strimzi-kafka-operator/0.49.1-r5: fix GHSA-cphf-4846-3xx9

6313974
Open

strimzi-kafka-operator/0.49.1-r5: cve remediation #78295

Octo STS / staging-autofix completed Jan 16, 2026 in 0s

Pull request does not have the "staging-autofix" label

## ci-cve-scan

The build failed due to a 'must-fix' CVE (GHSA-cphf-4846-3xx9) found in the vertx-core library. This vulnerability is present in both aarch64 and x86_64 builds of strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk and requires an upgrade to vertx-core version 4.5.24 or newer.

❌ Other error @ /opt/cruise-control/libs/vertx-core-4.5.8.jar
Command:
CVE Scan
Diagnostic:
Must-Fix CVEs Found: GHSA-cphf-4846-3xx9
Log Snippets:
This section clearly states that a 'must-fix' CVE was found and that the check will fail until it's resolved, indicating the primary cause of the build failure.
### ⚠️ Must-Fix CVEs Found

The following CVEs were marked as must-fix in the PR body:

  • GHSA-cphf-4846-3xx9 (found in: aarch64/strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk, x86_64/strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk)

This check will fail until these CVEs are resolved.


This context shows the specific file and package where the CVE was detected (vertx-core 4.5.8) and provides the fix version (4.5.24).
#### aarch64/strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk

```
└── 📄 /opt/cruise-control/libs/vertx-core-4.5.8.jar
        📦 vertx-core 4.5.8 (java-archive)
            Medium CVE-2026-1002 GHSA-cphf-4846-3xx9 fixed in 4.5.24
```

This context shows the specific file and package where the CVE was detected for the x86_64 architecture, confirming the same vulnerability and fix version.
#### x86_64/strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk

```
└── 📄 /opt/cruise-control/libs/vertx-core-4.5.8.jar
        📦 vertx-core 4.5.8 (java-archive)
            Medium CVE-2026-1002 GHSA-cphf-4846-3xx9 fixed in 4.5.24
```



## ci-cve-scan-db

A critical 'must-fix' CVE (GHSA-cphf-4846-3xx9) was detected in 'vertx-core 4.5.8', which is present in 'strimzi-kafka-operator-kafka-thirdparty-libs-cc' for both aarch64 and x86_64 architectures. This vulnerability is fixed in 'vertx-core 4.5.24' and is blocking the current check.

**Confidence:** 98%

<table style="width: 100%; border-collapse: collapse; table-layout: fixed;">
<tr><td style="border: 1px solid black; border-top-left-radius: 6px; border-top-right-radius: 6px; padding: 12px; font-size: 1.2em; font-weight: bold;">
❌ Other error</td></tr>
<tr><td style="border-left: 1px solid black; border-right: 1px solid black; padding: 12px;">
<b>Command:</b><br>
<pre style="overflow-x: auto; white-space: pre;">CVE Scan</pre>
</td></tr>
<tr><td style="border-left: 1px solid black; border-right: 1px solid black; padding: 12px;">
<b>Diagnostic:</b><br>
<pre style="overflow-x: auto; white-space: nowrap;">Must-Fix CVE GHSA-cphf-4846-3xx9 found in vertx-core 4.5.8, fixed in 4.5.24</pre>
</td></tr>
<tr><td style="border-left: 1px solid black; border-right: 1px solid black; border-bottom: 1px solid black; border-bottom-left-radius: 6px; border-bottom-right-radius: 6px; padding: 12px;">
<b>Log Snippets:</b><br>
<details>
<summary><i>Indicates the presence of critical vulnerabilities.</i></summary>
<pre style="overflow-x: auto; white-space: nowrap;">### ⚠️ Must-Fix CVEs Found</pre>
</details>
<br>
<details>
<summary><i>Identifies the specific 'must-fix' CVE and the affected packages/architectures.</i></summary>
<pre style="overflow-x: auto; white-space: nowrap;">The following CVEs were marked as must-fix in the PR body:

- GHSA-cphf-4846-3xx9 (found in: aarch64/strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk, x86_64/strimzi-kafka-operator-kafka-thirdparty-libs-cc-0.49.1-r6.apk)</pre>
</details>
<br>
<details>
<summary><i>Explains that this CVE is a blocking issue.</i></summary>
<pre style="overflow-x: auto; white-space: nowrap;">This check will fail until these CVEs are resolved.</pre>
</details>
<br>
<details>
<summary><i>Details the vulnerable component (vertx-core 4.5.8) and the version containing the fix (4.5.24) for aarch64.</i></summary>
<pre style="overflow-x: auto; white-space: nowrap;">└── 📄 /opt/cruise-control/libs/vertx-core-4.5.8.jar
        📦 vertx-core 4.5.8 (java-archive)
            Medium CVE-2026-1002 GHSA-cphf-4846-3xx9 fixed in 4.5.24</pre>
</details>
<br>
<details>
<summary><i>Details the vulnerable component (vertx-core 4.5.8) and the version containing the fix (4.5.24) for x86_64.</i></summary>
<pre style="overflow-x: auto; white-space: nowrap;">└── 📄 /opt/cruise-control/libs/vertx-core-4.5.8.jar
        📦 vertx-core 4.5.8 (java-archive)
            Medium CVE-2026-1002 GHSA-cphf-4846-3xx9 fixed in 4.5.24</pre>
</details>
<br>
</td></tr>
</table>
