Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21310-1 advisory.
Changes in gh:
- Update to version 2.96.0:
* Critical security fix: patched vulnerability in gh codespace jupyter that could allow command execution when connecting to malicious Codespaces
* Merge commit from fork
* Fix concurrent map writes in codespace port forwarding (#13313)
* docs: fix broken install command and link/grammar errors (#13690)
* Clarify `--clone` boolean flag behaviour in `gh repo fork` help (#13786)
* docs: fix duplicated word in primer README (#13677)
* fix(skills): honor --dir without agent prompt (#13766)
* Support antigravity-cli and antigravity2.0 in gh skill (#13784)
* chore(deps): bump golangci/golangci-lint-action from 9.2.1 to 9.3.0
* docs(search): reword raw qualifier examples
* chore(deps): bump goreleaser/goreleaser-action from 7.2.2 to 7.2.3
* docs(search): simplify raw qualifier examples
* docs(search): add examples for multiple qualifiers
* chore(deps): bump actions/attest from 4.1.0 to 4.1.1
* chore(deps): bump actions/setup-go from 6.4.0 to 6.5.0
* fix(cmdutil): honor DisableAuthCheck under repo-override parents
* feat(release): allow download without authentication
* fix(release): don't let a failed draft lookup mask a found release
* Fix flaky TestHuhPrompterMultiSelectWithSearchPersistence on slow architectures (#13675)
* Detect additional third-party coding agents (#13722)
* Add security disclosure guidance to AGENTS.md (#13720)
* chore(deps): bump actions/checkout from 6.0.3 to 7.0.0
* chore(deps): bump github.com/microsoft/dev-tunnels from 0.1.19 to 0.1.27
* ci: pin GitHub Actions to commit SHAs
* chore(deps): bump github.com/google/go-containerregistry
* Use int64 for GitHub database IDs (#13403)
* docs: fix broken anchor link in release-process-deep-dive (#13688)
* Cover all printSummary branches in a table test
* fix(skills): install universal agent to ~/.agents/skills
* fix: show checks summary when all checks were cancelled
- The following bugs are no longer present in this release (may have been fixed in previous releases): bsc#1234566, bsc#1235345, bsc#1237669, bsc#1239496, bsc#1241837, bsc#1243930, bsc#1251464, bsc#1251666, bsc#1253929, bsc#1258617, bsc#1260271, bsc#1262339, bsc#1262943, bsc#1265405, bsc#1265777, bsc#1266173, bsc#1266618, bsc#1266975, bsc#1267158, bsc#1269427
- Update to version 2.95.0:
* feat(skills): list available skills when install runs non-interactively (#13548)
* fix(skills): stage updates in a temp dir and swap in-place (#13449)
* feat: add `repo read-file` and `repo read-dir` (#13580)
* Bump Go in devcontainer
* Make filtering by bot authors more discoverable (#13642)
* chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0
* chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0
* chore(deps): bump charm.land/lipgloss/v2 from 2.0.3 to 2.0.4
* chore(deps): bump github.com/sigstore/sigstore-go from 1.1.4 to 1.2.1
* chore(deps): bump golang.org/x/text from 0.37.0 to 0.38.0
* test(skill): fix test case name
* test(skill): merge isolated test into table
* Potential fix for pull request finding
* docs(discussion): polish help docs
* chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2
* fix test
* support custom CLAUDE_CONFIG_DIR in install
- Update to version 2.94.0:
* Add gh discussion and Issues 2.0 reference to the `gh` skill, plus a README note (#13631)
* fix(discussion comment): fix bug in requiring body/body-file in add/edit mode
* chore(discussion/client): rename client files
* test(acceptance): fix discussion comment acceptance tests
* fix(discussion/shared): error on out-of-range discussion number in URL
* fix(discussion view): print only requested items in non-tty output
* docs(discussion list): clarify answered examples refer to Q&A discussions
* fix(discussion view): show comments and replies in chronological order
* refactor(discussion list): simplify no-results message and use success icon helper
* fix(discussion view): use color scheme method for success icon
* fix(discussion view): error when --comments is used with a comment argument
* test(acceptance): use positional comment argument in discussion view test
* refactor(discussion/client): take host instead of repo in GetComment
* refactor(discussion view): replace --replies flag with positional comment argument
