diff --git a/_service b/_service
index 7e3ef32..6782962 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
https://github.com/aquasecurity/trivy
git
- v0.59.0
+ v0.59.1
@PARENT_TAG@
v(.*)
enable
diff --git a/_servicedata b/_servicedata
index 59d8914..98ba0e6 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://github.com/aquasecurity/trivy
- a58d6854dcfec0349daef27e180f2bdb5b380315
\ No newline at end of file
+ 9aabfd2a91e7278384bce7ccc6841a1d2851feb0
\ No newline at end of file
diff --git a/jwe-avoid-unbounded-splits.patch b/jwe-avoid-unbounded-splits.patch
new file mode 100644
index 0000000..78b6896
--- /dev/null
+++ b/jwe-avoid-unbounded-splits.patch
@@ -0,0 +1,49 @@
+From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin
+Date: Mon, 24 Feb 2025 15:06:34 -0500
+Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
+
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+---
+ jwe.go | 5 +++--
+ jws.go | 5 +++--
+ jws_test.go | 3 +++
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/jwe.go b/jwe.go
+index 89f03ee..9f1322d 100644
+--- a/jwe.go
++++ b/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+ keyAlgorithms []KeyAlgorithm,
+ contentEncryption []ContentEncryption,
+ ) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+
+ rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ if err != nil {
+diff --git a/jws.go b/jws.go
+index 3a91230..d09d8ba 100644
+--- a/jws.go
++++ b/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+ payload []byte,
+ signatureAlgorithms []SignatureAlgorithm,
+ ) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
++ parts := strings.SplitN(input, ".", 3)
+
+ if parts[1] != "" && payload != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
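Review bot: The diffstat in this patch header still lists `jws_test.go | 3 +++` and "3 files changed", but the file carries only the jwe.go and jws.go hunks, so the upstream regression test for the bounded split is not part of what gets applied. That is presumably deliberate, since the patch targets the vendored copy where test files are usually absent, but as written the header reads like a truncated patch. I would add one line to the description above the `---`, for example `SUSE: jws_test.go hunk dropped, vendor/ ships no tests`, so the next maintainer can compare against upstream commit 99b346cec4e86d102284642c5dcbe9bb0cacfc22 without guessing. The bodies of ParseEncryptedCompact and parseSignedCompact continue outside the hunks shown.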
diff --git a/trivy-0.59.0.tar.zst b/trivy-0.59.0.tar.zst
deleted file mode 100644
index e79d0ed..0000000
--- a/trivy-0.59.0.tar.zst
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:612f51e63b713df373a4da635359687555dffb519073ce0796a0459a8cbb78ca
-size 52492427
diff --git a/trivy-0.59.1.tar.zst b/trivy-0.59.1.tar.zst
new file mode 100644
index 0000000..ce49fb5
--- /dev/null
+++ b/trivy-0.59.1.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7119a6bac83e6b1703cff2977db5e33e34328952bba5eff53ec574b12f0350d9
+size 52270719
diff --git a/trivy.changes b/trivy.changes
index ede2a69..2809708 100644
--- a/trivy.changes
+++ b/trivy.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller
+
+- add jwe-avoid-unbounded-splits.patch (bsc#1237618,
+ CVE-2025-27144)
+
+-------------------------------------------------------------------
+Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com
+
+- Update to version 0.59.1:
+ * release: v0.59.1 [release/v0.59] (#8334)
+ * fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
+ * chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
+ * fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
+ * fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
+
-------------------------------------------------------------------
Fri Feb 7 11:33:46 UTC 2025 - Dirk Müller
@@ -97,7 +113,8 @@ Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com
- Update to version 0.58.2 (
bsc#1234512, CVE-2024-45337,
- bsc#1235265, CVE-2024-45338):
+ bsc#1235265, CVE-2024-45338,
+ bsc#1232948, CVE-2024-51744):
* release: v0.58.2 [release/v0.58] (#8216)
* fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
* fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
diff --git a/trivy.spec b/trivy.spec
index 46bf61f..6984ce8 100644
--- a/trivy.spec
+++ b/trivy.spec
@@ -17,7 +17,7 @@
Name: trivy
-Version: 0.59.0
+Version: 0.59.1
Release: 0
Summary: A Simple and Comprehensive Vulnerability Scanner for Containers
License: Apache-2.0
@@ -25,6 +25,7 @@ Group: System/Management
URL: https://github.com/aquasecurity/trivy
Source: %{name}-%{version}.tar.zst
Source1: vendor.tar.zst
+Patch1: jwe-avoid-unbounded-splits.patch
BuildRequires: golang-packaging
BuildRequires: zstd
BuildRequires: golang(API) = 1.23
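Review bot: The new `Patch1:` line has no comment saying what it fixes or when it can be dropped, and the only record of that is in trivy.changes. Since this is a security fix carried against vendored code, I would put a tag comment directly above it, for example `# PATCH-FIX-UPSTREAM jwe-avoid-unbounded-splits.patch bsc#1237618 CVE-2025-27144 -- drop once vendor.tar.zst contains a go-jose release with this change`. That way a later refresh of the vendor tarball prompts a check that the fix is still present, rather than a silent removal of the patch when it stops applying.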
@@ -44,6 +45,10 @@ name of the container.
%prep
%setup -a1
+(
+ cd vendor/github.com/go-jose/go-jose/v4
+%patch -P 1 -p1
+)
%build
export CGO_ENABLED=1
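Review bot: The four-line subshell in %prep exists only to change directory for a single patch, which `%patch` can do itself: `%patch -P 1 -p1 -d vendor/github.com/go-jose/go-jose/v4`. The one-line form keeps the target module path on the same line as the patch number, which is easier to audit when the vendored go-jose major version changes. A short comment above it, such as `# applied to the vendored go-jose, not to the trivy sources`, would also help, because `Patch1` otherwise looks like a patch against trivy itself.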
diff --git a/vendor.tar.zst b/vendor.tar.zst
index 46740a7..54fab6d 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:1c84cb56581af26a918c902c3f3b5658094fd31cc88e3db2e85a428527598a6b
-size 38418626
+oid sha256:2e838c120d1a583cc2b4267507f0c1824c09154d3bd50371e90a29b828fc470b
+size 38404606