chore(deps): update dependency wolfi-dev/wolfictl to v0.27.2

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
wolfi-dev/wolfictl	patch	0.27.1 -> 0.27.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

wolfi-dev/wolfictl (wolfi-dev/wolfictl)

v0.27.2

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/wolfictl:0.27.2

📦 Image Reference ghcr.io/uniget-org/tools/wolfictl:0.27.2

digest	sha256:6291b24a6564a2556e85e28e7f986b1acd6ea8292bb3f8de2de72ba4b8980f53
vulnerabilities
platform	linux/amd64
size	49 MB
packages	323

github.com/u-root/u-root 0.14.0 (golang) pkg:golang/github.com/u-root/u-root@0.14.0 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=v7.0.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=7.0.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.

github.com/theupdateframework/go-tuf 0.7.0 (golang) pkg:golang/github.com/theupdateframework/go-tuf@0.7.0 Affected range >=0 Fixed version Not Fixed Description Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

github.com/aws/aws-sdk-go 1.55.5 (golang) pkg:golang/github.com/aws/aws-sdk-go@1.55.5 Affected range >=0 Fixed version Not Fixed Description A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files. Affected range >=0 Fixed version Not Fixed Description A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12335167244.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12335167244.