Red Hat Product Errata RHSA-2025:7479 - Security Advisory
Issued:
2025-05-13
Updated:
2025-05-13

RHSA-2025:7479 - Security Advisory

Synopsis

Important: opentelemetry-collector security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Collector with the supported components for a Red Hat build of OpenTelemetry

Security Fix(es):

  • go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)
  • golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
  • github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input (CVE-2025-29786)
  • golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2347423 - CVE-2025-27144 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
  • BZ - 2348366 - CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
  • BZ - 2352914 - CVE-2025-29786 github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input
  • BZ - 2354195 - CVE-2025-30204 golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing

Red Hat Enterprise Linux for x86_64 10

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
x86_64
opentelemetry-collector-0.107.0-9.el10_0.x86_64.rpm SHA-256: 4dd448334bc5014591f38df3797609a4e44b165fba7aafc41ce29f37a041e1fd

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
x86_64
opentelemetry-collector-0.107.0-9.el10_0.x86_64.rpm SHA-256: 4dd448334bc5014591f38df3797609a4e44b165fba7aafc41ce29f37a041e1fd

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
s390x
opentelemetry-collector-0.107.0-9.el10_0.s390x.rpm SHA-256: 165bf21c489b3d5b5d15cceb3ec6da375d3033044c356f7e39c4cc078966ba8d

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
s390x
opentelemetry-collector-0.107.0-9.el10_0.s390x.rpm SHA-256: 165bf21c489b3d5b5d15cceb3ec6da375d3033044c356f7e39c4cc078966ba8d

Red Hat Enterprise Linux for Power, little endian 10

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
ppc64le
opentelemetry-collector-0.107.0-9.el10_0.ppc64le.rpm SHA-256: 9fa4ab9cad66df08c25c8f00f669106fe61c8e79b2a7198af3c9dd3488ce8e4a

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
ppc64le
opentelemetry-collector-0.107.0-9.el10_0.ppc64le.rpm SHA-256: 9fa4ab9cad66df08c25c8f00f669106fe61c8e79b2a7198af3c9dd3488ce8e4a

Red Hat Enterprise Linux for ARM 64 10

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
aarch64
opentelemetry-collector-0.107.0-9.el10_0.aarch64.rpm SHA-256: 79cb00e588cab8e66dc6222d9ddec16134bda75fdc5f7ee2400e98dc5a41ad89

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
aarch64
opentelemetry-collector-0.107.0-9.el10_0.aarch64.rpm SHA-256: 79cb00e588cab8e66dc6222d9ddec16134bda75fdc5f7ee2400e98dc5a41ad89

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
aarch64
opentelemetry-collector-0.107.0-9.el10_0.aarch64.rpm SHA-256: 79cb00e588cab8e66dc6222d9ddec16134bda75fdc5f7ee2400e98dc5a41ad89

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
s390x
opentelemetry-collector-0.107.0-9.el10_0.s390x.rpm SHA-256: 165bf21c489b3d5b5d15cceb3ec6da375d3033044c356f7e39c4cc078966ba8d

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
ppc64le
opentelemetry-collector-0.107.0-9.el10_0.ppc64le.rpm SHA-256: 9fa4ab9cad66df08c25c8f00f669106fe61c8e79b2a7198af3c9dd3488ce8e4a

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
opentelemetry-collector-0.107.0-9.el10_0.src.rpm SHA-256: 850b614c87e1ee5fa98ad9914d477811a661aba47492b835c30f13ca1c054e61
x86_64
opentelemetry-collector-0.107.0-9.el10_0.x86_64.rpm SHA-256: 4dd448334bc5014591f38df3797609a4e44b165fba7aafc41ce29f37a041e1fd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.