{"id":"openSUSE-SU-2026:20702-1","summary":"Security update for trivy","details":"This update for trivy fixes the following issues:\n\nChanges in trivy:\n\n- Update to version 0.70.0 (\n     bsc#1260193, CVE-2026-33186,\n     bsc#1260971, CVE-2026-33747,\n     bsc#1261052, CVE-2026-33748,\n     bsc#1262389, CVE-2026-39984,\n     bsc#1262893, CVE-2026-34986):\n  * release: v0.70.0 [main] (#10105)\n  * chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#10496)\n  * chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#10526)\n  * chore(deps): bump the common group across 1 directory with 8 updates (#10540)\n  * chore(deps): bump the docker group across 1 directory with 2 updates (#10538)\n  * fix: use Development category for GoReleaser discussions (#10530)\n  * chore(deps): bump testcontainers-go to v0.42.0 (#10531)\n  * chore: update CODEOWNERS (#10529)\n  * chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#10511)\n  * chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#10510)\n  * chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 (#10449)\n  * ci: migrate from mkdocs-material-insiders to mkdocs-material (#10509)\n  * chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#10508)\n  * ci: update runners for workflows that interact with GitHub API (#10502)\n  * ci: rename tokens and update runners (#10500)\n  * ci: trigger helm chart publishing via helm-charts workflow (#10474)\n  * ci: remove ruleset update step from release-please workflow (#10499)\n  * ci: use large runner and replace ORG_REPO_TOKEN in release-please workflow (#10498)\n  * ci: trigger rpm/deb deployment via trivy-repo workflow (#10476)\n  * fix: remove os.Stdout from wazero module config (#10403)\n  * chore(deps): bump the common group across 1 directory with 22 updates (#10408)\n  * chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#10407)\n  * fix(flag): validate template file extension (#10296)\n  * fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without layer info (#10378)\n  * fix: handle Go 1.26 GOEXPERIMENT version format change (#10351)\n  * fix(python): handle multiple version specifiers in requirements.txt (#10361)\n  * ci: run Trivy version bump in trivy-action (#10272)\n  * fix(python): nil pointer dereference with optional poetry groups without dependencies (#10359)\n  * ci: replace personal email with github-actions[bot] in workflows (#10369)\n  * chore: replace smithy epoch parsing with stdlib time.Unix (#10286)\n  * test: update golden files for purl changes (#10372)\n  * ci: add zizmor to scan GitHub Actions workflows (#10322)\n  * refactor: log statuses as strings (#10285)\n  * ci: add build provenance attestations for release artifacts (#10316)\n  * fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#10368)\n  * fix(report): set correct sarif ROOTPATH uri when scanning a git repository (#10366)\n  * perf(plugin): optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#10325)\n  * docs: correct typos in CHANGELOG and diagram (#10320)\n  * chore: delete roadmap wf (#10295)\n  * ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3 (#10310)\n  * fix(cyclonedx): include CVSS v4 vulnerability ratings (#10313)\n  * fix: detected vulnerability fields in azure and mariner detector (#10275)\n  * ci: add persist-credentials: false to checkout steps (#10306)\n  * ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2 (#10270)\n  * chore(deps): bump the common group across 1 directory with 8 updates (#10248)\n  * chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#10257)\n  * chore(deps): bump the aws group across 1 directory with 6 updates (#10249)\n  * chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#10241)\n  * ci: remove apidiff workflow (#10259)\n  * chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible in the docker group across 1 directory (#10221)\n  * ci: bump golangci-lint to v2.10 in cache-test-assets (#10243)\n  * feat(java): add support for proxy configuration from Maven settings.xml (#10187)\n  * chore(deps): bump the github-actions group across 3 directories with 11 updates (#10242)\n  * feat(python): add pylock.toml support (#10137)\n  * chore: bump SPDX license IDs and exceptions to `v3.28.0` (#10233)\n  * docs: fix typos and upgrade insecure HTTP links