openSUSE-SU-2025:0021-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:0021-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2025:0021-1
Related
Published
2025-01-22T10:02:08Z
Modified
2025-01-22T10:02:08Z
Summary
Security update for gh
Details

This update for gh fixes the following issues:

  • Update to version 2.65.0:

    • Bump cli/go-gh for indirect security vulnerability
    • Panic mustParseTrackingRef if format is incorrect
    • Move trackingRef into pr create package
    • Make tryDetermineTrackingRef tests more respective of reality
    • Rework tryDetermineTrackingRef tests
    • Avoid pointer return from determineTrackingBranch
    • Doc determineTrackingBranch
    • Don't use pointer for determineTrackingBranch branchConfig
    • Panic if tracking ref can't be reconstructed
    • Document and rework pr create tracking branch lookup
    • Upgrade generated workflows
    • Fixed test for stdout in non-tty use case of repo fork
    • Fix test
    • Alternative: remove LocalBranch from BranchConfig
    • Set LocalBranch even if the git config fails
    • Add test for permissions check for security and analysis edits (#1)
    • print repo url to stdout
    • Update pkg/cmd/auth/login/login.go
    • Move mention of classic token to correct line
    • Separate type decrarations
    • Add mention of classic token in gh auth login docs
    • Update pkg/cmd/repo/create/create.go
    • docs(repo): make explicit which branch is used when creating a repo
    • fix(repo fork): add non-TTY output when fork is newly created
    • Move api call to editRun
    • Complete get -> list renaming
    • Better error testing for autolink TestListRun
    • Decode instead of unmarshal
    • Use 'list' instead of 'get' for autolink list type and method
    • Remove NewAutolinkClient
    • Break out autolink list json fields test
    • PR nits
    • Refactor autolink subcommands into their own packages
    • Whitespace
    • Refactor out early return in test code
    • Add testing for AutoLinkGetter
    • Refactor autolink list and test to use http interface for simpler testing
    • Apply PR comment changes
    • Introduce repo autolinks list commands
    • Remove release discussion posts and clean up related block in deployment yml
    • Extract logic into helper function
    • add pending status for workflow runs
    • Feat: Allow setting securityandanalysis settings in gh repo edit
    • Upgrade golang.org/x/net to v0.33.0
    • Document SmartBaseRepoFunc
    • Document BaseRepoFunc
    • Update releasing.md
    • Document how to set gh-merge-base

  • Update to version 2.64.0:

    • add test for different SAN and SourceRepositoryURI values
    • add test for signerRepo and tenant
    • add some more fields to test that san, sanregex are set properly
    • Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6
    • update san and sanregex configuration for readability
    • reduce duplication when creating policy content
    • tweak output of build policy info
    • Name conditionals in PR finder
    • Support pr view for intra-org forks
    • Return err instead of silentError in merge queue check
    • linting pointed out this var is no longer used
    • Removed fun, but inaccessible ASCII header
    • further tweaks to the long description
    • Exit on pr merge with -d and merge queue
    • Addressed PR review feedback; expanded Long command help string, used ghrepo, clarified some abbreviations
    • Update pkg/cmd/attestation/inspect/inspect.go
    • Update gh auth commands to point to GitHub Docs
    • Reformat ext install long
    • Mention Windows quirk in ext install help text
    • Fix error mishandling in local ext install
    • Assert on err msg directly in ext install tests
    • Clarify hosts in ext install help text
    • Bump golang.org/x/crypto from 0.29.0 to 0.31.0
    • Removed now redundant file
    • minor tweak to language
    • go mod tidy
    • Deleted no-longer-used code.
    • deleted now-invalid tests, added a tiny patina of new testing.
    • Tightened up docs, deleted dead code, improved printing
    • fix file name creation on windows
    • wording
    • hard code expected digest
    • fix download test
    • use bash shell with integration tests
    • simplify var creation
    • update integration test scripts
    • fix: list branches in square brackets in gh codespace
    • try nesting scripts
    • run all tests in a single script
    • windows for loop syntax
    • use replaceAll
    • update expected file path on windows
    • run integration tests with windows specific syntax
    • run all attestation cmd integration tests automatically
    • Bump actions/attest-build-provenance from 1.4.4 to 2.1.0
    • Improve error handling in apt setup script
    • use different file name for attestation files on windows
    • test(gh run): assert branch names are enclosed in square brackets
    • docs: enhance help text and prompt for rename command
    • Revert 'Confirm auto-detected base branch'
    • Confirm auto-detected base branch
    • Merge changes from #10004
    • Set gh-merge-base from issue develop
    • Open PR against gh-merge-base
    • Refactor extension executable error handling
    • fix: list branches in square brackets in gh run view (#10038)
    • docs: update description of command
    • style: reformat files
    • docs: update sentence case
    • use github owned oci image
    • docs: add mention of scopes help topic in auth refresh command help
    • docs: add mention of scopes help topic in auth login command help
    • docs: add help topic for auth scopes
    • docs: improve help for browse command
    • docs: improve docs for browse command as of #5352
    • fix package reference
    • add gh attestation verify integration test for oci bundles
    • add integration test for bundle-from-oci option
    • update tests
    • update tests
    • move content of veriy policy options function into enforcement criteria
    • comment
    • try switch statement
    • remove duplicate err checking
    • get bundle issuer in another func
    • more logic updating to remove nesting
    • inverse logic for less nesting
    • remove unneeded nesting
    • wip, linting, getting tests to pass
    • wording
    • var naming
    • drop table view
    • order policy info so relevant info is printed next to each other
    • Update pkg/cmd/attestation/verification/policy.go
    • Update pkg/cmd/attestation/verification/policy.go
    • Update pkg/cmd/attestation/verification/policy.go
    • wip: added new printSummaryInspection
    • Improve error handling for missing executable
    • experiment with table output
    • Assert stderr is empty in manager_test.go
    • Update error message wording
    • Change: exit zero, still print warning to stderr
    • wording
    • Improve docs on installing extensions
    • Update language for missing extension executable
    • Update test comments about Windows behavior
    • wording
    • wording
    • wording
    • add newlines for additional policy info
    • Document requirements for local extensions
    • Warn when installing local ext with no executable
    • wording
    • formatting
    • print policy information before verifying
    • add initial policy info method
    • more wip poking around, now with table printing
    • wip, gh at inspect will check the signature on the bundle
    • wip: inspect now prints various bundle fields in a nice json

  • Update to version 2.63.2:

    • include alg with digest when fetching bundles from OCI
    • Error for mutually exclusive json and watch flags
    • Use safepaths for run download
    • Use consistent slice ordering in run download tests
    • Consolidate logic for isolating artifacts
    • Fix PR checkout panic when base repo is not in remotes
    • When renaming an existing remote in gh repo fork, log the change
    • Improve DNF version clarity in install steps
    • Fix formatting in client_test.go comments for linter
    • Expand logic and tests to handle edge cases
    • Refactor download testing, simpler file descends
    • Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7
    • Improve test names so there is no repetition
    • Second attempt to address exploit

  • Update to version 2.63.0:

