From 5b7e9047fc7c27ba02fddfc47cb64a44a11c6587 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Mon, 15 Jun 2026 11:04:06 +1000 Subject: [PATCH] UID2-6385/UID2-6481: extend CVE-2025-66293 expiry, remove CVE-2025-68973 CVE-2025-66293 (libpng OOB read): extended expiry to 2026-09-15 with an improved comment explaining the Java service does not use libpng's PNG processing API. Fix is available in Alpine 3.23 >= 1.6.53-r0 but the pinned eclipse-temurin image has not yet been rebuilt with it. CVE-2025-68973 (GnuPG OOB write): removed suppression. gnupg 2.4.9-r0 (the patched version) has been in Alpine 3.23 since January 2026 and the pinned image was last rebuilt in May 2026, so the fix is present in the current image. uid2-operator is a pure Java service that does not invoke GnuPG, so this was doubly moot. Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.trivyignore b/.trivyignore index 773e22e06..210a8c807 100644 --- a/.trivyignore +++ b/.trivyignore @@ -2,11 +2,12 @@ # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ # for more details -# UID2-6385 -CVE-2025-66293 exp:2026-06-15 - -# UID2-6481 -CVE-2025-68973 exp:2026-06-15 +# libpng OOB read in png_image_read_composite - uid2-operator is a pure Java service +# that never calls into libpng's simplified PNG processing API; the JVM does not use +# libpng for image handling. Fix is available in Alpine 3.23 >= 1.6.53-r0 but the +# pinned eclipse-temurin image has not yet been rebuilt with it (tracked alongside +# sibling CVE-2026-25646 which shares the same base-image lag). See: UID2-6385 +CVE-2025-66293 exp:2026-09-15 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API # See: UID2-6670
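Review bot: the new comment block for CVE-2025-66293 says the base-image lag is "tracked alongside sibling CVE-2026-25646", but no suppression line for CVE-2026-25646 appears in this hunk, so either that CVE is not currently reported against the image (in which case the reference is confusing and should be dropped) or it is and will fail the scan without its own `CVE-2026-25646 exp:...` entry carrying the same rationale; please make the comment match the entries that actually follow it. Two smaller points in the same hunk: the dropped `CVE-2025-68973` suppression rests on the commit message's claim that the May 2026 rebuild of the pinned eclipse-temurin image already carries gnupg 2.4.9-r0, so attach the Trivy output (or the image digest scanned) in the PR so the next reader can verify it rather than re-derive it from Alpine package dates, and the filter-syntax link at the top of the file still points at the trivy v0.35 docs, which is worth bumping to the version the pipeline runs since the `exp:` suffix semantics are what this change depends on.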