- Issued:
- 2026-01-22
- Updated:
- 2026-01-23
RHSA-2026:1018 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.17.4 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.17.4 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8231 (CVE-2025-47913 openshift-gitops-1/argocd-agent-rhel8: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [gitops-1.17])
- GITOPS-8233 (CVE-2025-47913 openshift-gitops-1/argocd-rhel9: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [gitops-1.17])
- GITOPS-8078 (CVE-2025-58183 openshift-gitops-1/argocd-rhel8: Unbounded allocation when parsing GNU sparse map [gitops-1.17])
- GITOPS-8081 (CVE-2025-58183 openshift-gitops-1/dex-rhel8: Unbounded allocation when parsing GNU sparse map [gitops-1.17])
- GITOPS-7753 (CVE-2025-58754 openshift-gitops-1/argocd-extensions-rhel8: Axios DoS via lack of data size check [gitops-1.17])
- GITOPS-8511 (CVE-2025-68156 openshift-gitops-1/argocd-rhel8: Expr: Denial of Service via uncontrolled recursion in expression evaluation [gitops-1.17])
- GITOPS-8512 (CVE-2025-68156 openshift-gitops-1/argocd-rhel9: Expr: Denial of Service via uncontrolled recursion in expression evaluation [gitops-1.17])
- GITOPS-7568 (ignoreDifferences setting is not honored for OAuthClient resource)
- GITOPS-7992 (openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition)
- GITOPS-8225 (RC 1.19.0-2 : haproxy replica remains 1 with HA upgrade)
- GITOPS-8411 (CVE-2025-55190 still blocking due to github.com/argoproj/argo-cd/v2@v2.14.11 in gitops-rhel8:v1.18.1)
- GITOPS-8591 (Reciving TargetDown after upgrading GitOps )
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
- GITOPS-7568 - ignoreDifferences setting is not honored for OAuthClient resource
- GITOPS-7992 - openshift-gitops-operator-metrics-monitor ServiceMonitor is attempting to use a bearerTokenFile configuration in its endpoints definition
- GITOPS-8225 - RC 1.19.0-2 : haproxy replica remains 1 with HA upgrade
- GITOPS-8411 - CVE-2025-55190 still blocking due to github.com/argoproj/argo-cd/v2@v2.14.11 in gitops-rhel8:v1.18.1
- GITOPS-8591 - Reciving TargetDown after upgrading GitOps
amd64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:c1061a246650fe9735d3c5b439fb81e859e5badcd69c4ea241204287e14ec802 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:f5b3f576f18c0687c5cb757d8c7420ca883033975b906cd2c6fabace582a7fdd |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:8a07b1dcc21b99093a21936da2959f4ff9dbe9b2a138609594ec1cbfab06d096 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:95db3bb5baeea65a0304c1701ae7f84b9431fc1f13f7c18085abc82d5a7eace1 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:8019ec0d2ecc069941d771369cd072c656532aa7bff4a15ba0f62e4d0545992e |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:f626986471cf481e3101377242474d3904439fa12ed45b9dd49cb1d369390c65 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:b5ef707dee8e0098612e5117b8e5baaebb959c75a0416624d727dd44106c401b |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:d12e12f7aa0f40272033174000422448695ccaa5f5331624144be0506e3f2475 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:1fdc8378e3f67e274146571a566c49a99069964e167e7915fa078d508cedf388 |
| registry.redhat.io/openshift-gitops-1/gitops-operator-bundle@sha256:710f6fe3896177cae0d900643b7147d11410e5e58ee012e139fbeee308ee297b |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:e76acb4eff779bd17f575e3535cf8be658205fe1e7bc14c67a4f26110c4f8c5f |
arm64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:5cd9912e51ffea57bad97d8d725cd6210c0ba43d41d6a11c67b03d7e8807a1b4 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:1f93ea9508e4f1a9c54158d8fa6a0dc7babb65fcbd606c3474fd953fc80e95c9 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:a922ecfd9f8d0cbc42897871235789c5f60dfeef43487697152acd492da2ba52 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:752863bfda3f6021ffbb356696049b7983dec9556da06f2c5e653fa9244a2b25 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:19ee8d67235801b83af21c52b92b0855e34f959700eb400d2db455a50b91f512 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:54cf6dad43d830b530b6554c25f24b23be3bb51fc9436b20fc4c75fa03665b84 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:c89915b32d7812867b049c754480667c6218738d81fceb7012a615928508d62d |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:c8c274929641a8ddcbd8045daee04d1cc4f361acd4e9891b43718acef88ea842 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:bc068cd4d0d2a6c9bae530b3343cfc31ff19e109b70021ef260bb87548a9c1b9 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:8d10a7ccbb3ef67f3f5ad3f4dd77927a6ab15b7bdb78cf821ee764f967adcdc2 |
ppc64le
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:04a0309f1ea64b27a03d51ed435e3ba03b9b1c00f92ef1d136db7873be49bf6c |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:0afd39c2275c46025cee7518d62cc3a26441758f9315e864d25f8b78a5e464f4 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:309b422848a3c58a2f6716b2ae7891fae31a2bee824dddf2206d3ee4d9c0e3be |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:221e413f5a21ae4a8eb3a92c88a0f901980fb022f43c5c9dd0b618cb8d94f12f |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:2946fd417176936f3339cbbb3597d45f586357e68810d8449e716fb827f5debb |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:cf87bc59b51519af1fb349291dc6e0e346c22db132ab8ed2b0efd49e2a1f9775 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:495cfc1e0b1112d6d534baacda0d5591b67af1123b7099a65514365226b8874d |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:e7a5ca5641b9c72d42b39b087a9277183a2767e326914ea0441ce5904a77b44f |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:c8cca109f73568bd4331ecab567ba39a5d016bfd249bc6e62c79eb903df7f77d |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:3a7697e1f5e899b15e86d98c813857a5513055dbb8202f082ebcd1c1e91e7e2c |
s390x
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:42bcfb29916b6c0ed25625841c9dd483b1a36cd978c6815a2969a794417474b0 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:7bec6ba526ade9f626672e69d9b4a22df5a4d5d6b65a3d7fd681055968e85db8 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:38252c3097bc6ac5971aff8ca9c9280a5569b8824a96034cddeff4a2feed9354 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:6dbc097f05deedeb5a1242bcbbbd71a32f7280e60d65ba0773b36f83b98bcd31 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:80f845196a254e186385aa8c0217bfd857a1832357bc309875b6b82a835eadee |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:81f57cf09f298ba6436d9f3236d53210de456b8b1e54b565788b15b7a9d48411 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:072fc7738b1bd7fdfacc99eafc7fe55dfa3ebfb79466f255401b821391667971 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:809292e8911468c8b463736793bc42adb6e9d886d7a3a3452706668091f22b20 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:4a9f42b315becd846787de8798c2bb85d3a2bf607dacd85a18976fa16c00302d |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:dab0ffcf048536d127483cce2042665a687086d72ce420ecca6dba3e3787f339 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
