The openSUSE Security Team has released update 2026:0074-1 for gitea-tea, addressing CVE-2025-47911 & CVE-2025-58190. This moderate-rated patch upgrades the CLI tool to version 0.12.0, introducing critical workflow management commands, API extensions, and essential security fixes for authentication and file permissions.
The openSUSE project has officially released a pivotal security update for gitea-tea, the official command-line interface for Gitea. Issued on March 8, 2026, under advisory openSUSE-SU-2026:0074-1, this update transitions the tool to version 0.12.0.
While rated as moderate severity, it addresses two specific CVEs and a host of functional improvements that directly impact the security and stability of development workflows on openSUSE Backports SLE-15-SP7.
For systems administrators and DevOps engineers relying on Gitea for self-hosted Git repositories, understanding the nuances of this patch is critical.
This update isn't merely a feature drop; it is a targeted response to potential access and authentication vulnerabilities that could compromise CI/CD pipelines and source code integrity.
Why This Update Demands Immediate Attention
The core imperative for applying this security update stems from the resolution of two identified Common Vulnerabilities and Exposures (CVEs):
CVE-2025-47911 (CVSS 6.9)
CVE-2025-58190 (CVSS 6.9)
Both vulnerabilities carry a CVSS score of 6.9, classified as moderate. In the context of a source code management tool, this rating should not be underestimated.
These flaws pertain to access issues which, in practical terms, could allow unauthorized actions or information disclosure if left unpatched. The update mitigates these risks by hardening the CLI's interaction with the Gitea server, ensuring that authentication and command execution adhere strictly to security best practices.
Deep Dive: What’s New in Gitea Tea v0.12.0?
Beyond the security patches, the update to version 0.12.0 introduces substantial enhancements that transform gitea-tea from a simple helper tool into a more powerful automation interface.
Key New Features & Capabilities
This release significantly expands the CLI's functionality, making it indispensable for scripted interactions and complex Git operations.
Workflow Management: The introduction of tea actions commands (from issues #880, #796) allows developers to manage Gitea Actions workflows directly from the terminal. This is a game-changer for CI/CD management without leaving the command line.
Extended API Access: The new tea api subcommand (from #879) acts as a direct passthrough to the Gitea API, enabling arbitrary calls for operations not explicitly covered by built-in commands. This provides immense flexibility for advanced automation.
Repository Webhooks: Administrators can now programmatically manage webhooks using tea (from #798), streamlining integrations with external services like Slack, Jenkins, or custom notification systems.
AGit Flow Support: Creating pull requests using the popular AGit flow is now supported (from #867), aligning the tool with modern, distributed code review practices.
Enhanced Data Output: The addition of JSON output for pull requests and issues (from #864, #841) means data can be easily parsed and consumed by other scripts or monitoring tools, moving beyond human-readable tables.
Critical Bug Fixes and Security Hardening
The "Bug Fixes" section of the changelog reads like a checklist for a security-focused release.
Authentication and Access Control
SSH Authentication: A fix ensures the token uniqueness check is correctly skipped when using SSH authentication (#898), resolving a major blocker for users relying on SSH keys.
Environment Variables: Authentication via environment variables when specifying a repository argument has been corrected (#809), ensuring that automated scripts run in CI environments authenticate correctly.
Token Validation: The client now requires a non-empty token when retrieving logins (#895), preventing potential misconfigurations.
System Integrity and Permissions
File Permissions: A significant security hardening measure is the fix for config file permissions (#856). The update removes group read/write permissions, ensuring that sensitive credentials stored in the config file are not inadvertently exposed to other users on a multi-tenant system.
Concurrency Control: The implementation of file locking for safe concurrent access to the config file (#881) prevents data corruption in environments where multiple tea processes might run simultaneously.
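As an added example, not part of the advisory or of tea's own code, the following POSIX shell script audits a tea config file for the group/other permission bits that fix #856 removes and tightens it to owner-only. The default path ~/.config/tea/config.yml is an assumption, and the demonstration runs on a constructed temporary file rather than a real config.

```shell
#!/bin/sh
# Added example: check whether a tea config file is exposed to group/other
# (the condition fix #856 addresses) and, if so, tighten it to mode 0600.
# Assumed default location (tea's XDG config path): ~/.config/tea/config.yml
TEA_CONFIG="${TEA_CONFIG:-$HOME/.config/tea/config.yml}"

# Returns 0 if only the owner has any permission on the file,
# 1 if any group or other permission bit is set, 2 if the file is missing.
tea_config_is_private() {
    f="$1"
    [ -f "$f" ] || return 2
    # ls -l mode string, e.g. -rw-rw-r--; characters 5-10 are the group/other bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Owner-only access, which also satisfies the #856 rule of no group read/write.
tea_config_harden() {
    chmod 600 "$1" && tea_config_is_private "$1"
}

# Demonstration on a constructed temporary file so no real credentials are touched.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/config.yml"
printf 'logins:\n- name: example\n  token: PLACEHOLDER_TOKEN\n' > "$demo_cfg"
chmod 664 "$demo_cfg"   # group read/write: the exposure the old versions could leave behind
if tea_config_is_private "$demo_cfg"; then
    echo "$demo_cfg: ok"
else
    echo "$demo_cfg: exposed to group/other, tightening"
    tea_config_harden "$demo_cfg" && echo "$demo_cfg: now $(ls -ld "$demo_cfg" | cut -c1-10)"
fi
rm -rf "$demo_dir"
```

Run it against a real installation with TEA_CONFIG pointing at your config file, or drop the demonstration block and call tea_config_is_private "$TEA_CONFIG" from a login script.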
User Experience and Reliability
Crash Prevention: A fix for a crash during PR creation (#823) and improved error handling for git worktree support (#850) enhance stability.
CLI Robustness: The update reverts a change that required HTTP/HTTPS login URLs, restoring SSH as a valid login method (#891). This is crucial for users in air-gapped or internally networked environments.
Technical Specifications: The Build and Dependencies
For the security-conscious engineer, the software supply chain matters. This update builds gitea-tea with Go 1.25 (#886), incorporating the latest compiler security features and standard library improvements. Key dependencies have been rigorously updated to their latest stable versions, including:
urfave/cli v3.6.2
go-git v5.16.5
Charmbracelet's lipgloss v2
These updates ensure that the toolchain itself is free from known vulnerabilities in older libraries.
Implementation: Patching Your openSUSE System
Applying this update is straightforward using openSUSE's robust package management tools. The update is specifically targeted for openSUSE Backports SLE-15-SP7.
For users of YaST (Graphical Interface):
Open YaST.
Navigate to Software > Online Update.
Accept the patch openSUSE-2026-74.
For users of Zypper (Command Line):
Execute the following command in your terminal:
sudo zypper patch
This command will automatically fetch and apply all pending patches, including this one.
Alternatively, to install this specific patch:
sudo zypper in -t patch openSUSE-2026-74=1
Affected Packages
Post-update, your system should reflect the new package versions:
Main Package:
gitea-tea-0.12.0-bp157.2.15.1 (for architectures: aarch64, i586, ppc64le, s390x, x86_64)
Shell Completions (Noarch):
gitea-tea-bash-completion-0.12.0-bp157.2.15.1
gitea-tea-zsh-completion-0.12.0-bp157.2.15.1
Frequently Asked Questions (FAQ)
Q: Is this update critical for my single-user development machine?
A: While rated moderate, it addresses authentication and permission flaws. If you use gitea-tea to interact with remote repositories, updating is a best practice to protect your access credentials and ensure secure operation.
Q: Will updating break my existing automation scripts?
A: The update to v0.12.0 is backward-compatible in its core functions. However, the new tea api command and JSON outputs offer new opportunities. Review your scripts if they rely on specific error message strings, as error handling has been improved.
Q: I use SSH exclusively. Will this update affect my login flow?
A: No. In fact, version 0.12.0 specifically restores and improves SSH support, ensuring that the SSH authentication path works without prompting for unnecessary token checks.
Q: What are the CVEs fixed in this update?
A: This update resolves CVE-2025-47911 and CVE-2025-58190. You can find detailed technical information on the SUSE security channel: CVE-2025-47911 and CVE-2025-58190.
Conclusion: Strengthen Your Development Foundation
Proactive security maintenance is the hallmark of a resilient IT infrastructure. The openSUSE-SU-2026:0074-1 update for gitea-tea is more than a routine patch; it is a significant upgrade that enhances both the security posture and the functional capability of your Gitea CLI tool.
By addressing key vulnerabilities in authentication and file permissions while simultaneously expanding the tool's API and workflow management features, this release ensures that your interaction with Gitea remains secure, efficient, and future-proof.
Action:
Execute the zypper patch command on your openSUSE Backports SLE-15-SP7 systems today to maintain a secure and optimized development environment.