chore(deps): refresh rpm lockfiles (release-1.18) [SECURITY] #956

Open
red-hat-konflux[bot] wants to merge 1 commit into release-1.18 from konflux/mintmaker/release-1.18-release-1.18/lock-file-maintenance-vulnerability
@red-hat-konflux
Contributor

This PR contains the following updates:

File prefetch/rpms/ubi9/rpms.in.yaml:

| Package | Change |
| --- | --- |
| cmake | 3.26.5-3.el9_7 -> 3.31.8-3.el9 |
| cmake-data | 3.26.5-3.el9_7 -> 3.31.8-3.el9 |
| cmake-filesystem | 3.26.5-3.el9_7 -> 3.31.8-3.el9 |
| git | 2.47.3-1.el9_6 -> 2.52.0-1.el9 |
| git-core | 2.47.3-1.el9_6 -> 2.52.0-1.el9 |
| git-core-doc | 2.47.3-1.el9_6 -> 2.52.0-1.el9 |
| perl-Git | 2.47.3-1.el9_6 -> 2.52.0-1.el9 |
| cracklib | 2.9.6-27.el9 -> 2.9.6-28.el9 |
| cracklib-dicts | 2.9.6-27.el9 -> 2.9.6-28.el9 |
| expat | 2.5.0-5.el9_7.1 -> 2.5.0-6.el9 |
| file | 5.39-16.el9 -> 5.39-17.el9 |
| jq | 1.6-19.el9_7.0.2 -> 1.6-19.el9_8.2 |
| libeconf | 0.4.1-4.el9 -> 0.4.1-5.el9 |
| libedit | 3.1-38.20210216cvs.el9 -> 3.1-39.20210216cvs.el9 |
| libfdisk | 2.37.4-21.el9_7 -> 2.37.4-25.el9 |
| openssh | 8.7p1-49.el9_7 -> 9.9p1-7.el9_8 |
| openssh-clients | 8.7p1-49.el9_7 -> 9.9p1-7.el9_8 |
| openssl | 1:3.5.1-7.el9_7 -> 1:3.5.5-2.el9_8 |
| pam | 1.5.1-26.el9_6 -> 1.5.1-28.el9 |
| tar | 2:1.34-9.el9_7 -> 2:1.34-11.el9 |
| util-linux | 2.37.4-21.el9_7 -> 2.37.4-25.el9 |
| util-linux-core | 2.37.4-21.el9_7 -> 2.37.4-25.el9 |
| vim-filesystem | 2:8.2.2637-23.el9_7.3 -> 2:8.2.2637-26.el9_8.4 |
| librtas | 2.0.6-1.el9 -> 2.0.6-3.el9 |

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers

CVE-2026-39979

Details

A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the jv_parse_sized function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the error message generated by the parser.

Severity

Important


jq: jq: Denial of Service via crafted JSON object causing hash collisions

CVE-2026-40164

Details

A flaw was found in jq, a command-line JSON processor. A remote attacker could exploit this vulnerability by providing a specially crafted JSON object. This object leverages a weakness in jq's hashing algorithm, which uses a hardcoded, publicly known seed. By crafting the JSON object to cause hash collisions, an attacker can degrade the performance of JSON object hash table operations, leading to significant CPU exhaustion and a denial of service (DoS) for systems processing the malicious JSON data.

Severity

Important


OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username

CVE-2026-35386

Details

A flaw was found in OpenSSH. This vulnerability allows a remote attacker to achieve arbitrary command execution by injecting shell metacharacters into a username provided on the command line. Exploitation requires an untrusted username and a non-default configuration of the '%' character in ssh_config.

Severity

Important


OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage

CVE-2026-35387

Details

A flaw was found in OpenSSH. This vulnerability allows the system to use unintended Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms. This occurs because the configuration for accepted public key algorithms is misinterpreted, leading to the use of weaker cryptographic methods than intended. This could potentially allow an attacker to compromise the confidentiality of data.

Severity

Important


OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode

CVE-2026-35385

Details

A flaw was found in OpenSSH. When the scp command is used by a root user to download a file with the legacy protocol option (-O) and without preserving original file permissions (-p), the downloaded file can be installed with elevated privileges (setuid or setgid). This unexpected behavior could allow a malicious file to execute with higher permissions than intended, posing a security risk through potential privilege escalation.

Severity

Important


OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions

CVE-2026-35388

Details

A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a multiplexed session without explicit confirmation, leading to unintended data handling.

Severity

Important


OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option

CVE-2026-35414

Details

A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorized_keys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This could lead to security bypasses, potentially allowing unintended access or information disclosure in specific authentication contexts.

Severity

Important

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

red-hat-konflux bot force-pushed the konflux/mintmaker/release-1.18-release-1.18/lock-file-maintenance-vulnerability branch 3 times, most recently from b6f0404 to 65f8561 (May 20, 2026 12:56)
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux bot force-pushed the konflux/mintmaker/release-1.18-release-1.18/lock-file-maintenance-vulnerability branch from 65f8561 to a493e70 (May 20, 2026 12:57)