chore(deps): update registry.redhat.io/openshift4/ose-tools-rhel8 docker digest to c62c9ea [security]

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Update	Change
registry.redhat.io/openshift4/ose-tools-rhel8	digest	898540b -> c62c9ea

---

golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html

CVE-2024-45338

More information

Details

A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2024-45338
• https://bugzilla.redhat.com/show_bug.cgi?id=2333122
• https://www.cve.org/CVERecord?id=CVE-2024-45338
• https://nvd.nist.gov/vuln/detail/CVE-2024-45338
• https://go.dev/cl/637536
• https://go.dev/issue/70906
• https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ
• https://pkg.go.dev/vuln/GO-2024-3333

---

libxslt: Use-After-Free in libxslt numbers.c

CVE-2025-24855

More information

Details

A flaw was found in libxslt numbers.c. This vulnerability allows a use-after-free, potentially leading to memory corruption or code execution via nested XPath evaluations where an XPath context node can be modified but not restored.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-24855
• https://bugzilla.redhat.com/show_bug.cgi?id=2352483
• https://www.cve.org/CVERecord?id=CVE-2025-24855
• https://nvd.nist.gov/vuln/detail/CVE-2025-24855
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/128

---

libxml: use-after-free in xmlXIncludeAddNode

CVE-2022-49043

More information

Details

A flaw was found in libxml2 where improper handling of memory allocation failures in libxml2 can lead to crashes, memory leaks, or inconsistent states. While an attacker cannot directly control allocation failures, they may trigger denial-of-service conditions under extreme system stress.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2022-49043
• https://bugzilla.redhat.com/show_bug.cgi?id=2342118
• https://www.cve.org/CVERecord?id=CVE-2022-49043
• https://nvd.nist.gov/vuln/detail/CVE-2022-49043
• https://github.com/php/php-src/issues/17467
• https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b

---

golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204

More information

Details

A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-30204
• https://bugzilla.redhat.com/show_bug.cgi?id=2354195
• https://www.cve.org/CVERecord?id=CVE-2025-30204
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://pkg.go.dev/vuln/GO-2025-3553

---

libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList)

CVE-2024-55549

More information

Details

A flaw was found in libxslt. This vulnerability allows an attacker to trigger a use-after-free issue by excluding result prefixes.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2024-55549
• https://bugzilla.redhat.com/show_bug.cgi?id=2352484
• https://www.cve.org/CVERecord?id=CVE-2024-55549
• https://nvd.nist.gov/vuln/detail/CVE-2024-55549
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

---

golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws

CVE-2025-22868

More information

Details

A flaw was found in the golang.org/x/oauth2/jws package in the token parsing component. This vulnerability is made possible because of the use of strings.Split(token, ".") to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-22868
• https://bugzilla.redhat.com/show_bug.cgi?id=2348366
• https://www.cve.org/CVERecord?id=CVE-2025-22868
• https://nvd.nist.gov/vuln/detail/CVE-2025-22868
• https://go.dev/cl/652155
• https://go.dev/issue/71490
• https://pkg.go.dev/vuln/GO-2025-3488

---

grub2: net: Out-of-bounds write in grub_net_search_config_file()

CVE-2025-0624

More information

Details

A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-0624
• https://bugzilla.redhat.com/show_bug.cgi?id=2346112
• https://www.cve.org/CVERecord?id=CVE-2025-0624
• https://nvd.nist.gov/vuln/detail/CVE-2025-0624

---

kernel: ALSA: usb-audio: Fix out of bounds reads when finding clock sources

CVE-2024-53150

More information

Details

A vulnerability was found in the Linux kernel's USB Audio driver. This flaw can allow an attacker with physical access to the system to use a malicious USB device to gain additional access. This is possible by reading arbitrary system memory.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2024-53150
• https://bugzilla.redhat.com/show_bug.cgi?id=2333971
• https://www.cve.org/CVERecord?id=CVE-2024-53150
• https://nvd.nist.gov/vuln/detail/CVE-2024-53150
• https://lore.kernel.org/linux-cve-announce/2024122427-CVE-2024-53150-3a7d@gregkh/T
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

---

sudo: LPE via host option

CVE-2025-32462

More information

Details

A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (-h or --host). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (-l or --list) to determine what permissions a user has on a different system. However, this restriction can be bypassed, allowing a user to elevate their privileges on one system to the privileges they may have on a different system, effectively ignoring the host identifier in any sudoers rules. This vulnerability is particularly impactful for systems that share a single sudoers configuration file across multiple computers or use network-based user directories, such as LDAP, to provide sudoers rules on a system.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-32462
• https://bugzilla.redhat.com/show_bug.cgi?id=2374692
• https://www.cve.org/CVERecord?id=CVE-2025-32462
• https://nvd.nist.gov/vuln/detail/CVE-2025-32462
• https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
• https://www.sudo.ws/security/advisories/host_any/

---

baremetal-operator/apis: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD

CVE-2025-29781

More information

Details

A flaw was found in the Bare Metal Operator (BMO) Kubernetes API component. BMO enables users to load Secrets from arbitrary namespaces upon deployment of the namespace-scoped Custom Resource BMCEventSubscription. In affected versions, an adversary using a Kubernetes account with only namespace level roles (e.g. a tenant controlling a namespace) may create a BMCEventSubscription in their authorized namespace and then load Secrets from their unauthorized namespaces to another authorized namespace via the Baremetal Operator, which can lead to the exposure of secrets and credential information.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-29781
• https://bugzilla.redhat.com/show_bug.cgi?id=2353041
• https://www.cve.org/CVERecord?id=CVE-2025-29781
• https://nvd.nist.gov/vuln/detail/CVE-2025-29781
• https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c
• https://github.com/metal3-io/baremetal-operator/pull/2321
• https://github.com/metal3-io/baremetal-operator/pull/2322
• https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq
• https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md

---

golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh

CVE-2025-22869

More information

Details

A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-22869
• https://bugzilla.redhat.com/show_bug.cgi?id=2348367
• https://www.cve.org/CVERecord?id=CVE-2025-22869
• https://nvd.nist.gov/vuln/detail/CVE-2025-22869
• https://go.dev/cl/652135
• https://go.dev/issue/71931
• https://pkg.go.dev/vuln/GO-2025-3487

---

github.com/golang/glog: Vulnerability when creating log files in github.com/golang/glog

CVE-2024-45339

More information

Details

A flaw was found in glog, a logging library. This vulnerability allows an unprivileged attacker to overwrite sensitive files via a symbolic link planted in a widely writable directory, exploiting the log file path predictability.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2024-45339
• https://bugzilla.redhat.com/show_bug.cgi?id=2342463
• https://www.cve.org/CVERecord?id=CVE-2024-45339
• https://nvd.nist.gov/vuln/detail/CVE-2024-45339
• https://github.com/golang/glog/pull/74
• https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2
• https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs
• https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
• https://pkg.go.dev/vuln/GO-2025-3372

---

libxml2: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2

CVE-2025-6021

More information

Details

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-6021
• https://bugzilla.redhat.com/show_bug.cgi?id=2372406
• https://www.cve.org/CVERecord?id=CVE-2025-6021
• https://nvd.nist.gov/vuln/detail/CVE-2025-6021

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]
Once this PR has been reviewed and has the lgtm label, please assign lucifergene for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-pipelines member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.