logging when adding to store
- update to v2.2.3 of our cosign fork
- add: dockerignore
- add: Dockerfile
- Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
- Bump github.com/docker/docker
- updated and added new logos
- updated github files
Package list
openSUSE Leap 16.0
References
- SUSE Security Ratings
- SUSE Bug 1235332
- SUSE Bug 1241184
- SUSE Bug 1241804
- SUSE Bug 1246722
- SUSE Bug 1248937
- SUSE Bug 1251516
- SUSE Bug 1251651
- SUSE Bug 1251891
- SUSE CVE CVE-2024-0406 page
- SUSE CVE CVE-2024-45338 page
- SUSE CVE CVE-2025-11579 page
- SUSE CVE CVE-2025-22872 page
- SUSE CVE CVE-2025-46569 page
- SUSE CVE CVE-2025-47911 page
- SUSE CVE CVE-2025-58058 page
- SUSE CVE CVE-2025-58190 page
Description
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file which, when unpacked, may allow access to restricted files or directories. The issue can allow files to be created or overwritten with the privileges of the user or application that uses the library.
Affected products
References
- CVE-2024-0406
- SUSE Bug 1241181
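The defence against the crafted-tar issue described above is a path check on every entry before anything is written. The following is an added example, not code from hauler or from mholt/archiver: a dry-run scanner in Go (hauler's own language) that resolves each entry name, symlink target and hard-link target against the destination directory and reports those that would land outside it. The destination path /var/lib/haul and the archive entries are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
	"time"
)

// ErrUnsafePath marks an entry that would be written outside the destination.
var ErrUnsafePath = errors.New("tar entry escapes destination directory")

// SafeJoin resolves an archive entry name against dest and rejects names that
// would land outside it: absolute paths, volume names, and ".." escapes.
func SafeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	if name == "" || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	target := filepath.Join(dest, name) // Join cleans, so ".." components collapse here
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

// CheckArchive walks a tar stream without writing anything and returns the
// names of entries that would escape dest, directly or through a symlink or
// hard link whose target points outside the tree.
func CheckArchive(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var bad []string
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return bad, nil
		}
		if err != nil {
			return bad, err
		}
		if _, err := SafeJoin(dest, hdr.Name); err != nil {
			bad = append(bad, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			// A symlink target resolves relative to the link's own directory; an
			// absolute or escaping target lets a later entry write through the link.
			resolved := filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
			if _, err := SafeJoin(dest, resolved); err != nil || filepath.IsAbs(hdr.Linkname) {
				bad = append(bad, hdr.Name)
			}
		case tar.TypeLink:
			// A hard link names another path in the archive; it must stay inside dest too.
			if _, err := SafeJoin(dest, hdr.Linkname); err != nil {
				bad = append(bad, hdr.Name)
			}
		}
	}
}

// buildSample constructs an in-memory tar (constructed test data, not a real
// haul) with one benign file, one benign symlink, and three escaping entries.
func buildSample() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	now := time.Now()
	entries := []tar.Header{
		{Name: "manifest.json", Mode: 0o644, Size: 2, Typeflag: tar.TypeReg, ModTime: now},
		{Name: "../../outside.txt", Mode: 0o644, Size: 2, Typeflag: tar.TypeReg, ModTime: now},
		{Name: "/tmp/absolute.txt", Mode: 0o644, Size: 2, Typeflag: tar.TypeReg, ModTime: now},
		{Name: "escape", Linkname: "../../", Mode: 0o777, Typeflag: tar.TypeSymlink, ModTime: now},
		{Name: "ok-link", Linkname: "manifest.json", Mode: 0o777, Typeflag: tar.TypeSymlink, ModTime: now},
	}
	for i := range entries {
		if err := tw.WriteHeader(&entries[i]); err != nil {
			panic(err)
		}
		if entries[i].Typeflag == tar.TypeReg {
			if _, err := tw.Write([]byte("{}")); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bad, err := CheckArchive(bytes.NewReader(buildSample()), "/var/lib/haul")
	if err != nil {
		fmt.Println("read error:", err)
		return
	}
	for _, name := range bad {
		fmt.Printf("rejected: %q\n", name)
	}
}
```

Running the scan before extraction, rather than checking paths as files are written, means a rejected archive leaves nothing behind on disk; the same SafeJoin check is what an extraction loop should apply to each entry it does write.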
Description
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Affected products
References
- CVE-2024-45338
- SUSE Bug 1234794
Description
github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading RAR archives that declare a large dictionary, which allows an attacker to provide a specially crafted RAR file and cause a denial of service via an out-of-memory crash.
Affected products
References
- CVE-2025-11579
- SUSE Bug 1251871
Description
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When using Tokenizer directly, such tags are incorrectly marked as self-closing; when using the Parse functions, content following such tags can be placed in the wrong scope during DOM construction, but only when the tags are in foreign content (e.g. <math> or <svg> contexts).
Affected products
References
- CVE-2025-22872
- SUSE Bug 1241710
Description
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. An HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any data other than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail, opening the door to oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a denial of service (DoS). This issue has been patched in version 1.4.0. As a workaround, limit network access to OPA's RESTful APIs to `localhost` and/or trusted networks unless wider access is required in production.
Affected products
References
- CVE-2025-46569
- SUSE Bug 1246710
Description
unknown
Affected products
References
- CVE-2025-47911
- SUSE Bug 1251308
Description
xz is a pure Go package for reading and writing xz-compressed files. Prior to version 0.5.14, data could be placed in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption, because the implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header has neither a magic number nor a checksum that would detect such an issue. The code does recognize the problem later while reading the stream, but by then the memory allocation has already been made. This issue has been patched in version 0.5.14.
Affected products
References
- CVE-2025-58058
- SUSE Bug 1248889
Description
unknown
Affected products
References
- CVE-2025-58190
- SUSE Bug 1251309