NO-ISSUE: Refresh RPM lockfiles RPM lockfile refresh [SECURITY]#10563
Conversation
|
@red-hat-konflux[bot]: This pull request explicitly references no jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: red-hat-konflux[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
2 similar comments
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: red-hat-konflux[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: red-hat-konflux[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@red-hat-konflux[bot]: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
91bb69e to
f761efd
Compare
|
New changes are detected. LGTM label has been removed. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release-ocm-2.16 #10563 +/- ##
====================================================
- Coverage 44.01% 44.01% -0.01%
====================================================
Files 415 415
Lines 72094 72094
====================================================
- Hits 31733 31729 -4
- Misses 37477 37479 +2
- Partials 2884 2886 +2 🚀 New features to boost your workflow:
|
This PR contains the following updates:
File rpm-prefetching/assisted-service-rhel9/rpms.in.yaml:
4:1-135.el9_7->5:5.8-1.el911.5.0-11.el9->11.5.0-14.el91.27-1.el9_7->1.27-1.el9_811.5.0-11.el9->11.5.0-14.el92.47.3-1.el9_6->2.52.0-1.el92.47.3-1.el9_6->2.52.0-1.el92.47.3-1.el9_6->2.52.0-1.el95.14.0-611.55.1.el9_7->5.14.0-687.20.1.el9_811.5.0-11.el9->11.5.0-14.el911.5.0-11.el9->11.5.0-14.el92.2.57-1.el9_7->2.2.60-1.el9_82.2.57-1.el9_7->2.2.60-1.el9_81:3.5.1-7.el9_7->1:3.5.5-4.el9_82.47.3-1.el9_6->2.52.0-1.el92:1.20.0-3.el9_7->2:1.22.2-6.el9_82.35.2-67.el9_7.1->2.35.2-72.el92.35.2-67.el9_7.1->2.35.2-72.el92.9.6-27.el9->2.9.6-28.el92.9.6-27.el9->2.9.6-28.el92.7.2-4.el9->2.8.1-3.el99:1.02.206-2.el9_7.2->9:1.02.207-4.el9_8.19:1.02.206-2.el9_7.2->9:1.02.207-4.el9_8.10.193-1.el9->0.194-1.el90.193-1.el9->0.194-1.el90.193-1.el9->0.194-1.el90.193-1.el9->0.194-1.el92.5.0-5.el9_7.1->2.5.0-6.el9_8.10.4.1-4.el9->0.4.1-7.el9_83.1-38.20210216cvs.el9->3.1-39.20210216cvs.el911.5.0-11.el9->11.5.0-14.el91:1.54.0-4.el9_7->1:1.54.3-3.el9_81:1.54.0-4.el9_7->1:1.54.3-3.el9_81:1.54.0-4.el9_7->1:1.54.3-3.el9_88.7p1-49.el9_7->9.9p1-7.el9_88.7p1-49.el9_7->9.9p1-7.el9_81:3.5.1-7.el9_7->1:3.5.5-4.el9_81:3.5.1-7.el9_7->1:3.5.5-4.el9_81.5.1-26.el9_6->1.5.1-28.el92:4.9-15.el9->2:4.9-16.el92:1.34-9.el9_7->2:1.34-11.el92.2.57-1.el9_7->2.2.60-1.el9_82.0.6-1.el9->2.0.6-3.el9crun: crun: Privilege escalation due to incorrect parsing of the
--useroptionCVE-2026-30892
More information
Details
A flaw was found in crun, an open-source OCI Container Runtime. A local user can exploit this vulnerability due to incorrect parsing of the
--useroption when usingcrun exec. The value1is misinterpreted as root privileges (User ID 0 and Group ID 0) instead of the intended User ID 1 and Group ID 0. This allows a process to run with higher privileges than expected, leading to privilege escalation.Severity
Moderate
References
libexpat: denial of service via crafted XML input
CVE-2026-45186
More information
Details
A flaw was found in libexpat. When processing a specially crafted XML input containing a specific pattern of attributes, the parsing time increases quadratically due to checks for attribute name collisions. This consumes excessive CPU resources and eventually results in a denial of service.
Severity
Important
References
OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode
CVE-2026-35385
More information
Details
A flaw was found in OpenSSH. When the
scpcommand is used by a root user to download a file with the legacy protocol option (-O) and without preserving original file permissions (-p), the downloaded file can be installed with elevated privileges (setuid or setgid). This unexpected behavior could allow a malicious file to execute with higher permissions than intended, posing a security risk through potential privilege escalation.Severity
Important
References
OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username
CVE-2026-35386
More information
Details
A flaw was found in OpenSSH. This vulnerability allows a remote attacker to achieve arbitrary command execution by injecting shell metacharacters into a username provided on the command line. Exploitation requires an untrusted username and a non-default configuration of the '%' character in
ssh_config.Severity
Important
References
OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage
CVE-2026-35387
More information
Details
A flaw was found in OpenSSH. This vulnerability allows the system to use unintended Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms. This occurs because the configuration for accepted public key algorithms is misinterpreted, leading to the use of weaker cryptographic methods than intended. This could potentially allow an attacker to compromise the confidentiality of data.
Severity
Important
References
OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
CVE-2026-35388
More information
Details
A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a multiplexed session without explicit confirmation, leading to unintended data handling.
Severity
Important
References
OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
CVE-2026-35414
More information
Details
A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorized_keys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This could lead to security bypasses, potentially allowing unintended access or information disclosure in specific authentication contexts.
Severity
Important
References
🔧 This Pull Request updates lock files to use the latest dependency versions.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.