OPENSUSE-SU-2026:20318-1
Vulnerability from csaf_opensuse - Published: 2026-03-03 14:44 - Updated: 2026-03-03 14:44
Summary
Security update for gitea-tea
Notes
Title of the patch
Security update for gitea-tea
Description of the patch
This update for gitea-tea fixes the following issues:
Changes in gitea-tea:
- update to 0.12.0:
* New Features
- Add tea actions commands for managing workflow runs and
workflows in #880, #796
- Add tea api subcommand for arbitrary API calls not covered by
existing commands in #879
- Add repository webhook management commands in #798
- Add JSON output support for single PR view in #864
- Add JSON output and file redirection for issue detail view in
#841
- Support creating AGit flow pull requests in #867
* Bug Fixes
- Fix authentication via environment variables when specifying
repo argument in #809
- Fix issue detail view ignoring --owner flag in #899
- Fix PR create crash in #823
- Fix TTY prompt handling in #897
- Fix termenv OSC RGBA handling in #907
- Fix labels delete command and --id flag type in #865
- Fix delete repo command description in #858
- Fix pagination flags for secrets list, webhooks list, and
pull requests list in #853, #852, #851
- Enable git worktree support and improve PR create error
handling in #850
- Only prompt for SSH passphrase when necessary in #844
- Only prompt for login confirmation when no default login is
set in #839
- Skip token uniqueness check when using SSH authentication in
#898
- Require non-empty token in GetLoginByToken in #895
- Fix config file permissions to remove group read/write in
#856
* Improvements
- Add file locking for safe concurrent access to config file in
#881
- Improve error messages throughout the CLI in #871
- Send consistent HTTP request headers in #888
- Revert requiring HTTP/HTTPS login URLs; restore SSH as a
login method in #891
- Refactor context into dedicated subpackages in #873, #888
- General code cleanup and improvements in #869, #870
- Add test coverage for login matching in #820
* Build & Dependencies
- Build with Go 1.25 in #886
- Build for Windows aarch64
- Update Gitea SDK version in #868
- Update Nix flake in #872
- Update dependencies including lipgloss v2, urfave/cli v3.6.2,
go-git v5.16.5, and various Go modules in #849, #875, #876,
#878, #884, #885, #900, #901, #904, #905
- Update CI actions (checkout v6, setup-go v6) in #882, #883
Patchnames
openSUSE-Leap-16.0-packagehub-146
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for gitea-tea",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for gitea-tea fixes the following issues:\n\nChanges in gitea-tea:\n\n- update to 0.12.0:\n * New Features\n - Add tea actions commands for managing workflow runs and\n workflows in #880, #796\n - Add tea api subcommand for arbitrary API calls not covered by\n existing commands in #879\n - Add repository webhook management commands in #798\n - Add JSON output support for single PR view in #864\n - Add JSON output and file redirection for issue detail view in\n #841\n - Support creating AGit flow pull requests in #867\n * Bug Fixes\n - Fix authentication via environment variables when specifying\n repo argument in #809\n - Fix issue detail view ignoring --owner flag in #899\n - Fix PR create crash in #823\n - Fix TTY prompt handling in #897\n - Fix termenv OSC RGBA handling in #907\n - Fix labels delete command and --id flag type in #865\n - Fix delete repo command description in #858\n - Fix pagination flags for secrets list, webhooks list, and\n pull requests list in #853, #852,\n - #851\n - Enable git worktree support and improve PR create error\n handling in #850\n - Only prompt for SSH passphrase when necessary in #844\n - Only prompt for login confirmation when no default login is\n set in #839\n - Skip token uniqueness check when using SSH authentication in\n #898\n - Require non-empty token in GetLoginByToken in #895\n - Fix config file permissions to remove group read/write in\n #856\n * Improvements\n - Add file locking for safe concurrent access to config file in\n #881\n - Improve error messages throughout the CLI in #871\n - Send consistent HTTP request headers in #888\n - Revert requiring HTTP/HTTPS login URLs; restore SSH as a\n login method in #891\n - Refactor context into dedicated subpackages in #873, #888\n - General code cleanup and improvements in #869, #870\n - Add test coverage for login matching in #820\n * Build \u0026 Dependencies\n - Build with Go 1.25 in #886\n - Build for Windows aarch64\n - Update Gitea SDK version in #868\n - Update Nix flake in #872\n - Update dependencies including lipgloss v2, urfave/cli v3.6.2,\n go-git v5.16.5, and various Go modules in #849, #875, #876,\n #878, #884, #885, #900, #901, #904, #905\n - Update CI actions (checkout v6, setup-go v6) in #882, #883\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-146",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20318-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for gitea-tea",
"tracking": {
"current_release_date": "2026-03-03T14:44:11Z",
"generator": {
"date": "2026-03-03T14:44:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20318-1",
"initial_release_date": "2026-03-03T14:44:11Z",
"revision_history": [
{
"date": "2026-03-03T14:44:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.aarch64",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.aarch64",
"product_id": "gitea-tea-0.12.0-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"product": {
"name": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"product_id": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch",
"product": {
"name": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch",
"product_id": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.ppc64le",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.ppc64le",
"product_id": "gitea-tea-0.12.0-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.s390x",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.s390x",
"product_id": "gitea-tea-0.12.0-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.x86_64",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.x86_64",
"product_id": "gitea-tea-0.12.0-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch"
},
"product_reference": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
},
"product_reference": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-03T14:44:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-03T14:44:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}