@red-hat-konflux red-hat-konflux bot commented Oct 8, 2025

This PR contains the following updates:

File rpms.in.yaml:

Package Change
vim-filesystem 2:8.0.1763-19.el8_6.4 -> 2:8.0.1763-21.el8_10
binutils 2.30-125.el8_10 -> 2.30-127.el8_10
curl 7.61.1-34.el8_10.3 -> 7.61.1-34.el8_10.8
file 5.33-26.el8 -> 5.33-27.el8_10
file-libs 5.33-26.el8 -> 5.33-27.el8_10
gnutls 3.6.16-8.el8_10.3 -> 3.6.16-8.el8_10.4
grub2-common 1:2.02-167.el8_10 -> 1:2.02-169.el8_10
grub2-tools 1:2.02-167.el8_10 -> 1:2.02-169.el8_10
grub2-tools-minimal 1:2.02-167.el8_10 -> 1:2.02-169.el8_10
kernel-headers 4.18.0-553.75.1.el8_10 -> 4.18.0-553.81.1.el8_10
libcom_err 1.45.6-6.el8_10 -> 1.45.6-7.el8_10
libcom_err-devel 1.45.6-6.el8_10 -> 1.45.6-7.el8_10
libcurl 7.61.1-34.el8_10.3 -> 7.61.1-34.el8_10.8
libcurl-devel 7.61.1-34.el8_10.3 -> 7.61.1-34.el8_10.8
libssh 0.9.6-14.el8 -> 0.9.6-15.el8_10
libssh-config 0.9.6-14.el8 -> 0.9.6-15.el8_10
openssh 8.0p1-25.el8_10 -> 8.0p1-26.el8_10
openssh-clients 8.0p1-25.el8_10 -> 8.0p1-26.el8_10
s390utils-base 2:2.29.0-3.el8_10.1 -> 2:2.29.0-3.el8_10.3
s390utils-core 2:2.29.0-3.el8_10.1 -> 2:2.29.0-3.el8_10.3
s390utils-se-data 2:2.29.0-3.el8_10.1 -> 2:2.29.0-3.el8_10.3

gnutls: Vulnerability in GnuTLS otherName SAN export

CVE-2025-32988

Details

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Severity

Moderate

gnutls: NULL pointer dereference in _gnutls_figure_common_ciphersuite()

CVE-2025-6395

Details

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Severity

Moderate

gnutls: Vulnerability in GnuTLS certtool template parsing

CVE-2025-32990

Details

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Severity

Moderate

libssh: out-of-bounds read in sftp_handle()

CVE-2025-5318

Details

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Severity

Moderate

openssh: Machine-in-the-middle attack if VerifyHostKeyDNS is enabled

CVE-2025-26465

Details

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legitimate server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Severity

Moderate

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).
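
A check a reviewer of a lock-file bump like this one would want, as an added example that is not part of the PR, of MintMaker/Renovate, or of the collector repository: a pure-Python port of rpm's rpmvercmp() label ordering (including the `~` pre-release and `^` post-release rules), an epoch:version-release comparison built on it, a pass over rows copied from the package table above confirming that every row moves strictly forward, and a helper for comparing what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' <pkg>` reports inside the built image against the locked version, so the fixed package versions can be confirmed to have actually landed. The row data is copied from the table; the comparison semantics are those of rpm's rpmvercmp(), reimplemented here rather than called through the rpm bindings, so the script runs offline.

```python
# Added example: verify an RPM lock-file bump only moves packages forward.
# Port of rpm's rpmvercmp() plus an E:V-R comparison; runs offline (no rpm calls).
import re
import string

# Only ASCII alphanumerics, '~' and '^' matter to rpm; '.', '_', '-' separate.
SIGNIFICANT = set(string.ascii_letters + string.digits + "~^")

# (name, old EVR, new EVR) rows copied from the PR's package table above.
LOCK_UPDATES = [
    ("vim-filesystem", "2:8.0.1763-19.el8_6.4", "2:8.0.1763-21.el8_10"),
    ("curl", "7.61.1-34.el8_10.3", "7.61.1-34.el8_10.8"),
    ("file", "5.33-26.el8", "5.33-27.el8_10"),
    ("gnutls", "3.6.16-8.el8_10.3", "3.6.16-8.el8_10.4"),
    ("kernel-headers", "4.18.0-553.75.1.el8_10", "4.18.0-553.81.1.el8_10"),
    ("libssh", "0.9.6-14.el8", "0.9.6-15.el8_10"),
    ("openssh", "8.0p1-25.el8_10", "8.0p1-26.el8_10"),
    ("s390utils-base", "2:2.29.0-3.el8_10.1", "2:2.29.0-3.el8_10.3"),
]


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Digit runs compare numerically, letter runs lexically, numeric beats alpha,
    '~' sorts before anything (1.0~rc1 < 1.0), '^' after the bare version."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in SIGNIFICANT:   # skip separators
            i += 1
        while j < len(b) and b[j] not in SIGNIFICANT:
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":    # tilde: older than everything, even EOS
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":    # caret: newer than EOS, older than more
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca in string.digits
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma = re.match(pattern, a[i:])
        mb = re.match(pattern, b[j:])
        if mb is None:                # segment types differ: numeric is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        if isnum:                     # drop leading zeros; longer number wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + ma.end(), j + mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1   # whoever has characters left wins


def parse_evr(evr):
    """Split 'E:V-R' into (epoch, version, release). A missing epoch, or the
    literal '(none)' that rpm -q --qf '%{EPOCH}' prints, counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, _, release = evr.rpartition("-")
    if not version:                   # no '-' at all: whole string is version
        version, release = release, ""
    return epoch, version, release


def compare_evr(a, b):
    """Order two E:V-R strings as rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_lock_updates(rows):
    """Rows that are NOT strict upgrades; an empty list means all move forward."""
    return [r for r in rows if compare_evr(r[1], r[2]) >= 0]


def meets_minimum(installed, required):
    """True if an installed E:V-R (e.g. from rpm -q in the built image) is at
    or above the locked version, i.e. the fixed build actually landed."""
    return compare_evr(installed, required) >= 0
```

`check_lock_updates(LOCK_UPDATES)` returns an empty list for the table above, and `meets_minimum("7.61.1-34.el8_10.3", "7.61.1-34.el8_10.8")` is False, which is the case to catch: an image that still carries the old curl build after the lock file was bumped. Epoch is compared first, so a package that gained an epoch (`1:0.9-1`) correctly sorts above an epoch-less `1.0-1`; forgetting the epoch when reading `rpm -q` output is the usual way such a check silently passes.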

@red-hat-konflux red-hat-konflux bot requested a review from rhacs-bot as a code owner October 8, 2025 16:30
@red-hat-konflux red-hat-konflux bot added build-builder-image rebuild-test-container Rebuild the collector-tests container. labels Oct 8, 2025
@red-hat-konflux red-hat-konflux bot requested a review from a team as a code owner October 8, 2025 16:30

@rhacs-bot rhacs-bot left a comment


Auto-approved by automation.

codecov-commenter commented Oct 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.60%. Comparing base (eb2bc9e) to head (562cf7b).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2561   +/-   ##
=======================================
  Coverage   27.60%   27.60%           
=======================================
  Files          95       95           
  Lines        5422     5422           
  Branches     2523     2523           
=======================================
  Hits         1497     1497           
  Misses       3213     3213           
  Partials      712      712           
Flag Coverage Δ
collector-unit-tests 27.60% <ø> (ø)


@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/master/lock-file-maintenance-vulnerability branch 9 times, most recently from 70cae05 to f590e31 Compare October 15, 2025 20:26
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/master/lock-file-maintenance-vulnerability branch 9 times, most recently from ece7051 to 358532f Compare October 24, 2025 08:23
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/master/lock-file-maintenance-vulnerability branch 3 times, most recently from c59d202 to bc36e35 Compare October 27, 2025 08:24
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/master/lock-file-maintenance-vulnerability branch from bc36e35 to 562cf7b Compare October 27, 2025 12:24
@msugakov

/retest collector-on-push

@msugakov msugakov merged commit 01ece37 into master Oct 27, 2025
80 of 86 checks passed
@msugakov msugakov deleted the konflux/mintmaker/master/lock-file-maintenance-vulnerability branch October 27, 2025 18:49