{"affected":[{"ecosystem_specific":{"binaries":[{"go-sendxmpp":"0.15.1-bp160.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"go-sendxmpp","purl":"pkg:rpm/opensuse/go-sendxmpp&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.15.1-bp160.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for go-sendxmpp fixes the following issues:\n\nChanges in go-sendxmpp:\n\n- Update to 0.15.1:\n  Added\n  * Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).\n  Changed\n  * HTTP upload: Ignore timeouts on disco IQs as some components do\n    not reply.\n- Upgrades the embedded golang.org/x/net to 0.46.0\n  * Fixes: bsc#1251461, CVE-2025-47911: various algorithms with\n    quadratic complexity when parsing HTML documents\n  * Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption\n    by 'html.ParseFragment' when processing specially crafted input\n\n- Update to 0.15.0:\n  Added:\n  * Add flag --verbose to show debug information.\n  * Add flag --recipients to specify recipients by file.\n  * Add flag --retry-connect to try after a waiting time if the connection fails.\n  * Add flag --retry-connect-max to specify the amount of retry attempts.\n  * Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.\n  * Add support for punycode domains.\n  Changed:\n  * Update gopenpgp library to v3.\n  * Improve error detection for MUC joins.\n  * Don't try to connect to other SRV record targets if error contains 'auth-failure'.\n  * Remove support for old SSDP version (via go-xmpp v0.2.15).\n  * Http-upload: Stop checking other disco items after finding upload component.\n  * Increase default TLS version to 1.3.\n- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0\n\n- Update to 0.14.1:\n  * Use prettier date format for error messages.\n  * Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).\n\n- Update to 0.14.0:\n  Added:\n  * Add --fast-invalidate to allow invalidating the FAST token.\n  Changed:\n  * Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.\n  * Delete legacy Ox private key directory if it's empty.\n  * Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9).\n  * Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9).\n  * Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9).\n  * Delete stored fast token if --fast-invalidate and --fast-off are set.\n  * Show error when FAST creds are stored but non-FAST mechanism is requested.\n\n- Update to 0.13.0:\n  Added:\n  * Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8).\n  * Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8).\n  * Add support for see-other-host stream error (requires go-xmpp >= 0.2.8).\n  Changed:\n  * Don't automatically try other auth mechanisms if FAST authentication fails.\n\n- Update to 0.12.1:\n  Changed:\n  * Print error instead of quitting if a message of type error is received.\n  * Allow upload of multiple files.\n  Added:\n  * Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.\n\n- Update to 0.12.0:\n  Added:\n  * Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3).\n  * Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5).\n  Changed:\n  * Disable PLAIN authentication per default.\n  * Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires\n    go-xmpp >= 0.2.5).\n\n- Update to 0.11.4:\n  * Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4).\n\n- Update to 0.11.3:\n  * Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2).\n  * Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3).\n  * [gocritic]: Improve code quality.\n","id":"openSUSE-SU-2026:20058-1","modified":"2026-01-17T09:30:33Z","published":"2026-01-17T09:30:33Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1241814"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251461"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251677"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22872"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47911"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58190"}],"related":["CVE-2025-22872","CVE-2025-47911","CVE-2025-58190"],"summary":"Security update for go-sendxmpp","upstream":["CVE-2025-22872","CVE-2025-47911","CVE-2025-58190"]}