{"affected":[{"ecosystem_specific":{"binaries":[{"hauler":"1.3.1-bp160.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"hauler","purl":"pkg:rpm/opensuse/hauler&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.3.1-bp160.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for hauler fixes the following issues:\n\n- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,\n  bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,\n  bsc#1248937, CVE-2025-58058):\n  * bump github.com/containerd/containerd (#474)\n  * another fix to tests for new tests (#472)\n  * fixed typo in testdata (#471)\n  * fixed/cleaned new tests (#470)\n  * trying a new way for hauler testing (#467)\n  * update for cosign v3 verify (#469)\n  * added digests view to info (#465)\n  * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)\n  * update oras-go to v1.2.7 for security patches (#464)\n  * update cosign to v3.0.2+hauler.1 (#463)\n  * fixed homebrew directory deprecation (#462)\n  * add registry logout command (#460)\n\n- Update to version 1.3.0:\n  * bump the go_modules group across 1 directory with 2 updates (#455)\n  * upgraded versions/dependencies/deprecations (#454)\n  * allow loading of docker tarballs (#452)\n  * bump the go_modules group across 1 directory with 2 updates (#449)\n\n- update to 1.2.5 (bsc#1246722, CVE-2025-46569):\n  * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in\n    the go_modules group across 1 directory (CVE-2025-46569)\n  * deprecate auth from hauler store copy\n  * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the\n    go_modules group across 1 directory\n  * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0\n    in the go_modules group across 1 directory\n  * upgraded go and dependencies versions\n\n- Update to version 1.2.5:\n  * upgraded go and dependencies versions (#444)\n  * Bump 
github.com/go-viper/mapstructure/v2 (#442)\n  * bump github.com/cloudflare/circl (#441)\n  * deprecate auth from hauler store copy (#440)\n  * Bump github.com/open-policy-agent/opa (#438)\n\n- update to 1.2.4 (CVE-2025-22872, bsc#1241804):\n  * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules\n    group across 1 directory\n  * minor tests updates\n\n- Update to version 1.2.3:\n  * formatting and flag text updates\n  * add keyless signature verification (#434)\n  * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)\n  * add --only flag to hauler store copy (for images) (#429)\n  * fix tlog verification error/warning output (#428)\n\n- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):\n  * cleanup new tlog flag typos and add shorthand (#426)\n  * default public transparency log verification to false to be airgap friendly but allow override (#425)\n  * bump github.com/golang-jwt/jwt/v4 (#423)\n  * bump the go_modules group across 1 directory with 2 updates (#422)\n  * bump github.com/go-jose/go-jose/v3 (#417)\n  * bump github.com/go-jose/go-jose/v4 (#415)\n  * clear default manifest name if product flag used with sync (#412)\n  * updates for v1.2.0 (#408)\n  * fixed remote code (#407)\n  * added remote file fetch to load (#406)\n  * added remote and multiple file fetch to sync (#405)\n  * updated save flag and related logs (#404)\n  * updated load flag and related logs [breaking change] (#403)\n  * updated sync flag and related logs [breaking change] (#402)\n  * upgraded api update to v1/updated dependencies (#400)\n  * fixed consts for oci declarations (#398)\n  * fix for correctly grabbing platform post cosign 2.4 updates (#393)\n  * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)\n  * Bump the go_modules group across 1 directory with 2 updates (#385)\n  * replace mholt/archiver with mholt/archives (#384)\n  * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)\n  * cleaned 
up registry and improved logging (#378)\n  * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)\n- bump net/html dependencies (bsc#1235332, CVE-2024-45338)\n\n- Update to version 1.1.1:\n  * fixed cli desc for store env var (#374)\n  * updated versions for go/k8s/helm (#373)\n  * updated version flag to internal/flags (#369)\n  * renamed incorrectly named consts (#371)\n  * added store env var (#370)\n  * adding ignore errors and retries for continue on error/fail on error (#368)\n  * updated/fixed hauler directory (#354)\n  * standardize consts (#353)\n  * removed cachedir code (#355)\n  * removed k3s code (#352)\n  * updated dependencies for go, helm, and k8s (#351)\n  * [feature] build with boring crypto where available (#344)\n  * updated workflow to goreleaser builds (#341)\n  * added timeout to goreleaser workflow (#340)\n  * trying new workflow build processes (#337)\n  * improved workflow performance (#336)\n  * have extract use proper ref (#335)\n  * yet another workflow goreleaser fix (#334)\n  * even more workflow fixes (#333)\n  * added more fixes to github workflow (#332)\n  * fixed typo in hauler store save (#331)\n  * updates to fix build processes (#330)\n  * added integration tests for non hauler tarballs (#325)\n  * bump: golang >= 1.23.1 (#328)\n  * add platform flag to store save (#329)\n  * Update feature_request.md\n  * updated/standardize command descriptions (#313)\n  * use new annotation for 'store save' manifest.json (#324)\n  * enable docker load for hauler tarballs (#320)\n  * bump to cosign v2.2.3-carbide.3 for new annotation (#322)\n  * continue on error when adding images to store (#317)\n  * Update README.md (#318)\n  * fixed completion commands (#312)\n  * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)\n  * pages: enable go install hauler.dev/go/hauler (#310)\n  * Create CNAME\n  * pages: initial workflow (#309)\n  * testing and linting updates (#305)\n  * feat-273: TLS Flags (#303)\n  * 
added list-repos flag (#298)\n  * fixed hauler login typo (#299)\n  * updated cobra function for shell completion (#304)\n  * updated install.sh to remove github api (#293)\n  * fix image ref keys getting squashed when containing sigs/atts (#291)\n  * fix missing versin info in release build (#283)\n  * bump github.com/docker/docker in the go_modules group across 1 directory (#281)\n  * updated install script (`install.sh`) (#280)\n  * fix digest images being lost on load of hauls (Signed). (#259)\n  * feat: add readonly flag (#277)\n  * fixed makefile for goreleaser v2 changes (#278)\n  * updated goreleaser versioning defaults (#279)\n  * update feature_request.md (#274)\n  * updated old references\n  * updated actions workflow user\n  * added dockerhub to github actions workflow\n  * removed helm chart\n  * added debug container and workflow\n  * updated products flag description\n  * updated chart for release\n  * fixed workflow errors/warnings\n  * fixed permissions on testdata\n  * updated chart versions (will need to update again)\n  * last bit of fixes to workflow\n  * updated unit test workflow\n  * updated goreleaser deprecations\n  * added helm chart release job\n  * updated github template names\n  * updated imports (and go fmt)\n  * formatted gitignore to match dockerignore\n  * formatted all code (go fmt)\n  * updated chart tests for new features\n  * Adding the timeout flag for fileserver command\n  * Configure chart commands to use helm clients for OCI and private registry support\n  * Added some documentation text to sync command\n  * Bump golang.org/x/net from 0.17.0 to 0.23.0\n  * fix for dup digest smashing in cosign\n  * removed vagrant scripts\n  * last bit of updates and formatting of chart\n  * updated hauler testdata\n  * adding functionality and cleaning up\n  * added initial helm chart\n  * removed tag in release workflow\n  * updated/fixed image ref in release workflow\n  * updated/fixed platforms in release workflow\n  * updated/cleaned 
github actions (#222)\n  * Make Product Registry configurable (#194)\n  * updated fileserver directory name (#219)\n  * fix logging for files\n  * add extra info for the tempdir override flag\n  * tempdir override flag for load\n  * deprecate the cache flag instead of remove\n  * switch to using bci-golang as builder image\n  * fix: ensure /tmp for hauler store load\n  * added the copy back for now\n  * remove copy at the image sync not needed with cosign update\n  * removed misleading cache flag\n  * better logging when adding to store\n  * update to v2.2.3 of our cosign fork\n  * add: dockerignore\n  * add: Dockerfile\n  * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0\n  * Bump github.com/docker/docker\n  * updated and added new logos\n  * updated github files\n","id":"openSUSE-SU-2025:20160-1","modified":"2025-12-12T13:20:11Z","published":"2025-12-12T13:20:11Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1235332"},{"type":"REPORT","url":"https://bugzilla.suse.com/1241184"},{"type":"REPORT","url":"https://bugzilla.suse.com/1241804"},{"type":"REPORT","url":"https://bugzilla.suse.com/1246722"},{"type":"REPORT","url":"https://bugzilla.suse.com/1248937"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251516"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251651"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251891"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-0406"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45338"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-11579"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22872"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-46569"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47911"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58058"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58190"}],
"related":["CVE-2024-0406","CVE-2024-45338","CVE-2025-11579","CVE-2025-22872","CVE-2025-46569","CVE-2025-47911","CVE-2025-58058","CVE-2025-58190"],"summary":"Security update for hauler","upstream":["CVE-2024-0406","CVE-2024-45338","CVE-2025-11579","CVE-2025-22872","CVE-2025-46569","CVE-2025-47911","CVE-2025-58058","CVE-2025-58190"]}