OpenVox

v8.27.0 Security

This release includes 17 security fixes for security teams reviewing exposed deployments.

This release patches 17 known CVEs

Affected surfaces

deps

ReleasePort's take

Light signal
ReleasePort 8.27.0 patches CVE-2026-41316 (CVSS 8.1) via erb 4.0.3.1 and resolves CVE-2026-5773 (CVSS 7.5) by upgrading curl to 8.20.0.

Why it matters: CVE-2026-41316, rated CVSS 8.1, is fixed in erb 4.0.3.1; CVE-2026-5773, rated CVSS 7.5, requires upgrading curl to 8.20.0.

Summary

AI summary

CVE-2026-41316 (CVSS 8.1) and CVE-2026-5773 (CVSS 7.5) security vulnerabilities resolved.

Changes in this release

Security Medium

Mitigates CVE-2026-42258 through pkg:gem/[email protected] update

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Mitigates CVE-2026-42246 via pkg:gem/[email protected] update

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Mitigates CVE-2026-42245 through pkg:gem/[email protected] upgrade

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Mitigates CVE-2026-5545 via curl@8.20.0 update

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Mitigates CVE-2026-6253 through curl@8.20.0 upgrade

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Mitigates CVE-2026-6429 through curl@8.20.0 update

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Resolves CVE-2026-6732 by updating libxml2 to 2.15.3

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes CVE-2026-41316 via pkg:gem/erb@4.0.3.1

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Addresses CVE-2026-5773 by updating curl to 8.20.0

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes CVE-2026-6276 with curl@8.20.0 upgrade

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes CVE-2026-7009 via curl@8.20.0 upgrade

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Low

Avoids badly anchored regular expression

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

What's Changed

Security Issues Resolved

| Identifier     | CVSS 3.1 Score | Resolved By                       |
|----------------|:--------------:|-----------------------------------|
| CVE-2026-41316 | 8.1            | pkg:gem/erb@4.0.3.1               |
| CVE-2026-42258 | N/A            | pkg:gem/[email protected]           |
| CVE-2026-42246 | N/A            | pkg:gem/[email protected]           |
| CVE-2026-42245 | N/A            | pkg:gem/[email protected]           |
| CVE-2026-42257 | N/A            | pkg:gem/[email protected]           |
| CVE-2026-5773  | 7.5            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-6276  | 7.5            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-5545  | 6.5            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-6253  | 5.9            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-4873  | 5.9            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-7168  | 5.3            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-6429  | 5.3            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-7009  | 5.3            | pkg:github/curl/curl@8.20.0       |
| CVE-2026-6732  | 7.5            | pkg:github/gnome/libxml2@2.15.3   |

Bug Fixes 🐛

  • avoid badly anchored regular expression by @corporate-gadfly in https://github.com/OpenVoxProject/openvox/pull/414

Other Changes

  • Add release version check and stop trying to bump to an RC version by @nmburgan in https://github.com/OpenVoxProject/openvox/pull/413
  • Modify S3 copy command to suppress progress output by @corporate-gadfly in https://github.com/OpenVoxProject/openvox/pull/423
  • Update github_changelog_generator by @nmburgan in https://github.com/OpenVoxProject/openvox/pull/424
  • Changes to prepare for 8.x branching by @nmburgan in https://github.com/OpenVoxProject/openvox/pull/425
  • Promote puppet-runtime 2026.05.07.1 into 8.x by @OpenVoxProjectBot in https://github.com/OpenVoxProject/openvox/pull/430
  • Promote openfact 5.6.1 into 8.x by @OpenVoxProjectBot in https://github.com/OpenVoxProject/openvox/pull/438
  • Promote puppet-runtime 2026.05.11.1 into 8.x by @OpenVoxProjectBot in https://github.com/OpenVoxProject/openvox/pull/439
  • 8.x Backport: Fix rubocop 1.86.2 lint by @Sharpie in https://github.com/OpenVoxProject/openvox/pull/448

Full Changelog: https://github.com/OpenVoxProject/openvox/compare/8.26.2...8.27.0

Security Fixes

  • CVE-2026-41316 — CVSS 8.1 fixed by upgrading `pkg:gem/erb` to 4.0.3.1
  • CVE-2026-42258, CVE-2026-42246, CVE-2026-42245, CVE-2026-42257 – resolved in `pkg:gem/[email protected]` (CVSS not specified)
  • CVE-2026-5773 — CVSS 7.5 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-6276 — CVSS 7.5 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-5545 — CVSS 6.5 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-6253 — CVSS 5.9 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-4873 — CVSS 5.9 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-7168 — CVSS 5.3 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-6429 — CVSS 5.3 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-7009 — CVSS 5.3 fixed by upgrading `pkg:github/curl/curl` to 8.20.0
  • CVE-2026-6732 — CVSS 7.5 fixed by upgrading `pkg:github/gnome/libxml2` to 2.15.3

About OpenVox

Community fork of the last open source version of Puppet, a software configuration management tool which includes its own declarative language to describe system configuration.
