Threats Tagged 'cve-2026-40938'

The 1.21.2 release of Red Hat OpenShift Pipelines Operator.

Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.

An update is now available for Red Hat Lightspeed (formerly Insights) for Runtimes on RHEL 9. Security fix(es): * gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186) * crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281) * internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282) * crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) * crypto/x509: crypto/tls: Denial of Service vulnerability in certificate chain building (CVE-2026-32280) * crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es): * github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986) * crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281) * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Releases of Red Hat OpenShift Builds 1.6.5

Releases of Red Hat OpenShift Builds 1.6.5

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.