chore(deps): refresh rpm lockfiles [SECURITY] #1589
red-hat-konflux[bot] wants to merge 1 commit into main from
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval. This pull-request has been approved by:

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing

@red-hat-konflux[bot]: The following test failed, say

Full PR test history. Your PR dashboard.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This PR contains the following updates:

File rpms.in.yaml:
- 3.9.25-3.el9_7.2 -> 3.9.25-3.el9_7.3
- 3.9.25-3.el9_7.2 -> 3.9.25-3.el9_7.3
- 3.9.25-3.el9_7.2 -> 3.9.25-3.el9_7.3

Warning: Some dependencies could not be looked up. Check the warning logs for more information.
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

Details: A flaw was found in the Python webbrowser.open() API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution.

Severity: Important
python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)

Details: A flaw was found in Python's decompression modules, including lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile. This vulnerability, a use-after-free, can occur if a program attempts to re-use a decompression object after a memory allocation error, especially when the system is experiencing high memory usage. Exploitation of this flaw could potentially allow an attacker to execute arbitrary code or access sensitive data. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() is not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Severity: Important
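The CVE-2026-6100 text above draws a line between code that builds a fresh decompressor per call (not affected) and code that keeps feeding an instance after it has raised (affected). The following is an added example, not code from this PR or from the advisory, showing both safe shapes for callers that cannot simply switch to the one-shot helpers: a per-call streaming function, and a long-lived wrapper that discards its instance after any exception (MemoryError included) before the next call can touch it. The `FACTORIES` keys, the function and class names, and the sample data are assumptions made for the example.

```python
import bz2
import lzma
import zlib
from typing import Iterable

# Streaming decompressor constructors keyed by a format name of my choosing;
# every call of a factory yields a new, independent instance.
FACTORIES = {
    "xz": lzma.LZMADecompressor,
    "bz2": bz2.BZ2Decompressor,
    "zlib": zlib.decompressobj,
}


def decompress_chunks(chunks: Iterable[bytes], fmt: str) -> bytes:
    """Decompress a chunked stream with a decompressor that lives only here.

    The instance is local to this call, so once it raises (MemoryError or a
    format error) nothing can feed it again; a retry builds a new one.
    """
    dec = FACTORIES[fmt]()
    out = bytearray()
    for chunk in chunks:
        out += dec.decompress(chunk)
    if not dec.eof:
        raise ValueError("truncated %s stream" % fmt)
    return bytes(out)


class GuardedDecompressor:
    """Long-lived incremental decompressor that never reuses a failed instance.

    For readers that must hold a decompressor across many feed() calls. On any
    exception the failed instance is dropped, so the next feed() starts a new
    stream instead of re-entering the object that just errored out.
    """

    def __init__(self, fmt: str) -> None:
        self._factory = FACTORIES[fmt]
        self._dec = None
        self.streams_started = 0  # number of fresh instances created so far

    def feed(self, data: bytes) -> bytes:
        if self._dec is None:
            self._dec = self._factory()
            self.streams_started += 1
        try:
            return self._dec.decompress(data)
        except BaseException:
            self._dec = None  # the instance that raised is never used again
            raise

    @property
    def active(self) -> bool:
        return self._dec is not None
```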
🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

To execute skipped test pipelines write comment /ok-to-test.

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.