    • Add checkout test that uses ssh git remote url
    • Rename backwards compatible credentials pattern
    • Fix CredentialPattern doc typos
    • Remove TODOs
    • Fix typos and add tests for CredentialPatternFrom* functions
    • Add SSH remote todo
    • General cleanup and docs
    • Allow repo sync fetch to use insecure credentials pattern
    • Allow client fetch to use insecure credentials pattern
    • Allow client push to use insecure credential pattern
    • Allow client pull to use insecure credential pattern
    • Allow opt-in to insecure pattern
    • Support secure credential pattern
    • Refactor error handling for missing 'workflow' scope in createRelease
    • ScopesResponder wraps StatusScopesResponder
    • Refactor workflow scope checking
    • pr feedback
    • pr feedback
    • Update pkg/cmd/attestation/verify/attestationintegrationtest.go
    • Apply suggestions from code review
    • Refactor command documentation to use heredoc
    • pr feedback
    • remove unused test file
    • undo change
    • add more testing testing fixtures
    • update test with new test bundle
    • naming
    • update test
    • update test
    • Fix README.md code block formatting
    • clean up
    • wrap sigstore and cert ext verification into a single function
    • Adding option to return baseRefOid in pr view
    • verify cert extensions function should return filtered result list
    • pr feedback
    • Update pkg/cmd/attestation/download/download.go
    • fix function param calls
    • Update pkg/cmd/attestation/verification/extensions.go
    • Formatting fix
    • Updated formatting to be more clear
    • Updated markdown syntax for a note.
    • Added a section on manual verification of the relases.
    • Handle missing 'workflow' scope in createRelease
    • Modify push prompt on repo create when bare
    • Doc push behaviour for bare repo create
    • Push --mirror on bare repo create
    • Add acceptance test for bare repo create
    • Doc isLocalRepo and git.Client IsLocalRepo differences
    • Use errWithExitCode interface in repo create isLocalRepo
    • Backfill repo creation failure tests
    • Support bare repo creation
    • use logger println method
    • simplify verifyCertExtensions
    • rename type
    • refactor fetch attestations funcs

  • Update to version 2.62.0

    • CVE-2024-52308: remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands (boo#1233387, GHSA-p2h2-3vg9-4p87)
    • Check extension for latest version when executed
    • Shorten extension release checking from 3s to 1s

  • includes changes from 2.61.0:

    • Enhance gh repo edit command to inform users about consequences of changing visibility and ensure users are intentional before making irreversible changes

  • Update to version 2.60.1:

