RLSA-2026:3752

Опубликовано: 21 мая 2026

Источник: rocky

Оценка: Important

Описание

Important: osbuild-composer security update

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Затронутые продукты

Rocky Linux 10

Наименование	Архитектура	Релиз	RPM
osbuild-composer	x86_64	5.el10_1.rocky.0.8	osbuild-composer-149-5.el10_1.rocky.0.8.x86_64.rpm
osbuild-composer-core	x86_64	5.el10_1.rocky.0.8	osbuild-composer-core-149-5.el10_1.rocky.0.8.x86_64.rpm
osbuild-composer-worker	x86_64	5.el10_1.rocky.0.8	osbuild-composer-worker-149-5.el10_1.rocky.0.8.x86_64.rpm