Skip to content

chore: update dependencies#438

Draft
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/dependencies
Draft

chore: update dependencies#438
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/dependencies

Conversation

@renovate

@renovate renovate Bot commented Mar 5, 2025

Copy link
Copy Markdown

Update Request | Renovate Bot

This PR contains the following updates:

Package Update Change
SELinuxProject/selinux minor 3.103.11
davea42/libdwarf-code patch 2.3.12.3.2
git://git.kernel.org/pub/scm/git/git.git minor 2.54.02.55.0
git://git.savannah.gnu.org/libtool.git minor 2.5.42.6.1
openssl/openssl major 3.6.34.0.1
pypa/setuptools major 82.0.183.0.0
siderolabs/bldr patch v0.6.0v0.6.1

Release Notes

SELinuxProject/selinux (SELinuxProject/selinux)

v3.11: SELinux userspace release 3.11

Compare Source

RELEASE 3.11

User-visible changes since 3.10

  • Several security improvements in libselinux, dbus, gui, mcstrans and sandbox
  • Added secilcheck program to check CIL neverallows against binary policies
  • Improved restorecond.service to use new restorecond -F option to run in
    foreground
  • restorecon only logs error on read-only filesystem instead of failing (allows
    relabeling with read-only BTRFS subvolumes)
  • Added setfiles -A option to disable SELINUX_RESTORECON_ADD_ASSOC
  • Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
    selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse to
    relabel files with multiple hard links to prevent mislabeling them. Updated
    restorecond(8) to always pass this flag when relabeling files to prevent
    mislabeling hard links to files owned by others, e.g. when relabeling user
    home directories or /tmp.
  • Dropped sandbox/seunshare -k/--kill support (unused by sandbox, fundamentally
    racy, redundant with killall -Z).
  • Fixed sandbox/seunshare getopt flags to match the actual options.
  • Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
  • Fixed sandbox interactive prompt for saving files.
  • Added a cache size cap, max client cap, receive timeout, and maxbit cap to
    mcstrans to reduce the risk of DoS from misbehaving clients.
  • Fixed mcstrans UAF on SIGHUP reload of its configuration files.
  • Fixed mcstrans translation for uncached entries.
  • Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on large
    semanage import operations (#​291).
  • Fixed libsepol generation of constraint expressions with a list of names when
    writing policy.conf from CIL.
  • Fixed libsepol to generate constrain/validatetrans instead of
    mlsconstrain/mlsvalidatetrans when converting a module to CIL unless the
    constraint contains an expression based on level.
  • Fixed libsepol selection of tunableif or booleanif and to skip empty
    conditional blocks when converting a module to CIL.
  • Fixed libsepol/secilc reporting of CIL source file info.
  • Fixed libsepol to require at least one perm in a CIL classperm and to
    correctly count the number of elements in the avtab.
  • Fixed libsepol to link xperm rule permissions correctly.
  • Fixed libsepol off-by-one error in cats_ebitmap_len().
  • Fixed dispol and dismod to show all options in the -h text.
  • Fixed checkpolicy handling of out-of-range and complement at range boundaries
    for xperm rules (#​530, #​531).
  • Dropped legacy fscon statement support from checkpolicy - never used in
    SELinux policies for mainline kernels (#​518).
  • Fixed libselinux constructor to not clobber errno (#​445).
  • Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
  • Fixed libselinux selinux_init_policy_load() to still try to mount selinuxfs on
    /sys/fs/selinux even if the mount of sysfs on /sys fails - this can occur
    legitimately within a user namespace.
  • Improved restorecon related functionality in libselinux
  • Improved semanage-fcontext(8) manpage
  • Dropped Python 2 support from audit2why
  • Multiple documentation improvements.
  • Bug fixes

Security/hardening changes

  • Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues in file
    relabeling if /proc is available (so that it can use /proc/self/fd-based
    pathnames). If /proc is not available, selinux_restorecon(3) falls back to
    just passing the full pathname each time for compatibility within chroot or
    other environments. For callers that pass the SELINUX_RESTORECON_REALPATH
    flag, like restorecon(8), selinux_restorecon(3) will still follow any
    intermediate symlinks in the initial pathname as part of realpath(3)
    canonicalization. Otherwise, selinux_restorecon(3) will not follow any
    symlinks. This may yield different user-visible behavior for setfiles(8) and
    restorecond(8) but only if a path containing an intermediate symlink is
    specified on the command-line (setfiles) or configuration (restorecond) since
    they did not follow any symlinks found during the tree walk regardless.

  • Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues on their
    other path-based operations via /proc/self/fd and the use of a safe_open()
    helper. This may yield different behavior if a path containing an intermediate
    symlink is passed to them via configuration (restorecond) or command-line
    (seunshare).

  • Many hardening fixes spanning the entire tree (including but not limited to
    #​522, #​523, #​525 thru #​529, #​532 thru #​534)

Development-relevant changes

  • Reformatted entire tree based on .clang-format and added new
    check-format/format make targets to check and/or reformat code to match.
    This is now a requirement for new patches.
  • Improved CI and refactored CI build into a custom GH action
  • libselinux and python use system Python3 build module
  • Fixed build errors with glibc 2.43.
  • Fixed libselinux build for non-pthread builds.
  • Build shared libraries with -fPIC for LTO.
  • Fixed uclibc build failure (#​435).
  • Multiple fixes for musl/llvm-based builds, including adding a new
    EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
    --undefined-version through to lld (#​511 thru #​515).
  • Fixed libsemanage pywrap target deps for parallel builds.
  • Updated pywrap build targets for modern python builds using the Python3 build
    module.
  • Disabled build isolation for sepolicy python module.
davea42/libdwarf-code (davea42/libdwarf-code)

v2.3.2: libdwarf -code release 2.3.2

Compare Source

Enables reading of Elf objects with any sections compressed (previously only some could be decompressed).
Fixes vulnerabilities reading corrupted Mach-o objects.

openssl/openssl (openssl/openssl)

v4.0.1

Compare Source

  • Add client-side validation for TLS 1.3 session ticket lifetimes.

    In accordance with RFC 8446 Section 4.6.1,
    TLS 1.3 clients must not cache session tickets
    for longer than 7 days (604800 seconds).
    When processing a new session ticket message with a
    ticket_lifetime_hint value greater than 7 days,
    the client now caps the lifetime to the
    maximum permitted value of 7 days (604800 seconds).

    Abel Thomas

v4.0.0

Compare Source

  • Fixed heap use-after-free in PKCS7_verify().

    Severity: High

    Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
    trigger a use-after-free during PKCS#7 signature verification.

    Impact summary: A use-after-free may result in process crashes, heap
    corruption, or, potentially, remote code execution.

    Reported by: Thai Duong (Calif.io in collaboration with Claude
    and Anthropic Research).

    ([CVE-2026-45447])

    Igor Ustinov

  • Fixed CMS AuthEnvelopedData processing may accept forged messages.

    Severity: Moderate

    Issue Summary: Cryptographic Message Services (CMS) processing fails
    to perform sufficient input validation on the cipher and tag length fields
    of AuthEnvelopedData containers, leading to various potential compromises.

    Impact Summary: Attackers making use of these vulnerabilities may achieve
    key-equivalent functionality for a given CMS recipient and/or bypass
    integrity validation for a given message.

    Reported by: Asim Viladi Oglu Manizada, Alex Gaynor (Anthropic),
    Ying Dong, and Haiyang Huang.

    ([CVE-2026-34182])

    Neil Horman

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.

    Severity: Moderate

    Issue summary: Remote peer may exhaust heap memory of the QUIC server
    or client by flooding it with packets containing PATH_CHALLENGE frames.

    Impact summary: A malicious remote peer can cause an unbounded memory
    allocation which can lead to an abnormal termination of the application
    acting as a QUIC client or server and a Denial of Service.

    Reported by: Abhinav Agarwal.

    ([CVE-2026-34183])

    Abhinav Agarwal and Alexandr Nedvedicky

  • Fixed double-free when checking OCSP stapled response.

    Severity: Moderate

    Issue summary: A malicious server can exploit TLS OCSP stapling by delivering
    a crafted response through the status_request extension, triggering
    a double-free in the client's certificate verification path.

    Impact summary: Successful exploitation allows an attacker to corrupt heap
    memory via a double-free, potentially leading to a Denial of Service
    or possibly an attacker controlled code execution or other undefined
    behavior.

    Reported by: Wang Kenaz (University of Illinois),
    Guido Vranken (Aisle Research), and Aaron Grattafiori (Nvidia).

    ([CVE-2026-35188])

    Daniel Kubec

  • Fixed NULL pointer dereference in QUIC server initial packet handling.

    Severity: Moderate

    Issue summary: Receiving a QUIC initial packet with an invalid token
    may trigger a NULL pointer dereference in the OpenSSL QUIC server
    with address validation disabled.

    Impact summary: NULL pointer dereference typically causes abnormal
    termination of the affected QUIC server process and a Denial of Service.

    Reported by: Sunwoo Lee (KENTECH), Hyuk Lim (KENTECH),
    and Seunghyun Yoon (KENTECH).