* chore: fix formatting
* test(acceptance): cover discussion comment URLs in comment and view tests
* feat(discussion): support comment URLs in --replies and comment command
* test(discussion comment): add non-tty delete flag validation test case
* test(acceptance): add discussion comment acceptance test
* refactor(acceptance): use discussion comment command instead of raw API calls
* feat(discussion): add discussion comment command
* feat(discussion/client): add comment manipulation methods
* chore: apply formatting
* chore(discussion): remove unused HttpClient field from create and edit
* fix(discussion): remove redundant error wrapping on ListCategories
* test(discussion list): rename TestNewCmdList2 to TestNewCmdList
* Add terminal-mockup canvas extension for marketing screenshots (#13612)
* fix(discussion): add missing repo flag override
* test(discussion list): consolidate tests into table-driven format
* docs(acceptance): add new jq2env and jq-assert functions
* test(discussion): add acceptance tests for discussion commands
* fix(discussion list): print answered instead of checkmark in non-tty mode
* refactor(discussion/client): precheck discussions enabled via getRepositoryMeta
* refactor(discussion): add Cursor field and ExportData to DiscussionListResult
* feat(extension): alias `uninstall` to `remove`
* chore(deps): bump actions/checkout from 6.0.2 to 6.0.3
* chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1
* chore(deps): bump charm.land/bubbletea/v2 from 2.0.6 to 2.0.7
* docs(discussion view): improve long help text for clarity
* fix(discussion): handle partial failure on create/update label mutations
* Clean up deferred issue update helper (#13584)
* Auto-install official extension stubs in CI (#13581)
* chore(discussion/client): fix formatting
* docs(discussion/client): add godoc to exported consts
* refactor(discussion list): make pager call/error consistent with view command
* refactor(discussion): extract command-level consts for enums
* fix(discussion): various polish and small fixes
* Merge pull request #13057 from cli/kw/issues-2.0
* Bump Go to 1.26.4
* chore(deps): bump github.com/mattn/go-colorable from 0.1.14 to 0.1.15
* address review comments
* feat(discussion edit): add discussion edit command
* feat(discussion create): add discussion create command
* feat(discussion view): add discussion view command
* feat(discussion list): add discussion list command
* feat(discussion/shared): add shared utilities for discussion commands
* feat(discussion/client): add discussion client package
* Use github-copilot agent ID in skill list tests and help text
* Rename hosts field and helpers to agentHosts in skill list
* Stat SKILL.md before reading in skill list
* Sanitize terminal control characters in skill list output
* chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1
* chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.9 to 2.13.10
* address copilot comments, clarify text
* address copilot comments
* handle skills in skills/ folder when running list command, by marking them as published
* address bagtoad's feedback
* add --all flag to install all skills in a repo
* fix warning message to make it clear
* skip prompting for skills without metadata when running gh skill update --all
* add logic to preview too
* fix discovery support in nested dirs
* fix test
* fix tests
* fix linting
* add skill list command
- Update to version 2.93.0:
* test(attestation): align integration tests with new external HTTP client
* fix: use separate http client for non-github hosts
* docs: note immutable releases starting v2.93.0
* bump golang.org/x/net
* Link to Accessibility category for community discussions instead of ACR (#13481)
* Allow agents as application for secrets (#13421)
* SHA pin first-party GitHub Actions
* chore(deps): bump github/codeql-action from 4 to 4.35.5
* Add 3 day dependabot cooldown period
* chore(deps): bump github.com/google/go-containerregistry
* Run govulncheck daily instead of weekly
* Merge pull request #13486 from cli/tommy/update-x-crypto
* Potential fix for pull request finding
* Potential fix for pull request finding
* Stop bumping homebrew on release
* chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 (#13461)
* Remove discussion workflow
