diff --git a/cluster-api-helm-controller.advisories.yaml b/cluster-api-helm-controller.advisories.yaml
index 7e20bdd4b1..9eab64971c 100644
--- a/cluster-api-helm-controller.advisories.yaml
+++ b/cluster-api-helm-controller.advisories.yaml
@@ -88,6 +88,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/bin/cluster-api-helm-controller
 scanner: grype
+ - timestamp: 2025-08-02T00:37:37Z
+ type: pending-upstream-fix
+ data:
+ note: "Upstream needs to make code changes in order to upgrade helm.sh/helm/v3 to 3.18.4. Pending PR is inflight awaiting upstream approval: https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/pull/420"
 - id: CGA-m548-vg3p-3399
 aliases:
@@ -124,3 +128,7 @@ advisories:
 componentType: go-module
 componentLocation: /usr/bin/cluster-api-helm-controller
 scanner: grype
+ - timestamp: 2025-08-02T00:37:37Z
+ type: pending-upstream-fix
+ data:
+ note: "Upstream needs to make code changes in order to upgrade helm.sh/helm/v3 to 3.18.4. Pending PR is inflight awaiting upstream approval: https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/pull/420"
diff --git a/python-3.10.advisories.yaml b/python-3.10.advisories.yaml
index c32731f000..5db65994d4 100644
--- a/python-3.10.advisories.yaml
+++ b/python-3.10.advisories.yaml
@@ -44,6 +44,10 @@ advisories:
 componentType: apk
 componentLocation: /.PKGINFO
 scanner: grype
+ - timestamp: 2025-08-01T00:32:23Z
+ type: pending-upstream-fix
+ data:
+ note: 'Upstream maintainers must release the backport PR for Python 3.10. The tarfile validation fix from gh-130577 is ready for 3.10 via PR #137176 but not yet merged and released. CVE-2025-8194 is fixed in Python 3.13.5+ but requires backporting to 3.10 branch. Reference: https://github.com/python/cpython/pull/137176'
 - id: CGA-5pmm-mmg3-pfp3
 aliases:
diff --git a/python-3.11.advisories.yaml b/python-3.11.advisories.yaml
index d4b6de4fdb..f5f9b3536e 100644
--- a/python-3.11.advisories.yaml
+++ b/python-3.11.advisories.yaml
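Review bot: The new pending-upstream-fix note records only the target helm version (3.18.4) and the upstream PR, not the helm.sh/helm/v3 version the package currently ships or whether the affected helm code paths are reachable from cluster-api-helm-controller, so a reader cannot judge exposure while the advisory stays open. Because the note says upstream must change code before it can take 3.18.4, a downstream module bump is presumably not an option, and the note should say so explicitly; the python-3.13 hunk in this same change shows the project does carry local patches, so it is worth recording whether that route was considered here. A re-check trigger would also help, e.g. append `Vendored helm.sh/helm/v3: <version>; re-evaluate when upstream PR #420 merges.` The second cluster-api hunk adds the identical note and the same applies there.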
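Review bot: The note says the 3.10 backport (PR #137176) is already written and only awaiting merge, yet unlike the python-3.13 hunk in this same change, which cherry-picks the gh-130577 fix into the package, python-3.10 (and likewise 3.11 and 3.12 in the later hunks) is left shipping the unpatched tarfile until an upstream release. Either apply the open backport PR as a local patch for these branches too, or state in the note why that was not done for them. The claim that CVE-2025-8194 `is fixed in Python 3.13.5+` also conflicts with the python-3.13 note in this change, which waits for a `3.13.6+` release; confirm the actual fixed release against the CPython changelog and use the same value in all four notes.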
@@ -184,6 +184,10 @@ advisories:
 componentType: apk
 componentLocation: /.PKGINFO
 scanner: grype
+ - timestamp: 2025-08-01T00:32:04Z
+ type: pending-upstream-fix
+ data:
+ note: 'Upstream maintainers must release the backport PR for Python 3.11. The tarfile validation fix from gh-130577 is ready for 3.11 via PR #137172 but not yet merged and released. CVE-2025-8194 is fixed in Python 3.13.5+ but requires backporting to 3.11 branch. Reference: https://github.com/python/cpython/pull/137172'
 - id: CGA-h6qq-2p9f-rrpx
 aliases:
diff --git a/python-3.12.advisories.yaml b/python-3.12.advisories.yaml
index 284ab3afcd..a0347ae178 100644
--- a/python-3.12.advisories.yaml
+++ b/python-3.12.advisories.yaml
@@ -278,6 +278,10 @@ advisories:
 componentType: apk
 componentLocation: /.PKGINFO
 scanner: grype
+ - timestamp: 2025-08-01T00:31:45Z
+ type: pending-upstream-fix
+ data:
+ note: 'Upstream maintainers must release the backport PR for Python 3.12. The tarfile validation fix from gh-130577 is ready for 3.12 via PR #137171 but not yet merged and released. CVE-2025-8194 is fixed in Python 3.13.5+ but requires backporting to 3.12 branch. Reference: https://github.com/python/cpython/pull/137171'
 - id: CGA-q3qc-6cj9-jg33
 aliases:
diff --git a/python-3.13.advisories.yaml b/python-3.13.advisories.yaml
index 1d6b4c4d20..dc035ef662 100644
--- a/python-3.13.advisories.yaml
+++ b/python-3.13.advisories.yaml
@@ -296,3 +296,7 @@ advisories:
 componentType: apk
 componentLocation: /.PKGINFO
 scanner: grype
+ - timestamp: 2025-08-01T01:03:45Z
+ type: pending-upstream-fix
+ data:
+ note: The tarfile validation fix from gh-130577 has been cherry-picked from Python 3.13 main branch to our python-3.13 package. However, this remains a pending-upstream-fix until an official Python 3.13.6+ release includes this security fix. The cherry-pick provides immediate protection while waiting for the upstream release.
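Review bot: The python-3.13 hunk says the package now carries the gh-130577 fix, but the event type stays `pending-upstream-fix`, which advisory consumers presumably read as "still affected", so scanners will keep flagging a build that the note itself says is protected. If the cherry-picked build has been published, a `fixed` event carrying that build's `fixedVersion` describes the state more accurately; if it has not, the note should say the patch is not yet in a released package rather than claiming immediate protection. This note is also the only one in the change left as an unquoted plain scalar; quote it like the others, `note: 'The tarfile validation fix from gh-130577 ... upstream release.'`, so a future edit that introduces `: ` or ` #` cannot change how the value parses.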