    • Note token redaction in Acceptance test README
    • Refactor gpg-key delete to align with ssh-key delete
    • Add acceptance tests for org command
    • Adjust environment help for host and tokens (#9809)
    • Add SSH Key Acceptance test
    • Add Acceptance test for label command
    • Add acceptance test for gpg-key
    • Update go-internal to redact more token types in Acceptance tests
    • Address PR feedback
    • Clarify gh is available for GitHub Enterprise Cloud
    • Remove comment from gh auth logout
    • Add acceptance tests for auth-setup-git and formattedStringToEnv helper func
    • Use forked testscript for token redaction
    • Use new GitHub preview terms in working-with-us.md
    • Use new GitHub previews terminology in attestation
    • Test json flags for repo view and list
    • Clean up auth-login-logout acceptance test with native functionality
    • Add --token flag to gh auth login to accept a PAT as a flag
    • Setup acceptance testing for auth and tests for auth-token and auth-status
    • Update variable testscripts based on secret
    • Check extOwner for no value instead
    • Fix tests for invalid extension name
    • Refactor to remove code duplication
    • Linting: now that mockDataGenerator has an embedded mock, we ought to have pointer receivers in its funcs.
    • Minor tweaks, added backoff to getTrustDomain
    • added test for verifying we do 3 retries when fetching attestations.
    • Fix single quote not expanding vars
    • Added constant backoff retry to getAttestations.
    • Address @williammartin PR feedback
    • wip: added test that fails in the absence of a backoff.
    • add validation for local ext install
    • feat: add ArchivedAt field to Repository struct
    • Refactor gh secret testscript
    • Wrap true in '' in repo-fork-sync
    • Rename acceptance test directory from repos to repo
    • Remove unnecessary flags from repo-delete testscript
    • Replace LICENSE Makefile README.md acceptance api bin build cmd context docs git go.mod go.sum internal pkg script share test utils commands with
    • Wrap boolean strings in '' so it is clear they are strings
    • Remove unnecessary gh auth setup-git steps
    • Cleanup some inconsistencies and improve collapse some functionality
    • Add acceptance tests for repo deploy-key add/list/delete
    • Add acceptance tests for repo-fork and repo-sync
    • Add acceptance test for repo-set-default
    • Add acceptance test for repo-edit
    • Add acceptance tests for repo-list and repo-rename
    • Acceptance testing for repo-archive and repo-unarchive
    • Add acceptance test for repo-clone
    • Added acceptance test for repo-delete
    • Added test function for repos and repo-create test
    • Implement acceptance tests for search commands
    • Remove . from test case for TestTitleSurvey
    • Clean up Title Survey empty title message code
    • Add missing test to trigger acceptance tests
    • Add acceptance tests for gh variable
    • Minor polish / consistency
    • Fix typo in custom command doc
    • Refactor env2upper, env2lower; add docs
    • Update secret note about potential failure
    • Add testscripts for gh secret, helper cmds
    • Remove stdout assertion from release
    • Rename test files
    • Add acceptance tests for release commands
    • Implement basic API acceptance test
    • Remove unnecesary mkdir from download Acceptance test
    • Remove empty stdout checks
    • Adjust sleeps to echos in Acceptance workflows
    • Use regex assert for enable disable workflow Acceptance test
    • Watch for run to end for cancel Acceptance test
    • Include startedAt, completedAt in run steps data
    • Rewrite a sentence in CONTRIBUTING.md
    • Add filtered content output to docs
    • sleep 10s before checking for workflow run
    • Update run-rerun.txtar
    • Create cache-list-delete.txtar
    • Create run-view.txtar
    • Create run-rerun.txtar
    • Create run-download.txtar
    • Create run-delete.txtar
    • Remove IsTenancy and relevant tests from gists as they are unsupported
    • Remove unnecessary code branches
    • Add ghe.com to tests describing ghec data residency
    • Remove comment
    • auth: Removed redundant ghauth.IsTenancy(host) check
    • Use go-gh/auth package for IsEnterprise, IsTenancy, and NormalizeHostname
    • Upgrade go-gh version to 2.11.0
    • Add test coverage to places where IsEnterprise incorrectly covers Tenancy
    • Fix issue creation with metadata regex
    • Create run-cancel.txtar
    • Create workflow-run.txtar
    • Create workflow-view.txtar
    • implement workflow enable/disable acceptance test
    • implement base workflow list acceptance test
    • Add comment to acceptance make target
    • Resolve PR feedback
    • Acceptance test issue command
    • Support GHACCEPTANCESCRIPT
    • Ensure Acceptance defer failures are debuggable
    • Add acceptance task to makefile
    • build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6
    • Ensure pr create with metadata has assignment
    • Document sharedCmds func in acceptance tests
    • Correct testscript description in Acceptance readme
    • Add link to testscript pkg documentation
    • Add VSCode extension links to Acceptance README
    • Fix GHHOST / GHACCEPTANCE_HOST misuse
    • Acceptance test PR list
    • Support skipping Acceptance test cleanup
    • Acceptance test PR creation with metadata
    • Suggest using legacy PAT for acceptance tests
    • Add host recommendation to Acceptance test docs
    • Don't append remaining text if more matches
    • Highlight matches in table and content
    • Split all newlines, and output no-color to non-TTY
    • Print filtered gists similar to code search
    • Show progress when filtering
    • Simplify description
    • Disallow use of --include-content without --filter
    • Improve help docs
    • Refactor filtering into existing gist list
    • Improve performance
    • Add gist search command
    • Fix api tests after function signature changes
    • Return nil instead of empty objects when err
    • Fix license list and view tests
    • Validate required env vars not-empty for Acceptance tests
    • Add go to test instructions in Acceptance README
    • Apply suggestions from code review
    • Error if acceptance tests are targeting github or cli orgs
    • Add codecoverage to Acceptance README
    • Isolate acceptance env vars
    • Add Writing Tests section to Acceptance README
    • Add Debug and Authoring sections to Acceptance README
    • Acceptance test PR comment
    • Acceptance test PR merge and rebase
    • Note syntax highlighting support for txtar files
    • Refactor acceptance test environment handling
    • Add initial acceptance test README
    • Use txtar extension for testscripts
    • Support targeting other hosts in acceptance tests
    • Use stdout2env in PR acceptance tests
    • Acceptance test PR checkout
    • Add pr view test script
    • Initial testscript introduction
    • While we're at it, let's ensure VerifyCertExtensions can't be tricked the same way.
    • Add examples for creating .gitignore files
    • Update help for license view
    • Refactor http error handling
    • implement --web flag for license view
    • Fix license view help doc, add LICENSE.md example
    • Update help and fix heredoc indentation
    • Add SPDX ID to license list output
    • Fix ExactArgs invocation
    • Add Long for license list indicating limitations
    • Update function names
    • Reverse repo/shared package name change
    • If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.
    • Bump cli/oauth to 1.1.1
    • Add test coverage for TitleSurvey change
    • Fix failing test for pr and issue create
    • Make the X in the error message red and print with io writer
    • Handle errors from parsing hostname in auth flow
    • Apply suggestions from code review
    • Refactor tests and add new tests
    • Move API calls to queries_repo.go
    • Allow user to override markdown wrap width via $GH_MDWIDTH from environment
    • Add handling of empty titles for Issues and PRs
    • Print the login URL even when opening a browser
    • Apply suggestions from code review
    • Update SECURITY.md
    • Fix typo and wordsmithing
    • fix typo
    • Remove trailing space from heading
    • Revise wording
    • Update docs to allow community submitted designs
    • Implement license view
    • Implement gitignore view
    • implement gitignore list
    • Update license table headings and tests
    • Fix ListLicenseTemplates doc
    • fix output capitalization
    • Cleanup rendering and tests
    • Remove json output option
    • Divide shared repo package and add queries tests
    • First pass at implementing gh repo license list
    • Emit a log message when extension installation falls back to a darwin-amd64 binary on an Apple Silicon macOS machine

  • Update to version 2.58.0:

    • build(deps): bump github.com/theupdateframework/go-tuf/v2
    • Include dnf5 commands
    • Add GPG key instructions to appropriate sections
    • Update docs language to remove possible confusion around 'where you log in'
    • Change conditional in promptForHostname to better reflect prompter changes
    • Shorten language on Authenticate with a GitHub host.
    • Update language on docstring for gh auth login
    • Change prompts for gh auth login to reflect change from GHE to Other
    • Sentence case 'Other' option in hostname prompt
    • build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4
    • Add documentation explaining how to use hostname for gh auth login
    • Replace 'GitHub Enterprise Server' with 'other' in gh auth login prompt
    • fix tenant-awareness for trusted-root command
    • Fix test
    • Update pkg/cmd/extension/manager.go
    • Update comment formatting
    • Use new HasActiveToken method in trustedroot.go
    • Add HasActiveToken method to AuthConfig interface
    • Add HasActiveToken to AuthConfig.
    • Improve error presentation
    • Improve the suggested command for creating an issue when an extension doesn't have a binary for your platform
    • Update pkg/cmd/attestation/trustedroot/trustedroot_test.go
    • build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5
    • enforce auth for tenancy
    • disable auth check for att trusted-root cmd
    • better error for att verify custom issuer mismatch
    • Enhance gh repo create docs, fix random cmd link
References

Affected packages

SUSE:Package Hub 15 SP6 / gh

Package

Name
gh
Purl
pkg:rpm/suse/gh&distro=SUSE%20Package%20Hub%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.65.0-bp156.2.17.1

Ecosystem specific 

{
    "binaries": [
        {
            "gh-fish-completion": "2.65.0-bp156.2.17.1",
            "gh": "2.65.0-bp156.2.17.1",
            "gh-bash-completion": "2.65.0-bp156.2.17.1",
            "gh-zsh-completion": "2.65.0-bp156.2.17.1"
        }
    ]
}

openSUSE:Leap 15.6 / gh

Package

Name
gh
Purl
pkg:rpm/opensuse/gh&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.65.0-bp156.2.17.1

Ecosystem specific 

{
    "binaries": [
        {
            "gh-fish-completion": "2.65.0-bp156.2.17.1",
            "gh": "2.65.0-bp156.2.17.1",
            "gh-bash-completion": "2.65.0-bp156.2.17.1",
            "gh-zsh-completion": "2.65.0-bp156.2.17.1"
        }
    ]
}