{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for gh","title":"Title of the patch"},{"category":"description","text":"This update for gh fixes the following issues:\n\n- Update to version 2.65.0:\n  * Bump cli/go-gh for indirect security vulnerability\n  * Panic mustParseTrackingRef if format is incorrect\n  * Move trackingRef into pr create package\n  * Make tryDetermineTrackingRef tests more respective of reality\n  * Rework tryDetermineTrackingRef tests\n  * Avoid pointer return from determineTrackingBranch\n  * Doc determineTrackingBranch\n  * Don't use pointer for determineTrackingBranch branchConfig\n  * Panic if tracking ref can't be reconstructed\n  * Document and rework pr create tracking branch lookup\n  * Upgrade generated workflows\n  * Fixed test for stdout in non-tty use case of repo fork\n  * Fix test\n  * Alternative: remove LocalBranch from BranchConfig\n  * Set LocalBranch even if the git config fails\n  * Add test for permissions check for security and analysis edits (#1)\n  * print repo url to stdout\n  * Update pkg/cmd/auth/login/login.go\n  * Move mention of classic token to correct line\n  * Separate type declarations\n  * Add mention of classic token in gh auth login docs\n  * Update pkg/cmd/repo/create/create.go\n  * docs(repo): make explicit which branch is used when creating a repo\n  * fix(repo fork): add non-TTY output when fork is newly created\n  * Move api call to editRun\n  * Complete get -> list renaming\n  * Better error testing for autolink TestListRun\n  * Decode instead of unmarshal\n  * Use 'list' instead of 'get' for autolink list type and method\n  * Remove NewAutolinkClient\n  * Break out autolink list 
json fields test\n  * PR nits\n  * Refactor autolink subcommands into their own packages\n  * Whitespace\n  * Refactor out early return in test code\n  * Add testing for AutoLinkGetter\n  * Refactor autolink list and test to use http interface for simpler testing\n  * Apply PR comment changes\n  * Introduce repo autolinks list commands\n  * Remove release discussion posts and clean up related block in deployment yml\n  * Extract logic into helper function\n  * add pending status for workflow runs\n  * Feat: Allow setting security_and_analysis settings in gh repo edit\n  * Upgrade golang.org/x/net to v0.33.0\n  * Document SmartBaseRepoFunc\n  * Document BaseRepoFunc\n  * Update releasing.md\n  * Document how to set gh-merge-base\n\n- Update to version 2.64.0:\n  * add test for different SAN and SourceRepositoryURI values\n  * add test for signerRepo and tenant\n  * add some more fields to test that san, sanregex are set properly\n  * Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6\n  * update san and sanregex configuration for readability\n  * reduce duplication when creating policy content\n  * tweak output of build policy info\n  * Name conditionals in PR finder\n  * Support pr view for intra-org forks\n  * Return err instead of silentError in merge queue check\n  * linting pointed out this var is no longer used\n  * Removed fun, but inaccessible ASCII header\n  * further tweaks to the long description\n  * Exit on pr merge with `-d` and merge queue\n  * Addressed PR review feedback; expanded Long command help string, used ghrepo, clarified some abbreviations\n  * Update pkg/cmd/attestation/inspect/inspect.go\n  * Update gh auth commands to point to GitHub Docs\n  * Reformat ext install long\n  * Mention Windows quirk in ext install help text\n  * Fix error mishandling in local ext install\n  * Assert on err msg directly in ext install tests\n  * Clarify hosts in ext install help text\n  * Bump golang.org/x/crypto from 0.29.0 to 0.31.0\n  * Removed now 
redundant file\n  * minor tweak to language\n  * go mod tidy\n  * Deleted no-longer-used code.\n  * deleted now-invalid tests, added a tiny patina of new testing.\n  * Tightened up docs, deleted dead code, improved printing\n  * fix file name creation on windows\n  * wording\n  * hard code expected digest\n  * fix download test\n  * use bash shell with integration tests\n  * simplify var creation\n  * update integration test scripts\n  * fix: list branches in square brackets in gh codespace\n  * try nesting scripts\n  * run all tests in a single script\n  * windows for loop syntax\n  * use replaceAll\n  * update expected file path on windows\n  * run integration tests with windows specific syntax\n  * run all attestation cmd integration tests automatically\n  * Bump actions/attest-build-provenance from 1.4.4 to 2.1.0\n  * Improve error handling in apt setup script\n  * use different file name for attestation files on windows\n  * test(gh run): assert branch names are enclosed in square brackets\n  * docs: enhance help text and prompt for rename command\n  * Revert 'Confirm auto-detected base branch'\n  * Confirm auto-detected base branch\n  * Merge changes from #10004\n  * Set gh-merge-base from `issue develop`\n  * Open PR against gh-merge-base\n  * Refactor extension executable error handling\n  * fix: list branches in square brackets in gh run view (#10038)\n  * docs: update description of command\n  * style: reformat files\n  * docs: update sentence case\n  * use github owned oci image\n  * docs: add mention of scopes help topic in `auth refresh` command help\n  * docs: add mention of scopes help topic in `auth login` command help\n  * docs: add help topic for auth scopes\n  * docs: improve help for browse command\n  * docs: improve docs for browse command as of #5352\n  * fix package reference\n  * add gh attestation verify integration test for oci bundles\n  * add integration test for bundle-from-oci option\n  * update tests\n  * update tests\n  * move 
content of verify policy options function into enforcement criteria\n  * comment\n  * try switch statement\n  * remove duplicate err checking\n  * get bundle issuer in another func\n  * more logic updating to remove nesting\n  * inverse logic for less nesting\n  * remove unneeded nesting\n  * wip, linting, getting tests to pass\n  * wording\n  * var naming\n  * drop table view\n  * order policy info so relevant info is printed next to each other\n  * Update pkg/cmd/attestation/verification/policy.go\n  * Update pkg/cmd/attestation/verification/policy.go\n  * Update pkg/cmd/attestation/verification/policy.go\n  * wip: added new printSummaryInspection\n  * Improve error handling for missing executable\n  * experiment with table output\n  * Assert stderr is empty in manager_test.go\n  * Update error message wording\n  * Change: exit zero, still print warning to stderr\n  * wording\n  * Improve docs on installing extensions\n  * Update language for missing extension executable\n  * Update test comments about Windows behavior\n  * wording\n  * wording\n  * wording\n  * add newlines for additional policy info\n  * Document requirements for local extensions\n  * Warn when installing local ext with no executable\n  * wording\n  * formatting\n  * print policy information before verifying\n  * add initial policy info method\n  * more wip poking around, now with table printing\n  * wip, gh at inspect will check the signature on the bundle\n  * wip: inspect now prints various bundle fields in a nice json\n\n- Update to version 2.63.2:\n\n  * include alg with digest when fetching bundles from OCI\n  * Error for mutually exclusive json and watch flags\n  * Use safepaths for run download\n  * Use consistent slice ordering in run download tests\n  * Consolidate logic for isolating artifacts\n  * Fix PR checkout panic when base repo is not in remotes\n  * When renaming an existing remote in `gh repo fork`, log the change\n  * Improve DNF version clarity in install steps\n  * Fix 
formatting in client_test.go comments for linter\n  * Expand logic and tests to handle edge cases\n  * Refactor download testing, simpler file descends\n  * Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7\n  * Improve test names so there is no repetition\n  * Second attempt to address exploit\n\n- Update to version 2.63.0:\n\n  * Add checkout test that uses ssh git remote url\n  * Rename backwards compatible credentials pattern\n  * Fix CredentialPattern doc typos\n  * Remove TODOs\n  * Fix typos and add tests for CredentialPatternFrom* functions\n  * Add SSH remote todo\n  * General cleanup and docs\n  * Allow repo sync fetch to use insecure credentials pattern\n  * Allow client fetch to use insecure credentials pattern\n  * Allow client push to use insecure credential pattern\n  * Allow client pull to use insecure credential pattern\n  * Allow opt-in to insecure pattern\n  * Support secure credential pattern\n  * Refactor error handling for missing 'workflow' scope in createRelease\n  * ScopesResponder wraps StatusScopesResponder\n  * Refactor `workflow` scope checking\n  * pr feedback\n  * pr feedback\n  * Update pkg/cmd/attestation/verify/attestation_integration_test.go\n  * Apply suggestions from code review\n  * Refactor command documentation to use heredoc\n  * pr feedback\n  * remove unused test file\n  * undo change\n  * add more testing testing fixtures\n  * update test with new test bundle\n  * naming\n  * update test\n  * update test\n  * Fix README.md code block formatting\n  * clean up\n  * wrap sigstore and cert ext verification into a single function\n  * Adding option to return `baseRefOid` in `pr view`\n  * verify cert extensions function should return filtered result list\n  * pr feedback\n  * Update pkg/cmd/attestation/download/download.go\n  * fix function param calls\n  * Update pkg/cmd/attestation/verification/extensions.go\n  * Formatting fix\n  * Updated formatting to be more clear\n  * Updated markdown syntax for a `note`.\n  * 
Added a section on manual verification of the releases.\n  * Handle missing 'workflow' scope in createRelease\n  * Modify push prompt on repo create when bare\n  * Doc push behaviour for bare repo create\n  * Push --mirror on bare repo create\n  * Add acceptance test for bare repo create\n  * Doc isLocalRepo and git.Client IsLocalRepo differences\n  * Use errWithExitCode interface in repo create isLocalRepo\n  * Backfill repo creation failure tests\n  * Support bare repo creation\n  * use logger println method\n  * simplify verifyCertExtensions\n  * rename type\n  * refactor fetch attestations funcs\n\n- Update to version 2.62.0:\n  * CVE-2024-52308: remote code execution (RCE) when users connect\n    to a malicious Codespace SSH server and use the gh codespace\n    ssh or gh codespace logs commands\n    (boo#1233387, GHSA-p2h2-3vg9-4p87)\n  * Check extension for latest version when executed\n  * Shorten extension release checking from 3s to 1s\n\n- includes changes from 2.61.0:\n  * Enhance gh repo edit command to inform users about\n    consequences of changing visibility and ensure users are\n    intentional before making irreversible changes\n\n- Update to version 2.60.1:\n\n  * Note token redaction in Acceptance test README\n  * Refactor gpg-key delete to align with ssh-key delete\n  * Add acceptance tests for org command\n  * Adjust environment help for host and tokens (#9809)\n  * Add SSH Key Acceptance test\n  * Add Acceptance test for label command\n  * Add acceptance test for gpg-key\n  * Update go-internal to redact more token types in Acceptance tests\n  * Address PR feedback\n  * Clarify `gh` is available for GitHub Enterprise Cloud\n  * Remove comment from gh auth logout\n  * Add acceptance tests for auth-setup-git and formattedStringToEnv helper func\n  * Use forked testscript for token redaction\n  * Use new GitHub preview terms in working-with-us.md\n  * Use new GitHub previews terminology in attestation\n  * Test json flags for repo view and list\n  
* Clean up auth-login-logout acceptance test with native functionality\n  * Add --token flag to `gh auth login` to accept a PAT as a flag\n  * Setup acceptance testing for auth and tests for auth-token and auth-status\n  * Update variable testscripts based on secret\n  * Check extOwner for no value instead\n  * Fix tests for invalid extension name\n  * Refactor to remove code duplication\n  * Linting: now that mockDataGenerator has an embedded mock, we ought to have pointer receivers in its funcs.\n  * Minor tweaks, added backoff to getTrustDomain\n  * added test for verifying we do 3 retries when fetching attestations.\n  * Fix single quote not expanding vars\n  * Added constant backoff retry to getAttestations.\n  * Address @williammartin PR feedback\n  * wip: added test that fails in the absence of a backoff.\n  * add validation for local ext install\n  * feat: add ArchivedAt field to Repository struct\n  * Refactor `gh secret` testscript\n  * Wrap true in '' in repo-fork-sync\n  * Rename acceptance test directory from repos to repo\n  * Remove unnecessary flags from repo-delete testscript\n  * Replace LICENSE Makefile README.md acceptance api bin build cmd context docs git go.mod go.sum internal pkg script share test utils commands with\n  * Wrap boolean strings in '' so it is clear they are strings\n  * Remove unnecessary gh auth setup-git steps\n  * Cleanup some inconsistencies and improve collapse some functionality\n  * Add acceptance tests for repo deploy-key add/list/delete\n  * Add acceptance tests for repo-fork and repo-sync\n  * Add acceptance test for repo-set-default\n  * Add acceptance test for repo-edit\n  * Add acceptance tests for repo-list and repo-rename\n  * Acceptance testing for repo-archive and repo-unarchive\n  * Add acceptance test for repo-clone\n  * Added acceptance test for repo-delete\n  * Added test function for repos and repo-create test\n  * Implement acceptance tests for search commands\n  * Remove . 
from test case for TestTitleSurvey\n  * Clean up Title Survey empty title message code\n  * Add missing test to trigger acceptance tests\n  * Add acceptance tests for `gh variable`\n  * Minor polish / consistency\n  * Fix typo in custom command doc\n  * Refactor env2upper, env2lower; add docs\n  * Update secret note about potential failure\n  * Add testscripts for `gh secret`, helper cmds\n  * Remove stdout assertion from release\n  * Rename test files\n  * Add acceptance tests for `release` commands\n  * Implement basic API acceptance test\n  * Remove unnecessary mkdir from download Acceptance test\n  * Remove empty stdout checks\n  * Adjust sleeps to echos in Acceptance workflows\n  * Use regex assert for enable disable workflow Acceptance test\n  * Watch for run to end for cancel Acceptance test\n  * Include startedAt, completedAt in run steps data\n  * Rewrite a sentence in CONTRIBUTING.md\n  * Add filtered content output to docs\n  * sleep 10s before checking for workflow run\n  * Update run-rerun.txtar\n  * Create cache-list-delete.txtar\n  * Create run-view.txtar\n  * Create run-rerun.txtar\n  * Create run-download.txtar\n  * Create run-delete.txtar\n  * Remove IsTenancy and relevant tests from gists as they are unsupported\n  * Remove unnecessary code branches\n  * Add ghe.com to tests describing ghec data residency\n  * Remove comment\n  * auth: Removed redundant ghauth.IsTenancy(host) check\n  * Use go-gh/auth package for IsEnterprise, IsTenancy, and NormalizeHostname\n  * Upgrade go-gh version to 2.11.0\n  * Add test coverage to places where IsEnterprise incorrectly covers Tenancy\n  * Fix issue creation with metadata regex\n  * Create run-cancel.txtar\n  * Create workflow-run.txtar\n  * Create workflow-view.txtar\n  * implement workflow enable/disable acceptance test\n  * implement base workflow list acceptance test\n  * Add comment to acceptance make target\n  * Resolve PR feedback\n  * Acceptance test issue command\n  * Support GH_ACCEPTANCE_SCRIPT\n  
* Ensure Acceptance defer failures are debuggable\n  * Add acceptance task to makefile\n  * build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6\n  * Ensure pr create with metadata has assignment\n  * Document sharedCmds func in acceptance tests\n  * Correct testscript description in Acceptance readme\n  * Add link to testscript pkg documentation\n  * Add VSCode extension links to Acceptance README\n  * Fix GH_HOST / GH_ACCEPTANCE_HOST misuse\n  * Acceptance test PR list\n  * Support skipping Acceptance test cleanup\n  * Acceptance test PR creation with metadata\n  * Suggest using legacy PAT for acceptance tests\n  * Add host recommendation to Acceptance test docs\n  * Don't append remaining text if more matches\n  * Highlight matches in table and content\n  * Split all newlines, and output no-color to non-TTY\n  * Print filtered gists similar to code search\n  * Show progress when filtering\n  * Simplify description\n  * Disallow use of --include-content without --filter\n  * Improve help docs\n  * Refactor filtering into existing `gist list`\n  * Improve performance\n  * Add `gist search` command\n  * Fix api tests after function signature changes\n  * Return nil instead of empty objects when err\n  * Fix license list and view tests\n  * Validate required env vars not-empty for Acceptance tests\n  * Add go to test instructions in Acceptance README\n  * Apply suggestions from code review\n  * Error if acceptance tests are targeting github or cli orgs\n  * Add codecoverage to Acceptance README\n  * Isolate acceptance env vars\n  * Add Writing Tests section to Acceptance README\n  * Add Debug and Authoring sections to Acceptance README\n  * Acceptance test PR comment\n  * Acceptance test PR merge and rebase\n  * Note syntax highlighting support for txtar files\n  * Refactor acceptance test environment handling\n  * Add initial acceptance test README\n  * Use txtar extension for testscripts\n  * Support targeting other hosts in acceptance tests\n  
* Use stdout2env in PR acceptance tests\n  * Acceptance test PR checkout\n  * Add pr view test script\n  * Initial testscript introduction\n  * While we're at it, let's ensure VerifyCertExtensions can't be tricked the same way.\n  * Add examples for creating `.gitignore` files\n  * Update help for license view\n  * Refactor http error handling\n  * implement `--web` flag for license view\n  * Fix license view help doc, add LICENSE.md example\n  * Update help and fix heredoc indentation\n  * Add SPDX ID to license list output\n  * Fix ExactArgs invocation\n  * Add `Long` for license list indicating limitations\n  * Update function names\n  * Reverse repo/shared package name change\n  * If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.\n  * Bump cli/oauth to 1.1.1\n  * Add test coverage for TitleSurvey change\n  * Fix failing test for pr and issue create\n  * Make the X in the error message red and print with io writer\n  * Handle errors from parsing hostname in auth flow\n  * Apply suggestions from code review\n  * Refactor tests and add new tests\n  * Move API calls to queries_repo.go\n  * Allow user to override markdown wrap width via $GH_MDWIDTH from environment\n  * Add handling of empty titles for Issues and PRs\n  * Print the login URL even when opening a browser\n  * Apply suggestions from code review\n  * Update SECURITY.md\n  * Fix typo and wordsmithing\n  * fix typo\n  * Remove trailing space from heading\n  * Revise wording\n  * Update docs to allow community submitted designs\n  * Implement license view\n  * Implement gitignore view\n  * implement gitignore list\n  * Update license table headings and tests\n  * Fix ListLicenseTemplates doc\n  * fix output capitalization\n  * Cleanup rendering and tests\n  * Remove json output option\n  * Divide shared repo package and add queries tests\n  * First pass at implementing `gh repo license list`\n  * Emit a log message when extension installation falls 
back to a darwin-amd64 binary on an Apple Silicon macOS machine\n\n- Update to version 2.58.0:\n  * build(deps): bump github.com/theupdateframework/go-tuf/v2\n  * Include `dnf5` commands\n  * Add GPG key instructions to appropriate sections\n  * Update docs language to remove possible confusion around 'where you log in'\n  * Change conditional in promptForHostname to better reflect prompter changes\n  * Shorten language on Authenticate with a GitHub host.\n  * Update language on docstring for `gh auth login`\n  * Change prompts for `gh auth login` to reflect change from GHE to Other\n  * Sentence case 'Other' option in hostname prompt\n  * build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4\n  * Add documentation explaining how to use `hostname` for `gh auth login`\n  * Replace 'GitHub Enterprise Server' with 'other' in `gh auth login` prompt\n  * fix tenant-awareness for trusted-root command\n  * Fix test\n  * Update pkg/cmd/extension/manager.go\n  * Update comment formatting\n  * Use new HasActiveToken method in trustedroot.go\n  * Add HasActiveToken method to AuthConfig interface\n  * Add HasActiveToken to AuthConfig.\n  * Improve error presentation\n  * Improve the suggested command for creating an issue when an extension doesn't have a binary for your platform\n  * Update pkg/cmd/attestation/trustedroot/trustedroot_test.go\n  * build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5\n  * enforce auth for tenancy\n  * disable auth check for att trusted-root cmd\n  * better error for att verify custom issuer mismatch\n  * Enhance gh repo create docs, fix random cmd link\n","title":"Description of the patch"},{"category":"details","text":"openSUSE-2025-21","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of 
use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0021-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2025:0021-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HUMKXZZVR2XTEF5OINR7OTNWNR5IVCYQ/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2025:0021-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HUMKXZZVR2XTEF5OINR7OTNWNR5IVCYQ/"},{"category":"self","summary":"SUSE Bug 1233387","url":"https://bugzilla.suse.com/1233387"},{"category":"self","summary":"SUSE CVE CVE-2024-52308 page","url":"https://www.suse.com/security/cve/CVE-2024-52308/"}],"title":"Security update for gh","tracking":{"current_release_date":"2025-01-22T10:02:08Z","generator":{"date":"2025-01-22T10:02:08Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2025:0021-1","initial_release_date":"2025-01-22T10:02:08Z","revision_history":[{"date":"2025-01-22T10:02:08Z","number":"1","summary":"Current 
version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"gh-2.65.0-bp156.2.17.1.aarch64","product":{"name":"gh-2.65.0-bp156.2.17.1.aarch64","product_id":"gh-2.65.0-bp156.2.17.1.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"gh-2.65.0-bp156.2.17.1.i586","product":{"name":"gh-2.65.0-bp156.2.17.1.i586","product_id":"gh-2.65.0-bp156.2.17.1.i586"}}],"category":"architecture","name":"i586"},{"branches":[{"category":"product_version","name":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch","product":{"name":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch","product_id":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch"}},{"category":"product_version","name":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch","product":{"name":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch","product_id":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch"}},{"category":"product_version","name":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","product":{"name":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","product_id":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"}}],"category":"architecture","name":"noarch"},{"branches":[{"category":"product_version","name":"gh-2.65.0-bp156.2.17.1.ppc64le","product":{"name":"gh-2.65.0-bp156.2.17.1.ppc64le","product_id":"gh-2.65.0-bp156.2.17.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"gh-2.65.0-bp156.2.17.1.s390x","product":{"name":"gh-2.65.0-bp156.2.17.1.s390x","product_id":"gh-2.65.0-bp156.2.17.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"gh-2.65.0-bp156.2.17.1.x86_64","product":{"name":"gh-2.65.0-bp156.2.17.1.x86_64","product_id":"gh-2.65.0-bp156.2.17.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP6","product":{"name":"SUSE Package 
Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6"}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.aarch64 as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64"},"product_reference":"gh-2.65.0-bp156.2.17.1.aarch64","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.i586 as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586"},"product_reference":"gh-2.65.0-bp156.2.17.1.i586","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.ppc64le as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le"},"product_reference":"gh-2.65.0-bp156.2.17.1.ppc64le","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.s390x as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x"},"product_reference":"gh-2.65.0-bp156.2.17.1.s390x","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.x86_64 as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64"},"product_reference":"gh-2.65.0-bp156.2.17.1.x86_64","relates_to_product_reference":"SUSE Package Hub 15 
SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch"},"product_reference":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch"},"product_reference":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"},"product_reference":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.aarch64 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64"},"product_reference":"gh-2.65.0-bp156.2.17.1.aarch64","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.i586 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586"},"product_reference":"gh-2.65.0-bp156.2.17.1.i586","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.ppc64le as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le"},"product_reference":"gh-2.65.0-bp156.2.17.1.ppc64le","relates_to_product_reference":"openSUSE Leap 
15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.s390x as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x"},"product_reference":"gh-2.65.0-bp156.2.17.1.s390x","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-2.65.0-bp156.2.17.1.x86_64 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64"},"product_reference":"gh-2.65.0-bp156.2.17.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch"},"product_reference":"gh-bash-completion-2.65.0-bp156.2.17.1.noarch","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch"},"product_reference":"gh-fish-completion-2.65.0-bp156.2.17.1.noarch","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"},"product_reference":"gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2024-52308","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-52308"}],"notes":[{"category":"general","text":"The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace 
logs` commands. This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`.  
The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.","title":"CVE description"}],"product_status":{"recommended":["SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64","SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch","SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch","SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64","openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"]},"references":[{"category":"external","summary":"CVE-2024-52308","url":"https://www.suse.com/security/cve/CVE-2024-52308"},{"category":"external","summary":"SUSE Bug 1233387 for CVE-2024-52308","url":"https://bugzilla.suse.com/1233387"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64","SUSE Package Hub 15 
SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch","SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch","SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64","openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":9.6,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x","SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64","SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch","SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch","SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x","openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64","openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch","openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"]}],"threats":[{"category":"impact","date":"2025-01-22T10:02:08Z","details":"critical"}],"title":"CVE-2024-52308"}]}
