Issued: 2025-04-16
Updated: 2025-04-16
RHSA-2025:3959 - Security Advisory
Synopsis
Important: VolSync 0.11.2 security fixes and enhancements for RHEL 9
Type/Severity
Security Advisory: Important
Topic
VolSync v0.11.2 general availability release images, which provide
enhancements, security fixes, and updated container images.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Description
VolSync v0.11.2 is a Kubernetes operator that enables asynchronous replication
of persistent volumes within a cluster, or across clusters. After deploying
the VolSync operator, it can create and maintain copies of your persistent
data.
For more information about VolSync, see:
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/
This advisory contains enhancements and updates to the VolSync
container images.
Security fix(es):
- golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
- golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)
Solution
For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:
Affected Products
- Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 9 x86_64
Fixes
- BZ - 2348366 - CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
- BZ - 2348367 - CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
- HYPBLD-618 - Release v0.11.2 of VolSync
- ACM-19031 - Release VolSync v0.11.2
CVEs
- CVE-2019-12900
- CVE-2020-11023
- CVE-2021-3903
- CVE-2021-43618
- CVE-2022-48554
- CVE-2023-7104
- CVE-2023-29491
- CVE-2023-31484
- CVE-2023-32573
- CVE-2023-33285
- CVE-2023-34410
- CVE-2023-37369
- CVE-2023-37920
- CVE-2023-38197
- CVE-2023-47038
- CVE-2024-2236
- CVE-2024-3596
- CVE-2024-8176
- CVE-2024-9287
- CVE-2024-10963
- CVE-2024-11168
- CVE-2024-12085
- CVE-2024-12797
- CVE-2024-28834
- CVE-2024-28835
- CVE-2024-34397
- CVE-2024-43855
- CVE-2024-56171
- CVE-2025-22868
- CVE-2025-22869
- CVE-2025-24928
Container images (by architecture, referenced by digest):
aarch64
- rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d
ppc64le
- rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2
s390x
- rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8
x86_64
- rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee
- rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.