Subject: CVS commit: pkgsrc/sysutils/packer
From: Benny Siegert
Date: 2023-12-24 13:36:18
Message id: 20231224123618.93F37FA42@cvs.NetBSD.org
Log Message:
packer: update to 1.9.5 and add security fix

This is the last version before the change to a non-free license.

This fixes the following vulnerability:

Vulnerability #1: GO-2023-2402
Man-in-the-middle attacker can compromise integrity of secure channel in
golang.org/x/crypto
More info: https://pkg.go.dev/vuln/GO-2023-2402
Module: golang.org/x/crypto
Found in: golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d
Fixed in: golang.org/x/crypto@v0.17.0

1.9.3

core/docs: Clarify the expected usage of the packer init command for HCL2
template builds.
core/hcp: Add support for project-level service principals. A user connecting
with a project-level service principal must provide a valid HCP_PROJECT_ID
in order to connect.
core: A new Docker image packer:release-full has been added for all
supported architectures. The release-full image includes Packer and all the
official plugins pre-installed in its environment.
core: Add enhanced support to Packer telemetry for bundle plugins usage.

1.9.4

Bug fix: When invoking Packer with the CHECKPOINT_DISABLE environment variable
the telemetry reporter is left uninitialized in order to disable telemetry
reporting. Any method calls on the nil reporter are expected to check if the
reporter is active or in NOOP mode. The SetBundledUsage function, introduced in
Packer 1.9.2, failed to perform a nil check before attempting to modify an
attribute, causing Packer to fail when telemetry is disabled. This release
fixes this issue by introducing such a check.

1.9.5

Bump github.com/go-jose/go-jose/v3 to address GO-2023-2334.
Add VirtualBox as known plugin prefix to prevent endless bundled plugin
warning.
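
The nil-reporter failure described in the 1.9.4 note, reproduced as an added example that is not Packer's code and not part of the commit message. The type, function and field names are hypothetical, and it assumes that any non-empty CHECKPOINT_DISABLE value disables telemetry.

```go
package main

import "fmt"

// telemetry is a hypothetical stand-in for a telemetry reporter.
type telemetry struct {
	bundledUsage bool
}

// newTelemetry returns nil when CHECKPOINT_DISABLE is set (assumption: any
// non-empty value), so a disabled reporter is simply left uninitialized.
func newTelemetry(getenv func(string) string) *telemetry {
	if getenv("CHECKPOINT_DISABLE") != "" {
		return nil
	}
	return &telemetry{}
}

// setBundledUsageUnchecked writes a field without checking the receiver.
// Go allows the call on a nil *telemetry; the field write then panics.
func (t *telemetry) setBundledUsageUnchecked() {
	t.bundledUsage = true
}

// setBundledUsage is the guarded form: a nil reporter is a no-op.
func (t *telemetry) setBundledUsage() {
	if t == nil {
		return
	}
	t.bundledUsage = true
}

// panics runs f and reports whether it panicked.
func panics(f func()) (p bool) {
	defer func() {
		if recover() != nil {
			p = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed environment: telemetry disabled.
	t := newTelemetry(func(string) string { return "1" })
	fmt.Println("unchecked panics:", panics(t.setBundledUsageUnchecked))
	fmt.Println("guarded panics:  ", panics(t.setBundledUsage))
}
```
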
Files: