File _patchinfo of Package patchinfo.42061

<patchinfo incident="42061">
  <issue tracker="bnc" id="1251547">VUL-0: CVE-2025-58190: trivy: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
  <issue tracker="bnc" id="1253977">VUL-0: CVE-2025-47914: trivy: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read</issue>
  <issue tracker="bnc" id="1251363">VUL-0: CVE-2025-47911: trivy: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
  <issue tracker="bnc" id="1253512">VUL-0: CVE-2025-47913: trivy: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request</issue>
  <issue tracker="bnc" id="1253786">VUL-0: CVE-2025-58181: trivy: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption</issue>
  <issue tracker="cve" id="2025-58181"/>
  <issue tracker="cve" id="2025-47913"/>
  <issue tracker="cve" id="2025-47911"/>
  <issue tracker="cve" id="2025-47914"/>
  <issue tracker="cve" id="2025-58190"/>
  <packager>dirkmueller</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for trivy</summary>
  <description>This update for trivy fixes the following issues:

Update to version 0.68.2.

Security issues fixed:

- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
  (bsc#1251363).
- CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in
  response to a key listing or signing request (bsc#1253512).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: lack of message size validation in SSH Agent servers leads to an
  out-of-bounds read when processing new identity requests (bsc#1253977).
- CVE-2025-58181: golang.org/x/crypto/ssh: missing validations in SSH servers lead to excessive memory consumption
  when parsing GSSAPI authentication requests (bsc#1253786).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially
  crafted input (bsc#1251547).

Other updates and bugfixes:

- Version 0.68.2:
  * fix(deps): bump alpine from 3.22.1 to 3.23.0 (#9949)

- Version 0.68.1:
  * fix: update cosign settings for GoReleaser after bumping cosign to v3 (#9863)
  * chore(deps): bump the testcontainers group with 2 updates (#9506)

- Version 0.68.0:
  * feat(aws): Add support for dualstack ECR endpoints (#9862)
  * fix(vex): use a separate `visited` set for each DFS path (#9760)
  * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
  * chore(cli): Remove Trivy Cloud (#9847)
  * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
  * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
  * chore(deps): bump the docker group with 3 updates (#9776)
  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
  * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
  * feat(image): add Sigstore bundle SBOM support (#9516)
  * chore(deps): bump the aws group with 7 updates (#9691)
  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
  * feat(sbom): add support for SPDX attestations (#9829)
  * feat(misconf): Update Azure network schema for new checks (#9791)
  * feat(misconf): Update AppService schema (#9792)
  * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
  * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
  * feat(report): add fingerprint generation for vulnerabilities (#9794)
  * chore: trigger the trivy-www workflow (#9737)
  * fix: update all documentation links (#9777)
  * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
  * feat(flag): add `--cacert` flag (#9781)
  * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
  * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
  * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files
    (#9751)
  * feat(db): enable concurrent access to vulnerability database (#9750)
  * feat(misconf): add agentpools to azure container schema (#9714)
  * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
  * feat(misconf): Update Azure Compute schema (#9675)
  * feat(misconf): Update azure storage schema (#9728)
  * feat(misconf): Update SecurityCenter schema (#9674)
  * feat(image): pass global context to docker/podman image save func (#9733)
  * chore(deps): bump the github-actions group with 4 updates (#9739)
  * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
  * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
  * feat(dotnet): add dependency graph support for .deps.json files (#9726)
  * feat(misconf): Add support for configurable Rego error limit (#9657)
  * feat(misconf): Add RoleAssignments attribute (#9396)
  * feat(report): add image reference to report metadata (#9729)
  * fix(os): Add photon 5.0 in supported OS (#9724)
  * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
  * refactor: add case-insensitive string set implementation (#9720)
  * feat: include registry and repository in artifact ID calculation (#9689)
  * feat(java): add support for remote repositories from settings.xml files (#9708)
  * fix(sbom): don&#8217;t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
  * fix(report): correct field order in SARIF license results (#9712)
  * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
  * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
  * fix: close all opened resources if an error occurs (#9665)
  * refactor(misconf): type-safe parser results in generic scanner (#9685)
  * feat(image): add RepoTags support for Docker archives (#9690)
  * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
  * feat(misconf): Update Azure Container Schema (#9673)
  * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
  * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
  * refactor(cli): Update the cloud config command (#9676)
  * fix(sbom): add `buildInfo` info as properties (#9683)
  * feat: add ReportID field to scan reports (#9670)
  * feat(cli): Add trivy cloud support (#9637)
  * feat: add ArtifactID field to uniquely identify scan targets (#9663)
  * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
  * feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
  * fix: use context for analyzers (#9538)
  * chore(deps): bump the docker group with 3 updates (#9545)
  * chore(deps): bump the aws group with 6 updates (#9547)
  * fix: Trim the end-of-range suffix (#9618)
  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
  * refactor: move the aws config (#9617)
  * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
  * fix: using SrcVersion instead of Version for echo detector (#9552)
  * feat(fs): change artifact type to repository when git info is detected (#9613)
  * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
  * fix(vex): don't use reused BOM (#9604)
  * fix: restore compatibility for google.protobuf.Value (#9559)
  * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
  * feat: allow ignoring findings by type in Rego (#9578)
  * refactor(misconf): add ID to scan.Rule (#9573)
  * fix(java): update order for resolving package fields from multiple demManagement (#9575)
  * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
  * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
  * chore(deps): Switch to go-viper/mapstructure (#9579)
  * chore: add context to the cache interface (#9565)
  * fix: validate backport branch name (#9548)
</description>
</patchinfo>