All errata/sisyphus_loongarch64/ALT-PU-2026-10692-1
ALT-PU-2026-10692-1

Package update openbao in branch sisyphus_loongarch64

Version2.5.5-alt1
Task#0
Published2026-07-07
Max severityHIGH
Severity:

Closed issues (12)

CVE-2026-32952
HIGH7.5

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patches the issue.

Published: 2026-04-24Modified: 2026-06-17
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-41889
LOW2.3

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.

Published: 2026-05-08Modified: 2026-06-17
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA-8w8f-r2xv-4q4j
MEDIUM6.5

OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types

Published: 2026-06-19
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GHSA-c36x-h252-g9x2
LOW2.1

OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808

Published: 2026-06-19
CVSS 4.0LOW 2.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
GHSA-j88v-2chj-qfwx
LOW2.3

pgx: SQL Injection via placeholder confusion with dollar quoted string literals

Published: 2026-04-22Modified: 2026-05-13
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
GHSA-mwr2-wmgp-crj6
LOW2.3

OpenBao's System Backend allows Unauthorized Management of the containing Namespace

Published: 2026-06-19
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N