There was a change and now https://github.com/fleetdm/fleet/issues/44374
is to be released in 4.84.2
## Summary by CodeRabbit
* **Bug Fixes**
  * Updated recommended patch versions for addressing critical security
    vulnerabilities to ensure enhanced protection.
Updating CVE notes with new information for:
- CVE-2026-39883 (only affects BSD and Solaris).
- CVE-2026-32281, CVE-2026-32283: To be fixed in
[v4.84.1](https://github.com/fleetdm/fleet/milestone/246).
## Summary by CodeRabbit
* **Security Updates**
  * Updated Fleet vulnerability advisories and remediation guidance with
    corrected upgrade recommendations to ensure users receive accurate
    information for addressing security issues
  * Enhanced vulnerability assessments with additional platform
    compatibility information to help users better evaluate applicable risks
    to their environments
Fixes: https://github.com/fleetdm/fleet/actions/runs/24981188476.
Run: https://github.com/fleetdm/fleet/actions/runs/25009852107.
## Summary by CodeRabbit
## Release Notes
* **Chores**
  * Added vulnerability impact assessments for four CVEs (CVE-2026-28387,
    CVE-2026-28388, CVE-2026-28389, CVE-2026-31789). Documentation confirms
    these vulnerabilities do not affect the product.
Fixes:
https://github.com/fleetdm/fleet/actions/runs/24980770051/job/73142219314.
Run: https://github.com/fleetdm/fleet/actions/runs/25018399091.
## Summary by CodeRabbit
* **Documentation**
  * Added OpenVEX vulnerability declarations for multiple CVEs, marking
    them as not affected for Fleet and fleetctl. Each entry includes
    metadata, human-readable status notes, and justifications addressing
    exploitability relative to Go runtime, Alpine/musl packages, crypto/SSL
    libraries, OpenTelemetry, xmldsig, and media libraries.
Run: https://github.com/fleetdm/fleet/actions/runs/24681592163.
## Summary by CodeRabbit
* **Documentation**
  * Added vulnerability disclosures for three CVEs.
    * CVE-2026-27806: marked as not affecting fleetctl.
    * CVE-2026-32280: denial-of-service affecting many fleetctl versions;
      recommend upgrading to a fleetctl build using Go ≥1.26.2 when available.
    * CVE-2026-33810: affects fleetctl v4.84.0; recommend upgrading to a
      fleetctl build using Go ≥1.26.2 when available.
Run: https://github.com/fleetdm/fleet/actions/runs/24676558778.
## Summary by CodeRabbit
* **Documentation**
  * Added security vulnerability assessments for CVE-2026-28390,
    CVE-2026-4775, and CVE-2026-5201, confirming these issues do not affect
    the product. Statements note that vulnerable code is not in the
    product’s execution path and relevant processing (TLS/TIFF/graphics) is
    not performed by the shipped components. Includes timestamps and
    metadata for traceability.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Run: https://github.com/fleetdm/fleet/actions/runs/24673271270
## Summary by CodeRabbit
* **Security**
  * Added vulnerability assessment documentation for CVE-2026-28390,
    confirming that bomutils is not affected by this vulnerability.
Fixing https://github.com/fleetdm/fleet/actions/runs/18150944735.
- It seems that when not using the RC versions it cannot determine the
version of the github.com/fleetdm/fleet/v4 package, so it assumes it's
using `v4.0.0`, thus causing alerts around our recent SAML vulnerability
(already fixed). So I'm changing it to only run on RC cuts, not every
day.
- Also adding a skip rule for a new CVE that we are not affected by.
We missed adding this when we upgraded Go to 1.24.4.
Report
https://github.com/fleetdm/fleet/actions/runs/15626203997/job/44020838145
How to test (with and without the new VEX file):
```
docker scout cves --only-fixed --vex-location=./security/vex/fleet --only-vex-affected --only-severity high,critical fleetdm/fleet:v4.69.0
```
This PR adds VEX statement files for three vulnerabilities:
```
┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │ │ libxml: Heap use after free (UAF) leads to Denial of service │
│ │ │ │ │ │ │ (DoS)... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49794 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-49795 │ │ │ │ │ libxml: Null pointer dereference leads to Denial of service │
│ │ │ │ │ │ │ (DoS) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49795 │
│ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-49796 │ │ │ │ │ libxml: Type confusion leads to Denial of service (DoS) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49796 │
└─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
The vulnerabilities in libxml2 do not affect fleetctl, since the attack
vector is DoS and fleetctl is not a server tool. Additionally, the
libxml2 package isn't used by fleetctl directly, but by the tools it
uses for code signing, which don't parse untrusted XML.
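To make concrete what `--only-vex-affected` does with statements like these, here is an added example (not Fleet's own code or VEX files): it applies constructed OpenVEX `not_affected` statements to a constructed set of findings shaped like the table above. The product purl `pkg:docker/example/fleet`, the document metadata and the findings are assumptions; only the libxml2 CVE ids come from the PR.

```python
# Added example, not a file from the Fleet repository. It mirrors what
# `docker scout cves --vex-location ... --only-vex-affected` does: drop a
# finding only when a statement names the same CVE, lists the scanned product,
# has status "not_affected" and a valid justification. All data is constructed.
import json

# Justifications the OpenVEX spec allows on a not_affected statement.
VALID_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
    "vulnerable_code_cannot_be_controlled_by_adversary"}

VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/libxml2-example",
  "author": "constructed example", "timestamp": "2025-07-01T00:00:00Z",
  "version": 1, "statements": [
    {"vulnerability": {"name": "CVE-2025-49794"}, "status": "not_affected",
     "products": [{"@id": "pkg:docker/example/fleet"}],
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "fleetctl does not parse untrusted XML"},
    {"vulnerability": {"name": "CVE-2025-49795"}, "status": "not_affected",
     "products": [{"@id": "pkg:docker/example/fleet"}]},
    {"vulnerability": {"name": "CVE-2025-49796"}, "status": "not_affected",
     "products": [{"@id": "pkg:docker/example/other"}],
     "justification": "component_not_present"}
  ]}""")

# Constructed findings shaped like the trivy table above.
FINDINGS = [{"library": "libxml2", "cve": c, "severity": "CRITICAL"}
            for c in ("CVE-2025-49794", "CVE-2025-49795", "CVE-2025-49796")]

def not_affected_cves(vex, product):
    """CVE ids marked not_affected for `product`; a statement without a
    valid justification (invalid per OpenVEX) is ignored, not trusted."""
    out = set()
    for st in vex.get("statements", []):
        vuln = st.get("vulnerability")
        name = vuln.get("name") if isinstance(vuln, dict) else vuln
        covers = any(p.get("@id") == product for p in st.get("products", []))
        if (st.get("status") == "not_affected" and covers
                and st.get("justification") in VALID_JUSTIFICATIONS):
            out.add(name)
    return out

def filter_findings(findings, vex, product):
    """Keep only findings not suppressed by a valid VEX statement."""
    drop = not_affected_cves(vex, product)
    return [f for f in findings if f["cve"] not in drop]
```

Only CVE-2025-49794 is suppressed for the example product: the CVE-2025-49795 statement lacks a justification and the CVE-2025-49796 statement names a different product, so both findings stay in the report.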
I fixed [this](https://github.com/fleetdm/fleet/pull/29692) incorrectly
the first time (my trivy setup is broken on my workstation and I missed
the CI check failure on the original PR).
For #28837.
Fixing all of this because we got multiple reports from the
community and customers, and these were also detected by Amazon
Inspector.
- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.