chore(deps): rpm updates #2249

Open
wants to merge 1 commit into base: release-3.21 from

Conversation

red-hat-konflux[bot] (Contributor)

This PR contains the following updates:

Package                     Update  Change
audit-libs                  patch   3.1.2-1.el8 -> 3.1.2-1.el8_10.1
device-mapper               patch   8:1.02.181-15.el8_10 -> 8:1.02.181-15.el8_10.2
device-mapper-libs          patch   8:1.02.181-15.el8_10 -> 8:1.02.181-15.el8_10.2
dracut                      minor   049-233.git20240115.el8 -> 049-237.git20250603.el8_10
emacs-filesystem            patch   1:26.1-13.el8_10 -> 1:26.1-15.el8_10
lz4-libs                    patch   1.8.3-3.el8_4 -> 1.8.3-5.el8_10
platform-python-setuptools  patch   39.2.0-8.el8_10 -> 39.2.0-9.el8_10
python3-audit               patch   3.1.2-1.el8 -> 3.1.2-1.el8_10.1
python3-setuptools-wheel    patch   39.2.0-8.el8_10 -> 39.2.0-9.el8_10

setuptools: Path Traversal Vulnerability in setuptools PackageIndex

CVE-2025-47273

More information

Details

A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.

Severity

Moderate


Configuration

📅 Schedule: Branch creation - "after 3am and before 7am" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines, write the comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
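As an added example of the bug class the advisory text above describes (an illustration written for this page, not setuptools' own code and not the CVE-2025-47273 fix), the block below derives a download file name from an untrusted URL and joins it onto a temporary directory. The URLs, the `/tmp/dl-example` directory and every function name are constructed for the example. The naive version collapses `..` and trusts the result, but a percent-encoded absolute path slips past it, because `os.path.join()` discards its first argument when the second one is absolute; the hardened version keeps only the final path component and then verifies that the resolved target still lies under the directory.

```python
"""Illustrative download-path handling: a file name derived from an untrusted
URL is joined onto a temporary directory. Constructed example, not setuptools'
own code and not the CVE-2025-47273 fix; it shows the bug class only."""
import os
from urllib.parse import unquote, urlsplit


def filename_from_url(url: str) -> str:
    """Take the last path segment of the URL, then percent-decode it.

    Decoding after splitting is the classic mistake: an encoded '/' in the
    last segment survives the split and becomes a real path separator.
    """
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(segment) or "__downloaded__"


def unsafe_download_path(url: str, tmpdir: str) -> str:
    """Vulnerable pattern: collapse '..' and trust the result.

    The loop stops '../' style traversal, but os.path.join() discards tmpdir
    entirely when its second argument is absolute, so a name that decodes to
    '/etc/...' lands outside the temporary directory.
    """
    name = filename_from_url(url)
    while ".." in name:
        name = name.replace("..", ".")
    return os.path.join(tmpdir, name)


def is_inside(path: str, root: str) -> bool:
    """True if `path`, after resolving symlinks and '..', is `root` or under it."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def safe_download_path(url: str, tmpdir: str) -> str:
    """Hardened pattern: keep only a plain file name, then verify containment."""
    name = os.path.basename(filename_from_url(url))
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"refusing unsafe download name {name!r}")
    target = os.path.realpath(os.path.join(os.path.realpath(tmpdir), name))
    # Defence in depth: even if the name check is ever weakened, nothing
    # outside tmpdir is ever returned.
    if not is_inside(target, tmpdir):
        raise ValueError(f"download path {target!r} is outside {tmpdir!r}")
    return target


def rejects(url: str, tmpdir: str) -> bool:
    """Helper for the demo: True if the hardened function refuses the URL."""
    try:
        safe_download_path(url, tmpdir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tmp = "/tmp/dl-example"  # hypothetical download directory (constructed)
    for url in (  # constructed sample URLs; the host does not exist
        "https://index.example.invalid/simple/pkg/pkg-1.0.tar.gz",
        "https://index.example.invalid/simple/pkg/..%2F..%2Fetc%2Fpasswd",
        "https://index.example.invalid/simple/pkg/%2Fetc%2Fcron.d%2Fpayload",
    ):
        path = unsafe_download_path(url, tmp)
        print(f"{url}\n  unsafe -> {path} (inside tmpdir: {is_inside(path, tmp)})")
        verdict = "rejected" if rejects(url, tmp) else safe_download_path(url, tmp)
        print(f"  safe   -> {verdict}")
```

Running the script shows the third URL resolving to `/etc/cron.d/payload` under the naive code while the hardened code writes only `payload` under the download directory; the containment check in `is_inside` is the part worth keeping even when the name filter looks sufficient, since it catches symlinked directories and any future sanitizer regression.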
@red-hat-konflux red-hat-konflux bot requested review from rhacs-bot and a team as code owners July 15, 2025 04:31
@red-hat-konflux red-hat-konflux bot enabled auto-merge (squash) July 15, 2025 04:31
@rhacs-bot (Contributor) left a comment

Auto-approved by automation.
