SUSE-CU-2026:4723-1: Security update of private-registry/harbor-trivy-adapter
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Thu May 7 07:25:38 UTC 2026
SUSE Container Update Advisory: private-registry/harbor-trivy-adapter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4723-1
Container Tags : private-registry/harbor-trivy-adapter:1.1.2 , private-registry/harbor-trivy-adapter:1.1.2-2.34 , private-registry/harbor-trivy-adapter:latest
Container Release : 2.34
Severity : important
Type : security
References : 1255366 1258094 1258513 1260193 1260971 1261052 1262389 1262893
CVE-2025-64702 CVE-2025-66564 CVE-2025-69725 CVE-2026-25934 CVE-2026-33186
CVE-2026-33747 CVE-2026-33748 CVE-2026-34986 CVE-2026-39984
-----------------------------------------------------------------
The container private-registry/harbor-trivy-adapter was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1722-1
Released: Wed May 6 16:56:29 2026
Summary: Security update for trivy
Type: security
Severity: important
References: 1255366,1258094,1258513,1260193,1260971,1261052,1262389,1262893,CVE-2025-64702,CVE-2025-66564,CVE-2025-69725,CVE-2026-25934,CVE-2026-33186,CVE-2026-33747,CVE-2026-33748,CVE-2026-34986,CVE-2026-39984
This update for trivy fixes the following issues:
- Update to version 0.70.0:
* CVE-2026-33186: Fixed authorization bypass due to improper validation of
the HTTP/2 :path pseudo-header (bsc#1260193)
* CVE-2026-33747: Fixed malicious API messages causing files to be written
outside of the BuildKit state directory(bsc#1260971)
* CVE-2026-33748: Fixed insufficient validation of Git URL fragment subdir
components (bsc#1261052)
* CVE-2026-39984: Fixed improper certificate validation (bsc#1262389)
* CVE-2026-34986: Fixed denial of service via crafted JWE input (bsc#1262893)
* chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#10496)
* chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#10526)
* chore(deps): bump the common group across 1 directory with 8 updates (#10540)
* chore(deps): bump the docker group across 1 directory with 2 updates (#10538)
* fix: use Development category for GoReleaser discussions (#10530)
* chore(deps): bump testcontainers-go to v0.42.0 (#10531)
* chore: update CODEOWNERS (#10529)
* chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#10511)
* chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#10510)
* chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 (#10449)
* ci: migrate from mkdocs-material-insiders to mkdocs-material (#10509)
* chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#10508)
* ci: update runners for workflows that interact with GitHub API (#10502)
* ci: rename tokens and update runners (#10500)
* ci: trigger helm chart publishing via helm-charts workflow (#10474)
* ci: remove ruleset update step from release-please workflow (#10499)
* ci: use large runner and replace ORG_REPO_TOKEN in release-please workflow (#10498)
* ci: trigger rpm/deb deployment via trivy-repo workflow (#10476)
* fix: remove os.Stdout from wazero module config (#10403)
* chore(deps): bump the common group across 1 directory with 22 updates (#10408)
* chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#10407)
* fix(flag): validate template file extension (#10296)
* fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without layer info (#10378)
* fix: handle Go 1.26 GOEXPERIMENT version format change (#10351)
* fix(python): handle multiple version specifiers in requirements.txt (#10361)
* ci: run Trivy version bump in trivy-action (#10272)
* fix(python): nil pointer dereference with optional poetry groups without dependencies (#10359)
* ci: replace personal email with github-actions[bot] in workflows (#10369)
* chore: replace smithy epoch parsing with stdlib time.Unix (#10286)
* test: update golden files for purl changes (#10372)
* ci: add zizmor to scan GitHub Actions workflows (#10322)
* refactor: log statuses as strings (#10285)
* ci: add build provenance attestations for release artifacts (#10316)
* fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#10368)
* fix(report): set correct sarif ROOTPATH uri when scanning a git repository (#10366)
* perf(plugin): optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#10325)
* docs: correct typos in CHANGELOG and diagram (#10320)
* chore: delete roadmap wf (#10295)
* ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3 (#10310)
* fix(cyclonedx): include CVSS v4 vulnerability ratings (#10313)
* fix: detected vulnerability fields in azure and mariner detector (#10275)
* ci: add persist-credentials: false to checkout steps (#10306)
* ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2 (#10270)
* chore(deps): bump the common group across 1 directory with 8 updates (#10248)
* chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#10257)
* chore(deps): bump the aws group across 1 directory with 6 updates (#10249)
* chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#10241)
* ci: remove apidiff workflow (#10259)
* chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible in the docker group across 1 directory (#10221)
* ci: bump golangci-lint to v2.10 in cache-test-assets (#10243)
* feat(java): add support for proxy configuration from Maven settings.xml (#10187)
* chore(deps): bump the github-actions group across 3 directories with 11 updates (#10242)
* feat(python): add pylock.toml support (#10137)
* chore: bump SPDX license IDs and exceptions to `v3.28.0` (#10233)
* docs: fix typos and upgrade insecure HTTP links to HTTPS (#10219)
* chore: bump golangci-lint to v2.10.0 (#10223)
* feat(misconf): support for azurerm_network_interface_security_group_association (#10215)
* ci: pin Docker Engine to v29 for integration tests (#10232)
* feat(go): detect version from ELF symbol table for binaries built with -trimpath (#10197)
* docs: migrate private registry documentation from GCR to GAR (#10208)
* chore(deps): bump the common group across 1 directory with 24 updates (#10206)
* chore(deps): update Docker client SDK to v29 (#10202)
* test: update Docker Engine integration tests for Docker API v0.29.0+ compatibility (#10199)
* fix(misconf): initialize custom annotation field if empty (#10123)
* feat(ubuntu): add eol data for 25.10 (#10181)
* docs: fix incorrect count of Python package managers (#10175)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#10179)
* feat(misconf): resolve Azure resources via resource_id (#10173)
* ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#10155)
* refactor: remove unused Insecure field from ServiceOption (#10113)
* refactor: reduce complexity of init in detect.go (#10163)
* feat(misconf): adapt ARM k8s clusters (#9696) (#10125)
* docs: update version endpoint example in client/server documentation (#10151)
* feat(vuln): skip third-party packages in common Detect function (#10129)
* ci: add composite action for Go setup (#10146)
* fix(misconf): apply check aliases when filtering results via .trivyignore (#10112)
* docs(terraform): add limitation for data sources and computed resource attributes (#10128)
* fix: update PhotonOS feed URL (#10122)
* feat(server): include server version info in JSON output for client/server mode (#10075)
* chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107)
* refactor: unify scanner error limit and compiler limit (#10106)
* ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#10103)
* fix(java): Disable overwriting exclusions (#10088)
* refactor(rust): use txtar format for cargo analyzer test data (#10104)
* feat(python): add pylock.toml (PEP 751) parser (#9632)
* chore(deps): bump the aws group across 1 directory with 6 updates (#10068)
* fix(server): exclude JavaDB and CheckBundle from /version endpoint (#10100)
- Update to version 0.69.3:
* CVE-2026-25934: Fixed improper verification of data integrity values for .pack and .idx files (bsc#1258094)
* fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)
* release: v0.69.2 [release/v0.69] (#10266)
* fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#10267)
* fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#10264)
* ci: remove apidiff workflow
* release: v0.69.1 [release/v0.69] (#10145)
* ci: add composite action for Go setup [backport: release/v0.69] (#10150)
* fix(misconf): apply check aliases when filtering results via .trivyignore [backport: release/v0.69] (#10143)
* chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs [backport: release/v0.69] (#10135)
- Update to version 0.69.0:
* CVE-2025-64702: Fixed quic-go HTTP/3 QPACK Header Expansion DoS (bsc#1255366)
* CVE-2025-69725: Fixed incorrect input validation in the RedirectSlashes function (bsc#1258513)
* chore: bump trivy-checks to v2 (#9875)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 (#10091)
* fix(repo): return a nil interface for gitAuth if missing (#10097)
* fix(java): correctly inherit properties from parent fields for pom.xml files (#9111)
* fix(rust): implement version inheritance for Cargo mono repos (#10011)
* feat(activestate): add support ActiveState images (#10081)
* feat(vex): support per-repo tls configuration (#10030)
* refactor: allow per-request transport options override (#10083)
* chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#10084)
* chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#10085)
