Sync Collecting Fix Commits: Fri Jun 5 01:49:16 UTC 2026

Signed-off-by: AboutCode Automation <automation@aboutcode.org>

Author: aboutcode-automation

data/fix-commits/advisory-database-b78f1d41.json

@@ -1,6 +1,24 @@
 {
   "vcs_url": "https://github.com/github/advisory-database",
   "vulnerabilities": {
+    "GHSA-XP6R-8PCC-XV5P": {
+      "0cad4e91b6be43f5595c1f3ff922f8e6c1b36dcf": "Publish GHSA-xp6r-8pcc-xv5p"
+    },
+    "GHSA-9CFW-F3F9-7MM7": {
+      "6a7ada8ed5a8723bbc9fbb5c0173782c6077aedd": "Publish GHSA-9cfw-f3f9-7mm7"
+    },
+    "GHSA-4P62-HQP5-G644": {
+      "16fc8ee9a73a8475aee6c2be1f5e263070f57f08": "Publish GHSA-4p62-hqp5-g644"
+    },
+    "GHSA-RPCF-RMH6-42XR": {
+      "82ed27a1be28f32c5a6c0c5250feadb2fabb729d": "Publish GHSA-rpcf-rmh6-42xr",
+      "70baf992548341028a444769b1f3059679bbdc1b": "Publish Advisories\n\nGHSA-rpcf-rmh6-42xr\nGHSA-hc7m-r6v8-hg9q",
+      "ec81e7d9d005e735f76ac788a995e19ff435c464": "Publish Advisories\n\nGHSA-4vq8-7jfc-9cvp\nGHSA-rpcf-rmh6-42xr\nGHSA-x4rx-4gw3-53p4",
+      "104691bd6b6a08a99074a38699e03fb837d8ba3b": "Publish Advisories\n\nGHSA-rh9r-8973-rv59\nGHSA-h3cr-gxpm-fxxc\nGHSA-mpmx-6xxg-22w6\nGHSA-cjqq-r96c-pwrf\nGHSA-g86v-m7q4-wf42\nGHSA-qhcp-3fxf-c8vc\nGHSA-v29f-v8vv-v975\nGHSA-x4p9-p8g9-v45f\nGHSA-829j-v57j-p8jf\nGHSA-99w3-f67v-mh94\nGHSA-f9xm-74vq-4x7m\nGHSA-fjjv-535c-93p3\nGHSA-m2wf-77jj-chrw\nGHSA-p759-pmv9-f49m\nGHSA-rpcf-rmh6-42xr\nGHSA-v594-44hm-2j7p\nGHSA-wvjj-4g8c-4v8v"
+    },
+    "GHSA-XGX4-4H9W-53PV": {
+      "17248cbcf12d3857794ea9b56f2a75777915b2ee": "Publish GHSA-xgx4-4h9w-53pv"
+    },
     "GHSA-RXV8-25V2-QMQ8": {
       "a1c093930735be898e89b41867f350f04852f42b": "Improve GHSA-rxv8-25v2-qmq8",
       "f805e069de955f6cefb620bcf9b94cf8a34b9d66": "Publish Advisories\n\nGHSA-67c5-x5mf-rppq\nGHSA-rxv8-25v2-qmq8"
@@ -46893,11 +46911,6 @@
     "GHSA-8WJ8-CFXR-9374": {
       "2ad3d028d2a5d055ec43f22d66e46ac27fa6b038": "Publish Advisories\n\nGHSA-4jvf-wx3f-2x8q\nGHSA-7wq2-32h4-9hc9\nGHSA-7xw4-g7mm-r4hh\nGHSA-8wj8-cfxr-9374"
     },
-    "GHSA-RPCF-RMH6-42XR": {
-      "70baf992548341028a444769b1f3059679bbdc1b": "Publish Advisories\n\nGHSA-rpcf-rmh6-42xr\nGHSA-hc7m-r6v8-hg9q",
-      "ec81e7d9d005e735f76ac788a995e19ff435c464": "Publish Advisories\n\nGHSA-4vq8-7jfc-9cvp\nGHSA-rpcf-rmh6-42xr\nGHSA-x4rx-4gw3-53p4",
-      "104691bd6b6a08a99074a38699e03fb837d8ba3b": "Publish Advisories\n\nGHSA-rh9r-8973-rv59\nGHSA-h3cr-gxpm-fxxc\nGHSA-mpmx-6xxg-22w6\nGHSA-cjqq-r96c-pwrf\nGHSA-g86v-m7q4-wf42\nGHSA-qhcp-3fxf-c8vc\nGHSA-v29f-v8vv-v975\nGHSA-x4p9-p8g9-v45f\nGHSA-829j-v57j-p8jf\nGHSA-99w3-f67v-mh94\nGHSA-f9xm-74vq-4x7m\nGHSA-fjjv-535c-93p3\nGHSA-m2wf-77jj-chrw\nGHSA-p759-pmv9-f49m\nGHSA-rpcf-rmh6-42xr\nGHSA-v594-44hm-2j7p\nGHSA-wvjj-4g8c-4v8v"
-    },
     "GHSA-HC7M-R6V8-HG9Q": {
       "70baf992548341028a444769b1f3059679bbdc1b": "Publish Advisories\n\nGHSA-rpcf-rmh6-42xr\nGHSA-hc7m-r6v8-hg9q",
       "e557063088fc32b9a266fe4e7c46c2d7eb3b2cbc": "Publish GHSA-hc7m-r6v8-hg9q"

