Commit graph

27 commits

Author SHA1 Message Date
Lucas Manuel Rodriguez
9a6c5c3f48
Ignore CVEs on fleetdm/wix (#43226)
Fixes https://github.com/fleetdm/fleet/actions/runs/24121241577.

New run: https://github.com/fleetdm/fleet/actions/runs/24140346610
2026-04-08 17:48:42 -03:00
Lucas Manuel Rodriguez
30f1719aca
Ignore CVEs on fleetdm/fleetctl (#43240)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/24121419823/job/70444895796

Run: https://github.com/fleetdm/fleet/actions/runs/24142910735
2026-04-08 17:46:41 -03:00
Lucas Manuel Rodriguez
93a782ab61
Add ignore to CVE found in fleetdm/fleetctl (#42711)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/23783786066/job/69302104997

Test runs: 
- https://github.com/fleetdm/fleet/actions/runs/23798426124
- https://github.com/fleetdm/fleet/actions/runs/23798449109
2026-03-31 10:27:07 -03:00
Lucas Manuel Rodriguez
8b3674bc55
Fix CVE fleetdm/fleet alerts (#42314)
Fixes
https://github.com/fleetdm/fleet/actions/runs/23476076250/job/68309012488.

Runs:
- https://github.com/fleetdm/fleet/actions/runs/23498265614
2026-03-24 17:38:46 -03:00
Lucas Manuel Rodriguez
3aa63d804b
Fix fleetdm/wix warnings (#42312)
Fixes
https://github.com/fleetdm/fleet/actions/runs/23475951459/job/68308629296.

Runs:
- https://github.com/fleetdm/fleet/actions/runs/23497560995 (remote)
- https://github.com/fleetdm/fleet/actions/runs/23497590149 (local)
2026-03-24 17:38:33 -03:00
Lucas Manuel Rodriguez
4f59eaceea
Add ignores for CVE-2026-0861 in bomutils (#42292)
Resolves
https://github.com/fleetdm/fleet/actions/runs/23476296008/job/68309683127.

Run: 
- https://github.com/fleetdm/fleet/actions/runs/23487678187
- https://github.com/fleetdm/fleet/actions/runs/23487670926
2026-03-24 12:10:49 -03:00
Lucas Manuel Rodriguez
ec9610bcea
Fix security warnings on fleetdm/fleetctl (#42276)
Fixes: https://github.com/fleetdm/fleet/actions/runs/23424438962

New runs: 
- Local: https://github.com/fleetdm/fleet/actions/runs/23463124995.
- Remote: https://github.com/fleetdm/fleet/actions/runs/23463145956.
2026-03-24 12:10:29 -03:00
Lucas Manuel Rodriguez
7bb72ccaa1
Ignore false positive CVE in fleet (#41643)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/23038788027/job/66912481418

Run with this branch:
https://github.com/fleetdm/fleet/actions/runs/23060265057
2026-03-16 10:36:50 -03:00
Lucas Manuel Rodriguez
da34876029
Ignore vulnerabilities in fleetdm/fleetctl (#41647)
Fixes
https://github.com/fleetdm/fleet/actions/runs/23038854478/job/66912680981.

Run with this branch:
https://github.com/fleetdm/fleet/actions/runs/23058249026
2026-03-13 14:22:40 -03:00
Lucas Manuel Rodriguez
a97f04b2f6
Add rule to exclude CVE-2026-23517 from fleetctl (#39097)
Run: https://github.com/fleetdm/fleet/actions/runs/21530332523.
2026-02-02 13:15:41 -03:00
Lucas Manuel Rodriguez
3957fc990c
Skip openssl vulns in Fleet (#39098)
Run: https://github.com/fleetdm/fleet/actions/runs/21532057134
2026-02-02 11:56:39 -03:00
Lucas Manuel Rodriguez
c1d13ed858
Fix WiX alerts (#37572)
2025-12-19 17:26:26 -06:00
Lucas Manuel Rodriguez
c557bcb782
Update security status (#37086)
Update our `security/status.md` file after analyzing currently reported
vulnerabilities.

https://github.com/fleetdm/fleet/actions/runs/20115346825
Screenshot 2025-12-10 at 7 41 00 PM: https://github.com/user-attachments/assets/97e17b58-50a8-4556-9ceb-bcb6701d7d61
2025-12-11 10:42:50 -03:00
Lucas Manuel Rodriguez
322438e4cb
Fix docker publish failures (#33690)
Fixing https://github.com/fleetdm/fleet/actions/runs/18150944735.

- It seems that when not using the RC versions it cannot determine the
version of the github.com/fleetdm/fleet/v4 package, so it assumes it's
using `v4.0.0`, thus causing alerts around our recent SAML vulnerability
(already fixed). So I'm changing it to only run on RC cuts, not every
day.
- Also adding a skip rule for a new CVE that we are not affected by.
2025-10-02 13:12:13 -03:00
Lucas Manuel Rodriguez
93bea23859
Add CVE scanning for fleetdm/wix and split out workflows (#33687)
Attempting to fix
https://github.com/fleetdm/fleet/actions/runs/18120473187/job/51564073671#step:11:38

Changes:
- The docker images are too big so they started to cause issues in
Github runners. Thus I'm splitting the one workflow into three separate
workflows, one for each image.
- While we are at it: start tracking vulnerabilities in fleetdm/wix and
fleetdm/bomutils.

New runs:
- https://github.com/fleetdm/fleet/actions/runs/18161326970/job/51692559418
- https://github.com/fleetdm/fleet/actions/runs/18161326953/job/51692559257
- https://github.com/fleetdm/fleet/actions/runs/18161326952/job/51692559172
2025-10-01 19:37:22 -03:00
Lucas Manuel Rodriguez
4fc731b9b2
Skip CVE in fleetctl (#33267)
Fixes https://github.com/fleetdm/fleet/actions/runs/17906206819.
2025-09-22 18:55:08 -03:00
Lucas Manuel Rodriguez
f16b58d576
Fix vulnerability report in fleetdm/fleet and properly fix in fleetdm… (#33026)
2025-09-16 12:06:45 -05:00
Lucas Manuel Rodriguez
0b0066bfe5
Add VEX rule to remove CVE-2025-27509 false positive on fleetctl (#32914)
2025-09-12 08:54:46 -05:00
Lucas Manuel Rodriguez
e37e14f78d
Generate new osquery 5.18.1 flags, catch up VEX report (#31648)
Adding new flags added to osquery 5.18.1.
2025-08-08 10:49:23 -03:00
Lucas Manuel Rodriguez
83961c0d02
Add VEX for CVE-2025-22874 and generate report (#30258)
We missed adding this when we upgraded Go to 1.24.4.
Report
https://github.com/fleetdm/fleet/actions/runs/15626203997/job/44020838145

How to test (with and without the new VEX file):
```
docker scout cves --only-fixed --vex-location=./security/vex/fleet --only-vex-affected --only-severity high,critical fleetdm/fleet:v4.69.0
```
2025-06-25 15:13:34 -03:00
Scott Gress
ed8506dd77
Add VEX statements for libxml2 CVEs (#30011)
This PR adds VEX statement files for three vulnerabilities:

```
┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │  Status  │    Installed Version    │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │               │ libxml: Heap use after free (UAF) leads to Denial of service │
│         │                │          │          │                         │               │ (DoS)...                                                     │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49794                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49795 │          │          │                         │               │ libxml: Null pointer dereference leads to Denial of service  │
│         │                │          │          │                         │               │ (DoS)                                                        │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49795                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49796 │          │          │                         │               │ libxml: Type confusion leads to Denial of service (DoS)      │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49796                   │
└─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

The vulnerabilities in libxml2 do not affect fleetctl, since the attack
vector is DoS and fleetctl is not a server tool. Additionally, the
libxml2 package isn't used by fleetctl directly, but by the tools it
uses for code signing, which don't parse untrusted XML.
2025-06-13 17:00:49 -05:00
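The two VEX commits above (#30258, which tests with `docker scout cves --vex-location=./security/vex/fleet --only-vex-affected`, and #30011, which argues that the libxml2 DoS CVEs are unreachable from fleetctl) both rely on the same mechanism: an OpenVEX statement that names a CVE and a product and declares it `not_affected` with a justification, which the scanner then uses to drop the finding. The following is an added example, not Fleet's code or its actual VEX files: it builds such a statement for the three libxml2 CVEs listed in #30011, validates that `not_affected` carries a justification (OpenVEX rejects it otherwise), and applies the statements to a constructed list of scanner findings the way `--only-vex-affected` does. The package URLs, the author string, the document ids and the findings are all assumptions made up for the demonstration.

```python
"""Apply OpenVEX not_affected statements to scanner findings.

Added example, not Fleet's code. Product purls, author, document ids
and the sample findings below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Statuses that remove a finding from an "only affected" report.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

# The justification values OpenVEX allows for status == not_affected.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Hypothetical product identifiers (package URLs) for two container images.
FLEETCTL = "pkg:docker/fleetdm/fleetctl@v4.69.0"   # constructed purl
OTHER = "pkg:docker/example/other-image@1.0.0"     # hypothetical second image

# Constructed findings shaped like a scanner's per-CVE results. The CVE ids
# are the libxml2 ones from #30011; the fourth row is invented to show that
# a statement for fleetctl does not suppress the same CVE in another image.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2025-49794", "product": FLEETCTL, "severity": "CRITICAL", "package": "libxml2"},
    {"cve": "CVE-2025-49795", "product": FLEETCTL, "severity": "CRITICAL", "package": "libxml2"},
    {"cve": "CVE-2025-49796", "product": FLEETCTL, "severity": "CRITICAL", "package": "libxml2"},
    {"cve": "CVE-2025-49794", "product": OTHER, "severity": "CRITICAL", "package": "libxml2"},
]


def make_not_affected(cve, product_purl, justification, impact):
    """Build one OpenVEX document marking `cve` not_affected for `product_purl`."""
    if justification not in VALID_JUSTIFICATIONS:
        raise ValueError(f"unknown OpenVEX justification: {justification}")
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": f"https://example.invalid/vex/{cve}",  # hypothetical document id
        "author": "example security team",            # hypothetical author
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [{
            "vulnerability": {"name": cve},
            "products": [{"@id": product_purl}],
            "status": "not_affected",
            "justification": justification,
            "impact_statement": impact,
        }],
    }


def vex_index(documents):
    """Map (cve, product purl) -> status over every statement in every document."""
    index = {}
    for doc in documents:
        for stmt in doc.get("statements", []):
            cve = stmt["vulnerability"]["name"]
            status = stmt["status"]
            # OpenVEX requires a justification (or an action statement) for
            # not_affected; a bare not_affected must not silently suppress.
            if status == "not_affected" and not (
                stmt.get("justification") or stmt.get("action_statement")
            ):
                raise ValueError(f"{cve}: not_affected without justification")
            for product in stmt.get("products", []):
                index[(cve, product["@id"])] = status
    return index


def apply_vex(findings, documents):
    """Return the findings that remain after applying the VEX documents.

    A finding is dropped only when a statement names both its CVE and its
    exact product purl with a suppressing status. A CVE with no statement
    for that product is kept, which is the safe default.
    """
    index = vex_index(documents)
    return [
        f for f in findings
        if index.get((f["cve"], f["product"])) not in SUPPRESSING_STATUSES
    ]


def demo():
    """Suppress the three fleetctl libxml2 findings with the #30011 reasoning."""
    docs = [
        make_not_affected(
            cve, FLEETCTL, "vulnerable_code_not_in_execute_path",
            "libxml2 is only reached through code-signing tooling that does "
            "not parse untrusted XML; fleetctl is a CLI, not a server",
        )
        for cve in ("CVE-2025-49794", "CVE-2025-49795", "CVE-2025-49796")
    ]
    return apply_vex(SAMPLE_FINDINGS, docs)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The filter keys on the exact (CVE, product) pair on purpose: a statement written for the fleetctl image must not hide the same CVE in a different image, which is the failure mode a too-broad ignore rule introduces. To use real statements, point `documents` at the JSON files under the directory passed to `--vex-location`.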
Lucas Manuel Rodriguez
1c5700a8c4
Microsoft Compliance Partner backend changes (#29540)
For #27042.

Ready for review, just missing integration tests that I will be writing
today.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
  - [X] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. If managing via Gitops:
    - [X] Verified that the setting is exported via `fleetctl generate-gitops`
    - [X] Added the setting to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
    - [X] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
  - [x] Verified that any relevant UI is disabled when GitOps mode is enabled
- For database migrations:
  - [X] Checked schema for all modified tables for columns that will auto-update timestamps during migration.
  - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  - [X] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [X] Manual QA for all new/changed functionality

---------

Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-06-11 14:22:46 -03:00
Lucas Manuel Rodriguez
c771623021
Mark CVE-2025-48734 as not affected (#29692)
https://fleetdm.slack.com/archives/C019WG4GH0A/p1748758788762129
2025-06-02 13:53:40 -03:00
Lucas Manuel Rodriguez
7f85e529be
Iterate status.md for reporting vulnerability updates (#29062)
For #28805.

See scenario we want to support in the linked issue.

---------

Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-15 21:15:37 -03:00
Lucas Manuel Rodriguez
bfe3b186d3
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836)
For #28837.

Fixing all of this because we got multiple reports from the
community and customers, and these were also detected by Amazon
Inspector.

- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.

---

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
  - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
  - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`).
  - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
  - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 13:35:27 -03:00
Lucas Manuel Rodriguez
ffb90d7951
Run make generate-doc (#28595)
PRs are failing due to mismatch in auto-generated docs:

https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 10:11:45 -05:00
Lucas Manuel Rodriguez
895194d63b
Add scanning to released images and process to track vulnerabilities (#28087)
For #25902.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 11:50:10 -03:00