Skip to content

NO-ISSUE: Refresh RPM lockfiles RPM lockfile refresh [SECURITY]#10563

Open
red-hat-konflux[bot] wants to merge 1 commit into
release-ocm-2.16from
konflux/mintmaker/release-ocm-2.16/lock-file-maintenance-rpm-lockfile-refresh-vulnerability
Open

NO-ISSUE: Refresh RPM lockfiles RPM lockfile refresh [SECURITY]#10563
red-hat-konflux[bot] wants to merge 1 commit into
release-ocm-2.16from
konflux/mintmaker/release-ocm-2.16/lock-file-maintenance-rpm-lockfile-refresh-vulnerability

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

File rpm-prefetching/assisted-service-rhel9/rpms.in.yaml:

Package Change
containers-common 4:1-135.el9_7 -> 5:5.8-1.el9
cpp 11.5.0-11.el9 -> 11.5.0-14.el9
crun 1.27-1.el9_7 -> 1.27-1.el9_8
gcc 11.5.0-11.el9 -> 11.5.0-14.el9
git 2.47.3-1.el9_6 -> 2.52.0-1.el9
git-core 2.47.3-1.el9_6 -> 2.52.0-1.el9
git-core-doc 2.47.3-1.el9_6 -> 2.52.0-1.el9
kernel-headers 5.14.0-611.55.1.el9_7 -> 5.14.0-687.20.1.el9_8
libasan 11.5.0-11.el9 -> 11.5.0-14.el9
libubsan 11.5.0-11.el9 -> 11.5.0-14.el9
nmstate 2.2.57-1.el9_7 -> 2.2.60-1.el9_8
nmstate-libs 2.2.57-1.el9_7 -> 2.2.60-1.el9_8
openssl-devel 1:3.5.1-7.el9_7 -> 1:3.5.5-4.el9_8
perl-Git 2.47.3-1.el9_6 -> 2.52.0-1.el9
skopeo 2:1.20.0-3.el9_7 -> 2:1.22.2-6.el9_8
binutils 2.35.2-67.el9_7.1 -> 2.35.2-72.el9
binutils-gold 2.35.2-67.el9_7.1 -> 2.35.2-72.el9
cracklib 2.9.6-27.el9 -> 2.9.6-28.el9
cracklib-dicts 2.9.6-27.el9 -> 2.9.6-28.el9
cryptsetup-libs 2.7.2-4.el9 -> 2.8.1-3.el9
device-mapper 9:1.02.206-2.el9_7.2 -> 9:1.02.207-4.el9_8.1
device-mapper-libs 9:1.02.206-2.el9_7.2 -> 9:1.02.207-4.el9_8.1
elfutils-debuginfod-client 0.193-1.el9 -> 0.194-1.el9
elfutils-default-yama-scope 0.193-1.el9 -> 0.194-1.el9
elfutils-libelf 0.193-1.el9 -> 0.194-1.el9
elfutils-libs 0.193-1.el9 -> 0.194-1.el9
expat 2.5.0-5.el9_7.1 -> 2.5.0-6.el9_8.1
libeconf 0.4.1-4.el9 -> 0.4.1-7.el9_8
libedit 3.1-38.20210216cvs.el9 -> 3.1-39.20210216cvs.el9
libgomp 11.5.0-11.el9 -> 11.5.0-14.el9
NetworkManager 1:1.54.0-4.el9_7 -> 1:1.54.3-3.el9_8
NetworkManager-config-server 1:1.54.0-4.el9_7 -> 1:1.54.3-3.el9_8
NetworkManager-libnm 1:1.54.0-4.el9_7 -> 1:1.54.3-3.el9_8
openssh 8.7p1-49.el9_7 -> 9.9p1-7.el9_8
openssh-clients 8.7p1-49.el9_7 -> 9.9p1-7.el9_8
openssl 1:3.5.1-7.el9_7 -> 1:3.5.5-4.el9_8
openssl-libs 1:3.5.1-7.el9_7 -> 1:3.5.5-4.el9_8
pam 1.5.1-26.el9_6 -> 1.5.1-28.el9
shadow-utils-subid 2:4.9-15.el9 -> 2:4.9-16.el9
tar 2:1.34-9.el9_7 -> 2:1.34-11.el9
nmstate-devel 2.2.57-1.el9_7 -> 2.2.60-1.el9_8
librtas 2.0.6-1.el9 -> 2.0.6-3.el9

crun: crun: Privilege escalation due to incorrect parsing of the --user option

CVE-2026-30892

More information

Details

A flaw was found in crun, an open-source OCI Container Runtime. A local user can exploit this vulnerability due to incorrect parsing of the --user option when using crun exec. The value 1 is misinterpreted as root privileges (User ID 0 and Group ID 0) instead of the intended User ID 1 and Group ID 0. This allows a process to run with higher privileges than expected, leading to privilege escalation.

Severity

Moderate

References


libexpat: denial of service via crafted XML input

CVE-2026-45186

More information

Details

A flaw was found in libexpat. When processing a specially crafted XML input containing a specific pattern of attributes, the parsing time increases quadratically due to checks for attribute name collisions. This consumes excessive CPU resources and eventually results in a denial of service.

Severity

Important

References


OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode

CVE-2026-35385

More information

Details

A flaw was found in OpenSSH. When the scp command is used by a root user to download a file with the legacy protocol option (-O) and without preserving original file permissions (-p), the downloaded file can be installed with elevated privileges (setuid or setgid). This unexpected behavior could allow a malicious file to execute with higher permissions than intended, posing a security risk through potential privilege escalation.

Severity

Important

References


OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username

CVE-2026-35386

More information

Details

A flaw was found in OpenSSH. This vulnerability allows a remote attacker to achieve arbitrary command execution by injecting shell metacharacters into a username provided on the command line. Exploitation requires an untrusted username and a non-default configuration of the '%' character in ssh_config.

Severity

Important

References


OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage

CVE-2026-35387

More information

Details

A flaw was found in OpenSSH. This vulnerability allows the system to use unintended Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms. This occurs because the configuration for accepted public key algorithms is misinterpreted, leading to the use of weaker cryptographic methods than intended. This could potentially allow an attacker to compromise the confidentiality of data.

Severity

Important

References


OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions

CVE-2026-35388

More information

Details

A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a multiplexed session without explicit confirmation, leading to unintended data handling.

Severity

Important

References


OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option

CVE-2026-35414

More information

Details

A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorized_keys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This could lead to security bypasses, potentially allowing unintended access or information disclosure in specific authentication contexts.

Severity

Important

References

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. rpm-lockfile labels Jun 30, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (UTC)

  • Branch creation
  • At any time (no schedule defined)
  • Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e107d5b5-0794-40f8-89ee-b4d6255b4d82

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/release-ocm-2.16/lock-file-maintenance-rpm-lockfile-refresh-vulnerability

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 30, 2026
@openshift-ci openshift-ci Bot requested review from adriengentil and oourfali June 30, 2026 13:07
@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

2 similar comments
@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 9dd048d and 2 for PR HEAD 91bb69e in total

@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-ocm-2.16/lock-file-maintenance-rpm-lockfile-refresh-vulnerability branch from 91bb69e to f761efd Compare July 3, 2026 00:11
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.01%. Comparing base (4add9bc) to head (f761efd).

Additional details and impacted files

Impacted file tree graph

@@                 Coverage Diff                  @@
##           release-ocm-2.16   #10563      +/-   ##
====================================================
- Coverage             44.01%   44.01%   -0.01%     
====================================================
  Files                   415      415              
  Lines                 72094    72094              
====================================================
- Hits                  31733    31729       -4     
- Misses                37477    37479       +2     
- Partials               2884     2886       +2     

see 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. rpm-lockfile size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant