[Git][reproducible-builds/diffoscope-website][master] Update metadata and news to match release of version 257
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Mon Feb 12 18:32:50 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / diffoscope-website
Commits:
155bbd9c by Chris Lamb at 2024-02-12T10:32:38-08:00
Update metadata and news to match release of version 257
- - - - -
3 changed files:
- _data/diffoscope.yml
- _posts/2024-02-09-diffoscope-256-released.md
- + _posts/2024-02-12-diffoscope-257-released.md
Changes:
=====================================
_data/diffoscope.yml
=====================================
@@ -39,6 +39,7 @@ contributors:
- Helmut Grohne
- Holger Levsen
- HW42
+- James Addison
- James Clarke
- Jean-Romain Garnier
- Jelle van der Waa
@@ -107,5 +108,5 @@ description: 'File formats supported include: Android APK files, Android boot im
(.xsb), XML files, XMLB files, XZ compressed files, ZIP archives and Zstandard compressed
files.'
latest_release:
- date: 1707510157
- version: '256'
+ date: 1707761315
+ version: '257'
=====================================
_posts/2024-02-09-diffoscope-256-released.md
=====================================
@@ -8,13 +8,18 @@ The diffoscope maintainers are pleased to announce the release of diffoscope
version `256`. This version includes the following changes:
```
-* Use a determistic name when extracting content from GPG artifacts instead
- of trusting the value of gpg's --use-embedded-filenames. This prevents a
- potential information disclosure vulnerability that could have been
- exploited by providing a specially-crafted GPG file with an embedded
- filename of, say, "../../.ssh/id_rsa". Many thanks to Daniel Kahn Gillmor
- <dkg at debian.org> for reporting this issue and providing feedback.
+* CVE-2024-25711: Use a determistic name when extracting content from GPG
+ artifacts instead of trusting the value of gpg's --use-embedded-filenames.
+
+ This prevents a potential information disclosure vulnerability that could
+ have been exploited by providing a specially-crafted GPG file with an
+ embedded filename of, say, "../../.ssh/id_rsa".
+
+ Many thanks to Daniel Kahn Gillmor <dkg at debian.org> for reporting this
+ issue and providing feedback.
+
(Closes: reproducible-builds/diffoscope#361)
+
* Temporarily fix support for Python 3.11.8 re. a potential regression
with the handling of ZIP files. (See reproducible-builds/diffoscope#362)
```
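Review bot: "determistic" in the first added line ("+* CVE-2024-25711: Use a determistic name ...") should read "deterministic". The typo is carried over from the removed text, and since the entry is being rewritten here anyway it can be corrected in the same change. The entry now leads with the CVE identifier, which is what readers searching for CVE-2024-25711 will match on, so it is worth getting the wording right in this published post. The blank "+" lines before and after "(Closes: reproducible-builds/diffoscope#361)" detach it from the bullet it belongs to; keeping it directly under the thanks paragraph would make clear the issue reference applies to the CVE fix and not to the Python 3.11.8 item that follows.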
=====================================
_posts/2024-02-12-diffoscope-257-released.md
=====================================
@@ -0,0 +1,23 @@
+---
+layout: post
+title: diffoscope 257 released
+author: Chris Lamb <lamby at debian.org>
+---
+
+The diffoscope maintainers are pleased to announce the release of diffoscope
+version `257`. This version includes the following changes:
+
+```
+[ James Addison ]
+* Parse the header and hunksize of diffs strictly before parsing the context
+ below. (Closes: reproducible-builds/diffoscope#363)
+* Reformat code to comply with the latest version of Black (24.1.1).
+
+[ Chris Lamb ]
+* Expand the previous changelog entry to include the CVE number that was
+ subsequently assigned.
+* Bump the miniumum Black requirement to run the "Black clean" test and make
+ test_zip.py Black clean.
+```
+
+You find out more by [visiting the project homepage](https://diffoscope.org).
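Review bot: the Chris Lamb entry "Expand the previous changelog entry to include the CVE number that was subsequently assigned" does not name the CVE, so someone reading only the 257 notes cannot tell which issue it refers to; stating CVE-2024-25711 (the identifier added to the 256 post in this same commit) would make the entry self-contained and searchable. Two wording fixes in the same hunk: "miniumum" should be "minimum" in "+* Bump the miniumum Black requirement", and the closing line "+You find out more by" is missing a word ("You can find out more by").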
View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope-website/-/commit/155bbd9c142394373c5db9c4f4d8fda45946e67a