Skip to content

Fix 4 CVEs (CVE-2025-52881, CVE-2025-66506, CVE-2026-49478, ...)#438

Closed
oadp-rebasebot-app[bot] wants to merge 4 commits into
openshift:oadp-1.6from
oadp-rebasebot:cve-fix/oadp-1.6/20260713-2
Closed

Fix 4 CVEs (CVE-2025-52881, CVE-2025-66506, CVE-2026-49478, ...)#438
oadp-rebasebot-app[bot] wants to merge 4 commits into
openshift:oadp-1.6from
oadp-rebasebot:cve-fix/oadp-1.6/20260713-2

Conversation

@oadp-rebasebot-app

Copy link
Copy Markdown

CVE Fixes

Automated scan found 4 fixable Go dependency CVE(s) in openshift/openshift-velero-plugin on branch oadp-1.6.

CVE Severity Package Fixed Version Description
CVE-2025-52881 HIGH github.com/opencontainers/selinux 1.13.0 runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects
CVE-2025-66506 HIGH github.com/sigstore/fulcio 1.8.3 github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token
CVE-2026-49478 HIGH github.com/sigstore/fulcio 1.8.6 Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage
CVE-2026-48702 HIGH github.com/sigstore/rekor 1.5.2 Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

How this was fixed

  • go get <package>@<fixed_version> for each vulnerable dependency
  • go mod tidy to clean up

Generated by cve-scan pipeline

oadp-rebasebot[bot] added 4 commits July 13, 2026 13:51
- CVE-2025-52881: github.com/opencontainers/selinux v1.11.0 → 1.13.0
- CVE-2025-66506: github.com/sigstore/fulcio v1.4.5 → 1.8.3
- CVE-2026-49478: github.com/sigstore/fulcio v1.4.5 → 1.8.6
- CVE-2026-48702: github.com/sigstore/rekor v1.3.6 → 1.5.2
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 634d7965-c301-4654-ac53-278f87f8af50

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from kaovilai and sseago July 13, 2026 13:53
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oadp-rebasebot-app[bot]
Once this PR has been reviewed and has the lgtm label, please assign jmontleon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

Hi @oadp-rebasebot-app[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Joeavaikath

Copy link
Copy Markdown
Contributor

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 13, 2026
@Joeavaikath

Copy link
Copy Markdown
Contributor

/retest

@Joeavaikath

Copy link
Copy Markdown
Contributor

#441 lots of bumps, these two prs are maaybe going in, lets see if anything breaks

@Joeavaikath

Copy link
Copy Markdown
Contributor

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 14, 2026
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

@oadp-rebasebot-app[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/unit-test 7366971 link true /test unit-test
ci/prow/images 7366971 link true /test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant