Latest release: 265 (19 Apr 2024)
09 Feb 2024 —
Chris Lamb
The diffoscope maintainers are pleased to announce the release of diffoscope
version 256. This version includes the following changes:
* CVE-2024-25711: Use a determistic name when extracting content from GPG
artifacts instead of trusting the value of gpg's --use-embedded-filenames.
This prevents a potential information disclosure vulnerability that could
have been exploited by providing a specially-crafted GPG file with an
embedded filename of, say, "../../.ssh/id_rsa".
Many thanks to Daniel Kahn Gillmor <dkg@debian.org> for reporting this
issue and providing feedback.
(Closes: reproducible-builds/diffoscope#361)
* Temporarily fix support for Python 3.11.8 re. a potential regression
with the handling of ZIP files. (See reproducible-builds/diffoscope#362)
You find out more by visiting the project homepage.