<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for git-cliff</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2024:0130-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2024-05-18T12:51:03Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-05-18T12:51:03Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-05-18T12:51:03Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for git-cliff</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for git-cliff fixes the following issues:

- update to 2.2.2:
  * (changelog) Allow adding custom context
  * (changelog) Ignore empty lines when using split_commits
  * (parser) Allow matching empty commit body
  * Documentation updates

- update to 2.2.1:
  * Make rendering errors more verbose
  * Support detecting config from project manifest
  * Make the bump version rules configurable
  * bug fixes and documentation updates
- CVE-2024-32650: rust-rustls: Infinite loop with proper client
  input fixes (boo#1223218)

- Update to version 2.1.2:
  * feat(npm): add programmatic API for TypeScript
  * chore(fixtures): enable verbose logging for output
  * refactor(clippy): apply clippy suggestions
  * refactor(changelog): do not output to stdout when prepend is used
  * feat(args): add `--tag-pattern` argument
  * fix(config): fix commit parser regex in the default config
  * fix(github): sanitize the GitHub token in debug logs
  * chore(config): add animation to the header of the changelog
  * refactor(clippy): apply clippy suggestions
  * docs(security): update security policy
  * chore(project): add readme to core package
  * chore(embed): do not allow missing docs
  * chore(config): skip dependabot commits for dev updates
  * docs(readme): mention RustLab 2023 talk
  * chore(config): revamp the configuration files
  * chore(docker): update versions in Dockerfile
  * chore(example): use full links in GitHub templates
  * chore(project): bump MSRV to 1.74.1
  * revert(config): use postprocessors for checking the typos
  * feat(template): support using PR labels in the GitHub template
  * docs(configuration): fix typo
  * feat(args): add `--no-exec` flag for skipping command execution
  * chore(command): explicitly set the directory of command to current dir
  * refactor(ci): use hardcoded workspace members for cargo-msrv command
  * refactor(ci): simplify cargo-msrv installation
  * refactor(clippy): apply clippy suggestions
  * refactor(config): use postprocessors for checking the typos
  * chore(project): update copyright years
  * chore(github): update templates about GitHub integration
  * feat(changelog): set the timestamp of the previous release
  * feat(template): support using PR title in the GitHub template
  * feat(changelog): improve skipping via `.cliffignore` and `--skip-commit`
  * chore(changelog): disable the default behavior of next-version
  * fix(git): sort commits in topological order
  * test(changelog): use the correct version for missing tags
  * chore(changelog): use 0.1.0 as default next release if no tag is found
  * feat(github)!: support integration with GitHub repos
  * refactor(changelog): support `--bump` for processed releases
  * fix(cli): fix broken pipe when stdout is interrupted
  * test(fixtures): update the bumped value output to add prefix
  * feat(changelog): support tag prefixes with `--bump`
  * feat(changelog)!: set tag to `0.0.1` via `--bump` if no tags exist
  * fix(commit): trim the trailing newline from message
  * docs(readme): use the raw link for the animation
  * chore(example): remove limited commits example
  * feat(args): add `-x` short argument for `--context`
  * revert(deps): bump actions/upload-pages-artifact from 2 to 3
  * revert(deps): bump actions/deploy-pages from 3 to 4
  * chore(dependabot): group the dependency updates for creating less PRs
  * feat(parser): support using SHA1 of the commit
  * feat(commit): add merge_commit flag to the context
  * chore(mergify): don't update PRs for the main branch
  * fix(links): skip checking the GitHub commit URLs
  * fix(changelog): fix previous version links
  * feat(parser): support using regex scope values
  * test(fixture): update the date for example test fixture
  * docs(fixtures): add instructions for adding new fixtures
  * feat(args): support initialization with built-in templates
  * feat(changelog)!: support templating in the footer
  * feat(args): allow returning the bumped version
  * test(fixture): add test fixture for bumping version
  * fix: allow version bump with a single previous release
  * fix(changelog): set the correct previous tag when a custom tag is given
  * feat(args): set `CHANGELOG.md` as default missing value for output option
  * refactor(config): remove unnecessary newline from configs

- Update to version 1.4.0:
  * Support bumping the semantic version via `--bump`
  * Add 'typos' check
  * Log the output of failed external commands
  * breaking change: Support regex in 'tag_pattern' configuration
  * Add field and value matchers to the commit parser

- Update to version 1.2.0:
  * Update clap and clap extras to v4 
  * Make the fields of Signature public
  * Add a custom configuration file for the repository
  * Support placing configuration inside pyproject.toml 
  * Generate SBOM/provenance for the Docker image
  * Support using regex group values 
  * [breaking] Nested environment config overrides 
  * Set max of limit_commits to the number of commits 
  * Set the node cache dependency path
  * Use the correct argument in release script

- Update to version 1.1.2:
  * Do not skip all tags when skip_tags is empty (#136)
  * Allow saving context to a file (#138)
  * Derive the tag order from commits instead of timestamp (#139)
  * Use timestamp for deriving the tag order (#139)

- Update to version 1.1.1:
  * Relevant change: Update README.md about the NPM package
  * Fix type casting in base NPM package
  * Rename the package on Windows
  * Disable liquid parsing in README.md by using raw blocks
  * Support for generating changelog for multiple git repositories
  * Publish binaries for more platforms/architectures

- Update to version 1.0.0:
  * Bug Fixes
    - Fix test fixture failures
  * Documentation
    - Fix GitHub badges in README.md
  * Features
    - [breaking] Replace --date-order by --topo-order
    - Allow running with --prepend and --output
    - [breaking] Use current time for --tag argument
    - Include completions and mangen in binary releases
    - Publish Debian package via release workflow
  * Miscellaneous Tasks
    - Run all test fixtures
    - Remove deprecated set-output usage
    - Update actions/checkout to v3
    - Comment out custom commit preprocessor
  * Refactor
    - Apply clippy suggestions
  * Styling
    - Update README.md about the styling of footer field
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2024-130</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RLZMKRAPDN7C43S56JAGULAWF4RXGB2S/</URL>
      <Description>E-Mail link for openSUSE-SU-2024:0130-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1223218</URL>
      <Description>SUSE Bug 1223218</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-32650/</URL>
      <Description>SUSE CVE CVE-2024-32650 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP5">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP5">
        <FullProductName ProductID="SUSE Package Hub 15 SP5">SUSE Package Hub 15 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.5">
      <Branch Type="Product Name" Name="openSUSE Leap 15.5">
        <FullProductName ProductID="openSUSE Leap 15.5" CPE="cpe:/o:opensuse:leap:15.5">openSUSE Leap 15.5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="git-cliff-2.2.2-bp155.2.3.1">
      <FullProductName ProductID="git-cliff-2.2.2-bp155.2.3.1">git-cliff-2.2.2-bp155.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="git-cliff-bash-completion-2.2.2-bp155.2.3.1">
      <FullProductName ProductID="git-cliff-bash-completion-2.2.2-bp155.2.3.1">git-cliff-bash-completion-2.2.2-bp155.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="git-cliff-fish-completion-2.2.2-bp155.2.3.1">
      <FullProductName ProductID="git-cliff-fish-completion-2.2.2-bp155.2.3.1">git-cliff-fish-completion-2.2.2-bp155.2.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="git-cliff-zsh-completion-2.2.2-bp155.2.3.1">
      <FullProductName ProductID="git-cliff-zsh-completion-2.2.2-bp155.2.3.1">git-cliff-zsh-completion-2.2.2-bp155.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="git-cliff-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP5">
      <FullProductName ProductID="SUSE Package Hub 15 SP5:git-cliff-2.2.2-bp155.2.3.1">git-cliff-2.2.2-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-bash-completion-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP5">
      <FullProductName ProductID="SUSE Package Hub 15 SP5:git-cliff-bash-completion-2.2.2-bp155.2.3.1">git-cliff-bash-completion-2.2.2-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-fish-completion-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP5">
      <FullProductName ProductID="SUSE Package Hub 15 SP5:git-cliff-fish-completion-2.2.2-bp155.2.3.1">git-cliff-fish-completion-2.2.2-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-zsh-completion-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP5">
      <FullProductName ProductID="SUSE Package Hub 15 SP5:git-cliff-zsh-completion-2.2.2-bp155.2.3.1">git-cliff-zsh-completion-2.2.2-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
      <FullProductName ProductID="openSUSE Leap 15.5:git-cliff-2.2.2-bp155.2.3.1">git-cliff-2.2.2-bp155.2.3.1 as a component of openSUSE Leap 15.5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-bash-completion-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
      <FullProductName ProductID="openSUSE Leap 15.5:git-cliff-bash-completion-2.2.2-bp155.2.3.1">git-cliff-bash-completion-2.2.2-bp155.2.3.1 as a component of openSUSE Leap 15.5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-fish-completion-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
      <FullProductName ProductID="openSUSE Leap 15.5:git-cliff-fish-completion-2.2.2-bp155.2.3.1">git-cliff-fish-completion-2.2.2-bp155.2.3.1 as a component of openSUSE Leap 15.5</FullProductName>
    </Relationship>
    <Relationship ProductReference="git-cliff-zsh-completion-2.2.2-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
      <FullProductName ProductID="openSUSE Leap 15.5:git-cliff-zsh-completion-2.2.2-bp155.2.3.1">git-cliff-zsh-completion-2.2.2-bp155.2.3.1 as a component of openSUSE Leap 15.5</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will enter an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.</Note>
    </Notes>
    <CVE>CVE-2024-32650</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP5:git-cliff-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP5:git-cliff-bash-completion-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP5:git-cliff-fish-completion-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP5:git-cliff-zsh-completion-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.5:git-cliff-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.5:git-cliff-bash-completion-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.5:git-cliff-fish-completion-2.2.2-bp155.2.3.1</ProductID>
        <ProductID>openSUSE Leap 15.5:git-cliff-zsh-completion-2.2.2-bp155.2.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RLZMKRAPDN7C43S56JAGULAWF4RXGB2S/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-32650.html</URL>
        <Description>CVE-2024-32650</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1223211</URL>
        <Description>SUSE Bug 1223211</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
