Refresh RPM lockfiles [SECURITY] #894
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into master from
Conversation
Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
🤖 To deploy this PR, run the following command:
/retest
/test e2e-aws-serial
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02[bot]: The following tests failed, say
Full PR test history. Your PR dashboard.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This PR contains the following updates:
File images/must-gather/rpms.in.yaml:
4.16.0-202410172045.p0.gcf533b5.assembly.stream.el9 -> 4.20.0-202603030647.p2.g64e778a.assembly.stream.el9
1.6-17.el9 -> 1.6-19.el9
3.2.3-20.el9 -> 3.2.5-3.el9
2:1.34-7.el9 -> 2:1.34-9.el9_7
File images/openscap/rpms.in.yaml:
1:1.3.12-1.el9_6 -> 1:1.3.13-1.el9_7
1:1.3.12-1.el9_6 -> 1:1.3.13-1.el9_7
2.5.0-5.el9_6 -> 2.5.0-5.el9_7.1
28-10.el9 -> 28-11.el9
2.37.4-21.el9 -> 2.37.4-21.el9_7
1:3.2.2-6.el9_5.1 -> 1:3.5.1-7.el9_7
1.5.1-25.el9_6 -> 1.5.1-26.el9_6
252-51.el9_6.1 -> 252-55.el9_7.7
252-51.el9_6.1 -> 252-55.el9_7.7
252-51.el9_6.1 -> 252-55.el9_7.7
2.37.4-21.el9 -> 2.37.4-21.el9_7
2.37.4-21.el9 -> 2.37.4-21.el9_7
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing
CVE-2025-59375
More information
Details
A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.
Severity
Important
References
util-linux: util-linux: Heap buffer overread in setpwnam() when processing 256-byte usernames
CVE-2025-14104
More information
Details
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
Severity
Moderate
References
systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump
CVE-2025-4598
More information
Details
A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.
A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
Severity
Moderate
References
runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects
CVE-2025-52881
More information
Details
A flaw was found in runc. This attack is a more sophisticated variant of CVE-2019-16884, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation applied for CVE-2019-16884 was fairly limited and effectively only caused runc to verify that, when it writes LSM labels, those labels are actual procfs files.
Severity
Important
References
golang: net/url: Memory exhaustion in query parameter parsing in net/url
CVE-2025-61726
More information
Details
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
Severity
Important
References
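The CVE-2025-61726 entry above describes an application calling net/http.Request.ParseForm on a request with an enormous number of query parameters. The Go code below is an added example, not part of this PR, of the Go standard library fix, or of the project's code: it is an application-level guard that counts key=value pairs in the raw query string (a cheap O(n) scan, no map allocation) and rejects the request before net/url builds a map entry per key, and it bounds the form body with http.MaxBytesReader so the same cap cannot be sidestepped via an x-www-form-urlencoded POST body. The cap value (maxQueryParams = 64), the body limit, and all function names are assumptions chosen for illustration; a real service would size the cap to its own routes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxQueryParams is an assumed per-request cap chosen for this example; the
// advisory names no number, and a real service would size it to its own routes.
const maxQueryParams = 64

// maxBodyBytes bounds the POST body that ParseForm would also read, so the cap
// on query pairs cannot be bypassed through an x-www-form-urlencoded body.
const maxBodyBytes = 64 << 10

// countQueryPairs estimates how many key=value pairs net/url would parse from a
// raw query. It splits on '&' like url.ParseQuery does but never builds a map,
// so its cost is linear in the query length rather than one allocation per key.
// Empty segments such as "a=1&&b=2" are counted too, which only makes the cap
// stricter than the parser itself.
func countQueryPairs(rawQuery string) int {
	if rawQuery == "" {
		return 0
	}
	return strings.Count(rawQuery, "&") + 1
}

// LimitQueryParams wraps next and rejects, with 414, any request whose query
// string would expand to more than limit pairs, before ParseForm ever runs.
func LimitQueryParams(next http.Handler, limit int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if n := countQueryPairs(r.URL.RawQuery); n > limit {
			msg := fmt.Sprintf("too many query parameters (%d > %d)", n, limit)
			http.Error(w, msg, http.StatusRequestURITooLong)
			return
		}
		// ParseForm reads the body for POST/PUT/PATCH; bound it as well.
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
		next.ServeHTTP(w, r)
	})
}

// echoCount stands in for an application handler on the code path the
// advisory describes: it calls ParseForm and reports how many keys it got.
func echoCount(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parsed %d keys\n", len(r.Form))
}

// statusFor drives a handler with an in-memory GET request for target and
// returns the HTTP status it produced.
func statusFor(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

// buildQuery constructs a query with n distinct keys (k0=1&k1=1&...), a
// constructed stand-in for the "massive number of query parameters" input.
func buildQuery(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=1", i)
	}
	return b.String()
}

func main() {
	guarded := LimitQueryParams(http.HandlerFunc(echoCount), maxQueryParams)
	fmt.Println("10 params:", statusFor(guarded, "/?"+buildQuery(10)))
	fmt.Println("1000 params:", statusFor(guarded, "/?"+buildQuery(1000)))
}
```

The guard sits in front of ParseForm rather than replacing it, so the application keeps the standard parser and its semantics; only requests that would exceed the pair cap are turned away, and they are turned away before any per-key allocation happens.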
🔧 This Pull Request updates lock files to use the latest dependency versions.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment /ok-to-test.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.