data/fix-commits/buildroot-0b809119.json

@@ -1,6 +1,30 @@
 {
   "vcs_url": "https://github.com/buildroot/buildroot",
   "vulnerabilities": {
+    "GHSA-CCFW-29X7-RRX3": {
+      "35b57a0787a07b71051a180ebe2ebaafca989ee7": "package/libde265: security bump version to 1.1.1\n\nhttps://github.com/strukturag/libde265/releases/tag/v1.1.1\n\nFixes the following security problems:\n\nCVE TBD (GHSA-ccfw-29x7-rrx3)\n- Pixel accessor signed integer overflow causes heap OOB read/write\n\nCVE TBD (GHSA-j2qq-x2xq-g9wr)\n- SAO sequential filter heap buffer overflow via signed integer overflow\n\nThis version bump includes upstream commit\nhttps://github.com/strukturag/libde265/commit/9ded37bda4e9fbc2570c0bd710ee407636bc4f34\nwhich uses constexpr() and causes a build error caught by the Gitlab\npipelines with the gcc-6-based bootlin-aarch64-glibc-old defconfig:\n\n/builds/bkuhls/buildroot/br-test-pkg/bootlin-aarch64-glibc-old/build/libde265-1.1.1/libde265/deblock.cc:594:14:\n error: expected \u2018(\u2019 before \u2018constexpr\u2019\n           if constexpr (sizeof(pixel_t)==1) {\n\nTherefore we need to raise the minimum gcc version according to\nhttps://gcc.gnu.org/projects/cxx-status.html#cxx17 to gcc 7.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
+    },
+    "GHSA-J2QQ-X2XQ-G9WR": {
+      "35b57a0787a07b71051a180ebe2ebaafca989ee7": "package/libde265: security bump version to 1.1.1\n\nhttps://github.com/strukturag/libde265/releases/tag/v1.1.1\n\nFixes the following security problems:\n\nCVE TBD (GHSA-ccfw-29x7-rrx3)\n- Pixel accessor signed integer overflow causes heap OOB read/write\n\nCVE TBD (GHSA-j2qq-x2xq-g9wr)\n- SAO sequential filter heap buffer overflow via signed integer overflow\n\nThis version bump includes upstream commit\nhttps://github.com/strukturag/libde265/commit/9ded37bda4e9fbc2570c0bd710ee407636bc4f34\nwhich uses constexpr() and causes a build error caught by the Gitlab\npipelines with the gcc-6-based bootlin-aarch64-glibc-old defconfig:\n\n/builds/bkuhls/buildroot/br-test-pkg/bootlin-aarch64-glibc-old/build/libde265-1.1.1/libde265/deblock.cc:594:14:\n error: expected \u2018(\u2019 before \u2018constexpr\u2019\n           if constexpr (sizeof(pixel_t)==1) {\n\nTherefore we need to raise the minimum gcc version according to\nhttps://gcc.gnu.org/projects/cxx-status.html#cxx17 to gcc 7.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
+    },
+    "CVE-2026-8328": {
+      "d4be78ccb572f9e44271becb7af3c1987718456e": "package/python3: add upstream security patch for CVE-2026-8328\n\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
+    },
+    "CVE-2026-7774": {
+      "67ec0e9c202a1d0f3cd2d4780a23950ca64a1745": "package/python3: add upstream security patch for CVE-2026-7774\n\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
+    },
+    "CVE-2026-44927": {
+      "08f8c44d150c5fa2d9c8a639c076090cd6a76bba": "package/php: security bump version to 8.5.7\n\nhttps://www.php.net/ChangeLog-8.php#8.5.7\nhttps://news-web.php.net/php.announce/493\nhttps://github.com/php/php-src/blob/php-8.5.7/NEWS\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>",
+      "f01bf75c6b53aba38a9bad698cb672628444f3fc": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
+      "edfb5487c37d56dfac93a19b3871bf0e58286435": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
+      "f328822cf17a1b5f5931522207edc64bba4b4456": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
+    },
+    "CVE-2026-44928": {
+      "08f8c44d150c5fa2d9c8a639c076090cd6a76bba": "package/php: security bump version to 8.5.7\n\nhttps://www.php.net/ChangeLog-8.php#8.5.7\nhttps://news-web.php.net/php.announce/493\nhttps://github.com/php/php-src/blob/php-8.5.7/NEWS\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>",
+      "f01bf75c6b53aba38a9bad698cb672628444f3fc": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
+      "edfb5487c37d56dfac93a19b3871bf0e58286435": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
+      "f328822cf17a1b5f5931522207edc64bba4b4456": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
+    },
     "CVE-2026-3276": {
       "9cba1cfaaf7acb64d7e73ffeb4ad455c784d7764": "package/python3: add upstream security patch for CVE-2026-3276\n\nhttps://seclists.org/oss-sec/2026/q2/801\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Peter Korsgaard <peter@korsgaard.com>"
     },
@@ -893,16 +917,6 @@
       "43ade7f40f3b944e227421bd158060f88018f017": "package/libmodsecurity: security bump version to 3.0.15\n\nhttps://github.com/owasp-modsecurity/ModSecurity/blob/v3.0.15/CHANGES\n\nFixes CVE-2026-42268 & CVE-2026-30923.\n\nRebased patch 0001 due to upstream commit\nhttps://github.com/owasp-modsecurity/ModSecurity/commit/f38b5b7296d87e7b1744ef6b5f3dca11fe7cf886\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit e00d34dcc95eb8f0f8a35a81483cbe18d3eccfc6)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
       "e00d34dcc95eb8f0f8a35a81483cbe18d3eccfc6": "package/libmodsecurity: security bump version to 3.0.15\n\nhttps://github.com/owasp-modsecurity/ModSecurity/blob/v3.0.15/CHANGES\n\nFixes CVE-2026-42268 & CVE-2026-30923.\n\nRebased patch 0001 due to upstream commit\nhttps://github.com/owasp-modsecurity/ModSecurity/commit/f38b5b7296d87e7b1744ef6b5f3dca11fe7cf886\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
     },
-    "CVE-2026-44927": {
-      "f01bf75c6b53aba38a9bad698cb672628444f3fc": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
-      "edfb5487c37d56dfac93a19b3871bf0e58286435": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
-      "f328822cf17a1b5f5931522207edc64bba4b4456": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
-    },
-    "CVE-2026-44928": {
-      "f01bf75c6b53aba38a9bad698cb672628444f3fc": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
-      "edfb5487c37d56dfac93a19b3871bf0e58286435": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit f328822cf17a1b5f5931522207edc64bba4b4456)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
-      "f328822cf17a1b5f5931522207edc64bba4b4456": "package/liburiparser: security bump version to 1.0.2\n\nhttps://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog\n\nFixes CVE-2026-44927 & CVE-2026-44928.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>"
-    },
     "CVE-2026-2291": {
       "b09763e6d96de908c353ea2439bbcb3c9cd1a700": "package/dnsmasq: security bump version to 2.92rel2\n\nhttps://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html\nhttps://thekelleys.org.uk/dnsmasq/CVE/\n\nFixes CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892,\nCVE-2026-4893 & CVE-2026-5172.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit 6be9c7e9cfa90ff465fca6de4c2802149dcf722d)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",
       "209a227a6ddf9f982eb8791db960675b47fccf98": "package/dnsmasq: security bump version to 2.92rel2\n\nhttps://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html\nhttps://thekelleys.org.uk/dnsmasq/CVE/\n\nFixes CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892,\nCVE-2026-4893 & CVE-2026-5172.\n\nSigned-off-by: Bernd Kuhls <bernd@kuhls.net>\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n(cherry picked from commit 6be9c7e9cfa90ff465fca6de4c2802149dcf722d)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>",

data/fix-commits/gitlab-accd617b.json

@@ -1,6 +1,12 @@
 {
   "vcs_url": "https://gitlab.com/gitlab-org/gitlab",
   "vulnerabilities": {
+    "CVE-2026-35172": {
+      "fd1091f51bb44671a9b18bc5bc6232e261bee8f4": "Bump devfile gem to 0.5.2 to resolve CVE-2026-35172 and CVE-2026-33540\n\nUpgrades devfile gem to 0.5.2, which bumps devfile/library to v2.4.0 and\ndrops the vulnerable github.com/distribution/distribution/v3 dependency\ncontaining CVE-2026-35172 and CVE-2026-33540.\n\ndevfile/library v2.4.0 changes env var ordering in generated Kubernetes\nmanifests (PROJECT_SOURCE now precedes PROJECTS_ROOT), so fixture files\nare updated accordingly.\n\nChangelog: security\nEE: true"
+    },
+    "CVE-2026-33540": {
+      "fd1091f51bb44671a9b18bc5bc6232e261bee8f4": "Bump devfile gem to 0.5.2 to resolve CVE-2026-35172 and CVE-2026-33540\n\nUpgrades devfile gem to 0.5.2, which bumps devfile/library to v2.4.0 and\ndrops the vulnerable github.com/distribution/distribution/v3 dependency\ncontaining CVE-2026-35172 and CVE-2026-33540.\n\ndevfile/library v2.4.0 changes env var ordering in generated Kubernetes\nmanifests (PROJECT_SOURCE now precedes PROJECTS_ROOT), so fixture files\nare updated accordingly.\n\nChangelog: security\nEE: true"
+    },
     "CVE-2019-18451": {
       "da5e2743396213f0dd9d16b618fdcecfec85ca98": "Address review on DAP IV gate\n\n- Use THROUGH_NAMESPACE_ACCESS_FEATURE_MAP as SSOT, drop DAP_FEATURES\n  duplicate so any new :duo_agent_platform entry is auto-gated.\n- Replace custom safe_return_to? with InternalRedirect#safe_redirect_path\n  (CVE-2019-18451 hardening already in the concern).\n- Internationalize the DAP IV error message.\n- Drop dead CI_VERIFICATION_CONTEXT constant; default branch in\n  verified_for_current_context? already covers the CI path.\n- Simplify dap_identity_verified? to a single boolean expression.\n- Drop redundant .root_ancestor call on governing_namespace result.\n- Drop defensive respond_to? guards in the controller and the Grape\n  helper; the methods are unconditionally available now.\n- Specs: switch to :ai_abstraction_layer / :instance_resiliency\n  feature_categories, rename the shared example to be assertion-explicit,\n  add credit-card-verified context, stub credit_card_verified? and\n  phone_verified? rather than dap_identity_verified? itself."
     },

data/fix-commits/imagemagick-b15feb65.json

@@ -1,6 +1,9 @@
 {
   "vcs_url": "https://github.com/imagemagick/imagemagick",
   "vulnerabilities": {
+    "GHSA-C8R2-MC3P-4F8J": {
+      "fe20c950a7ee8b965a9a061ac97d695bcb308d63": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-c8r2-mc3p-4f8j"
+    },
     "GHSA-44CP-C3WW-9RV5": {
       "e8a61457c90fcc632217cf5504da5c31e4b8d95c": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-44cp-c3ww-9rv5"
     },

data/fix-commits/pinot-68dd9d77.json

@@ -1,7 +1,20 @@
 {
   "vcs_url": "https://github.com/apache/pinot",
   "vulnerabilities": {
+    "CVE-2026-5598": {
+      "165ab819b6e76e02b740330c4deef2821472cb52": "Patch CVEs for 1.5.1: bouncycastle 1.84 via pulsar 4.0.10, commons-configuration2 2.15.0\n\n- pulsar 4.0.9 -> 4.0.10 pulls bouncy-castle-bc 4.0.10 (bcprov/bcpkix/bcutil 1.84),\n  fixing CVE-2026-5598, CVE-2026-0636, CVE-2026-5588\n- commons-configuration2 2.13.0 -> 2.15.0 fixes CVE-2026-45205\n\nCo-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>"
+    },
+    "CVE-2026-0636": {
+      "165ab819b6e76e02b740330c4deef2821472cb52": "Patch CVEs for 1.5.1: bouncycastle 1.84 via pulsar 4.0.10, commons-configuration2 2.15.0\n\n- pulsar 4.0.9 -> 4.0.10 pulls bouncy-castle-bc 4.0.10 (bcprov/bcpkix/bcutil 1.84),\n  fixing CVE-2026-5598, CVE-2026-0636, CVE-2026-5588\n- commons-configuration2 2.13.0 -> 2.15.0 fixes CVE-2026-45205\n\nCo-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>"
+    },
+    "CVE-2026-5588": {
+      "165ab819b6e76e02b740330c4deef2821472cb52": "Patch CVEs for 1.5.1: bouncycastle 1.84 via pulsar 4.0.10, commons-configuration2 2.15.0\n\n- pulsar 4.0.9 -> 4.0.10 pulls bouncy-castle-bc 4.0.10 (bcprov/bcpkix/bcutil 1.84),\n  fixing CVE-2026-5598, CVE-2026-0636, CVE-2026-5588\n- commons-configuration2 2.13.0 -> 2.15.0 fixes CVE-2026-45205\n\nCo-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>"
+    },
+    "CVE-2026-45205": {
+      "165ab819b6e76e02b740330c4deef2821472cb52": "Patch CVEs for 1.5.1: bouncycastle 1.84 via pulsar 4.0.10, commons-configuration2 2.15.0\n\n- pulsar 4.0.9 -> 4.0.10 pulls bouncy-castle-bc 4.0.10 (bcprov/bcpkix/bcutil 1.84),\n  fixing CVE-2026-5598, CVE-2026-0636, CVE-2026-5588\n- commons-configuration2 2.13.0 -> 2.15.0 fixes CVE-2026-45205\n\nCo-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>"
+    },
     "CVE-2026-2332": {
+      "51a65ff39dbc9ce4119ebcf15fe6243b8e2e753f": "Exclude embedded Jetty from Hadoop deps in pinot-orc/pinot-parquet (CVE-2026-2332) (#18659)\n\n---------\n\nCo-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>",
       "2da7284e01d859ed2a52da74c15680162a579455": "Exclude embedded Jetty from Hadoop deps in pinot-orc/pinot-parquet (CVE-2026-2332) (#18659)\n\n---------\n\nCo-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>",
       "b5f7e61efe0f320e7a6460e1f9a26fd677a0fcad": "Prepare release-1.5.1: patch CVEs and set version to 1.5.1-SNAPSHOT\n\nBranch cut from the release-1.5.0 tag for a security patch release.\n\nCVE fixes (ref apache/pinot#18593):\n- netty 4.1.122.Final -> 4.1.134.Final\n  (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,\n   CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)\n- log4j 2.25.3 -> 2.26.0\n  (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)\n- async-http-client 3.0.7 -> 3.0.10 (CVE-2026-45300)\n- httpclient5 5.6 -> 5.6.1 (CVE-2026-40542)\n\nKnown exception: Jetty CVE-2026-2332 is not addressed. The Jetty 9.4.x\nbranch is EOL with patched=None (advisory GHSA-355h-qmc2-wpwf); only\nJetty 12.0.33/12.1.7 are fixed. The jetty deps here are managed versions\nfor the optional Hadoop/Spark/Pulsar plugins only; Pinot's HTTP layer\nuses Grizzly/Jersey. Closing it requires a Jetty 9->12 migration, out of\nscope for a patch release.\n\nVerified with a full `mvn clean install -DskipTests` (80 modules,\nDependencyConvergence + BannedDependencies enforcer rules pass).\n\nCo-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>"
     },