From d430a86a99c701fc9713a9616b195d45e73b5e5c Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Fri, 14 Mar 2025 11:03:51 +0100
Subject: [PATCH] skopeo-1.18.1-1.el10
- update to the latest content of https://github.com/containers/skopeo/tree/release-1.18
 (https://github.com/containers/skopeo/commit/bfd0850)
- fixes "CVE-2025-27144 skopeo: Go JOSE's Parsing Vulnerable to Denial of Service [rhel-10.1]"
- Resolves: RHEL-80611
Signed-off-by: Jindrich Novy
---
 skopeo.spec | 24 +++++++++++++++++++++---
 sources | 2 +-
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/skopeo.spec b/skopeo.spec
index 9f1d40e..845d090 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -9,6 +9,10 @@
 %global gomodulesmode GO111MODULE=on
+%global branch release-1.18
+%global commit0 bfd0850f067e79cf4a60a911e212a62bd55181fb
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
 # No btrfs on RHEL
 %if %{defined fedora}
 %define build_with_btrfs 1
@@ -34,7 +38,7 @@ Epoch: %{conditional_epoch}
 # If that's what you're reading, Version must be 0, and will be updated by Packit for
 # copr and koji builds.
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
-Version: 1.18.0
+Version: 1.18.1
 # The `AND` needs to be uppercase in the License for SPDX compatibility
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
 Release: 1%{?dist}
@@ -46,7 +50,11 @@ ExclusiveArch: aarch64 ppc64le s390x x86_64
 Summary: Inspect container images and repositories on registries
 URL: https://github.com/containers/%{name}
 # Tarball fetched from upstream
-Source0: %{url}/archive/v%{version}.tar.gz
+%if 0%{?branch:1}
+Source0: https://github.com/containers/%{name}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
+%else
+Source0: https://github.com/containers/%{name}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
+%endif
 BuildRequires: %{_bindir}/go-md2man
 %if %{defined build_with_btrfs}
 BuildRequires: btrfs-progs-devel
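Review bot: The three globals added at the top of the spec have no comment saying that the package is now built from a branch snapshot instead of a release tag, and nothing visible in this patch ties `Version: 1.18.1` to commit bfd0850. If that commit is not what upstream tagged as v1.18.1, anyone judging CVE-2025-27144 fix status from the version string will be reasoning about a tree the tarball does not contain. I would add `# Built from a snapshot of the upstream release branch at commit0; update commit0 and the SHA512 line in sources together` above `%global branch`, and say in the changelog entry whether the commit corresponds to a tag.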
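Review bot: `%if 0%{?branch:1}` in the Source0 hunk is always true in this spec, because the first hunk defines `branch` unconditionally, so the `%else` Source0 line and the matching `%else` arm in the `%prep` hunk are never evaluated and go untested. Either drop the dead arms or comment out `%global branch` when building from a tag, so that the arm in use is obvious. The two arms also name different tarballs (`%{branch}-%{shortcommit0}.tar.gz` vs `%{name}-%{version}-%{shortcommit0}.tar.gz`) and unpack to different top-level directories, so switching between them later requires a new entry in `sources`; the existing `# Tarball fetched from upstream` comment could be extended to say which form the current SHA512 covers.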
@@ -92,7 +100,11 @@ This package contains system tests for %{name}. Only intended for distro gating tests. End user / customer usage not supported.
 %prep
-%autosetup -Sgit %{name}-%{version}
+%if 0%{?branch:1}
+%autosetup -Sgit -n containers-%{name}-%{shortcommit0}
+%else
+%autosetup -Sgit -n %{name}-%{commit0}
+%endif
 # The %%install stage should not rebuild anything but only install what's
 # built in the %%build stage. So, remove any dependency on build targets.
 sed -i 's/^install-binary: bin\/%{name}.*/install-binary:/' Makefile
@@ -159,6 +171,12 @@ cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
 %{_datadir}/%{name}/test
 %changelog
+* Fri Mar 14 2025 Jindrich Novy - 1:1.18.1-1
+- update to the latest content of https://github.com/containers/skopeo/tree/release-1.18
+ (https://github.com/containers/skopeo/commit/bfd0850)
+- fixes "CVE-2025-27144 skopeo: Go JOSE's Parsing Vulnerable to Denial of Service [rhel-10.1]"
+- Resolves: RHEL-80611
+
 * Thu Feb 13 2025 Jindrich Novy - 1:1.18.0-1
 - update to https://github.com/containers/skopeo/releases/tag/v1.18.0
 - Related: RHEL-58990
diff --git a/sources b/sources
index 6ece875..3a3dff0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v1.18.0.tar.gz) = 7d56d78b4e0299c187eb2ea46a2d6ac41a4ad30848e9f5fe43285af74c5207f6fc4ee98c15bd5114de7a660e52846f75c26632ae1aa3ccf656b504798a6b1d56
+SHA512 (release-1.18-bfd0850.tar.gz) = 70ae4b50c6c729226bca6ad54c56b7619047c476dbb6521f90c2f1f2da2292c2cdf87d4a50df4b0cbcf4eb72f5f21acfee333e8a20950f7cd63dc87e78e9eeaa