Skip to content

Commit 720ca2b

Browse files
UID2-6385/UID2-6481: extend CVE-2025-66293 expiry, remove CVE-2025-68973 (#2607)
CVE-2025-66293 (libpng OOB read): extended expiry to 2026-09-15 with an improved comment explaining the Java service does not use libpng's PNG processing API. Fix is available in Alpine 3.23 >= 1.6.53-r0 but the pinned eclipse-temurin image has not yet been rebuilt with it. CVE-2025-68973 (GnuPG OOB write): removed suppression. gnupg 2.4.9-r0 (the patched version) has been in Alpine 3.23 since January 2026 and the pinned image was last rebuilt in May 2026, so the fix is present in the current image. uid2-operator is a pure Java service that does not invoke GnuPG, so this was doubly moot. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent f1dd3fd commit 720ca2b

1 file changed

Lines changed: 6 additions & 5 deletions

File tree

.trivyignore

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,11 +2,12 @@
22
# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
33
# for more details
44

5-
# UID2-6385
6-
CVE-2025-66293 exp:2026-06-15
7-
8-
# UID2-6481
9-
CVE-2025-68973 exp:2026-06-15
5+
# libpng OOB read in png_image_read_composite - uid2-operator is a pure Java service
6+
# that never calls into libpng's simplified PNG processing API; the JVM does not use
7+
# libpng for image handling. Fix is available in Alpine 3.23 >= 1.6.53-r0 but the
8+
# pinned eclipse-temurin image has not yet been rebuilt with it (tracked alongside
9+
# sibling CVE-2026-25646 which shares the same base-image lag). See: UID2-6385
10+
CVE-2025-66293 exp:2026-09-15
1011

1112
# jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
1213
# See: UID2-6670

0 commit comments

Comments
 (0)