    ([CVE-2026-42764])

    Sunwoo Lee (KENTECH), Hyuk Lim (KENTECH), and Seunghyun Yoon (KENTECH)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path.

    Severity: Moderate

    Issue summary: When an application drives an AES-OCB context through
    the public EVP_Cipher() one-shot interface, the application-supplied
    initialisation vector (IV) is silently discarded.

    Impact summary: Every message encrypted under the same key uses the same
    effective nonce regardless of the IV supplied by the caller, resulting
    in (key, nonce) reuse and loss of confidentiality. If the same code path
    is used to compute the authentication tag, the tag depends only
    on the (key, IV) pair and not on the plaintext or ciphertext, allowing
    universal forgery of arbitrary ciphertext from a single captured message.

    Reported by: Alex Gaynor (Anthropic).

    ([CVE-2026-45445])

    Viktor Dukhovni

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.

    Severity: Low

    Issue summary: A signed integer overflow when sizing the destination
    buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap
    buffer overflow.

    Impact summary: A heap buffer overflow may lead to a crash or possibly
    attacker controlled code execution or other undefined behaviour.

    Reported by: Zehua Qiao and Jinwen He.

    ([CVE-2026-7383])

    Viktor Dukhovni

  • Fixed out-of-bounds read in CMS password-based decryption.

    Severity: Low

    Issue summary: When CMS password-based decryption ([RFC 3211]/PWRI key
    unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode
    KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

    Impact summary: A heap buffer over-read may trigger a crash, which leads
    to Denial of Service for an application if the input buffer ends at a memory
    page boundary and the following page is unmapped. There is no information
    disclosure, as the over-read bytes are not revealed to the attacker.

    Reported by: Bhabani Sankar Das and Haruki Oyama (Waseda University).

    ([CVE-2026-9076])

    Nikola Pajkovský

  • Fixed heap buffer over-read in ASN.1 content parsing.

    Severity: Low

    Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive
    element whose content exceeds 2 gigabytes in length may cause a heap buffer
    over-read on 64-bit Unix and Unix-like platforms.

    Impact summary: The heap buffer over-read may crash the application (Denial
    of Service) or to load into the decoded ASN.1 object contents of memory
    beyond the end of the input buffer. More typically, such ASN.1 elements
    would instead be truncated.

    Reported by: Frank Buss.

    ([CVE-2026-34180])

    Viktor Dukhovni

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.

    Severity: Low

    Issue Summary: The PKCS#12 file processing fails to perform sufficient input
    validation for files that use Password-Based Message Authentication Code 1
    (PBMAC1) integrity mechanism allowing a certificate and private key forgery.

    Impact Summary: An attacker impersonating a user can cause a service reading
    PKCS#12 files to accept forged certificates and private keys with a 1 in 256
    probability.

    Reported by: Pavol Žáčik (Red Hat) and Alex Gaynor (Anthropic).

    ([CVE-2026-34181])

    Alicja Kario (Red Hat)

  • Fixed NULL dereference in certificate verification with OCSP Checking.

    Severity: Low

    Issue summary: When a partial-chain certificate verification is enabled
    together with OCSP response checking for the whole chain, a NULL dereference
    will happen if the verified chain does not have a self-signed trusted anchor,
    crashing the process.

    Impact summary: A NULL pointer dereference can trigger a crash which leads
    to a Denial of Service for an application.

    Reported by: Joshua Rogers (Aisle Research).

    ([CVE-2026-42765])

    Joshua Rogers (Aisle Research) and Daniel Kubec

  • Fixed possible NULL dereference in password-dased CMS decryption.

    Severity: Low

    Issue summary: A specially crafted password-encrypted CMS message
    could trigger a NULL pointer dereference during CMS decryption.

    Impact summary: This NULL pointer dereference could lead to an application
    crash and a Denial of Service.

    Reported by: Mayank Jangid, Kushal Khemka, Hari Priandana,
    Bhabani Sankar Das, and Qifan Zhang (Palo Alto Networks).

    ([CVE-2026-42766])

    Igor Ustinov

  • Fixed NULL pointer dereference in CRMF EncryptedValue decryption.

    Severity: Low

    Issue summary: An attacker-controlled CMP (Certificate Management Protocol)
    server could trigger a NULL pointer dereference in a CMP client application.

    Impact summary: A NULL pointer dereference could cause a crash
    of the application and a Denial of Service.

    Reported by: Zhanpeng Liu (Tencent Xuanwu Lab),
    Guannan Wang (Tencent Xuanwu Lab), and Guancheng Li (Tencent Xuanwu Lab).

    ([CVE-2026-42767])

    Igor Ustinov

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
    and PKCS7_decrypt().

    Severity: Low

    Issue summary: The CMS_decrypt() and PKCS7_decrypt() functions
    are vulnerable to Bleichenbacher-style attack when an attacker is able
    to provide CMS or S/MIME messages and observe the error code
    and/or decryption output.

    Impact summary: The Bleichenbacher-style attack allows an attacker to use
    the victim's vulnerable application as a way to decrypt or sign messages
    with the victim's private RSA key.

    Reported by: Alex Gaynor (Anthropic).

    ([CVE-2026-42768])

    Dmitry Belyavskiy (Red Hat) and Alicja Kario (Red Hat)

  • Fixed trust anchor substitution via cert/issuer typo in CMP
    rootCaKeyUpdate.

    Severity: Low

    Issue Summary: An error in the callback used to verify the certificate
    provided in a Root CA key update Certificate Management Protocol (CMP)
    message response rendered the certificate validation ineffectual,
    which could lead to escalation of credentials from the Registration
    Authority (RA) level to the root Certification Authority (root CA) level.

    Impact Summary: The Registration Authority could replace the root CA
    certificate for the CMP clients with an arbitrary root CA certificate.

    Reported by: Alex Gaynor (Anthropic).

    ([CVE-2026-42769])

    Alex Gaynor (Anthropic) and Bob Beck

  • Fixed FFC-DH peer validation uses attacker-supplied q.

    Severity: Low

    Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)
    peer key, the peer key is not properly checked for the subgroup membership.

    Impact summary: A malicious peer which presents an X9.42 key carrying
    the victim's p and g parameters, a forged q = r (a small prime factor
    of the cofactor (p − 1)/q_local), and a public value Y of order r can
    recover the victim's private key after a small number of key exchange
    attempts.

    Reported by: Alex Gaynor (Anthropic).

    ([CVE-2026-42770])

    Alex Gaynor (Anthropic), Viktor Dukhovni, and Norbert Pócs

  • Fixed possible out of bounds read in X509_VERIFY_PARAM_set1_email().

    Severity: Low

    Issue summary: When X509_VERIFY_PARAM_set1_email() is called
    by an application to validate a crafted e-mail address, such as during
    S/MIME message validation, an out of bounds read can happen.

    Impact summary: This out of bounds read will not directly exfiltrate
    the data read to the attacker, so, the most likely result is a crash
    and a Denial of Service.

    Reported by: TrendAI Zero Day Initiative.

    ([CVE-2026-42771])

    Bob Beck

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV
    and AES-SIV modes.

    Severity: Low

    Issue summary: The implementations of AES-SIV ([RFC 5297]) and AES-GCM-SIV
    ([RFC 8452]) mishandle the authentication of AAD (Additional Authenticated
    Data) with an empty ciphertext, allowing forgery of such messages.

    Impact summary: An attacker can forge empty messages with arbitrary AAD
    to the victim's application using these ciphers.

    Reported by: Alex Gaynor (Anthropic).

    ([CVE-2026-45446])

    Dmitry Belyavskiy (Red Hat)

  • Fixed a regression introduced in 4.0.0 that led to a openssl pkey
    command crash when it was invoked to encrypt a private key with password
    being provided interactively.

    Viktor Dukhovni

  • Fixed a regression introduced in 4.0.0 that led to openssl s_client -adv
    command prematurely terminating a session when reading input of 16384 bytes
    in one read() call.

    Eugene Syromiatnikov

  • Fixed TLS 1.3 server not sending NewSessionTicket message
    after ciphersuite mismatch.

    Daniel Kubec

  • Implemented validation of the minimal length of PSK identity
    being of at least one byte long, as required per [RFC 8446].

    Matt Caswell

  • Fixed usage of stale application buffer pointer by kTLS implementation
    after incomplete writes when SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is set,
    that led to invalid memory reads and sending of incorrect data.

    Ilya Maximets

pypa/setuptools (pypa/setuptools)

v83.0.0

Compare Source

siderolabs/bldr (siderolabs/bldr)

v0.6.1

Compare Source

bldr 0.6.1 (2026-07-03)

Welcome to the v0.6.1 release of bldr!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/bldr/issues.

Build Platform

Packages can now pin the platform their build runs on with the buildPlatform
field, independent of the requested target platform. This enables
cross-compilation: e.g. building an arm64 artifact on an amd64 worker (no
emulation), where ARCH/TARGET still describe the target while the build
executes on buildPlatform.

Contributors
  • Andrey Smirnov
  • Mark Glants
Changes
4 commits

  • d9f3216 release(v0.6.1): prepare release
  • 7364273 feat: add buildPlatform to pin a package's build platform
  • a9fb31d chore: bump dependencies
  • 7618c55 chore: bump Go dependencies and rekres

Changes from siderolabs/gen
1 commit

  • c526410 fix: skip unknown-key check for types with custom YAML unmarshaler

Dependency Changes
  • github.com/anchore/syft v1.42.4 -> v1.46.0
  • github.com/moby/buildkit v0.30.0 -> v0.31.1
  • github.com/siderolabs/gen v0.8.6 -> v0.8.7
  • go.yaml.in/yaml/v4 v4.0.0-rc.4 -> v4.0.0-rc.6
  • golang.org/x/sync v0.20.0 -> v0.21.0

Previous release can be found at v0.6.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-project-automation github-project-automation Bot moved this to To Do in Planning Mar 5, 2025
@talos-bot talos-bot moved this from To Do to In Review in Planning Mar 5, 2025
@smira smira removed this from Planning Mar 5, 2025
@renovate renovate Bot changed the title chore: update dependencies chore: update dependency git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git to v34 Mar 5, 2025
@renovate renovate Bot force-pushed the renovate/dependencies branch 2 times, most recently from 1d5ed39 to b460bd6 Compare March 7, 2025 10:49
@renovate renovate Bot changed the title chore: update dependency git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git to v34 chore: update dependencies Mar 7, 2025
@renovate renovate Bot force-pushed the renovate/dependencies branch 4 times, most recently from 4274135 to ff37e3d Compare March 14, 2025 23:26
@renovate renovate Bot force-pushed the renovate/dependencies branch 2 times, most recently from 8f606c5 to 7a78a37 Compare March 21, 2025 10:11
@renovate renovate Bot changed the title chore: update dependencies chore: update dependency swig/swig to v4.3.0 Mar 21, 2025
@renovate renovate Bot force-pushed the renovate/dependencies branch from 7a78a37 to 6afeb46 Compare March 21, 2025 12:12
@renovate renovate Bot changed the title chore: update dependency swig/swig to v4.3.0 chore: update dependencies Mar 21, 2025
@renovate renovate Bot force-pushed the renovate/dependencies branch 2 times, most recently from d0c7eed to 5dd4665 Compare March 26, 2025 08:03
@renovate renovate Bot force-pushed the renovate/dependencies branch 5 times, most recently from 21dffca to 3e5cc30 Compare April 4, 2025 08:02
@renovate renovate Bot force-pushed the renovate/dependencies branch 5 times, most recently from 9e4e461 to 50b1227 Compare April 10, 2025 19:25
@renovate renovate Bot force-pushed the renovate/dependencies branch from 50b1227 to 6f25a6c Compare April 12, 2025 19:44
@renovate renovate Bot force-pushed the renovate/dependencies branch 2 times, most recently from 7d27edc to 2d246a1 Compare May 15, 2025 11:13
@renovate renovate Bot force-pushed the renovate/dependencies branch from 2d246a1 to fa24ade Compare May 24, 2025 11:59
@renovate renovate Bot force-pushed the renovate/dependencies branch 4 times, most recently from e911e58 to 45f5a9b Compare June 6, 2025 10:50
@renovate renovate Bot force-pushed the renovate/dependencies branch 3 times, most recently from 80f9be9 to 368bed7 Compare June 15, 2025 07:57
@renovate renovate Bot force-pushed the renovate/dependencies branch from 368bed7 to 1e32b7e Compare June 28, 2025 08:11
@renovate renovate Bot force-pushed the renovate/dependencies branch 3 times, most recently from e29bbcf to 22d416a Compare July 8, 2025 19:49
@renovate renovate Bot force-pushed the renovate/dependencies branch 4 times, most recently from 62e43ac to 7c60459 Compare July 16, 2025 14:09
@renovate renovate Bot force-pushed the renovate/dependencies branch from 7c60459 to df0fcb8 Compare July 27, 2025 16:00
@renovate renovate Bot force-pushed the renovate/dependencies branch 4 times, most recently from 61fd535 to 777ba2e Compare August 7, 2025 12:34
@renovate renovate Bot force-pushed the renovate/dependencies branch 4 times, most recently from 5ce8a27 to f5f2e7b Compare August 16, 2025 03:13
@renovate renovate Bot force-pushed the renovate/dependencies branch 2 times, most recently from 70132b5 to 1edeced Compare August 24, 2025 23:14
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants