`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions = 0.40.5. Fix: Merge...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection in values including series paths, patch filenames, and numeric parameters, which are read from patch.yaml. An attacker who can control inputs to this file can cause shell commands to be run on the build host by injecti...