SUSE 5151 Published by

Updated git-cliff packages are available for SUSE Linux Enterprise 15 SP5:

openSUSE-SU-2024:0130-1: important: Security update for git-cliff




openSUSE-SU-2024:0130-1: important: Security update for git-cliff


openSUSE Security Update: Security update for git-cliff
_______________________________

Announcement ID: openSUSE-SU-2024:0130-1
Rating: important
References: #1223218
Cross-References: CVE-2024-32650
CVSS scores:
CVE-2024-32650 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for git-cliff fixes the following issues:

- update to 2.2.2:
* (changelog) Allow adding custom context
* (changelog) Ignore empty lines when using split_commits
* (parser) Allow matching empty commit body
* Documentation updates

- update to 2.2.1:
* Make rendering errors more verbose
* Support detecting config from project manifest
* Make the bump version rules configurable
* bug fixes and documentation updates
- CVE-2024-32650: rust-rustls: Infinite loop with proper client input
fixes (boo#1223218)

- Update to version 2.1.2:
* feat(npm): add programmatic API for TypeScript
* chore(fixtures): enable verbose logging for output
* refactor(clippy): apply clippy suggestions
* refactor(changelog): do not output to stdout when prepend is used
* feat(args): add `--tag-pattern` argument
* fix(config): fix commit parser regex in the default config
* fix(github): sanitize the GitHub token in debug logs
* chore(config): add animation to the header of the changelog
* refactor(clippy): apply clippy suggestions
* docs(security): update security policy
* chore(project): add readme to core package
* chore(embed): do not allow missing docs
* chore(config): skip dependabot commits for dev updates
* docs(readme): mention RustLab 2023 talk
* chore(config): revamp the configuration files
* chore(docker): update versions in Dockerfile
* chore(example): use full links in GitHub templates
* chore(project): bump MSRV to 1.74.1
* revert(config): use postprocessors for checking the typos
* feat(template): support using PR labels in the GitHub template
* docs(configuration): fix typo
* feat(args): add `--no-exec` flag for skipping command execution
* chore(command): explicitly set the directory of command to current dir
* refactor(ci): use hardcoded workspace members for cargo-msrv command
* refactor(ci): simplify cargo-msrv installation
* refactor(clippy): apply clippy suggestions
* refactor(config): use postprocessors for checking the typos
* chore(project): update copyright years
* chore(github): update templates about GitHub integration
* feat(changelog): set the timestamp of the previous release
* feat(template): support using PR title in the GitHub template
* feat(changelog): improve skipping via `.cliffignore` and
`--skip-commit`
* chore(changelog): disable the default behavior of next-version
* fix(git): sort commits in topological order
* test(changelog): use the correct version for missing tags
* chore(changelog): use 0.1.0 as default next release if no tag is found
* feat(github)!: support integration with GitHub repos
* refactor(changelog): support `--bump` for processed releases
* fix(cli): fix broken pipe when stdout is interrupted
* test(fixtures): update the bumped value output to add prefix
* feat(changelog): support tag prefixes with `--bump`
* feat(changelog)!: set tag to `0.0.1` via `--bump` if no tags exist
* fix(commit): trim the trailing newline from message
* docs(readme): use the raw link for the animation
* chore(example): remove limited commits example
* feat(args): add `-x` short argument for `--context`
* revert(deps): bump actions/upload-pages-artifact from 2 to 3
* revert(deps): bump actions/deploy-pages from 3 to 4
* chore(dependabot): group the dependency updates for creating less PRs
* feat(parser): support using SHA1 of the commit
* feat(commit): add merge_commit flag to the context
* chore(mergify): don't update PRs for the main branch
* fix(links): skip checking the GitHub commit URLs
* fix(changelog): fix previous version links
* feat(parser): support using regex scope values
* test(fixture): update the date for example test fixture
* docs(fixtures): add instructions for adding new fixtures
* feat(args): support initialization with built-in templates
* feat(changelog)!: support templating in the footer
* feat(args): allow returning the bumped version
* test(fixture): add test fixture for bumping version
* fix: allow version bump with a single previous release
* fix(changelog): set the correct previous tag when a custom tag is given
* feat(args): set `CHANGELOG.md` as default missing value for output
option
* refactor(config): remove unnecessary newline from configs

- Update to version 1.4.0:
* Support bumping the semantic version via `--bump`
* Add 'typos' check
* Log the output of failed external commands -
* breaking change: Support regex in 'tag_pattern' configuration
* Add field and value matchers to the commit parser

- Update to version 1.2.0:
* Update clap and clap extras to v4
* Make the fields of Signature public
* Add a custom configuration file for the repository
* Support placing configuration inside pyproject.toml
* Generate SBOM/provenance for the Docker image
* Support using regex group values
* [breaking] Nested environment config overrides
* Set max of limit_commits to the number of commits
* Set the node cache dependency path
* Use the correct argument in release script

- Update to version 1.1.2:
* Do not skip all tags when skip_tags is empty (#136)
* Allow saving context to a file (#138)
* Derive the tag order from commits instead of timestamp (#139)
* Use timestamp for deriving the tag order (#139)

- Update to version 1.1.1:
* Relevant change: Update README.md about the NPM package
* Fix type casting in base NPM package
* Rename the package on Windows
* Disable liquid parsing in README.md by using raw blocks
* Support for generating changelog for multiple git repositories
* Publish binaries for more platforms/architectures

- Update to version 1.0.0:
* Bug Fixes
- Fix test fixture failures
* Documentation
- Fix GitHub badges in README.md
* Features
- [breaking] Replace --date-order by --topo-order
- Allow running with --prepend and --output
- [breaking] Use current time for --tag argument
- Include completions and mangen in binary releases
- Publish Debian package via release workflow
* Miscellaneous Tasks
- Run all test fixtures
- Remove deprecated set-output usage
- Update actions/checkout to v3
- Comment out custom commit preprocessor
* Refactor
- Apply clippy suggestions
* Styling
- Update README.md about the styling of footer field

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-130=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

git-cliff-2.2.2-bp155.2.3.1

- openSUSE Backports SLE-15-SP5 (noarch):

git-cliff-bash-completion-2.2.2-bp155.2.3.1
git-cliff-fish-completion-2.2.2-bp155.2.3.1
git-cliff-zsh-completion-2.2.2-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-32650.html
https://bugzilla.suse.com/1223218