File _patchinfo of Package patchinfo.42816

<patchinfo incident="42816">
  <issue tracker="bnc" id="1257138">VUL-0: CVE-2026-24137: vexctl: github.com/sigstore/sigstore/pkg/tuf: legacy TUF client allows for arbitrary file writes with target cache path traversal</issue>
  <issue tracker="bnc" id="1256535">VUL-0: CVE-2026-22772: vexctl: github.com/sigstore/fulcio: MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services</issue>
  <issue tracker="bnc" id="1239323">VUL-0: CVE-2025-22869: vexctl: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
  <issue tracker="bnc" id="1240444">VUL-0: CVE-2025-30204: vexctl: github.com/golang-jwt/jwt/v4: jwt-go allows excessive memory allocation during header parsing</issue>
  <issue tracker="bnc" id="1239186">VUL-0: CVE-2025-22868: vexctl: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
  <issue tracker="bnc" id="1234486">VUL-0: CVE-2024-45337: vexctl: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto</issue>
  <issue tracker="bnc" id="1253802">VUL-0: CVE-2025-58181: vexctl: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
  <issue tracker="bnc" id="1237611">VUL-0: CVE-2025-27144: vexctl: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service</issue>
  <issue tracker="bnc" id="1238683">VUL-0: CVE-2025-22870: vexctl: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs</issue>
  <issue tracker="cve" id="2025-22869"/>
  <issue tracker="cve" id="2026-22772"/>
  <issue tracker="cve" id="2025-30204"/>
  <issue tracker="cve" id="2025-27144"/>
  <issue tracker="cve" id="2025-58181"/>
  <issue tracker="cve" id="2025-22870"/>
  <issue tracker="cve" id="2026-24137"/>
  <issue tracker="cve" id="2024-45337"/>
  <issue tracker="cve" id="2025-22868"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for vexctl</summary>
  <description>This update for vexctl fixes the following issues:

- Update to version 0.4.1+git78.f951e3a:
- CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2. (bsc#1239186)
- CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto. (bsc#1234486)
- CVE-2025-27144: Go JOSE's Parsing Vulnerable to Denial of Service. (bsc#1237611)
- CVE-2025-22870: proxy bypass using IPv6 zone IDs. (bsc#1238683)
- CVE-2025-22869: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh. (bsc#1239323)
- CVE-2025-30204: jwt-go allows excessive memory allocation during header parsing. (bsc#1240444)
- CVE-2025-58181: invalidated number of mechanisms can cause unbounded memory consumption. (bsc#1253802)
- CVE-2026-22772: MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services. (bsc#1256535)
- CVE-2026-24137: legacy TUF client allows for arbitrary file writes with target cache path traversal. (bsc#1257138)
</description>
</patchinfo>