* Remove dependency on persistent token
* Remove third-party license debris
* chore(deps): bump github.com/theupdateframework/go-tuf/v2
* docs: drop --repo gh-cli from dnf install lines
* Assert digest prefix in release verify no-attestation tests
* chore(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1
* Derive digest algorithm from ref length in release verify commands
* docs: fix duplicated of in release-process-deep-dive
* chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0
* Simplify bump-go.sh toolchain logic
* Remove unnecessary null checks in jq output handling
* Rewrite script to use go mod edit instead of grep/sed
* Address code review comments
* Improve version comparison to handle both X.Y.0 and X.Y.Z formats
* Update bump-go.sh to handle missing toolchain directive
* Initial plan
* Update CODEOWNERS for skills directory ownership
* chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0
* chore(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0
* chore(deps): bump golang.org/x/term from 0.42.0 to 0.43.0
* fix(copilot): update test assertion to match updated error message
* fix(copilot): provide full path to copilot binary on exec error
* fix(copilot): hint to run copilot directly when exec fails
* fix(telemetry): use CREATE_NO_WINDOW to prevent tzutil console flash on Windows
* Fix triage-pull-requests skipping PRs that open as draft
* chore(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0
* Bump Go toolchain to 1.26.3
* Fix skills acceptance tests
* Add explicit build tags to platform-specific echo test files
* Address review feedback on echo mode polling
* Poll TTY echo mode instead of sleeping in password tests
* Record accessibility state in telemetry
* Bump copilot telemetry sampling to 100%
* chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6
* Remove numberFieldOnly API shortcut
* Grammar fixes
* Switch from actions/attest-build-provenance to actions/attest
* Enable extended PR screening for external PRs
* Fix flaky Password test by increasing echo mode setup timeout
* Add missing //go:build integration tag to verify_integration_test.go
* chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1
* Apply patch from code review feedback.
* Print `gh auth refresh` for 401 returns
* Update installation commands for GitHub CLI
- Update to version 2.92.0:
* Bump Go to 1.26.2
* chore(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22
* Update command.go
* Add Resource not accessible to ProjectsV2IgnorableError
* chore: fix zsh completion on debian
* install_linux: correct typo in Homebrew copy
* chore(deps): bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.6
* chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.8 to 2.13.9
* Update acceptance/testdata/workflow/run-view-log-escape-sequences.txtar
* Fix log terminal injection
* fix(skills): include --allow-hidden-dirs in preview hint from install
* Install skills flat by Name, not namespaced InstallName
* feat(skills): add --allow-hidden-dirs flag to preview command
* feat(skills): support GHEC with data residency hosts
* Fix SetSampleRate not updating sample_rate dimension
* fix: yaml.github-actions.security.run-shell-injection.run-shell-injection security vulnerability
* Enable telemetry without env var
* test(telemetry): assert ANSI escape chars for color codes
* fix(telemetry): lower bias in sample bucket calc
* feat(skills): detect re-published skills and offer upstream install
* Log when there is no telemetry
* Add telemetry command
* Record official extension telemetry
* fix(skills): prioritize DisplayName/Name over InstallName match
* fix(skills): match skills by install name in preview command
* use the right json field names for skills
* fix totalCount guidance
* docs(skills): note --template collisions and single-string search
* backtick skill filename
* docs(skills): drop hand-copied naming rules from gh-skill
* use hyphen instead
* docs(skills): add gh and gh-skill agent skills
* feat(skills): support nested skills/ directories in discovery
* fix(skills): make --fix and --dry-run mutually exclusive, suppress publish prompt
* fix(skills): use canonical 'gh skill' not 'gh skills' alias
* fix(skills): stop publish --fix from publishing
* Include CI context in telemetry
