Skip to content

NO-ISSUE: Refresh RPM lockfiles [SECURITY]#2059

Open
red-hat-konflux[bot] wants to merge 1 commit into
masterfrom
konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability
Open

NO-ISSUE: Refresh RPM lockfiles [SECURITY]#2059
red-hat-konflux[bot] wants to merge 1 commit into
masterfrom
konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability

Conversation

@red-hat-konflux
Copy link
Copy Markdown
Contributor

@red-hat-konflux red-hat-konflux Bot commented Apr 1, 2026
edited
Loading

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. rpm-lockfile labels Apr 1, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 1, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 1, 2026

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

This PR contains the following updates:

File rpm-prefetching/assisted-installer-controller/rpms.in.yaml:

Package Change
rsync 3.2.5-3.el9 -> 3.2.5-3.el9_7.2

rsync: Rsync: Out of bounds array access via negative index

CVE-2025-10158

More information

Details

An out of bounds read flaw has been discovered in rsync. A malicious client acting as the receiver of an rsync file transfer can trigger an OOB read via a negative array index. The rsync client requires at least read access to the remote rsync module to trigger the issue.

Severity

Moderate

References

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 1, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c0a2468-a616-4575-9884-e5950744f784

📥 Commits

Reviewing files that changed from the base of the PR and between 357a5bb and dc007b6.

📒 Files selected for processing (1)
  • rpm-prefetching/assisted-installer-controller/rpms.lock.yaml

Walkthrough

Updated the pinned rsync RPM dependency in the lock file from version 3.2.5-3.el9 to 3.2.5-3.el9_7.2. The update includes URL, checksum, and size adjustments for all supported architectures: aarch64, ppc64le, s390x, and x86_64.

Changes

Cohort / File(s) Summary
RPM Dependency Version Bump
rpm-prefetching/assisted-installer-controller/rpms.lock.yaml		 Updated rsync package metadata across all architectures from 3.2.5-3.el9 to 3.2.5-3.el9_7.2, modifying evr, sourcerpm, url, size, and checksum fields.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 1, 2026
@openshift-ci openshift-ci Bot requested review from jhernand and romfreiman April 1, 2026 20:24
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

2 similar comments
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 1, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.82%. Comparing base (5312670) to head (dc007b6).
⚠️ Report is 12 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #2059   +/-   ##
=======================================
  Coverage   48.82%   48.82%           
=======================================
  Files          20       20           
  Lines        4397     4397           
=======================================
  Hits         2147     2147           
  Misses       2026     2026           
  Partials      224      224
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@openshift-merge-bot
Copy link
Copy Markdown
Contributor

openshift-merge-bot Bot commented Apr 1, 2026

/retest-required

Remaining retests: 0 against base HEAD f388598 and 2 for PR HEAD 357a5bb in total

@red-hat-konflux
NO-ISSUE: Refresh RPM lockfiles [SECURITY]
dc007b6 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/master/rpm-lockfile-refresh-vulnerability branch from 357a5bb to dc007b6 Compare April 9, 2026 12:17
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 9, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 9, 2026

New changes are detected. LGTM label has been removed.

@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Apr 9, 2026

@red-hat-konflux[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhernand jhernand Awaiting requested review from jhernand

@romfreiman romfreiman Awaiting requested review from romfreiman

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. rpm-lockfile size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@openshift-ci-robot