melange/0.13.2 package update

[octo-sts]

[github-actions]

Package melange: Click to expand/collapse

Package melange:
Modified: /usr/bin/melange

Package melange-microvm-init: Click to expand/collapse

Package melange-microvm-init:
Unchanged

malcontent found differences: Click to expand/collapse

Deleted: melange-microvm-init/var/lib/db/sbom/melange-microvm-init-0.13.1-r0.spdx.json [⚠️ MEDIUM]

RISK	KEY	DESCRIPTION	EVIDENCE
-MEDIUM	net/download	download files	downloadLocation
-LOW	ref/site/url	contains embedded HTTPS URLs	https://spdx.org/spdxdocs/chainguard/melange/89539679bab55564abf08c1615e7

Added: melange-microvm-init/var/lib/db/sbom/melange-microvm-init-0.13.2-r0.spdx.json [⚠️ MEDIUM]

RISK	KEY	DESCRIPTION	EVIDENCE
+MEDIUM	net/download	download files	downloadLocation
+LOW	ref/site/url	contains embedded HTTPS URLs	https://spdx.org/spdxdocs/chainguard/melange/03180d6e0a8a84f1b8d79d9867d8

Changed: /tmp/wolfictl-apk-2953385631/melange/usr/bin/melange

Changed: /tmp/wolfictl-apk-2953385631/melange-microvm-init/init

Moved: melange/var/lib/db/sbom/melange-0.13.1-r0.spdx.json -> /tmp/wolfictl-apk-2953385631/melange/var/lib/db/sbom/melange-0.13.2-r0.spdx.json (similarity: 0.99)

[octo-sts]

malcontent detected files with a risk score equal or higher than 'CRITICAL': Click to expand/collapse

/tmp/malcontent2009238845/packages/x86_64/melange-0.13.2-r0.apk/usr/bin/melange [🚨 CRITICAL]

RISK	KEY	DESCRIPTION	EVIDENCE
HIGH	admin/pip_install	Installs software using pip from python	pip installb3312fa7e23ee7e4988e056be3f82d19
CRITICAL	combo/dropper/shell	change dir, fetch file via tor, make it executable, and run it	./b ./configure --prefix ./configure command. ./configure.ac ./dist/ ./m ./package.json ./pipe/docker ./pombump-deps.yaml ./pombump-properties.yaml .onion cd $ cd /home/build chmod curl -L
HIGH	ref/path/hidden	hidden path in a system directory	scallhtml3125Atoilib/bin/.so.

[octo-sts]

superseded by #30356