* refactor: decouple hidden-dir filtering from discovery layer
* Add support for installation in multiple agent hosts in `gh skills install` (#13209)
* Add skills specific telemetry
* chore(deps): bump github.com/google/go-containerregistry
* Do not send telemetry for aliases
* Apply review feedback
* Disable telemetry for GHES
* remove misleading text
* Add sampled command telemetry
* Update publish_test.go
* refactor: replace real git with run.CommandStubber in publish tests
* fix: apply review feedback nil HttpClient, local dedup type
* Remove dispatch after install, install only
* Rename official extension files and types to stubs
* Replace em-dashes with regular dashes
* Address PR review feedback
* Add no em dash rule to AGENTS.md
* Suggest and install official extensions via stub commands
* Add @cli/code-reviewers to all CODEOWNERS rules
* Add cli/skill-reviewers as CODEOWNERS for skills packages
* style: fix gofmt alignment in publish tests
* fix: update acceptance test to match current error message
* fix: address post-merge review feedback for skills commands
* refactor: remove redundant nil-client fallback in skills publish (#13168)
* feat(skills): auto-push unpushed commits before publish
* refactor: use shared discovery logic in publish command
* fix(skill publish): remove misleading `validate` alias
* docs(skill): improve help docs
* fix skills names in examples
* Disable auth check for `gh extension install`
* Suggest and install official extensions for unknown commands
* Update acceptance/testdata/skills/skills-search-noresults.txtar
* URL-encode parentPath in skills discovery API call
* Disable auth check for local-only skill flags
* fix: address review feedback on namespace changes
* chore: remove unused newTestGitClient function
* fix: preserve namespace in skills search deduplication
* fix: use target directory remotes in skills publish
* fix: enforce size cap on first preview file, surface corrupted skills, fail on path traversal
* fix: align relevanceScore comments with implementation and fix typo
* chore(deps): bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3
* chore(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21
* address review comments
* clean up interface and fix a few bugs
* cleanup frontmatter fields
* add .agents/skills as default installation path for hosts that support it: cursor, codex, gemini CLI, github copilot, antigravity.
* show loading spinner during installation, even for multi-file skills
* use markdown renderer in preview when previewing multi-file skills
* Expand test coverage and fix invariants/bugs
* add core logic and improve test coverage
* improve test coverage/cleanup
* register initial skills commands
* add skills command scaffold
* docs: fix SHA512 checksum for GPG key
* chore(deps): bump github.com/hashicorp/go-version from 1.8.0 to 1.9.0
* chore(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0
* chore(deps): bump github.com/sigstore/timestamp-authority/v2
* docs: add sha/md5 checksums of keyring files
* chore(deps): bump github.com/google/go-containerregistry
* chore(deps): bump github.com/sigstore/protobuf-specs from 0.5.0 to 0.5.1
* chore: delete experimental script/debian-devel
* chore(deps): bump charm.land/bubbles/v2 from 2.0.0 to 2.1.0
* Document dependency CVE policy in SECURITY.md
* docs: add manual PGP key verification commands
* chore: re-add toolchain to go1.26.2
* docs: polish wording around PGP keys
* docs: include PGP key fingerprints
* Fix infinite loop in 'gh release list --limit 0'
* chore(deps): bump github.com/in-toto/attestation from 1.1.2 to 1.2.0
* chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5
* test(internal/authflow): assert user-agent header is not modified/added
* replace github.com/golang/snappy with klauspost/compress/snappy
* docs: require tests and linter pass before committing
* fix(auth): preserve User-Agent in authflow getViewer
* fix(api): propagate InvokingAgent in gh api HTTP client
* chore(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.8.2
* chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1
- Update to version 2.89.0:
* Ensure huh prompter cleans up
* fix(huh prompter): remove unused fields and imports
* go mod tidy
* feat(huh prompter): clear search input after submitting query
* refactor(huh prompter): custom Field for MultiSelectWithSearch
* feat(huh prompter): add placeholder to search input
* fix(huh prompter): use synchronized accessors to eliminate data race
* fix(accessible prompter): update test expectations for huh v2
* refactor(huh prompter): pipe-based test harness with full coverage
* test(huh prompter): add table-driven tests for all prompt types
* Upgrade to huh/v2 and fix selection persistence in MultiSelectWithSearch
* Fix gofmt alignment for prompter-enabled fields in IOStreams
* Use LayoutStack for huhPrompter MultiSelectWithSearch
* Add experimental huh-only prompter gated by GH_EXPERIMENTAL_PROMPTER
* Add nameWithOwner to necessary tests
* fix(pr view): fetch nameWithOwner in headRepository GraphQL query
* test(acceptance): remove run-download-traversal test
* fix(acceptance): set git identity in testscript sandbox
* internal/codespaces/portforwarder: define err in go func instead of use err defined in outer scope
* chore(deps): bump github.com/zalando/go-keyring from 0.2.6 to 0.2.8
* Update docs/triage.md
* Update docs/triage.md
* Align triage.md with unified triage process
* Fix typo: remove extra space in README.md link
* fix(survey): use useReviewerSearch consistently in prompt path
* fix(pr create): wire up @copilot assignee replacement and [bot] suffix
* refactor(survey): simplify ApiActorsSupported in RepoMetadataInput
* docs(featuredetection): document GHES removal criteria for ApiActorsSupported
* refactor(featuredetection): rename ActorIsAssignable to ApiActorsSupported
* refactor(pr shared): consolidate ActorAssignees and ActorReviewers into ApiActorsSupported
* refactor(pr shared): extract SpecialAssigneeReplacer for @me and Copilot expansion
* chore(deps): bump github.com/google/go-containerregistry
* Record agentic invocations in User-Agent header
* Address review: table tests, godocs, code style
* Add AGENTS.md optimized for AI agent token efficiency
* docs: simplify flag text
* docs(pr edit): improve command examples with grouped sections
* docs: clarify that --add-reviewer can re-request reviews
* feat(pr create, issue create): search-based assignee selection in MetadataSurvey
* review: address code review feedback
* refactor(issue edit): wire up search-based assignee selection
* refactor(pr edit): remove actor accumulation hack from assignee search
* refactor(pr edit, issue edit): use login-based assignee mutation for flag flows
* fix(pr create): use login-based assignee mutation on github.com
* chore(deps): bump microsoft/setup-msbuild from 2.0.0 to 3.0.0
* chore(deps): bump mislav/bump-homebrew-formula-action from 3.6 to 4.1
* Remove auto-labels from issue templates
* fix(agent-task): resolve Copilot API URL dynamically (#12956)
* chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3
* chore(deps): bump azure/login from 2.3.0 to 3.0.0
* fix: improve docs around IssueRepoInfo
* test(issue transfer): update stub for IssueRepositoryInfo query
* fix(issue transfer): use IssueRepoInfo to fetch minimal fields for issues
* test(issue create): update stubs for IssueRepositoryInfo query
* fix(issue create): use IssueRepoInfo to avoid requiring Contents:Read permission
* test(api): add tests for GitHubRepo and IssueRepoInfo
* refactor(api): add IssueRepoInfo for minimal issue repo queries
- Update to version 2.88.1:
* Revert fix: clarify scope error while creating issues for projects
* Revert refactor: deduplicate scope error handling between api/client.go and project queries
* Switch deployment signing to OIDC authentication
- Update to version 2.88.0:
* fix: add if guard to no-response job to prevent running on workflow_dispatch
* Add pitch surfacing workflow (monthly + manual dispatch)
* fix: address review feedback on squash merge commit message
* fix: gofmt alignment in test struct literals
* feat(repo): add --squash-merge-commit-message flag to gh repo edit
* chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0
* refactor: change extractFileName param from []byte to string
* Update Go version requirement to 1.26+
* Bump golangci-lint from v2.6.0 to v2.11.0 for Go 1.26 support
* Bump Go from 1.25.7 to 1.26.1 to fix stdlib vulnerabilities
* Address review comments: use actorDisplayName for Copilot author display
* Show friendly display names in gh issue view
