
chore(deps): update registry.redhat.io/rhtas/cosign-rhel9 docker tag to v1.4.1-1779106733 [security]#905

Open
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main/docker-registry.redhat.io-rhtas-cosign-rhel9-vulnerability

Conversation

red-hat-konflux[bot] (Contributor) commented Jun 15, 2026

This PR contains the following updates:

Package                                Type   Update   Change
registry.redhat.io/rhtas/cosign-rhel9  stage  minor    1.3.2 → 1.4.1-1779106733

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation

CVE-2026-32281

Details

A flaw was found in Go's crypto/x509 package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.

Severity

Important


github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

CVE-2026-34986

Details

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

Severity

Important


github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability

CVE-2026-33816

Details

A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption.

Severity

Important


golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root

CVE-2026-32282

Details

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.

Severity

Important


github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability

CVE-2026-33815

Details

A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability.

Severity

Important


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

…to v1.4.1-1779106733 [security]

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
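Two of the advisories above are fixed by the Go toolchain the image was built with, the other three by the go-jose and pgx module versions linked into the cosign binary. A quick way to confirm that a rebuilt image really carries the fixed versions is to read the build info Go embeds in every module-built binary. The following is an added example, not code from this PR, from cosign or from Konflux: it parses build info in the `debug.BuildInfo.String()` layout (a constructed sample here, not the actual contents of the cosign-rhel9 image; the versions in `sampleBuildInfo` and the minimums in `sampleMinimums` are placeholders, to be replaced with the fixed versions named in the advisories) and flags each watched module that is older than its minimum. Given a path argument, it reads a real binary via `debug/buildinfo` instead.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding is one watched module found in a binary's embedded build info.
type Finding struct {
	Module     string
	Version    string // version actually linked into the binary
	MinFixed   string // lower bound supplied by the caller (placeholder here)
	Vulnerable bool   // true when Version < MinFixed
}

// AuditResult summarises one binary: the toolchain matters for the stdlib
// CVEs (crypto/x509, internal/syscall/unix), the deps for go-jose and pgx.
type AuditResult struct {
	GoVersion string
	MainPath  string
	Findings  []Finding
}

// Constructed sample in debug.BuildInfo.String() layout. Main module and
// versions are illustrative, not the contents of the cosign-rhel9 image.
var sampleBuildInfo = strings.Join([]string{
	"go\tgo1.22.3",
	"path\tgithub.com/sigstore/cosign/v2/cmd/cosign",
	"mod\tgithub.com/sigstore/cosign/v2\tv2.2.4\th1:EXAMPLE",
	"dep\tgithub.com/go-jose/go-jose/v3\tv3.0.3\th1:EXAMPLE",
	"dep\tgithub.com/go-jose/go-jose/v4\tv4.0.1\th1:EXAMPLE",
	"dep\tgithub.com/jackc/pgx/v5\tv5.5.5\th1:EXAMPLE",
}, "\n") + "\n"

// Placeholder minimums: fill these in from the advisories' fixed versions.
var sampleMinimums = map[string]string{
	"github.com/go-jose/go-jose/v3": "v3.0.4",
	"github.com/go-jose/go-jose/v4": "v4.0.1",
	"github.com/jackc/pgx/v5":       "v5.6.0",
}

// parseVersion reduces "v3.0.1" or "v0.0.0-20240101-abcdef" to major.minor.patch;
// pre-release and pseudo-version suffixes are dropped, missing parts count as 0.
func parseVersion(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// versionLess reports whether a sorts before b by major.minor.patch.
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// parseSample parses the text form of build info. debug.ParseBuildInfo leaves
// GoVersion unset, so the leading "go\t" line is recovered by hand.
func parseSample(raw string) (*debug.BuildInfo, error) {
	bi, err := debug.ParseBuildInfo(raw)
	if err != nil {
		return nil, err
	}
	for _, line := range strings.Split(raw, "\n") {
		if strings.HasPrefix(line, "go\t") {
			bi.GoVersion = strings.TrimPrefix(line, "go\t")
		}
	}
	return bi, nil
}

// auditBuildInfo flags every watched module older than its minimum. A replace
// directive decides what was really linked, so it takes precedence over Version.
func auditBuildInfo(bi *debug.BuildInfo, minFixed map[string]string) AuditResult {
	res := AuditResult{GoVersion: bi.GoVersion, MainPath: bi.Path}
	for _, dep := range bi.Deps {
		floor, watched := minFixed[dep.Path]
		if !watched {
			continue
		}
		ver := dep.Version
		if dep.Replace != nil {
			ver = dep.Replace.Version
		}
		res.Findings = append(res.Findings, Finding{
			Module: dep.Path, Version: ver, MinFixed: floor, Vulnerable: versionLess(ver, floor),
		})
	}
	return res
}

// auditSample runs the audit over the constructed sample.
func auditSample() (AuditResult, error) {
	bi, err := parseSample(sampleBuildInfo)
	if err != nil {
		return AuditResult{}, err
	}
	return auditBuildInfo(bi, sampleMinimums), nil
}

func main() {
	bi, err := (*debug.BuildInfo)(nil), error(nil)
	if len(os.Args) > 1 {
		bi, err = buildinfo.ReadFile(os.Args[1]) // e.g. the cosign binary copied out of the image
	} else {
		bi, err = parseSample(sampleBuildInfo)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	res := auditBuildInfo(bi, sampleMinimums)
	fmt.Printf("%s built with %s (compare against the Go patch release in the advisory)\n", res.MainPath, res.GoVersion)
	for _, f := range res.Findings {
		fmt.Printf("%-32s %-10s min %-8s vulnerable=%v\n", f.Module, f.Version, f.MinFixed, f.Vulnerable)
	}
}
```

For a real check, copy the binary out of the pulled image (for instance with `podman cp` or `oras`) and pass its path; `go version -m` prints the same fields, with each line indented by one tab that would have to be stripped before feeding it to `parseSample`. The version comparison deliberately ignores pre-release suffixes, so a pseudo-version such as v0.0.0-2024... is treated as older than any tagged release, which errs on the side of reporting it.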
@konflux-ci-qe-bot commented

Scenario: pr-e2e-tests
@red-hat-konflux[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name   Status   Rerun command   Build Log            Test Log
e2e-4.20-rwlts     Failed   /retest         View Pipeline Log    View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/rhtap-team/rhtap-cli:e2e-4.20-rwlts

Test results analysis

<not enabled>

OCI Artifact Browser URL

<not enabled>
