[AutoPR- Security] Patch patch for CVE-2026-56289, CVE-2026-56288 [MEDIUM]#17978
Conversation
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
|
The
|
Kanishk-Bansal
left a comment
There was a problem hiding this comment.
Patch Analysis (CVE-2026-56289 matches upstream)
for CVE-2026-56288 core logic matches upstream, only minor backporting where buf is used instead of patchbuf
Overall LGTM
- Buddy Build
- patch applied during the build (check
rpm.log) - patch include an upstream reference
- PR has security tag
Auto Patch patch for CVE-2026-56289, CVE-2026-56288.
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1156815&view=results
CVE-2026-56288 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1156821&view=results
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology