opensuse-su-2025:0021-1
Vulnerability from csaf_opensuse
Published
2025-01-22 10:02
Modified
2025-01-22 10:02
Summary
Security update for gh
Notes
Title of the patch
Security update for gh
Description of the patch
This update for gh fixes the following issues:
- Update to version 2.65.0:
* Bump cli/go-gh for indirect security vulnerability
* Panic mustParseTrackingRef if format is incorrect
* Move trackingRef into pr create package
* Make tryDetermineTrackingRef tests more respective of reality
* Rework tryDetermineTrackingRef tests
* Avoid pointer return from determineTrackingBranch
* Doc determineTrackingBranch
* Don't use pointer for determineTrackingBranch branchConfig
* Panic if tracking ref can't be reconstructed
* Document and rework pr create tracking branch lookup
* Upgrade generated workflows
* Fixed test for stdout in non-tty use case of repo fork
* Fix test
* Alternative: remove LocalBranch from BranchConfig
* Set LocalBranch even if the git config fails
* Add test for permissions check for security and analysis edits (#1)
* print repo url to stdout
* Update pkg/cmd/auth/login/login.go
* Move mention of classic token to correct line
* Separate type declarations
* Add mention of classic token in gh auth login docs
* Update pkg/cmd/repo/create/create.go
* docs(repo): make explicit which branch is used when creating a repo
* fix(repo fork): add non-TTY output when fork is newly created
* Move api call to editRun
* Complete get -> list renaming
* Better error testing for autolink TestListRun
* Decode instead of unmarshal
* Use 'list' instead of 'get' for autolink list type and method
* Remove NewAutolinkClient
* Break out autolink list json fields test
* PR nits
* Refactor autolink subcommands into their own packages
* Whitespace
* Refactor out early return in test code
* Add testing for AutoLinkGetter
* Refactor autolink list and test to use http interface for simpler testing
* Apply PR comment changes
* Introduce repo autolinks list commands
* Remove release discussion posts and clean up related block in deployment yml
* Extract logic into helper function
* add pending status for workflow runs
* Feat: Allow setting security_and_analysis settings in gh repo edit
* Upgrade golang.org/x/net to v0.33.0
* Document SmartBaseRepoFunc
* Document BaseRepoFunc
* Update releasing.md
* Document how to set gh-merge-base
- Update to version 2.64.0:
* add test for different SAN and SourceRepositoryURI values
* add test for signerRepo and tenant
* add some more fields to test that san, sanregex are set properly
* Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6
* update san and sanregex configuration for readability
* reduce duplication when creating policy content
* tweak output of build policy info
* Name conditionals in PR finder
* Support pr view for intra-org forks
* Return err instead of silentError in merge queue check
* linting pointed out this var is no longer used
* Removed fun, but inaccessible ASCII header
* further tweaks to the long description
* Exit on pr merge with `-d` and merge queue
* Addressed PR review feedback; expanded Long command help string, used ghrepo, clarified some abbreviations
* Update pkg/cmd/attestation/inspect/inspect.go
* Update gh auth commands to point to GitHub Docs
* Reformat ext install long
* Mention Windows quirk in ext install help text
* Fix error mishandling in local ext install
* Assert on err msg directly in ext install tests
* Clarify hosts in ext install help text
* Bump golang.org/x/crypto from 0.29.0 to 0.31.0
* Removed now redundant file
* minor tweak to language
* go mod tidy
* Deleted no-longer-used code.
* deleted now-invalid tests, added a tiny patina of new testing.
* Tightened up docs, deleted dead code, improved printing
* fix file name creation on windows
* wording
* hard code expected digest
* fix download test
* use bash shell with integration tests
* simplify var creation
* update integration test scripts
* fix: list branches in square brackets in gh codespace
* try nesting scripts
* run all tests in a single script
* windows for loop syntax
* use replaceAll
* update expected file path on windows
* run integration tests with windows specific syntax
* run all attestation cmd integration tests automatically
* Bump actions/attest-build-provenance from 1.4.4 to 2.1.0
* Improve error handling in apt setup script
* use different file name for attestation files on windows
* test(gh run): assert branch names are enclosed in square brackets
* docs: enhance help text and prompt for rename command
* Revert 'Confirm auto-detected base branch'
* Confirm auto-detected base branch
* Merge changes from #10004
* Set gh-merge-base from `issue develop`
* Open PR against gh-merge-base
* Refactor extension executable error handling
* fix: list branches in square brackets in gh run view (#10038)
* docs: update description of command
* style: reformat files
* docs: update sentence case
* use github owned oci image
* docs: add mention of scopes help topic in `auth refresh` command help
* docs: add mention of scopes help topic in `auth login` command help
* docs: add help topic for auth scopes
* docs: improve help for browse command
* docs: improve docs for browse command as of #5352
* fix package reference
* add gh attestation verify integration test for oci bundles
* add integration test for bundle-from-oci option
* update tests
* update tests
* move content of verify policy options function into enforcement criteria
* comment
* try switch statement
* remove duplicate err checking
* get bundle issuer in another func
* more logic updating to remove nesting
* inverse logic for less nesting
* remove unneeded nesting
* wip, linting, getting tests to pass
* wording
* var naming
* drop table view
* order policy info so relevant info is printed next to each other
* Update pkg/cmd/attestation/verification/policy.go
* Update pkg/cmd/attestation/verification/policy.go
* Update pkg/cmd/attestation/verification/policy.go
* wip: added new printSummaryInspection
* Improve error handling for missing executable
* experiment with table output
* Assert stderr is empty in manager_test.go
* Update error message wording
* Change: exit zero, still print warning to stderr
* wording
* Improve docs on installing extensions
* Update language for missing extension executable
* Update test comments about Windows behavior
* wording
* wording
* wording
* add newlines for additional policy info
* Document requirements for local extensions
* Warn when installing local ext with no executable
* wording
* formatting
* print policy information before verifying
* add initial policy info method
* more wip poking around, now with table printing
* wip, gh at inspect will check the signature on the bundle
* wip: inspect now prints various bundle fields in a nice json
- Update to version 2.63.2:
* include alg with digest when fetching bundles from OCI
* Error for mutually exclusive json and watch flags
* Use safepaths for run download
* Use consistent slice ordering in run download tests
* Consolidate logic for isolating artifacts
* Fix PR checkout panic when base repo is not in remotes
* When renaming an existing remote in `gh repo fork`, log the change
* Improve DNF version clarity in install steps
* Fix formatting in client_test.go comments for linter
* Expand logic and tests to handle edge cases
* Refactor download testing, simpler file descends
* Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7
* Improve test names so there is no repetition
* Second attempt to address exploit
- Update to version 2.63.0:
* Add checkout test that uses ssh git remote url
* Rename backwards compatible credentials pattern
* Fix CredentialPattern doc typos
* Remove TODOs
* Fix typos and add tests for CredentialPatternFrom* functions
* Add SSH remote todo
* General cleanup and docs
* Allow repo sync fetch to use insecure credentials pattern
* Allow client fetch to use insecure credentials pattern
* Allow client push to use insecure credential pattern
* Allow client pull to use insecure credential pattern
* Allow opt-in to insecure pattern
* Support secure credential pattern
* Refactor error handling for missing 'workflow' scope in createRelease
* ScopesResponder wraps StatusScopesResponder
* Refactor `workflow` scope checking
* pr feedback
* pr feedback
* Update pkg/cmd/attestation/verify/attestation_integration_test.go
* Apply suggestions from code review
* Refactor command documentation to use heredoc
* pr feedback
* remove unused test file
* undo change
* add more testing fixtures
* update test with new test bundle
* naming
* update test
* update test
* Fix README.md code block formatting
* clean up
* wrap sigstore and cert ext verification into a single function
* Adding option to return `baseRefOid` in `pr view`
* verify cert extensions function should return filtered result list
* pr feedback
* Update pkg/cmd/attestation/download/download.go
* fix function param calls
* Update pkg/cmd/attestation/verification/extensions.go
* Formatting fix
* Updated formatting to be more clear
* Updated markdown syntax for a `note`.
* Added a section on manual verification of the releases.
* Handle missing 'workflow' scope in createRelease
* Modify push prompt on repo create when bare
* Doc push behaviour for bare repo create
* Push --mirror on bare repo create
* Add acceptance test for bare repo create
* Doc isLocalRepo and git.Client IsLocalRepo differences
* Use errWithExitCode interface in repo create isLocalRepo
* Backfill repo creation failure tests
* Support bare repo creation
* use logger println method
* simplify verifyCertExtensions
* rename type
* refactor fetch attestations funcs
- Update to version 2.62.0:
* CVE-2024-52308: remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands (boo#1233387, GHSA-p2h2-3vg9-4p87)
* Check extension for latest version when executed
* Shorten extension release checking from 3s to 1s
- includes changes from 2.61.0:
* Enhance gh repo edit command to inform users about consequences of changing visibility and ensure users are intentional before making irreversible changes
- Update to version 2.60.1:
* Note token redaction in Acceptance test README
* Refactor gpg-key delete to align with ssh-key delete
* Add acceptance tests for org command
* Adjust environment help for host and tokens (#9809)
* Add SSH Key Acceptance test
* Add Acceptance test for label command
* Add acceptance test for gpg-key
* Update go-internal to redact more token types in Acceptance tests
* Address PR feedback
* Clarify `gh` is available for GitHub Enterprise Cloud
* Remove comment from gh auth logout
* Add acceptance tests for auth-setup-git and formattedStringToEnv helper func
* Use forked testscript for token redaction
* Use new GitHub preview terms in working-with-us.md
* Use new GitHub previews terminology in attestation
* Test json flags for repo view and list
* Clean up auth-login-logout acceptance test with native functionality
* Add --token flag to `gh auth login` to accept a PAT as a flag
* Setup acceptance testing for auth and tests for auth-token and auth-status
* Update variable testscripts based on secret
* Check extOwner for no value instead
* Fix tests for invalid extension name
* Refactor to remove code duplication
* Linting: now that mockDataGenerator has an embedded mock, we ought to have pointer receivers in its funcs.
* Minor tweaks, added backoff to getTrustDomain
* added test for verifying we do 3 retries when fetching attestations.
* Fix single quote not expanding vars
* Added constant backoff retry to getAttestations.
* Address @williammartin PR feedback
* wip: added test that fails in the absence of a backoff.
* add validation for local ext install
* feat: add ArchivedAt field to Repository struct
* Refactor `gh secret` testscript
* Wrap true in '' in repo-fork-sync
* Rename acceptance test directory from repos to repo
* Remove unnecessary flags from repo-delete testscript
* Replace LICENSE Makefile README.md acceptance api bin build cmd context docs git go.mod go.sum internal pkg script share test utils commands with
* Wrap boolean strings in '' so it is clear they are strings
* Remove unnecessary gh auth setup-git steps
* Cleanup some inconsistencies and improve collapse some functionality
* Add acceptance tests for repo deploy-key add/list/delete
* Add acceptance tests for repo-fork and repo-sync
* Add acceptance test for repo-set-default
* Add acceptance test for repo-edit
* Add acceptance tests for repo-list and repo-rename
* Acceptance testing for repo-archive and repo-unarchive
* Add acceptance test for repo-clone
* Added acceptance test for repo-delete
* Added test function for repos and repo-create test
* Implement acceptance tests for search commands
* Remove . from test case for TestTitleSurvey
* Clean up Title Survey empty title message code
* Add missing test to trigger acceptance tests
* Add acceptance tests for `gh variable`
* Minor polish / consistency
* Fix typo in custom command doc
* Refactor env2upper, env2lower; add docs
* Update secret note about potential failure
* Add testscripts for `gh secret`, helper cmds
* Remove stdout assertion from release
* Rename test files
* Add acceptance tests for `release` commands
* Implement basic API acceptance test
* Remove unnecessary mkdir from download Acceptance test
* Remove empty stdout checks
* Adjust sleeps to echos in Acceptance workflows
* Use regex assert for enable disable workflow Acceptance test
* Watch for run to end for cancel Acceptance test
* Include startedAt, completedAt in run steps data
* Rewrite a sentence in CONTRIBUTING.md
* Add filtered content output to docs
* sleep 10s before checking for workflow run
* Update run-rerun.txtar
* Create cache-list-delete.txtar
* Create run-view.txtar
* Create run-rerun.txtar
* Create run-download.txtar
* Create run-delete.txtar
* Remove IsTenancy and relevant tests from gists as they are unsupported
* Remove unnecessary code branches
* Add ghe.com to tests describing ghec data residency
* Remove comment
* auth: Removed redundant ghauth.IsTenancy(host) check
* Use go-gh/auth package for IsEnterprise, IsTenancy, and NormalizeHostname
* Upgrade go-gh version to 2.11.0
* Add test coverage to places where IsEnterprise incorrectly covers Tenancy
* Fix issue creation with metadata regex
* Create run-cancel.txtar
* Create workflow-run.txtar
* Create workflow-view.txtar
* implement workflow enable/disable acceptance test
* implement base workflow list acceptance test
* Add comment to acceptance make target
* Resolve PR feedback
* Acceptance test issue command
* Support GH_ACCEPTANCE_SCRIPT
* Ensure Acceptance defer failures are debuggable
* Add acceptance task to makefile
* build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6
* Ensure pr create with metadata has assignment
* Document sharedCmds func in acceptance tests
* Correct testscript description in Acceptance readme
* Add link to testscript pkg documentation
* Add VSCode extension links to Acceptance README
* Fix GH_HOST / GH_ACCEPTANCE_HOST misuse
* Acceptance test PR list
* Support skipping Acceptance test cleanup
* Acceptance test PR creation with metadata
* Suggest using legacy PAT for acceptance tests
* Add host recommendation to Acceptance test docs
* Don't append remaining text if more matches
* Highlight matches in table and content
* Split all newlines, and output no-color to non-TTY
* Print filtered gists similar to code search
* Show progress when filtering
* Simplify description
* Disallow use of --include-content without --filter
* Improve help docs
* Refactor filtering into existing `gist list`
* Improve performance
* Add `gist search` command
* Fix api tests after function signature changes
* Return nil instead of empty objects when err
* Fix license list and view tests
* Validate required env vars not-empty for Acceptance tests
* Add go to test instructions in Acceptance README
* Apply suggestions from code review
* Error if acceptance tests are targeting github or cli orgs
* Add codecoverage to Acceptance README
* Isolate acceptance env vars
* Add Writing Tests section to Acceptance README
* Add Debug and Authoring sections to Acceptance README
* Acceptance test PR comment
* Acceptance test PR merge and rebase
* Note syntax highlighting support for txtar files
* Refactor acceptance test environment handling
* Add initial acceptance test README
* Use txtar extension for testscripts
* Support targeting other hosts in acceptance tests
* Use stdout2env in PR acceptance tests
* Acceptance test PR checkout
* Add pr view test script
* Initial testscript introduction
* While we're at it, let's ensure VerifyCertExtensions can't be tricked the same way.
* Add examples for creating `.gitignore` files
* Update help for license view
* Refactor http error handling
* implement `--web` flag for license view
* Fix license view help doc, add LICENSE.md example
* Update help and fix heredoc indentation
* Add SPDX ID to license list output
* Fix ExactArgs invocation
* Add `Long` for license list indicating limitations
* Update function names
* Reverse repo/shared package name change
* If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.
* Bump cli/oauth to 1.1.1
* Add test coverage for TitleSurvey change
* Fix failing test for pr and issue create
* Make the X in the error message red and print with io writer
* Handle errors from parsing hostname in auth flow
* Apply suggestions from code review
* Refactor tests and add new tests
* Move API calls to queries_repo.go
* Allow user to override markdown wrap width via $GH_MDWIDTH from environment
* Add handling of empty titles for Issues and PRs
* Print the login URL even when opening a browser
* Apply suggestions from code review
* Update SECURITY.md
* Fix typo and wordsmithing
* fix typo
* Remove trailing space from heading
* Revise wording
* Update docs to allow community submitted designs
* Implement license view
* Implement gitignore view
* implement gitignore list
* Update license table headings and tests
* Fix ListLicenseTemplates doc
* fix output capitalization
* Cleanup rendering and tests
* Remove json output option
* Divide shared repo package and add queries tests
* First pass at implementing `gh repo license list`
* Emit a log message when extension installation falls back to a darwin-amd64 binary on an Apple Silicon macOS machine
- Update to version 2.58.0:
* build(deps): bump github.com/theupdateframework/go-tuf/v2
* Include `dnf5` commands
* Add GPG key instructions to appropriate sections
* Update docs language to remove possible confusion around 'where you log in'
* Change conditional in promptForHostname to better reflect prompter changes
* Shorten language on Authenticate with a GitHub host.
* Update language on docstring for `gh auth login`
* Change prompts for `gh auth login` to reflect change from GHE to Other
* Sentence case 'Other' option in hostname prompt
* build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4
* Add documentation explaining how to use `hostname` for `gh auth login`
* Replace 'GitHub Enterprise Server' with 'other' in `gh auth login` prompt
* fix tenant-awareness for trusted-root command
* Fix test
* Update pkg/cmd/extension/manager.go
* Update comment formatting
* Use new HasActiveToken method in trustedroot.go
* Add HasActiveToken method to AuthConfig interface
* Add HasActiveToken to AuthConfig.
* Improve error presentation
* Improve the suggested command for creating an issue when an extension doesn't have a binary for your platform
* Update pkg/cmd/attestation/trustedroot/trustedroot_test.go
* build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5
* enforce auth for tenancy
* disable auth check for att trusted-root cmd
* better error for att verify custom issuer mismatch
* Enhance gh repo create docs, fix random cmd link
Patchnames
openSUSE-2025-21
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Aggregate severity
important (rating namespace: https://www.suse.com/support/security/rating/)
Document category
csaf_security_advisory (CSAF 2.0)
Distribution
TLP WHITE (https://www.first.org/tlp/); Copyright 2024 SUSE LLC. All rights reserved.
debuggable\n * Add acceptance task to makefile\n * build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6\n * Ensure pr create with metadata has assignment\n * Document sharedCmds func in acceptance tests\n * Correct testscript description in Acceptance readme\n * Add link to testscript pkg documentation\n * Add VSCode extension links to Acceptance README\n * Fix GH_HOST / GH_ACCEPTANCE_HOST misuse\n * Acceptance test PR list\n * Support skipping Acceptance test cleanup\n * Acceptance test PR creation with metadata\n * Suggest using legacy PAT for acceptance tests\n * Add host recommendation to Acceptance test docs\n * Don\u0027t append remaining text if more matches\n * Highlight matches in table and content\n * Split all newlines, and output no-color to non-TTY\n * Print filtered gists similar to code search\n * Show progress when filtering\n * Simplify description\n * Disallow use of --include-content without --filter\n * Improve help docs\n * Refactor filtering into existing `gist list`\n * Improve performance\n * Add `gist search` command\n * Fix api tests after function signature changes\n * Return nil instead of empty objects when err\n * Fix license list and view tests\n * Validate required env vars not-empty for Acceptance tests\n * Add go to test instructions in Acceptance README\n * Apply suggestions from code review\n * Error if acceptance tests are targeting github or cli orgs\n * Add codecoverage to Acceptance README\n * Isolate acceptance env vars\n * Add Writing Tests section to Acceptance README\n * Add Debug and Authoring sections to Acceptance README\n * Acceptance test PR comment\n * Acceptance test PR merge and rebase\n * Note syntax highlighting support for txtar files\n * Refactor acceptance test environment handling\n * Add initial acceptance test README\n * Use txtar extension for testscripts\n * Support targeting other hosts in acceptance tests\n * Use stdout2env in PR acceptance tests\n * Acceptance test PR checkout\n * 
Add pr view test script\n * Initial testscript introduction\n * While we\u0027re at it, let\u0027s ensure VerifyCertExtensions can\u0027t be tricked the same way.\n * Add examples for creating `.gitignore` files\n * Update help for license view\n * Refactor http error handling\n * implement `--web` flag for license view\n * Fix license view help doc, add LICENSE.md example\n * Update help and fix heredoc indentation\n * Add SPDX ID to license list output\n * Fix ExactArgs invocation\n * Add `Long` for license list indicating limitations\n * Update function names\n * Reverse repo/shared package name change\n * If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.\n * Bump cli/oauth to 1.1.1\n * Add test coverage for TitleSurvey change\n * Fix failing test for pr and issue create\n * Make the X in the error message red and print with io writer\n * Handle errors from parsing hostname in auth flow\n * Apply suggestions from code review\n * Refactor tests and add new tests\n * Move API calls to queries_repo.go\n * Allow user to override markdown wrap width via $GH_MDWIDTH from environment\n * Add handling of empty titles for Issues and PRs\n * Print the login URL even when opening a browser\n * Apply suggestions from code review\n * Update SECURITY.md\n * Fix typo and wordsmithing\n * fix typo\n * Remove trailing space from heading\n * Revise wording\n * Update docs to allow community submitted designs\n * Implement license view\n * Implement gitignore view\n * implement gitignore list\n * Update license table headings and tests\n * Fix ListLicenseTemplates doc\n * fix output capitalization\n * Cleanup rendering and tests\n * Remove json output option\n * Divide shared repo package and add queries tests\n * First pass at implementing `gh repo license list`\n * Emit a log message when extension installation falls back to a darwin-amd64 binary on an Apple Silicon macOS machine\n\n- Update to version 2.58.0:\n * 
build(deps): bump github.com/theupdateframework/go-tuf/v2\n * Include `dnf5` commands\n * Add GPG key instructions to appropriate sections\n * Update docs language to remove possible confusion around \u0027where you log in\u0027\n * Change conditional in promptForHostname to better reflect prompter changes\n * Shorten language on Authenticate with a GitHub host.\n * Update language on docstring for `gh auth login`\n * Change prompts for `gh auth login` to reflect change from GHE to Other\n * Sentence case \u0027Other\u0027 option in hostname prompt\n * build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4\n * Add documentation explaining how to use `hostname` for `gh auth login`\n * Replace \u0027GitHub Enterprise Server\u0027 with \u0027other\u0027 in `gh auth login` prompt\n * fix tenant-awareness for trusted-root command\n * Fix test\n * Update pkg/cmd/extension/manager.go\n * Update comment formatting\n * Use new HasActiveToken method in trustedroot.go\n * Add HasActiveToken method to AuthConfig interface\n * Add HasActiveToken to AuthConfig.\n * Improve error presentation\n * Improve the suggested command for creating an issue when an extension doesn\u0027t have a binary for your platform\n * Update pkg/cmd/attestation/trustedroot/trustedroot_test.go\n * build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5\n * enforce auth for tenancy\n * disable auth check for att trusted-root cmd\n * better error for att verify custom issuer mismatch\n * Enhance gh repo create docs, fix random cmd link\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2025-21", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", 
"namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0021-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2025:0021-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HUMKXZZVR2XTEF5OINR7OTNWNR5IVCYQ/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2025:0021-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HUMKXZZVR2XTEF5OINR7OTNWNR5IVCYQ/" }, { "category": "self", "summary": "SUSE Bug 1233387", "url": "https://bugzilla.suse.com/1233387" }, { "category": "self", "summary": "SUSE CVE CVE-2024-52308 page", "url": "https://www.suse.com/security/cve/CVE-2024-52308/" } ], "title": "Security update for gh", "tracking": { "current_release_date": "2025-01-22T10:02:08Z", "generator": { "date": "2025-01-22T10:02:08Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2025:0021-1", "initial_release_date": "2025-01-22T10:02:08Z", "revision_history": [ { "date": "2025-01-22T10:02:08Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "gh-2.65.0-bp156.2.17.1.aarch64", "product": { "name": "gh-2.65.0-bp156.2.17.1.aarch64", "product_id": "gh-2.65.0-bp156.2.17.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "gh-2.65.0-bp156.2.17.1.i586", "product": { "name": "gh-2.65.0-bp156.2.17.1.i586", "product_id": "gh-2.65.0-bp156.2.17.1.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": 
"gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "product": { "name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "product_id": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch" } }, { "category": "product_version", "name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "product": { "name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "product_id": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch" } }, { "category": "product_version", "name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "product": { "name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "product_id": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "gh-2.65.0-bp156.2.17.1.ppc64le", "product": { "name": "gh-2.65.0-bp156.2.17.1.ppc64le", "product_id": "gh-2.65.0-bp156.2.17.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "gh-2.65.0-bp156.2.17.1.s390x", "product": { "name": "gh-2.65.0-bp156.2.17.1.s390x", "product_id": "gh-2.65.0-bp156.2.17.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "gh-2.65.0-bp156.2.17.1.x86_64", "product": { "name": "gh-2.65.0-bp156.2.17.1.x86_64", "product_id": "gh-2.65.0-bp156.2.17.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP6", "product": { "name": "SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6" } }, { "category": "product_name", "name": "openSUSE Leap 15.6", "product": { "name": "openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.6" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", 
"full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.aarch64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64" }, "product_reference": "gh-2.65.0-bp156.2.17.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.i586 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586" }, "product_reference": "gh-2.65.0-bp156.2.17.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.ppc64le as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le" }, "product_reference": "gh-2.65.0-bp156.2.17.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.s390x as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x" }, "product_reference": "gh-2.65.0-bp156.2.17.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.x86_64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64" }, "product_reference": "gh-2.65.0-bp156.2.17.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch" }, "product_reference": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { 
"category": "default_component_of", "full_product_name": { "name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch" }, "product_reference": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch" }, "product_reference": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.aarch64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64" }, "product_reference": "gh-2.65.0-bp156.2.17.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.i586 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586" }, "product_reference": "gh-2.65.0-bp156.2.17.1.i586", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.ppc64le as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le" }, "product_reference": "gh-2.65.0-bp156.2.17.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.s390x as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x" }, "product_reference": "gh-2.65.0-bp156.2.17.1.s390x", "relates_to_product_reference": "openSUSE Leap 
15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-2.65.0-bp156.2.17.1.x86_64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64" }, "product_reference": "gh-2.65.0-bp156.2.17.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch" }, "product_reference": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch" }, "product_reference": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch" }, "product_reference": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-52308", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-52308" } ], "notes": [ { "category": "general", "text": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. 
This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. 
The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64", "SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64", "openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2024-52308", "url": "https://www.suse.com/security/cve/CVE-2024-52308" }, { "category": "external", "summary": "SUSE Bug 1233387 for CVE-2024-52308", "url": "https://bugzilla.suse.com/1233387" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x", "SUSE Package Hub 15 
SP6:gh-2.65.0-bp156.2.17.1.x86_64", "SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64", "openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.6, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x", "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64", "SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x", "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64", "openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch", "openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2025-01-22T10:02:08Z", "details": "critical" } ], "title": "CVE-2024-52308" } ] }