Description
Security update for trivy
This update for trivy fixes the following issues:
Changes in trivy:
- Update to version 0.70.0 (bsc#1260193, CVE-2026-33186, bsc#1260971, CVE-2026-33747, bsc#1261052, CVE-2026-33748, bsc#1262389, CVE-2026-39984, bsc#1262893, CVE-2026-34986):
- release: v0.70.0 [main] (#10105)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#10496)
- chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#10526)
- chore(deps): bump the common group across 1 directory with 8 updates (#10540)
- chore(deps): bump the docker group across 1 directory with 2 updates (#10538)
- fix: use Development category for GoReleaser discussions (#10530)
- chore(deps): bump testcontainers-go to v0.42.0 (#10531)
- chore: update CODEOWNERS (#10529)
- chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#10511)
- chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#10510)
- chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 (#10449)
- ci: migrate from mkdocs-material-insiders to mkdocs-material (#10509)
- chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#10508)
- ci: update runners for workflows that interact with GitHub API (#10502)
- ci: rename tokens and update runners (#10500)
- ci: trigger helm chart publishing via helm-charts workflow (#10474)
- ci: remove ruleset update step from release-please workflow (#10499)
- ci: use large runner and replace ORG_REPO_TOKEN in release-please workflow (#10498)
- ci: trigger rpm/deb deployment via trivy-repo workflow (#10476)
- fix: remove os.Stdout from wazero module config (#10403)
- chore(deps): bump the common group across 1 directory with 22 updates (#10408)
- chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#10407)
- fix(flag): validate template file extension (#10296)
- fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without layer info (#10378)
- fix: handle Go 1.26 GOEXPERIMENT version format change (#10351)
- fix(python): handle multiple version specifiers in requirements.txt (#10361)
- ci: run Trivy version bump in trivy-action (#10272)
- fix(python): nil pointer dereference with optional poetry groups without dependencies (#10359)
- ci: replace personal email with github-actions[bot] in workflows (#10369)
- chore: replace smithy epoch parsing with stdlib time.Unix (#10286)
- test: update golden files for purl changes (#10372)
- ci: add zizmor to scan GitHub Actions workflows (#10322)
- refactor: log statuses as strings (#10285)
- ci: add build provenance attestations for release artifacts (#10316)
- fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#10368)
- fix(report): set correct sarif ROOTPATH uri when scanning a git repository (#10366)
- perf(plugin): optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#10325)
- docs: correct typos in CHANGELOG and diagram (#10320)
- chore: delete roadmap wf (#10295)
- ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3 (#10310)
- fix(cyclonedx): include CVSS v4 vulnerability ratings (#10313)
- fix: detected vulnerability fields in azure and mariner detector (#10275)
- ci: add persist-credentials: false to checkout steps (#10306)
- ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2 (#10270)
- chore(deps): bump the common group across 1 directory with 8 updates (#10248)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#10257)
- chore(deps): bump the aws group across 1 directory with 6 updates (#10249)
- chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#10241)
- ci: remove apidiff workflow (#10259)
- chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible in the docker group across 1 directory (#10221)
- ci: bump golangci-lint to v2.10 in cache-test-assets (#10243)
- feat(java): add support for proxy configuration from Maven settings.xml (#10187)
- chore(deps): bump the github-actions group across 3 directories with 11 updates (#10242)
- feat(python): add pylock.toml support (#10137)
- chore: bump SPDX license IDs and exceptions to v3.28.0 (#10233)
- docs: fix typos and upgrade insecure HTTP links to HTTPS (#10219)
- chore: bump golangci-lint to v2.10.0 (#10223)
- feat(misconf): support for azurerm_network_interface_security_group_association (#10215)
- ci: pin Docker Engine to v29 for integration tests (#10232)
- feat(go): detect version from ELF symbol table for binaries built with -trimpath (#10197)
- docs: migrate private registry documentation from GCR to GAR (#10208)
- chore(deps): bump the common group across 1 directory with 24 updates (#10206)
- chore(deps): update Docker client SDK to v29 (#10202)
- test: update Docker Engine integration tests for Docker API v0.29.0+ compatibility (#10199)
- fix(misconf): initialize custom annotation field if empty (#10123)
- feat(ubuntu): add eol data for 25.10 (#10181)
- docs: fix incorrect count of Python package managers (#10175)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#10179)
- feat(misconf): resolve Azure resources via resource_id (#10173)
- ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#10155)
- refactor: remove unused Insecure field from ServiceOption (#10113)
- refactor: reduce complexity of init in detect.go (#10163)
- feat(misconf): adapt ARM k8s clusters (#9696) (#10125)
- docs: update version endpoint example in client/server documentation (#10151)
- feat(vuln): skip third-party packages in common Detect function (#10129)
- ci: add composite action for Go setup (#10146)
- fix(misconf): apply check aliases when filtering results via .trivyignore (#10112)
- docs(terraform): add limitation for data sources and computed resource attributes (#10128)
- fix: update PhotonOS feed URL (#10122)
- feat(server): include server version info in JSON output for client/server mode (#10075)
- chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107)
- refactor: unify scanner error limit and compiler limit (#10106)
- ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#10103)
- fix(java): Disable overwriting exclusions (#10088)
- refactor(rust): use txtar format for cargo analyzer test data (#10104)
- feat(python): add pylock.toml (PEP 751) parser (#9632)
- chore(deps): bump the aws group across 1 directory with 6 updates (#10068)
- fix(server): exclude JavaDB and CheckBundle from /version endpoint (#10100)
- Update to version 0.69.3 (CVE-2026-25934, bsc#1258094):
- release: v0.69.3 [release/v0.69] (#10293)
- fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)
- release: v0.69.2 [release/v0.69] (#10266)
- fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#10267)
- fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#10264)
- ci: remove apidiff workflow
- release: v0.69.1 [release/v0.69] (#10145)
- ci: add composite action for Go setup [backport: release/v0.69] (#10150)
- fix(misconf): apply check aliases when filtering results via .trivyignore [backport: release/v0.69] (#10143)
- chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs [backport: release/v0.69] (#10135)
Package list
openSUSE Leap 16.0
References
- SUSE Security Ratings
- SUSE Bug 1258094
- SUSE Bug 1258513
- SUSE Bug 1260193
- SUSE Bug 1260971
- SUSE Bug 1261052
- SUSE Bug 1262389
- SUSE Bug 1262893
- SUSE CVE CVE-2025-69725 page
- SUSE CVE CVE-2026-25934 page
- SUSE CVE CVE-2026-33186 page
- SUSE CVE CVE-2026-33747 page
- SUSE CVE CVE-2026-33748 page
- SUSE CVE CVE-2026-34986 page
- SUSE CVE CVE-2026-39984 page
Description
An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain.
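The description above names the bug class but not the defensive pattern. The following is an added example, not chi's code: a trailing-slash redirect helper in the unsafe shape (the request path is trimmed and used as the Location target as-is) next to a hardened one that canonicalizes the path with `path.Clean` so the target can only be a path on the same origin. The function names, the `RedirectSlashesSafe` middleware and the sample paths are all constructed for illustration.

```go
package main

import (
	"net/http"
	"path"
	"strings"
)

// naiveTrailingSlashTarget mirrors the unsafe pattern: take the request path as
// received and only strip the trailing slash. A request for "//evil.com/" yields
// "//evil.com", which browsers treat as a protocol-relative URL to another host.
func naiveTrailingSlashTarget(p string) (string, bool) {
	if len(p) > 1 && strings.HasSuffix(p, "/") {
		return strings.TrimSuffix(p, "/"), true
	}
	return "", false
}

// safeTrailingSlashTarget canonicalizes the path before it is used as a Location
// value, so the redirect can only land on a path-absolute target on this origin.
func safeTrailingSlashTarget(p string) (string, bool) {
	if len(p) <= 1 || !strings.HasSuffix(p, "/") {
		return "", false
	}
	// WHATWG URL parsing treats "\" like "/" for http(s), so refuse it outright.
	if strings.ContainsRune(p, '\\') {
		return "", false
	}
	// path.Clean collapses repeated slashes ("//evil.com" -> "/evil.com"),
	// resolves ".." segments and drops the trailing slash.
	target := path.Clean(p)
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
		return "", false
	}
	return target, true
}

// RedirectSlashesSafe is a hypothetical net/http middleware wiring the hardened
// helper into a 301 for any path that ends in "/".
func RedirectSlashesSafe(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if target, ok := safeTrailingSlashTarget(r.URL.Path); ok {
			if r.URL.RawQuery != "" {
				target += "?" + r.URL.RawQuery
			}
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The check to carry over to any redirect helper: never emit a Location header built from unnormalized request data; after cleaning, require exactly one leading slash.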
Affected products
References
- CVE-2025-69725
- SUSE Bug 1258511
Description
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (.idx) are generated locally by go-git, or the git CLI, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
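The checks the paragraph refers to are simple to state: a packfile ends in a 20-byte SHA-1 over everything before it, and a version-2 pack index ends in the checksum of its pack followed by a SHA-1 over everything before that last field. The following is an added example, not go-git's code, verifying both trailers over constructed zero-object sample files (the smallest well-formed pack and index). Function names are illustrative.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

var (
	ErrTooShort    = errors.New("git: file shorter than header plus checksum trailer")
	ErrBadMagic    = errors.New("git: unexpected file signature")
	ErrBadChecksum = errors.New("git: trailing SHA-1 does not match contents")
)

// VerifyPackChecksum checks a packfile's integrity trailer: the last 20 bytes
// are the SHA-1 of every byte before them. It returns the object count on success.
func VerifyPackChecksum(pack []byte) (uint32, error) {
	const headerLen = 12 // "PACK" + version + object count
	if len(pack) < headerLen+sha1.Size {
		return 0, ErrTooShort
	}
	if string(pack[:4]) != "PACK" {
		return 0, ErrBadMagic
	}
	body, want := pack[:len(pack)-sha1.Size], pack[len(pack)-sha1.Size:]
	got := sha1.Sum(body)
	if !bytes.Equal(got[:], want) {
		return 0, ErrBadChecksum
	}
	return binary.BigEndian.Uint32(pack[8:12]), nil
}

// VerifyIdxChecksums checks a version-2 pack index. Its 40-byte trailer holds the
// checksum of the pack it indexes, then the SHA-1 of everything before that
// final field (header, fanout, entries and the copied pack checksum).
func VerifyIdxChecksums(idx, pack []byte) error {
	const headerLen = 8 + 256*4 // magic + version + fanout table
	if len(idx) < headerLen+2*sha1.Size || len(pack) < sha1.Size {
		return ErrTooShort
	}
	if !bytes.Equal(idx[:4], []byte{0xff, 't', 'O', 'c'}) {
		return ErrBadMagic
	}
	packSum := idx[len(idx)-2*sha1.Size : len(idx)-sha1.Size]
	if !bytes.Equal(packSum, pack[len(pack)-sha1.Size:]) {
		return ErrBadChecksum // index does not belong to this pack
	}
	got := sha1.Sum(idx[:len(idx)-sha1.Size])
	if !bytes.Equal(got[:], idx[len(idx)-sha1.Size:]) {
		return ErrBadChecksum
	}
	return nil
}

// BuildEmptyPack returns a constructed sample packfile with zero objects.
func BuildEmptyPack() []byte {
	var b bytes.Buffer
	b.WriteString("PACK")
	binary.Write(&b, binary.BigEndian, uint32(2)) // pack format version
	binary.Write(&b, binary.BigEndian, uint32(0)) // object count
	sum := sha1.Sum(b.Bytes())
	return append(b.Bytes(), sum[:]...)
}

// BuildEmptyIdx returns a constructed sample v2 index for the given pack.
func BuildEmptyIdx(pack []byte) []byte {
	var b bytes.Buffer
	b.Write([]byte{0xff, 't', 'O', 'c'})
	binary.Write(&b, binary.BigEndian, uint32(2)) // index version
	b.Write(make([]byte, 256*4))                   // fanout table, all zero: no objects
	b.Write(pack[len(pack)-sha1.Size:])            // copy of the pack checksum
	sum := sha1.Sum(b.Bytes())
	return append(b.Bytes(), sum[:]...)
}

func main() {
	pack := BuildEmptyPack()
	if _, err := VerifyPackChecksum(pack); err != nil {
		panic(err)
	}
	bad := append([]byte(nil), pack...)
	bad[11] ^= 0x01 // silently change the object count
	if _, err := VerifyPackChecksum(bad); err == nil {
		panic("corrupted pack accepted")
	}
}
```

A client that skips either comparison will happily parse a pack whose object count or offsets were altered in transit, which is exactly the "object not found" failure mode the advisory describes.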
Affected products
References
- CVE-2026-25934
- SUSE Bug 1258093
Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, AND whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Upgrading is the recommended fix; until then, users can mitigate using one or more of the following: a validating interceptor (the recommended mitigation), infrastructure-level normalization, and/or policy hardening.
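The "validating interceptor" mitigation reduces to one check that must run before the policy sees the method name. The following is an added example, not gRPC-Go's or `grpc/authz`'s code: a minimal deny-list policy with a fallback allow, evaluated once on the raw path (the bypass) and once behind a validator that rejects any `FullMethod` not of the form `/Service/Method`. The validator is deliberately stricter than the upstream fix, which only requires the leading slash. In a real server the `ValidateMethodPath` call sits at the top of a `grpc.UnaryServerInterceptor` / `StreamServerInterceptor` on `info.FullMethod`, returning `codes.Unimplemented`; that wiring is omitted so the block runs with the standard library alone. Policy contents and method names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNonCanonicalPath = errors.New("method path is not of the form /Service/Method")

// Policy is a tiny path-based authorization policy: explicit deny rules written
// against canonical method paths, and a fallback allow for everything else.
// This is the shape the advisory describes as affected.
type Policy struct {
	Deny []string
}

func (p Policy) Allow(fullMethod string) bool {
	for _, d := range p.Deny {
		if fullMethod == d {
			return false
		}
	}
	return true // fallback allow
}

// ValidateMethodPath is the check a validating interceptor runs on info.FullMethod
// before any policy evaluation: exactly "/" + service + "/" + method, no empty
// segments, no extra slashes.
func ValidateMethodPath(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrNonCanonicalPath
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrNonCanonicalPath
	}
	return nil
}

// AuthorizeRaw models the vulnerable server: the policy is evaluated on the path
// string exactly as it arrived in the :path pseudo-header.
func AuthorizeRaw(p Policy, fullMethod string) bool {
	return p.Allow(fullMethod)
}

// AuthorizeValidated models the mitigated server: non-canonical paths are
// rejected before the policy can be consulted.
func AuthorizeValidated(p Policy, fullMethod string) (bool, error) {
	if err := ValidateMethodPath(fullMethod); err != nil {
		return false, err
	}
	return p.Allow(fullMethod), nil
}

func main() {
	policy := Policy{Deny: []string{"/admin.Admin/DeleteUser"}}
	for _, path := range []string{"/admin.Admin/DeleteUser", "admin.Admin/DeleteUser", "/users.Users/Get"} {
		raw := AuthorizeRaw(policy, path)
		validated, err := AuthorizeValidated(policy, path)
		fmt.Printf("%-26s raw=%-5v validated=%-5v err=%v\n", path, raw, validated, err)
	}
}
```

The second line of the output is the bug in miniature: the raw evaluation allows `admin.Admin/DeleteUser` because the deny rule only matches the canonical spelling, while the validated path refuses it before the policy is consulted.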
Affected products
References
- CVE-2026-33186
- SUSE Bug 1260085
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Affected products
References
- CVE-2026-33747
- SUSE Bug 1260954
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
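Both BuildKit issues above (a frontend message writing outside the state directory, and a subdir component that is a symlink out of the checkout) are instances of one check being missing: a caller-supplied relative path must stay under its root after both `..` cleaning and symlink resolution. The following is an added example, not BuildKit's code, showing that containment check and exercising it against a constructed temp-directory layout in which `repo/escape` is a symlink to a sibling directory. Function names and the fixture layout are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("path resolves outside the allowed root")

// inside reports whether p is root itself or a descendant of root (both absolute, clean).
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// ContainedPath joins rel onto root and refuses the result unless it stays under
// root both lexically (".." climbing) and physically (after following symlinks).
// Either check alone can be fooled; a symlink defeats the lexical one and a
// ".." in a not-yet-existing path defeats the physical one.
func ContainedPath(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if absRoot, err = filepath.EvalSymlinks(absRoot); err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, rel) // Join cleans, so ".." is resolved here
	if !inside(absRoot, joined) {
		return "", ErrEscapesRoot
	}
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", err
	}
	if !inside(absRoot, resolved) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

// BuildRepoFixture lays out a constructed sample tree under a temp directory:
//
//	base/outside/secret.txt
//	base/repo/ok/file.txt
//	base/repo/escape -> ../outside   (symlink standing in for a malicious subdir)
//
// It returns base and the repo root; callers remove base when done.
func BuildRepoFixture() (base, repo string, err error) {
	if base, err = os.MkdirTemp("", "containment-"); err != nil {
		return "", "", err
	}
	repo = filepath.Join(base, "repo")
	for _, d := range []string{filepath.Join(base, "outside"), filepath.Join(repo, "ok")} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return "", "", err
		}
	}
	if err = os.WriteFile(filepath.Join(base, "outside", "secret.txt"), []byte("secret\n"), 0o644); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(filepath.Join(repo, "ok", "file.txt"), []byte("ok\n"), 0o644); err != nil {
		return "", "", err
	}
	if err = os.Symlink(filepath.Join("..", "outside"), filepath.Join(repo, "escape")); err != nil {
		return "", "", err
	}
	return base, repo, nil
}

func main() {
	base, repo, err := BuildRepoFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, sub := range []string{"ok/file.txt", "escape", "escape/secret.txt", "../outside/secret.txt"} {
		p, err := ContainedPath(repo, sub)
		fmt.Printf("%-24s -> %q %v\n", sub, p, err)
	}
}
```

The order matters: resolve the root's own symlinks first (so a root under a symlinked temp directory still compares equal to itself), then compare the resolved candidate against that resolved root. Checking only the lexical join is what lets `escape/secret.txt` through.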
Affected products
References
- CVE-2026-33748
- SUSE Bug 1261046
Description
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
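The panic described above is a missing length check in front of the RFC 3394 AES key unwrap: the wrapped key must be at least 16 bytes (one 64-bit integrity block plus one 64-bit key half) and a multiple of 8. The following is an added example, not go-jose's code: a standalone RFC 3394 unwrap that validates the ciphertext length before deriving the block count, so an empty `encrypted_key` yields an error instead of a negative-length allocation. It is exercised against the RFC 3394 section 4.1 test vector (128-bit KEK, 128-bit key data), which is published data, not constructed here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrBadLength = errors.New("keywrap: ciphertext must be at least 16 bytes and a multiple of 8")
	ErrIntegrity = errors.New("keywrap: integrity check failed")
)

// defaultIV is the RFC 3394 integrity check value A6A6A6A6A6A6A6A6.
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// RFC 3394 section 4.1 test vector.
var (
	RFC3394KEK, _        = hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	RFC3394KeyData, _    = hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	RFC3394Ciphertext, _ = hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
)

// KeyUnwrap implements the RFC 3394 unwrap with the length validation that the
// vulnerable code path lacked. Without the first check, n would be computed as
// len/8-1 = -1 for an empty input and the slice allocation would panic.
func KeyUnwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 16 || len(ciphertext)%8 != 0 {
		return nil, ErrBadLength
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1 // number of 64-bit key halves
	a := make([]byte, 8)
	copy(a, ciphertext[:8])
	r := make([][]byte, n)
	for i := range r {
		r[i] = make([]byte, 8)
		copy(r[i], ciphertext[8*(i+1):8*(i+2)])
	}
	buf := make([]byte, 16)
	var tb [8]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			// B = AES-1(K, (A ^ t) | R[i]), t = n*j + i as a big-endian 64-bit integer
			binary.BigEndian.PutUint64(tb[:], uint64(n*j+i))
			for k := 0; k < 8; k++ {
				buf[k] = a[k] ^ tb[k]
			}
			copy(buf[8:], r[i-1])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[i-1], buf[8:])
		}
	}
	if !bytes.Equal(a, defaultIV) {
		return nil, ErrIntegrity
	}
	out := make([]byte, 0, 8*n)
	for _, ri := range r {
		out = append(out, ri...)
	}
	return out, nil
}

func main() {
	key, err := KeyUnwrap(RFC3394KEK, RFC3394Ciphertext)
	fmt.Printf("unwrapped: %X err=%v\n", key, err)
	_, err = KeyUnwrap(RFC3394KEK, nil) // the empty encrypted_key case from the advisory
	fmt.Println("empty encrypted_key:", err)
}
```

The first guard is the whole fix; the rest is the standard algorithm so the guard can be seen in context. A JWE library should apply the same check before the unwrap regardless of how the `encrypted_key` field was parsed.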
Affected products
References
- CVE-2026-34986
- SUSE Bug 1262805
Description
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint checks in VerifyLeafCert use the first non-CA certificate from the PKCS#7 certificate bag instead of the leaf certificate from the verified chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key, causing the library to validate the signature against one certificate but perform authorization checks against another. This vulnerability only affects users of the timestamp-authority/v2/pkg/verification package and does not affect the timestamp-authority service itself or sigstore-go. The issue has been fixed in version 2.0.6.
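The defect is a confusion between two certificates that are usually the same object: the one whose key signed the token and the one the policy checks run on. The following is an added example, not timestamp-authority's code, reproducing the pattern with the Go standard library: a constructed test PKI (a root, a root-issued signing certificate that lacks the timestamping EKU, and a self-signed forged certificate that has it) is put in a bag with the forged certificate first. `VerifyBuggy` verifies the chain for the signer but checks constraints on the first non-CA certificate in the bag; `VerifyFixed` checks them on the leaf of the verified chain. PKCS#7 parsing is out of scope, so the bag type names the signing certificate directly (real code locates it via SignerInfo issuer and serial). All names are illustrative; the EKU check stands in for the real constraint checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrNotTSA = errors.New("leaf certificate lacks the timestamping EKU")

// SignedBag models what a verifier sees in a timestamp token: the certificate bag
// as transmitted (attacker-ordered) and the certificate whose key made the signature.
type SignedBag struct {
	Certs  []*x509.Certificate
	Signer *x509.Certificate
}

// hasTimestampingEKU stands in for the TSA-specific constraint checks.
func hasTimestampingEKU(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageTimeStamping {
			return true
		}
	}
	return false
}

func chainOf(roots *x509.CertPool, c *x509.Certificate) ([]*x509.Certificate, error) {
	chains, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// VerifyBuggy: chain built from the signer, constraints checked on whatever
// non-CA certificate comes first in the bag.
func VerifyBuggy(roots *x509.CertPool, b SignedBag) error {
	if _, err := chainOf(roots, b.Signer); err != nil {
		return err
	}
	for _, c := range b.Certs {
		if !c.IsCA {
			if !hasTimestampingEKU(c) {
				return ErrNotTSA
			}
			return nil
		}
	}
	return ErrNotTSA
}

// VerifyFixed: constraints checked on chain[0], the certificate that actually signed.
func VerifyFixed(roots *x509.CertPool, b SignedBag) error {
	chain, err := chainOf(roots, b.Signer)
	if err != nil {
		return err
	}
	if !hasTimestampingEKU(chain[0]) {
		return ErrNotTSA
	}
	return nil
}

func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
}

func issue(tmpl, parent *x509.Certificate, key, signingKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signingKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario creates the constructed test PKI described in the lead-in.
func BuildScenario() (*x509.CertPool, SignedBag) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	caKey, signerKey, forgedKey := newKey(), newKey(), newKey()
	caTmpl := template(1, "Test Root")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca := issue(caTmpl, caTmpl, caKey, caKey)
	signer := issue(template(2, "authorized-key-but-not-a-tsa"), ca, signerKey, caKey) // no timestamping EKU
	forgedTmpl := template(3, "forged-tsa")
	forgedTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
	forged := issue(forgedTmpl, forgedTmpl, forgedKey, forgedKey) // self-signed, untrusted
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, SignedBag{Certs: []*x509.Certificate{forged, signer, ca}, Signer: signer}
}
```

The rule to take away: any attribute-based authorization decision after chain building must read its attributes from the chain the verifier returned, never from the bag the peer sent, because the bag's order and contents are under the peer's control.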
Affected products
References
- CVE-2026-39984
- SUSE Bug 1262338