* fix(java): correctly propagate repositories from upper POMs to dependencies (#10077)
* feat(rocky): enable modular package vulnerability detection (#10069)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 (#10079)
* docs: fix mistake in config file example for skip-dirs/skip-files flag (#10070)
* feat(report): add Trivy version to JSON output (#10065)
* fix(rust): add cargo workspace members glob support (#10032)
* feat: add AnalyzedBy field to track which analyzer detected packages (#10059)
* fix: use canonical SPDX license IDs from embeded licenses.json (#10053)
* docs: fix link to Docker Image Specification (#10057)
* feat(secret): add detection for Symfony default secret key (#9892)
* refactor(misconf): move common logic to base value and simplify typed values (#9986)
* fix(java): add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#9880)
* feat(misconf): use Terraform plan configuration to partially restore schema (#9623)
* feat(misconf): add action block to Terraform schema (#10035)
* fix(misconf): correct typos in block and attribute names (#9993)
* test(misconf): simplify test values using *Test helpers (#9985)
* fix(misconf): safely parse rotation_period in google_kms_crypto_key (#9980)
* feat(misconf): support for ARM resources defined as an object (#9959)
* feat(misconf): support for azurerm_*_web_app (#9944)
* test: migrate private test helpers to `export_test.go` convention (#10043)
* chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2 (#10048)
* fix(secret): improve word boundary detection for Hugging Face tokens (#10046)
* fix(go): use ldflags version for all pseudo-versions (#10037)
* chore: switch to ID from AVDID in internal and user-facing fields (#9655)
* refactor(misconf)!: use ID instead of AVDID for providers mapping (#9752)
* fix: move enum into items for array-type fields in JSON Schema (#10039)
* docs: fix incorrect documentation URLs (#10038)
* feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033)
* fix(docker): fix non-det scan results for images with embedded SBOM (#9866)
* chore(deps): bump the github-actions group with 11 updates (#10001)
* test: fix assertion after 2026 roll over (#10002)
* fix(vuln): skip vulns detection for CentOS Stream family without scan failure (#9964)
* fix(license): normalize licenses for PostAnalyzers (#9941)
* feat(nodejs): parse licenses from `package-lock.json` file (#9983)
* chore: update reference links to Go Wiki (#9987)
* refactor: add xslices.Map and replace lo.Map usages (#9984)
* fix(image): race condition in image artifact inspection (#9966)
* feat(flag): add JSON Schema for trivy.yaml configuration file (#9971)
* refactor(debian): use txtar format for test data (#9957)
* chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to `v0.21.0` (#9973)
* feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930)
* feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932)
* docs: add info that `--file-pattern` flag doesn't disable default behaviuor (#9961)
* perf(misconf): optimize string concatenation in azure scanner (#9969)
* chore: add client option to install script (#9962)
* ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956)
* chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952)
* docs: update binary signature verification for sigstore bundles (#9929)
* chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935)
* chore(alpine): add EOL date for alpine 3.23 (#9934)
* feat(cloudformation): add support for Fn::ForEach (#9508)
* ci: enable `check-latest` for `setup-go` (#9931)
* feat(debian): detect third-party packages using maintainer list (#9917)
* fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924)
* feat(helm): add sslCertDir parameter (#9697)
* fix(misconf): respect .yml files when Helm charts are detected (#9912)
* feat(php): add support for dev dependencies in Composer (#9910)
* chore(deps): bump the common group across 1 directory with 9 updates (#9903)
* chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859)
* fix: remove trailing tab in statefulset template (#9889)
* feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)
* feat(misconf): initial ansible scanning support (#9332)
* feat(misconf): Update Azure Database schema (#9811)
* ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869)
* chore: update the install script (#9874)
The following package changes have been done:
- trivy-0.70.0-150000.1.12.1 updated
- system-user-harbor-2.14.3-150700.1.15 updated
- container:suse-sle15-15.7-07d8c80b3c1b8287450453b5fb7fab24c31e32ee657f87deeb820b65120b8658-0 updated
More information about the sle-container-updates
mailing list