Skip to content

chore(deps): refresh rpm lockfiles [SECURITY] #464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
red-hat-konflux wants to merge 1 commit into
base: redhat-3.16
Choose a base branch
from
Open

chore(deps): refresh rpm lockfiles [SECURITY] #464

red-hat-konflux wants to merge 1 commit into from

Conversation

@red-hat-konflux
Copy link

@red-hat-konflux red-hat-konflux bot commented Dec 17, 2025
edited
Loading

This PR contains the following updates:

File rpms.in.yaml:

Package Change
openssh 8.7p1-46.el9 -> 8.7p1-47.el9_7
openssh-clients 8.7p1-46.el9 -> 8.7p1-47.el9_7

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand

CVE-2025-61985

More information

Details

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Severity

Moderate

References

openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand

CVE-2025-61984

More information

Details

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Severity

Moderate

References

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/redhat-3.16/lock-file-maintenance-vulnerability branch 6 times, most recently from 3ae29b5 to 51b8af8 Compare December 22, 2025 13:02
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/redhat-3.16/lock-file-maintenance-vulnerability branch from 51b8af8 to 10f2aff Compare January 6, 2026 17:07
@red-hat-konflux
chore(deps): refresh rpm lockfiles [SECURITY]
f4a2f3e 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/redhat-3.16/lock-file-maintenance-vulnerability branch from 10f2aff to f4a2f3e Compare January 8, 2026 21:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants