Commit 720ca2b
UID2-6385/UID2-6481: extend CVE-2025-66293 expiry, remove CVE-2025-68973 (#2607)
CVE-2025-66293 (libpng OOB read): extended expiry to 2026-09-15 with an
improved comment explaining the Java service does not use libpng's PNG
processing API. Fix is available in Alpine 3.23 >= 1.6.53-r0 but the
pinned eclipse-temurin image has not yet been rebuilt with it.
CVE-2025-68973 (GnuPG OOB write): removed suppression. gnupg 2.4.9-r0
(the patched version) has been in Alpine 3.23 since January 2026 and the
pinned image was last rebuilt in May 2026, so the fix is present in the
current image. uid2-operator is a pure Java service that does not invoke
GnuPG, so this was doubly moot.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>1 parent f1dd3fd commit 720ca2b
1 file changed
Lines changed: 6 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
6 | | - | |
7 | | - | |
8 | | - | |
9 | | - | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
10 | 11 | | |
11 | 12 | | |
12 | 13 | | |
| |||
0 commit comments