chore(deps): refresh rpm lockfiles [SECURITY] #45
+498
−498
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
3 times, most recently
from
7bf9b96 to
450aa1d
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
7 times, most recently
from
040bd5d to
09e08a4
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
3 times, most recently
from
d1913a8 to
1aba844
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
5 times, most recently
from
60d49fd to
baf37dd
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
4 times, most recently
from
d6c0b10 to
255e99c
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
6 times, most recently
from
9ebc1c2 to
0f6e911
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
2 times, most recently
from
5bb9c85 to
47b63d6
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
6 times, most recently
from
ec15a92 to
b7ef9ed
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
11 times, most recently
from
24ee107 to
1052af4
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
6 times, most recently
from
b65a550 to
684eb28
Compare
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
5 times, most recently
from
6810314 to
8ed968c
Compare
Signed-off-by: konflux-internal-p02 <170854209+konflux-internal-p02[bot]@users.noreply.github.com>
konflux-internal-p02
bot
force-pushed
the
konflux/mintmaker/release-5.3/lock-file-maintenance-vulnerability
branch
from
8ed968c to
4442efa
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
File rpms.in.yaml:
1.0.6-3.el8->1.0.6-4.el8_108.30-15.el8->8.30-16.el8_108.30-15.el8->8.30-16.el8_107.61.1-34.el8_10.8->7.61.1-34.el8_10.98:1.02.181-15.el8_10.2->8:1.02.181-15.el8_10.38:1.02.181-15.el8_10.2->8:1.02.181-15.el8_10.3049-237.git20250603.el8_10->049-239.git20251127.el8_101:4.6.0-23.el8_10->1:4.6.0-24.el8_102.56.4-167.el8_10->2.56.4-168.el8_102.28-251.el8_10.25->2.28-251.el8_10.272.28-251.el8_10.25->2.28-251.el8_10.272.28-251.el8_10.25->2.28-251.el8_10.272.28-251.el8_10.25->2.28-251.el8_10.272.32.1-46.el8->2.32.1-48.el8_107.61.1-34.el8_10.8->7.61.1-34.el8_10.92.32.1-46.el8->2.32.1-48.el8_102.32.1-46.el8->2.32.1-48.el8_102.9-10.el8_10->2.9-11.el8_102.32.1-46.el8->2.32.1-48.el8_102.32.1-46.el8->2.32.1-48.el8_101:1.1.1k-14.el8_6->1:1.1.1k-14.el8_101:1.1.1k-14.el8_6->1:1.1.1k-14.el8_101.74-9.el8->1.74-11.el8_101.3.1-38.el8_10->1.3.1-39.el8_103.6.8-71.el8_10->3.6.8-73.el8_103.6.8-71.el8_10->3.6.8-73.el8_102:4.6-22.el8->2:4.6-23.el8_10239-82.el8_10.8->239-82.el8_10.13239-82.el8_10.8->239-82.el8_10.13239-82.el8_10.8->239-82.el8_10.13239-82.el8_10.8->239-82.el8_10.132025b-1.el8->2025c-1.el82.32.1-46.el8->2.32.1-48.el8_102:2.29.0-3.el8_10.3->2:2.29.0-3.el8_10.42:2.29.0-3.el8_10.3->2:2.29.0-3.el8_10.42:2.29.0-3.el8_10.3->2:2.29.0-3.el8_10.4Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS
CVE-2025-6176
More information
Details
Scrapy are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.
Severity
Important
References
curl: libcurl: Curl out of bounds read for cookie path
CVE-2025-9086
More information
Details
securekeyword forhttps://targethttp://target(samehostname, but using clear text HTTP) using the same cookie set
path=\"/\",).Since this site is not secure, the cookie should just be ignored.
boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Severity
Moderate
References
glib: Integer overflow in in g_escape_uri_string()
CVE-2025-13601
More information
Details
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
Severity
Moderate
References
util-linux: util-linux: Heap buffer overread in setpwnam() when processing 256-byte usernames
CVE-2025-14104
More information
Details
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the
setpwnam()function, affecting SUID (Set User ID) login-utils utilities writing to the password database.Severity
Moderate
References
cpython: POP3 command injection in user-controlled commands
CVE-2025-15367
More information
Details
A flaw was found in the poplib module in the Python standard library. The poplib module does not reject control characters, such as newlines, in user-controlled input passed to POP3 commands. This issue allows an attacker to inject additional commands to be executed in the POP3 server.
Severity
Moderate
References
cpython: python: cpython: Quadratic algorithm in xml.dom.minidom leads to denial of service
CVE-2025-12084
More information
Details
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
Severity
Moderate
References
cpython: IMAP command injection in user-controlled commands
CVE-2025-15366
More information
Details
A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed in the IMAP server.
Severity
Moderate
References
cpython: wsgiref.headers.Headers allows header newline injection in Python
CVE-2026-0865
More information
Details
User-controlled header names and values containing newlines can allow injecting HTTP headers.
Severity
Moderate
References
cpython: email header injection due to unquoted newlines
CVE-2026-1299
More information
Details
A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules, allowing an attacker to inject email headers and potentially modify message recipients or the email body, and spoof sender information.
Severity
Moderate
References
🔧 This Pull Request updates lock files to use the latest dependency versions.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.