Description of the patch:
This update for trivy fixes the following issues
- CVE-2025-64702: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS (bsc#1255366).
- CVE-2025-69725: github.com/go-chi/chi/v5: incorrect input validation in the RedirectSlashes function can lead to an
open redirect (bsc#1258513).
- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files
can lead to the consumption of corrupted files (bsc#1258094).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
header (bsc#1260193).
- CVE-2026-33747: github.com/moby/buildkit: malicious frontends can craft API messages that cause files to be written
outside of the BuildKit state directory (bsc#1260971).
- CVE-2026-33748: github.com/moby/buildkit: insufficient validation of Git URL fragment subdir components may allow
access to files outside the checked-out Git repository (bsc#1261052).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of
service (bsc#1262893).
- CVE-2026-39984: github.com/sigstore/timestamp-authority/v2/pkg/verification: improper certificate validation can be
used to bypass some authorization controls (bsc#1262389).
- CVE-2026-41506: github.com/go-git/go-git/v5: HTTP authentication credential leak when following redirects during
smart-HTTP clone and fetch operations (bsc#1264873).
Changes for trivy:
- Updated go-git to 5.18.0.
- Updated to version 0.70.0.