Update registry.redhat.io/openshift4/ose-tools-rhel8 Docker digest to 6d7a592 [SECURITY]

[red-hat-konflux-kflux-prd-rh02]

This PR contains the following updates:

Package	Update	Change
registry.redhat.io/openshift4/ose-tools-rhel8	digest	c9fb4c7 -> 6d7a592

---

sudo: LPE via host option

CVE-2025-32462

More information

Details

A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (-h or --host). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (-l or --list) to determine what permissions a user has on a different system. However, this restriction can be bypassed, allowing a user to elevate their privileges on one system to the privileges they may have on a different system, effectively ignoring the host identifier in any sudoers rules. This vulnerability is particularly impactful for systems that share a single sudoers configuration file across multiple computers or use network-based user directories, such as LDAP, to provide sudoers rules on a system.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-32462
• https://bugzilla.redhat.com/show_bug.cgi?id=2374692
• https://www.cve.org/CVERecord?id=CVE-2025-32462
• https://nvd.nist.gov/vuln/detail/CVE-2025-32462
• https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
• https://www.sudo.ws/security/advisories/host_any/

---

baremetal-operator/apis: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD

CVE-2025-29781

More information

Details

A flaw was found in the Bare Metal Operator (BMO) Kubernetes API component. BMO enables users to load Secrets from arbitrary namespaces upon deployment of the namespace-scoped Custom Resource BMCEventSubscription. In affected versions, an adversary using a Kubernetes account with only namespace level roles (e.g. a tenant controlling a namespace) may create a BMCEventSubscription in their authorized namespace and then load Secrets from their unauthorized namespaces to another authorized namespace via the Baremetal Operator, which can lead to the exposure of secrets and credential information.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-29781
• https://bugzilla.redhat.com/show_bug.cgi?id=2353041
• https://www.cve.org/CVERecord?id=CVE-2025-29781
• https://nvd.nist.gov/vuln/detail/CVE-2025-29781
• https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c
• https://github.com/metal3-io/baremetal-operator/pull/2321
• https://github.com/metal3-io/baremetal-operator/pull/2322
• https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq
• https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md

---

libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList)

CVE-2024-55549

More information

Details

A flaw was found in libxslt. This vulnerability allows an attacker to trigger a use-after-free issue by excluding result prefixes.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2024-55549
• https://bugzilla.redhat.com/show_bug.cgi?id=2352484
• https://www.cve.org/CVERecord?id=CVE-2024-55549
• https://nvd.nist.gov/vuln/detail/CVE-2024-55549
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

---

libxslt: Use-After-Free in libxslt numbers.c

CVE-2025-24855

More information

Details

A flaw was found in libxslt numbers.c. This vulnerability allows a use-after-free, potentially leading to memory corruption or code execution via nested XPath evaluations where an XPath context node can be modified but not restored.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-24855
• https://bugzilla.redhat.com/show_bug.cgi?id=2352483
• https://www.cve.org/CVERecord?id=CVE-2025-24855
• https://nvd.nist.gov/vuln/detail/CVE-2025-24855
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/128

---

golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204

More information

Details

A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-30204
• https://bugzilla.redhat.com/show_bug.cgi?id=2354195
• https://www.cve.org/CVERecord?id=CVE-2025-30204
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://pkg.go.dev/vuln/GO-2025-3553

---

libxml2: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2

CVE-2025-6021

More information

Details

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2025-6021
• https://bugzilla.redhat.com/show_bug.cgi?id=2372406
• https://www.cve.org/CVERecord?id=CVE-2025-6021
• https://nvd.nist.gov/vuln/detail/CVE-2025-6021

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]
Once this PR has been reviewed and has the lgtm label, please assign lokanandaprabhu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a openshift-pipelines member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.