CVE-2025-68121 (GCVE-0-2025-68121)
Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-04-29 13:29
CWE-295 - Improper Certificate Validation
| Vendor | Product | Version |
|---|---|---|
| Go standard library | crypto/tls | Affected: 0, < 1.24.13 (semver); Affected: 1.25.0-0, < 1.25.7 (semver); Affected: 1.26.0-rc.1, < 1.26.0-rc.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T03:55:46.305385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:29:25.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/tls",
"product": "crypto/tls",
"programRoutines": [
{
"name": "Conn.handshakeContext"
},
{
"name": "Conn.Handshake"
},
{
"name": "Conn.HandshakeContext"
},
{
"name": "Conn.Read"
},
{
"name": "Conn.Write"
},
{
"name": "Dial"
},
{
"name": "DialWithDialer"
},
{
"name": "Dialer.Dial"
},
{
"name": "Dialer.DialContext"
},
{
"name": "QUICConn.Start"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.7",
"status": "affected",
"version": "1.25.0-0",
"versionType": "semver"
},
{
"lessThan": "1.26.0-rc.3",
"status": "affected",
"version": "1.26.0-rc.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Coia Prant (github.com/rbqvq)"
},
{
"lang": "en",
"value": "Go Security Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-295: Improper Certificate Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.141Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"url": "https://go.dev/cl/737700"
},
{
"url": "https://go.dev/issue/77217"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"title": "Unexpected session resumption in crypto/tls"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-68121",
"datePublished": "2026-02-05T17:48:44.141Z",
"dateReserved": "2025-12-15T16:48:04.451Z",
"dateUpdated": "2026-04-29T13:29:25.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-68121",
"date": "2026-05-25",
"epss": "0.00018",
"percentile": "0.04801"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-68121\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-02-05T18:16:10.857\",\"lastModified\":\"2026-04-29T14:16:16.170\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.\"},{\"lang\":\"es\",\"value\":\"Durante la reanudaci\u00f3n de la sesi\u00f3n en crypto/tls, si la Config subyacente tiene sus campos ClientCAs o RootCAs mutados entre el handshake inicial y el handshake reanudado, el handshake reanudado puede tener \u00e9xito cuando deber\u00eda haber fallado. Esto puede ocurrir cuando un usuario llama a Config.Clone y muta la Config devuelta, o usa Config.GetConfigForClient. 
Esto puede hacer que un cliente reanude una sesi\u00f3n con un servidor con el que no la habr\u00eda reanudado durante el handshake inicial, o hacer que un servidor reanude una sesi\u00f3n con un cliente con el que no la habr\u00eda reanudado durante el handshake inicial.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.24.13\",\"matchCriteriaId\":\"9FEE539A-EDC2-4044-A38C-5A0FDF567509\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.25.0\",\"versionEndExcluding\":\"1.25.7\",\"matchCriteriaId\":\"B275853C-E253-485B-B469-31D1A7383965\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:1.26.0:rc1:*:*:*:*
:*:*\",\"matchCriteriaId\":\"E529A0EC-B944-4E2F-B26A-2A9F31AFF240\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:1.26.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"553D6D90-140E-4A54-86A3-00E66AC30F3C\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/737700\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/77217\",\"source\":\"security@golang.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/K09ubi9FQFk\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4337\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68121\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-29T03:55:46.305385Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-06T15:32:38.457Z\"}}], \"cna\": {\"title\": \"Unexpected session resumption in crypto/tls\", \"credits\": [{\"lang\": \"en\", \"value\": \"Coia Prant (github.com/rbqvq)\"}, {\"lang\": \"en\", \"value\": \"Go Security Team\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"crypto/tls\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.24.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.25.0-0\", \"lessThan\": \"1.25.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.26.0-rc.1\", \"lessThan\": \"1.26.0-rc.3\", \"versionType\": \"semver\"}], \"packageName\": \"crypto/tls\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Conn.handshakeContext\"}, {\"name\": \"Conn.Handshake\"}, {\"name\": \"Conn.HandshakeContext\"}, {\"name\": 
\"Conn.Read\"}, {\"name\": \"Conn.Write\"}, {\"name\": \"Dial\"}, {\"name\": \"DialWithDialer\"}, {\"name\": \"Dialer.Dial\"}, {\"name\": \"Dialer.DialContext\"}, {\"name\": \"QUICConn.Start\"}]}], \"references\": [{\"url\": \"https://groups.google.com/g/golang-announce/c/K09ubi9FQFk\"}, {\"url\": \"https://go.dev/cl/737700\"}, {\"url\": \"https://go.dev/issue/77217\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4337\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-02-05T17:48:44.141Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-68121\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-29T13:29:25.582Z\", \"dateReserved\": \"2025-12-15T16:48:04.451Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-02-05T17:48:44.141Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:3929
Vulnerability from csaf_redhat - Published: 2026-03-05 17:28 - Updated: 2026-05-26 09:04
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3929",
"url": "https://access.redhat.com/errata/RHSA-2026:3929"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3929.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security update",
"tracking": {
"current_release_date": "2026-05-26T09:04:59+00:00",
"generator": {
"date": "2026-05-26T09:04:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:3929",
"initial_release_date": "2026-03-05T17:28:44+00:00",
"revision_history": [
{
"date": "2026-03-05T17:28:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-05T17:28:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:04:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el9_6.2.src",
"product": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.src",
"product_id": "git-lfs-0:3.6.1-2.el9_6.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el9_6.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"product": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"product_id": "git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el9_6.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el9_6.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el9_6.2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"product": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"product_id": "git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el9_6.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el9_6.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el9_6.2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"product": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"product_id": "git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el9_6.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el9_6.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el9_6.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el9_6.2.s390x",
"product": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.s390x",
"product_id": "git-lfs-0:3.6.1-2.el9_6.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el9_6.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el9_6.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el9_6.2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64"
},
"product_reference": "git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le"
},
"product_reference": "git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x"
},
"product_reference": "git-lfs-0:3.6.1-2.el9_6.2.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src"
},
"product_reference": "git-lfs-0:3.6.1-2.el9_6.2.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el9_6.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64"
},
"product_reference": "git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T17:28:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3929"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T17:28:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3929"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T17:28:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3929"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.src",
"AppStream-9.6.0.Z.EUS:git-lfs-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debuginfo-0:3.6.1-2.el9_6.2.x86_64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.aarch64",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.ppc64le",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.s390x",
"AppStream-9.6.0.Z.EUS:git-lfs-debugsource-0:3.6.1-2.el9_6.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:3970
Vulnerability from csaf_redhat - Published: 2026-03-09 01:29 - Updated: 2026-05-26 09:05
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix, Workaround |

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix |

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64 | — | | Vendor Fix |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rhc-worker-playbook is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "A worker for yggdrasil that receives Ansible playbooks and executes them against the local host.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3970",
"url": "https://access.redhat.com/errata/RHSA-2026:3970"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3970.json"
}
],
"title": "Red Hat Security Advisory: rhc-worker-playbook security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:02+00:00",
"generator": {
"date": "2026-05-26T09:05:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:3970",
"initial_release_date": "2026-03-09T01:29:32+00:00",
"revision_history": [
{
"date": "2026-03-09T01:29:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-09T01:29:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux_eus:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:29:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3970"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:29:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3970"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:29:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3970"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.src",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_0.x86_64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.aarch64",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.ppc64le",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.s390x",
"AppStream-10.0.Z.E2S:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:3971
Vulnerability from csaf_redhat - Published: 2026-03-09 01:33 - Updated: 2026-05-26 09:05

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix), Workaround |

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix) |

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64 | — | | Vendor Fix (fix) |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rhc-worker-playbook is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "A worker for yggdrasil that receives Ansible playbooks and executes them against the local host.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3971",
"url": "https://access.redhat.com/errata/RHSA-2026:3971"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3971.json"
}
],
"title": "Red Hat Security Advisory: rhc-worker-playbook security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:02+00:00",
"generator": {
"date": "2026-05-26T09:05:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:3971",
"initial_release_date": "2026-03-09T01:33:17+00:00",
"revision_history": [
{
"date": "2026-03-09T01:33:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-09T01:33:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"product": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"product_id": "rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook@0.2.3-3.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64",
"product": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64",
"product_id": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debugsource@0.2.3-3.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"product": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"product_id": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-playbook-debuginfo@0.2.3-3.el10_1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64"
},
"product_reference": "rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64"
},
"product_reference": "rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
},
"product_reference": "rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:33:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3971"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:33:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3971"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:33:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3971"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.src",
"AppStream-10.1.Z:rhc-worker-playbook-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debuginfo-0:0.2.3-3.el10_1.x86_64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.aarch64",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.ppc64le",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.s390x",
"AppStream-10.1.Z:rhc-worker-playbook-debugsource-0:0.2.3-3.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:3977
Vulnerability from csaf_redhat - Published: 2026-03-09 01:52 - Updated: 2026-05-26 09:05

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64 | — | | Vendor Fix (fix), Workaround |

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64 | — | | Vendor Fix (fix) |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang-github-openprinting-ipp-usb is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables\n driverless support for USB devices capable of using IPP-over-USB protocol.\n\nSecurity Fix(es):\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3977",
"url": "https://access.redhat.com/errata/RHSA-2026:3977"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3977.json"
}
],
"title": "Red Hat Security Advisory: golang-github-openprinting-ipp-usb security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:09+00:00",
"generator": {
"date": "2026-05-26T09:05:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:3977",
"initial_release_date": "2026-03-09T01:52:37+00:00",
"revision_history": [
{
"date": "2026-03-09T01:52:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-09T01:52:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux_eus:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"product": {
"name": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"product_id": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb@0.9.27-3.el10_0.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"product": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"product_id": "ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb@0.9.27-3.el10_0.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"product": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"product_id": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-openprinting-ipp-usb-debugsource@0.9.27-3.el10_0.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64",
"product": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64",
"product_id": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ipp-usb-debuginfo@0.9.27-3.el10_0.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src"
},
"product_reference": "golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64"
},
"product_reference": "golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-0:0.9.27-3.el10_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64"
},
"product_reference": "ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
},
"product_reference": "ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:52:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3977"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T01:52:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3977"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.2.src",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:golang-github-openprinting-ipp-usb-debugsource-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-0:0.9.27-3.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:ipp-usb-debuginfo-0:0.9.27-3.el10_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:3985
Vulnerability from csaf_redhat - Published: 2026-03-09 02:13 - Updated: 2026-05-26 09:05
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64 | — | | Vendor Fix (fix), Workaround |
A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3985",
"url": "https://access.redhat.com/errata/RHSA-2026:3985"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3985.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:04+00:00",
"generator": {
"date": "2026-05-26T09:05:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:3985",
"initial_release_date": "2026-03-09T02:13:04+00:00",
"revision_history": [
{
"date": "2026-03-09T02:13:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-09T02:13:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-8.el8_10.src",
"product": {
"name": "git-lfs-0:3.4.1-8.el8_10.src",
"product_id": "git-lfs-0:3.4.1-8.el8_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-8.el8_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-8.el8_10.aarch64",
"product": {
"name": "git-lfs-0:3.4.1-8.el8_10.aarch64",
"product_id": "git-lfs-0:3.4.1-8.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-8.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"product_id": "git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-8.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"product_id": "git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-8.el8_10?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-8.el8_10.ppc64le",
"product": {
"name": "git-lfs-0:3.4.1-8.el8_10.ppc64le",
"product_id": "git-lfs-0:3.4.1-8.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-8.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"product_id": "git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-8.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-8.el8_10?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-8.el8_10.x86_64",
"product": {
"name": "git-lfs-0:3.4.1-8.el8_10.x86_64",
"product_id": "git-lfs-0:3.4.1-8.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-8.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64",
"product_id": "git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-8.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"product_id": "git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-8.el8_10?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.4.1-8.el8_10.s390x",
"product": {
"name": "git-lfs-0:3.4.1-8.el8_10.s390x",
"product_id": "git-lfs-0:3.4.1-8.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.4.1-8.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"product_id": "git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.4.1-8.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"product_id": "git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.4.1-8.el8_10?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-8.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64"
},
"product_reference": "git-lfs-0:3.4.1-8.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-8.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le"
},
"product_reference": "git-lfs-0:3.4.1-8.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-8.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x"
},
"product_reference": "git-lfs-0:3.4.1-8.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-8.el8_10.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src"
},
"product_reference": "git-lfs-0:3.4.1-8.el8_10.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.4.1-8.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64"
},
"product_reference": "git-lfs-0:3.4.1-8.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T02:13:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3985"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-09T02:13:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3985"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debuginfo-0:3.4.1-8.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:git-lfs-debugsource-0:3.4.1-8.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:4164
Vulnerability from csaf_redhat - Published: 2026-03-10 09:29 - Updated: 2026-05-26 09:05
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:4164",
"url": "https://access.redhat.com/errata/RHSA-2026:4164"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4164.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:05+00:00",
"generator": {
"date": "2026-05-26T09:05:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:4164",
"initial_release_date": "2026-03-10T09:29:17+00:00",
"revision_history": [
{
"date": "2026-03-10T09:29:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-10T09:29:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-7.el10_1.src",
"product": {
"name": "git-lfs-0:3.6.1-7.el10_1.src",
"product_id": "git-lfs-0:3.6.1-7.el10_1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-7.el10_1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-7.el10_1.aarch64",
"product": {
"name": "git-lfs-0:3.6.1-7.el10_1.aarch64",
"product_id": "git-lfs-0:3.6.1-7.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-7.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"product_id": "git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-7.el10_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"product_id": "git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-7.el10_1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-7.el10_1.ppc64le",
"product": {
"name": "git-lfs-0:3.6.1-7.el10_1.ppc64le",
"product_id": "git-lfs-0:3.6.1-7.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-7.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"product_id": "git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-7.el10_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-7.el10_1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-7.el10_1.s390x",
"product": {
"name": "git-lfs-0:3.6.1-7.el10_1.s390x",
"product_id": "git-lfs-0:3.6.1-7.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-7.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"product_id": "git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-7.el10_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"product_id": "git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-7.el10_1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-7.el10_1.x86_64",
"product": {
"name": "git-lfs-0:3.6.1-7.el10_1.x86_64",
"product_id": "git-lfs-0:3.6.1-7.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-7.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64",
"product_id": "git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-7.el10_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"product_id": "git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-7.el10_1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-7.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64"
},
"product_reference": "git-lfs-0:3.6.1-7.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-7.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le"
},
"product_reference": "git-lfs-0:3.6.1-7.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-7.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x"
},
"product_reference": "git-lfs-0:3.6.1-7.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-7.el10_1.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src"
},
"product_reference": "git-lfs-0:3.6.1-7.el10_1.src",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-7.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64"
},
"product_reference": "git-lfs-0:3.6.1-7.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T09:29:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4164"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T09:29:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4164"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T09:29:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4164"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.src",
"AppStream-10.1.Z:git-lfs-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debuginfo-0:3.6.1-7.el10_1.x86_64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.aarch64",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.ppc64le",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.s390x",
"AppStream-10.1.Z:git-lfs-debugsource-0:3.6.1-7.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:4166
Vulnerability from csaf_redhat - Published: 2026-03-10 09:26 - Updated: 2026-05-26 09:05
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix / Workaround |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix / Workaround |
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix |
A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64 | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x | — | | Vendor Fix / fix |
| Unresolved product id: AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64 | — | | Vendor Fix / fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:4166",
"url": "https://access.redhat.com/errata/RHSA-2026:4166"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4166.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:05+00:00",
"generator": {
"date": "2026-05-26T09:05:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:4166",
"initial_release_date": "2026-03-10T09:26:33+00:00",
"revision_history": [
{
"date": "2026-03-10T09:26:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-10T09:26:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux_eus:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el10_0.2.src",
"product": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.src",
"product_id": "git-lfs-0:3.6.1-2.el10_0.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el10_0.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"product": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"product_id": "git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el10_0.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el10_0.2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el10_0.2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"product": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"product_id": "git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el10_0.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el10_0.2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el10_0.2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el10_0.2.s390x",
"product": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.s390x",
"product_id": "git-lfs-0:3.6.1-2.el10_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el10_0.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el10_0.2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el10_0.2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"product": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"product_id": "git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.6.1-2.el10_0.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64",
"product_id": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.6.1-2.el10_0.2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"product_id": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.6.1-2.el10_0.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64"
},
"product_reference": "git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le"
},
"product_reference": "git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x"
},
"product_reference": "git-lfs-0:3.6.1-2.el10_0.2.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src"
},
"product_reference": "git-lfs-0:3.6.1-2.el10_0.2.src",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.6.1-2.el10_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64"
},
"product_reference": "git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"product_id": "AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z.E2S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T09:26:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4166"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T09:26:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4166"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T09:26:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4166"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.src",
"AppStream-10.0.Z.E2S:git-lfs-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debuginfo-0:3.6.1-2.el10_0.2.x86_64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.aarch64",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.ppc64le",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.s390x",
"AppStream-10.0.Z.E2S:git-lfs-debugsource-0:3.6.1-2.el10_0.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:4170
Vulnerability from csaf_redhat - Published: 2026-03-10 10:02 - Updated: 2026-05-26 09:05

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64 | — |
Workaround
|
A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new version of OpenShift API for Data Protection (OADP) is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift API for Data Protection (OADP) enables you to back up and restore\napplication resources, persistent volume data, and internal container\nimages to external backup storage. OADP enables both file system-based and\nsnapshot-based backups for persistent volumes.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:4170",
"url": "https://access.redhat.com/errata/RHSA-2026:4170"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61726",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61728",
"url": "https://access.redhat.com/security/cve/CVE-2025-61728"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-68121",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/backup_and_restore/oadp-application-backup-and-restore",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/backup_and_restore/oadp-application-backup-and-restore"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4170.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift API for Data Protection",
"tracking": {
"current_release_date": "2026-05-26T09:05:06+00:00",
"generator": {
"date": "2026-05-26T09:05:06+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:4170",
"initial_release_date": "2026-03-10T10:02:11+00:00",
"revision_history": [
{
"date": "2026-03-10T10:02:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-10T10:02:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:06+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift API for Data Protection 1.5",
"product": {
"name": "OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_api_data_protection:1.5::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift API for Data Protection"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3Ade2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857087"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3Aff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857516"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3Ab7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857381"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3Af3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856841"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3A7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771952244"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3A66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3A105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856850"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3Aa144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856984"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3A2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856844"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3Ac935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857147"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3A2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d?arch=arm64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856962"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3A268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857087"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3Aafb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857516"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3A82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857381"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3Abb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856841"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3Ae25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771952244"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"product_id": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-operator-bundle@sha256%3A8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771953299"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3A7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3Ae8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856850"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3Acf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856984"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3A8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856844"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3A10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857147"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3Ade99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99?arch=amd64\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856962"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3Aeae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857087"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3A07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857516"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3A17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857381"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3A75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856841"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3A6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771952244"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3A1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3A7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856850"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3A168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856984"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3A0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856844"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3A193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857147"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3A92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5?arch=s390x\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856962"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3A52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857087"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3A9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857516"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3A6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857381"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3A7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856841"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3A55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771952244"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3A5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3A081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856850"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3A335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856984"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3Aee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856844"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3Ab3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771857147"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3Af40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp\u0026tag=1771856962"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T10:02:11+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4170"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61728",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:39.965024+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434431"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker needs to be able to process a malicious zip archive with an application using the archive/zip package. Additionally, this vulnerability can cause a Go application to consume an excessive amount of CPU and memory, eventually resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61728"
},
{
"category": "external",
"summary": "RHBZ#2434431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61728"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"category": "external",
"summary": "https://go.dev/cl/736713",
"url": "https://go.dev/cl/736713"
},
{
"category": "external",
"summary": "https://go.dev/issue/77102",
"url": "https://go.dev/issue/77102"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4342",
"url": "https://pkg.go.dev/vuln/GO-2026-4342"
}
],
"release_date": "2026-01-28T19:30:31.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T10:02:11+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4170"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T10:02:11+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4170"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:268e73e691f41b0a12b93c03a38c042b788a8b25119d03d43e966058a98dd1dd_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:52ea2f66223a172c31513572c1c8cd65532bf790eab02eb6e5d587b131c0c474_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:de2b9acd6ce2e487fed18bc6634eecbe5aaa76ca5e2907c9d22228a386c1a04e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:eae057bec74ac61b9d052ad765492fa607498ef5b7e1d7e2e607665b228298e4_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:07e2b1b186f3feaa6b0048f6788fbb053711a885a046d5a17a39a3fbc37b3f01_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:9c03c4133e4a280b65da5adbe1b70c1d2f585419f597a10f7086e700210791dc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:afb537839347b55db4cbc3757f0e47afd0faf98bf26649d1af4117bba7a39b72_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:ff8450d4b8f40e33ae544449407399c7204b768349234f1438c7ec533602e664_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:17a4a6040bc7ad24bd0a6445f9eb97ca94f438b4302e715f103d30f73983fd00_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:6833f09d69c8d60990fed4c282e23dc45cf9fb93fc7102b9cf736244a2895b45_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:82e54c9f5d8e4706aebf6f938a5d0a2c2a2cfc3bed571a10ec461bd2a48e2e60_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:b7aa2b4bf922452334c890e2ce56ad535eebbd2dc20637702a3d4097dc2007a8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:75ef60f6723db723b81ffe52ef55062476fb65d53d3b65fd959c8210ebaaf713_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:7e98d2a0eb2d31736814d06c80e9501610ce33fe959a4204a768cabb64c89dbf_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:bb6c1337b03d7b92f722c87e77fea069df70c97775744cb7afa53b97aa672ac8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:f3385c6b788ce0b0d2c5b99561386078d4206bde7a13a615602aab82d411b915_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:8149c664c680df2561593e16a2c6442a73711a87659789f0fef55133ed984642_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:55fce6251931f9e7064bf1072462e9bb76268bf2cfbe62d3721b5b18c7edf84a_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:6f8bba07f297d75b1d42b6011b438b3626857c892c94dab3d54c2cf51a928b81_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:7b7728404ab31e4cb56b9eccf979077291da19116d9019e561ce1349f08c30d2_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:e25471ee7dc5a107f6c08f84415845cd4d61297448d2ce3753a60f39a29bcd57_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:168db9b96fd91c830fa322eddff7739a8dd2a0be2a9f5891ed2ca8525e5da15e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:335ffb6ae1b33cdb837982441715bcf829b539cb62f8e7a40561d76e6f491f6e_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:a144158b0697990dc354ebf4ef7eb7da7f7643e2718e14126df2c6cfba6fc202_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:cf524ae1652b6ca6372da35af44a4af46129fdab2d368e6c476ef6c4e8f85cff_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:0214fcc58fedd15e6415d2ed24886c7e31d530adea063a0751dee84ff785d8fa_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2b4808ab800751c4c4714d238c97a0c9419e62208ac68abac5942148471874b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:8a2b001d37e86bfe305ef69d36099df1fd81e151f9f258a5337605696ef4046a_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:ee5f48c276145a6de3baa0fd3a754189f0dbacaaeda05b6b0bcc05de6502f5e2_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:10cc392176ea44e630ca236fb4671c0448d53e284fd8a44df24fadfd5623df63_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:193866ca8d7c931a7e571b8b058bcb400c07fc271bc7033024218e25d301f2df_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3719f7fc4e20fe5f482eac625ca7b6ce56abcf04a3764b1794fd200ccecf0cb_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:c935be74c2c5c826f3eae12abdbd43e66da27420f27c4ab6eeca56f3fb3b8505_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2ab13fc22bf9bcea91b6380527001fdddf4aa383e1e55416c9975c6c5765a88d_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:92a50bd94dba6eb9306511f92a1821098b451f6716424172bf3f1cdd0351dab5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:de99130c5ae2867134504638ef2f95fa046ab62bde0b890b6f8fac366ca97a99_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:f40b010404a36e74abd265a828a2a8e8f39d732c6c22d526f49ef88c062ff54f_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:081a160bc1078a93a4a57e6a8e289a3d3ef600745ac777d757ee4d4f97a70868_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:105bb18e2d1d6c5385bb74137d2d76f6bc86e40f6ab6ed7d9a597ad099ac620e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:7cbae61ca8eb96a2a72b028d2c7d0b0263f972a3693d52847998fc1d15aefa9c_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:e8d27cfe9428bcd2ec46e9d043f5f7fff768658f22e3fd592d8526bbceb697ec_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:1366e07f272bf7ff10c0745839ff224eb57cc49a7d9d6939461412c3a1e7e288_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:5650943c347887119860ccb157a720791e3d27a5d3ab9d632a251a67a1131820_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:66f1817a5115451e027a634302cce0f5d0363340d52b84d112732f6fde09229e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:7b2a6de1e9a124a5f2588a49b17fac3e4152a7d66792306a33a8d20a918dabbb_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:4174
Vulnerability from csaf_redhat - Published: 2026-03-10 12:12 - Updated: 2026-05-26 09:05

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64 | — | | Vendor Fix: fix; Workaround |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le | — | | Vendor Fix: fix; Workaround |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x | — | | Vendor Fix: fix; Workaround |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src | — | | Vendor Fix: fix; Workaround |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64 | — | | Vendor Fix: fix; Workaround |

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64 | — | | Vendor Fix: fix |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x | — | | Vendor Fix: fix |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src | — | | Vendor Fix: fix |
| Unresolved product id: AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64 | — | | Vendor Fix: fix |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Collector with the supported components for a Red Hat build of OpenTelemetry\n\nSecurity Fix(es):\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:4174",
"url": "https://access.redhat.com/errata/RHSA-2026:4174"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4174.json"
}
],
"title": "Red Hat Security Advisory: opentelemetry-collector security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:06+00:00",
"generator": {
"date": "2026-05-26T09:05:06+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:4174",
"initial_release_date": "2026-03-10T12:12:43+00:00",
"revision_history": [
{
"date": "2026-03-10T12:12:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-10T12:12:43+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:06+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.src",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.src",
"product_id": "opentelemetry-collector-0:0.144.0-1.el10_1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el10_1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"product_id": "opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el10_1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"product_id": "opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el10_1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"product_id": "opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el10_1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.x86_64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.x86_64",
"product_id": "opentelemetry-collector-0:0.144.0-1.el10_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el10_1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el10_1.src",
"relates_to_product_reference": "AppStream-10.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el10_1.x86_64",
"relates_to_product_reference": "AppStream-10.1.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T12:12:43+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4174"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T12:12:43+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4174"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.aarch64",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.ppc64le",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.s390x",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.src",
"AppStream-10.1.Z:opentelemetry-collector-0:0.144.0-1.el10_1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}
RHSA-2026:4177
Vulnerability from csaf_redhat - Published: 2026-03-10 19:22 - Updated: 2026-05-26 09:05

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64 | — | | Vendor Fix, Workaround |

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64 | — | | Vendor Fix |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Collector with the supported components for a Red Hat build of OpenTelemetry\n\nSecurity Fix(es):\n\n* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)\n\n* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:4177",
"url": "https://access.redhat.com/errata/RHSA-2026:4177"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4177.json"
}
],
"title": "Red Hat Security Advisory: opentelemetry-collector security update",
"tracking": {
"current_release_date": "2026-05-26T09:05:07+00:00",
"generator": {
"date": "2026-05-26T09:05:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:4177",
"initial_release_date": "2026-03-10T19:22:05+00:00",
"revision_history": [
{
"date": "2026-03-10T19:22:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-10T19:22:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-26T09:05:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.src",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.src",
"product_id": "opentelemetry-collector-0:0.144.0-1.el9_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el9_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"product_id": "opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el9_7?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"product_id": "opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el9_7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.x86_64",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.x86_64",
"product_id": "opentelemetry-collector-0:0.144.0-1.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el9_7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"product": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"product_id": "opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/opentelemetry-collector@0.144.0-1.el9_7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el9_7.src",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "opentelemetry-collector-0:0.144.0-1.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
},
"product_reference": "opentelemetry-collector-0:0.144.0-1.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T19:22:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4177"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-10T19:22:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:4177"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.src",
"AppStream-9.7.0.Z.MAIN:opentelemetry-collector-0:0.144.0-1.el9_7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
}
]
}