- Issued: 2025-07-07
- Updated: 2025-07-07
RHBA-2025:10420 - Bug Fix Advisory
Synopsis
Updated rhel8/toolbox container image
Type/Severity
Bug Fix Advisory
Topic
An updated rhel8/toolbox container image is now available in the Red Hat container registry.
Description
The rhel8/toolbox container image can be used with Toolbox to obtain RHEL-based containerized command line environments to aid with development and software testing. Toolbox is built on top of Podman and other standard container technologies from OCI.
To pull this container image, run one of the following commands:
podman pull registry.redhat.io/rhel8/toolbox (authenticated)
podman pull registry.access.redhat.com/ubi8/toolbox (unauthenticated)
Solution
The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io or registry.access.redhat.com using the "podman pull" command.
For more information about the image, search for <image_name> in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2370010 - CVE-2025-4435 cpython: Tarfile extracts filtered members when errorlevel=0
- BZ - 2370013 - CVE-2024-12718 cpython: python: Bypass extraction filter to modify file metadata outside extraction directory
- BZ - 2370014 - CVE-2025-4330 cpython: python: Extraction filter bypass for linking outside extraction directory
- BZ - 2370016 - CVE-2025-4517 python: cpython: Arbitrary writes via tarfile realpath overflow
- BZ - 2372426 - CVE-2025-4138 cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
- BZ - 2372512 - CVE-2025-6020 linux-pam: Linux-pam directory Traversal
- BZ - 2374692 - CVE-2025-32462 sudo: LPE via host option
CVEs
aarch64
| rhel8/toolbox@sha256:fbbf7c2f45407439f617d9088a4ecf844ebbffd46b55f3033363ffb94cea717e |
| ubi8/toolbox@sha256:fbbf7c2f45407439f617d9088a4ecf844ebbffd46b55f3033363ffb94cea717e |
ppc64le
| rhel8/toolbox@sha256:b2408cecad7ee552903b0bd2a35f499fdd915635af468140a9650069c183129e |
| ubi8/toolbox@sha256:b2408cecad7ee552903b0bd2a35f499fdd915635af468140a9650069c183129e |
s390x
| rhel8/toolbox@sha256:e9afeacc9c1820749dccd51369c7bb78c175cb50d1a46ae14f7035d661aefefc |
| ubi8/toolbox@sha256:e9afeacc9c1820749dccd51369c7bb78c175cb50d1a46ae14f7035d661aefefc |
x86_64
| rhel8/toolbox@sha256:03bb6f52457caebde6e05bcbb8d84932d00f6c0286ecbdc126986a5e781bc83d |
| ubi8/toolbox@sha256:03bb6f52457caebde6e05bcbb8d84932d00f6c0286ecbdc126986a5e781bc83d |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.