to HTTPS (#10219)\n  * chore: bump golangci-lint to v2.10.0 (#10223)\n  * feat(misconf): support for azurerm_network_interface_security_group_association  (#10215)\n  * ci: pin Docker Engine to v29 for integration tests (#10232)\n  * feat(go): detect version from ELF symbol table for binaries built with -trimpath (#10197)\n  * docs: migrate private registry documentation from GCR to GAR (#10208)\n  * chore(deps): bump the common group across 1 directory with 24 updates (#10206)\n  * chore(deps): update Docker client SDK to v29 (#10202)\n  * test: update Docker Engine integration tests for Docker API v0.29.0+ compatibility (#10199)\n  * fix(misconf): initialize custom annotation field if empty (#10123)\n  * feat(ubuntu): add eol data for 25.10 (#10181)\n  * docs: fix incorrect count of Python package managers (#10175)\n  * chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#10179)\n  * feat(misconf): resolve Azure resources via resource_id (#10173)\n  * ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#10155)\n  * refactor: remove unused Insecure field from ServiceOption (#10113)\n  * refactor: reduce complexity of init in detect.go (#10163)\n  * feat(misconf): adapt ARM k8s clusters (#9696) (#10125)\n  * docs: update version endpoint example in client/server documentation (#10151)\n  * feat(vuln): skip third-party packages in common Detect function (#10129)\n  * ci: add composite action for Go setup (#10146)\n  * fix(misconf): apply check aliases when filtering results via .trivyignore (#10112)\n  * docs(terraform): add limitation for data sources and computed resource attributes (#10128)\n  * fix: update PhotonOS feed URL (#10122)\n  * feat(server): include server version info in JSON output for client/server mode (#10075)\n  * chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107)\n  * refactor: unify scanner error limit and compiler limit (#10106)\n  * ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#10103)\n  * fix(java): Disable overwriting exclusions (#10088)\n  * refactor(rust): use txtar format for cargo analyzer test data (#10104)\n  * feat(python): add pylock.toml (PEP 751) parser (#9632)\n  * chore(deps): bump the aws group across 1 directory with 6 updates (#10068)\n  * fix(server): exclude JavaDB and CheckBundle from /version endpoint (#10100)\n\n- Update to version 0.69.3 (CVE-2026-25934, bsc#1258094):\n  * release: v0.69.3 [release/v0.69] (#10293)\n  * fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)\n  * release: v0.69.2 [release/v0.69] (#10266)\n  * fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#10267)\n  * fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#10264)\n  * ci: remove apidiff workflow\n  * release: v0.69.1 [release/v0.69] (#10145)\n  * ci: add composite action for Go setup [backport: release/v0.69] (#10150)\n  * fix(misconf): apply check aliases when filtering results via .trivyignore [backport: release/v0.69] (#10143)\n  * chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs [backport: release/v0.69] (#10135)\n","modified":"2026-05-09T18:25:03.765832Z","published":"2026-05-06T11:33:27Z","related":["CVE-2025-69725","CVE-2026-25934","CVE-2026-33186","CVE-2026-33747","CVE-2026-33748","CVE-2026-34986","CVE-2026-39984"],"upstream":["CVE-2025-69725","CVE-2026-25934","CVE-2026-33186","CVE-2026-33747","CVE-2026-33748","CVE-2026-34986","CVE-2026-39984"],"references":[{"type":"ADVISORY"},{"type":"REPORT","url":"https://bugzilla.suse.com/1258094"},{"type":"REPORT","url":"https://bugzilla.suse.com/1258513"},{"type":"REPORT","url":"https://bugzilla.suse.com/1260193"},{"type":"REPORT","url":"https://bugzilla.suse.com/1260971"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261052"},{"type":"REPORT","url":"https://bugzilla.suse.com/1262389"},{"type":"REPORT","url":"https://bugzilla.suse.com/1262893"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-69725"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-25934"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-33186"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-33747"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-33748"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-34986"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-39984"}],"schema_version":"1.7.5"}