* Add generic actorDisplayName for all actor display names
* Show friendly Copilot (AI) name in gh pr view
* fix: align example indentation with codebase convention
* fix: address review feedback for --exclude flag
* fix: share diffHeaderRegexp between changedFilesNames and extractFileName, fix gofmt
* feat(pr diff): add --exclude flag to filter files from diff output
* Fetch org teams via repository.owner inline fragment
* chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2
* Exclude PR author from reviewer candidates in SuggestedReviewerActors
* Fix duplicate reviewers in gh pr edit by passing logins as defaults
* Exclude current user from suggested reviewers in gh pr create
* Replace @copilot with Copilot reviewer login in gh pr create
* Add TODO requestReviewsByLoginCleanup on GHES ID-based reviewer path
* Remove /slug team reviewer shorthand normalization
* Add TODO requestReviewsByLoginCleanup on static reviewer MultiSelect
* Check state.ActorReviewers in MetadataSurvey reviewer search gate
* Label Copilot detection in SuggestedReviewerActorsForRepo as a hack
* Add TODO requestReviewsByLoginCleanup in CreatePullRequest
* refactor: deduplicate scope error handling between api/client.go and project queries
* Fix extension install error message showing raw struct instead of owner/repo (#12836)
* chore(deps): bump github.com/docker/cli
* Remove StateReason feature detection for issue close
* Remove unnecessary StateReasonDuplicate feature detection
* docs: add examples to gh issue close help text (#12830)
* Fix incorrect integer conversion from int to uint16 in port forwarder (#12831)
* Combine issue feature detection into a single GraphQL query
* feat(browse): add blame flag
* Reword `--no-upstream` help doc
* test(issue list): cover additional PR search qualifier variants
* fix(issue list): reject pull request-only search qualifiers
* chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0
* chore(deps): bump github.com/gabriel-vasile/mimetype
* chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1
* chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0
* chore(deps): bump actions/download-artifact from 7 to 8
* chore(deps): bump actions/upload-artifact from 6 to 7
* Set COPILOT_GH env var when launching Copilot CLI
* Simplify progress indicators in issue develop
* Emit null for zero createdAt/updatedAt values
* Address Copilot review feedback
* Polish --json support for agent-task view
* Polish --json support for agent-task list
* Fix gofmt alignment in view_test.go
* feat(pr): add changeType field to files JSON output
* Add --duplicate-of flag and duplicate reason to gh issue close
* Add --json support to `gh agent-task view`
* Add --json support to `gh agent-task list`
* fix(project/item-edit): preserve title/body when editing draft issue with partial flags
* Add databaseId to assignees GraphQL fragment
* fix(licenses): implement VCS-friendly embedding
* chore(gitignore): ignore generated license files
* Use pre-compiled regexp for matching Content-Type
* chore(script/licenses): fix indentation
* fix(script/licenses): generate licenses in separate dirs
* Fix invalid ANSI SGR escape code in JSON and diff colorization
* Add --no-upstream flag to gh repo clone
* Clarify ReviewerCandidate relationship to AssignableActor
* Move PR review queries from queries_pr.go to queries_pr_review.go
* Use org/slug format in test fixtures and remove /slug normalization
* Normalize /slug team shorthand to org/slug and fix docs
* Include bot logins in login-based reviewer mutation guard
* Skip reviewer metadata fetch when using search-based selection
* Update test assertions to expect org/slug team format
* Wire bot reviewer logins through CreatePullRequest
* Partition bot reviewers separately for RequestReviewsByLogin ...
Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected gh, gh-bash-completion, gh-fish-completion and / or gh-zsh-completion packages.
Plugin Details
File Name: openSUSE-2026-21310-1.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:gh-fish-completion, p-cpe:/a:novell:opensuse:gh-bash-completion, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:gh-zsh-completion, p-cpe:/a:novell:opensuse:gh
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 7/10/2026
Vulnerability Publication Date: 11/14/2024