Added fixed security issues for 1.4.3 (#1059)

pabel-rh · web-flow · commit 3c941079968f · 2025-04-07T16:29:13.000+01:00
diff --git a/assemblies/assembly-release-notes-fixed-security-issues.adoc b/assemblies/assembly-release-notes-fixed-security-issues.adoc
@@ -5,6 +5,11 @@
 This section lists security issues fixed in {product} {product-version}.
 
 == {product} {product-bundle-version}
+include::./modules/release-notes/snip-fixed-security-issues-in-product-1.4.3.adoc[leveloffset=+2]
+
+// nothing yet so don't include this
+// include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.2.adoc[leveloffset=+2]
+== {product} 1.4.2
 include::./modules/release-notes/snip-fixed-security-issues-in-product-1.4.2.adoc[leveloffset=+2]
 
 // nothing yet so don't include this
diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.4.3.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.4.3.txt
@@ -0,0 +1,3 @@
+CVE-2025-27516
+CVE-2025-29775
+CVE-2025-29774
diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.4.3.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.4.3.txt
diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.4.3.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.4.3.adoc
@@ -0,0 +1,10 @@
+= {product} dependency updates
+
+link:https://access.redhat.com/security/cve/CVE-2025-27516[CVE-2025-27516]::
+A flaw was found in Jinja. In affected versions, an oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox.
+
+link:https://access.redhat.com/security/cve/CVE-2025-29774[CVE-2025-29774]::
+A flaw was found in the xml-crypto library for Node.js. An attacker can exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto to verify signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks.
+
+link:https://access.redhat.com/security/cve/CVE-2025-29775[CVE-2025-29775]::
+A flaw was found in the xml-crypto library for Node.js. An attacker can exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto to verify signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks.
diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.3.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.3.adoc
@@ -0,0 +1 @@
+= RHEL 9 platform RPM updates

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+CVE-2025-27516`
	`2`	`+CVE-2025-29775`
	`3`	`+CVE-2025-29774`