Red Hat Product Errata RHSA-2025:9640 - Security Advisory
Issued:
2025-06-25
Updated:
2025-06-25

RHSA-2025:9640 - Security Advisory

Synopsis

Moderate: osbuild-composer security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

  • net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - AUS 9.2 x86_64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2358493 - CVE-2025-22871 net/http: Request smuggling due to acceptance of invalid chunked data in net/http

Red Hat Enterprise Linux Server - AUS 9.2

SRPM
osbuild-composer-76.1-2.el9_2.src.rpm SHA-256: 838bc3c1cee3c3edc9318a1a9e2812e4e70cfe0ad971443f61f21eb284773e3e
x86_64
osbuild-composer-76.1-2.el9_2.x86_64.rpm SHA-256: ee0c9d025f00a0007df9f7e588b968023eed3630ad325870a460ab0f93ae9dd3
osbuild-composer-core-76.1-2.el9_2.x86_64.rpm SHA-256: 0283f27a197863e7299979f7373e992f592fc5de4bb11b849294de26b29df094
osbuild-composer-core-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: 2724a06328bbe56097c3f9d0e4cec374e916bfd44e856ae9be15d062698fe3f6
osbuild-composer-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: 393520882edce5c121113d048477cc070606df9880cc35d44deae98908ffce6f
osbuild-composer-debugsource-76.1-2.el9_2.x86_64.rpm SHA-256: 17a7a80015fe197d2240b722c15bc466eb67499d56d80f9e1acdb5a04c209574
osbuild-composer-dnf-json-76.1-2.el9_2.x86_64.rpm SHA-256: 297ecfbca743529f12b2b7e3c772db726852207c1637a8e1d70af2290ae8f412
osbuild-composer-tests-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: c024fee6c2a761fa6f1ad06269f38621314d0c2fc0d9e79ed8c191bef18d5ed6
osbuild-composer-worker-76.1-2.el9_2.x86_64.rpm SHA-256: ae69ff46893f681a35509a5c8263e2b0a2624a3c629c0457ab2a477bab9dd0ee
osbuild-composer-worker-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: f7f37f8340a783e57517fc58c8e1e6856ee2eb88065d01472658d07b9627584c

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM
osbuild-composer-76.1-2.el9_2.src.rpm SHA-256: 838bc3c1cee3c3edc9318a1a9e2812e4e70cfe0ad971443f61f21eb284773e3e
ppc64le
osbuild-composer-76.1-2.el9_2.ppc64le.rpm SHA-256: 62d4c286d2a0d443285006f578c092f271929c6e1ca2d10f6baa03acd1e4c880
osbuild-composer-core-76.1-2.el9_2.ppc64le.rpm SHA-256: ac6271fbcc162eb930a689f3739f373ae87f06cb0225f5c8314d12f360b6f0e9
osbuild-composer-core-debuginfo-76.1-2.el9_2.ppc64le.rpm SHA-256: 4027842aba1d6ffa67ba1e12b11d2457e442a316e9880e438c2f0b332e4b831d
osbuild-composer-debuginfo-76.1-2.el9_2.ppc64le.rpm SHA-256: 80854a1f1acc8675fb421a197a049f8494f802624d8706947405ec36f128400b
osbuild-composer-debugsource-76.1-2.el9_2.ppc64le.rpm SHA-256: 41769ad834d77cfca820b19c6624dcab5f960c08cdcee4c799490057022a8b0a
osbuild-composer-dnf-json-76.1-2.el9_2.ppc64le.rpm SHA-256: 1c215a412bdc680a47ee97a7ab12544b7b4317fcfb3e2dbef7d3c940bd409358
osbuild-composer-tests-debuginfo-76.1-2.el9_2.ppc64le.rpm SHA-256: ed59a29f47bade56fc5e8fd3a7690732b62483f63a8eebe1833ec871d1e95e7c
osbuild-composer-worker-76.1-2.el9_2.ppc64le.rpm SHA-256: 2d6225d21d36530aacb670bf0bc16b9fa8854e8fb607d3de811b64720f20dd81
osbuild-composer-worker-debuginfo-76.1-2.el9_2.ppc64le.rpm SHA-256: c459def908a78baa979fbb7fc18e4a24889af9cb167b16e3bc2211a3da95ca11

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2

SRPM
osbuild-composer-76.1-2.el9_2.src.rpm SHA-256: 838bc3c1cee3c3edc9318a1a9e2812e4e70cfe0ad971443f61f21eb284773e3e
x86_64
osbuild-composer-76.1-2.el9_2.x86_64.rpm SHA-256: ee0c9d025f00a0007df9f7e588b968023eed3630ad325870a460ab0f93ae9dd3
osbuild-composer-core-76.1-2.el9_2.x86_64.rpm SHA-256: 0283f27a197863e7299979f7373e992f592fc5de4bb11b849294de26b29df094
osbuild-composer-core-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: 2724a06328bbe56097c3f9d0e4cec374e916bfd44e856ae9be15d062698fe3f6
osbuild-composer-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: 393520882edce5c121113d048477cc070606df9880cc35d44deae98908ffce6f
osbuild-composer-debugsource-76.1-2.el9_2.x86_64.rpm SHA-256: 17a7a80015fe197d2240b722c15bc466eb67499d56d80f9e1acdb5a04c209574
osbuild-composer-dnf-json-76.1-2.el9_2.x86_64.rpm SHA-256: 297ecfbca743529f12b2b7e3c772db726852207c1637a8e1d70af2290ae8f412
osbuild-composer-tests-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: c024fee6c2a761fa6f1ad06269f38621314d0c2fc0d9e79ed8c191bef18d5ed6
osbuild-composer-worker-76.1-2.el9_2.x86_64.rpm SHA-256: ae69ff46893f681a35509a5c8263e2b0a2624a3c629c0457ab2a477bab9dd0ee
osbuild-composer-worker-debuginfo-76.1-2.el9_2.x86_64.rpm SHA-256: f7f37f8340a783e57517fc58c8e1e6856ee2eb88065d01472658d07b9627584c

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2

SRPM
osbuild-composer-76.1-2.el9_2.src.rpm SHA-256: 838bc3c1cee3c3edc9318a1a9e2812e4e70cfe0ad971443f61f21eb284773e3e
aarch64
osbuild-composer-76.1-2.el9_2.aarch64.rpm SHA-256: bb82d700d6e033e80a5188155ddac2de61f57a197a135536dcaf840fb6a43542
osbuild-composer-core-76.1-2.el9_2.aarch64.rpm SHA-256: 00e58a1a05d921f3ebdf0ff61ae48ab7f9cfeca52c66381d56d45bcf149d70f6
osbuild-composer-core-debuginfo-76.1-2.el9_2.aarch64.rpm SHA-256: 386214375f150ab163f6c9b0f3a9d13ecc5ae83bc8265b79a73a13ac03345624
osbuild-composer-debuginfo-76.1-2.el9_2.aarch64.rpm SHA-256: 9bc1d050e7ad40a91c522936f25fb84c1a810a25c54a74da46080b10c3c050cb
osbuild-composer-debugsource-76.1-2.el9_2.aarch64.rpm SHA-256: 7a86c4a8badccf0864c7d8abc5fa9d42fb1257331f8167c02d9bba10c7a7ba1e
osbuild-composer-dnf-json-76.1-2.el9_2.aarch64.rpm SHA-256: d30ac540456c3da7c841b07840cbc6d42e8aa8c46dc27665c3dd4d098db1cccb
osbuild-composer-tests-debuginfo-76.1-2.el9_2.aarch64.rpm SHA-256: 97ab5c3da36e053c0c31b3a94310b7ff3f444dd6b9f3da9d080f80d256bfd24d
osbuild-composer-worker-76.1-2.el9_2.aarch64.rpm SHA-256: 8fa3c4d15b4a7947c9d6f3c2677e467955ba685d1c6dda584b950b28749154e7
osbuild-composer-worker-debuginfo-76.1-2.el9_2.aarch64.rpm SHA-256: 3aea76cf1f5879cf08ca1e54cf8cfef335cae1162cec58f3133888ca8f4ed283

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2

SRPM
osbuild-composer-76.1-2.el9_2.src.rpm SHA-256: 838bc3c1cee3c3edc9318a1a9e2812e4e70cfe0ad971443f61f21eb284773e3e
s390x
osbuild-composer-76.1-2.el9_2.s390x.rpm SHA-256: 330ab484a5ad3fe9ab5dea3bffa927b11f1e7d7ed1e0c39ff8348ab56f1c85df
osbuild-composer-core-76.1-2.el9_2.s390x.rpm SHA-256: a87586a74432970044eb082a470f2feb89569cf2d9567475f90382dc74d49744
osbuild-composer-core-debuginfo-76.1-2.el9_2.s390x.rpm SHA-256: 74c22c4c7e50ab98d5e99b8fb2cb7c55f07184a0e6b7671d3d7e29ed2847d52a
osbuild-composer-debuginfo-76.1-2.el9_2.s390x.rpm SHA-256: 51b1f02f69ed0d349c620773fa397860e6bfbd6daa7c62ccc667a1282611e39b
osbuild-composer-debugsource-76.1-2.el9_2.s390x.rpm SHA-256: a74dca6159d388d67a8f4cf4052a0ceade53c83b42cc26a19620e441feb29a34
osbuild-composer-dnf-json-76.1-2.el9_2.s390x.rpm SHA-256: 69a82ccc01563f8f6a5ebeee30e4f8a743ba3c698a86e156c830a4f64af16370
osbuild-composer-tests-debuginfo-76.1-2.el9_2.s390x.rpm SHA-256: 507c8888c2184574979764d2b5e068509e97e03e4ee5fc541253db4f3d718a7a
osbuild-composer-worker-76.1-2.el9_2.s390x.rpm SHA-256: 3e2b2afad98d87b464e290a24b35c2b1dfeea35cd23a25620796442c187e92c5
osbuild-composer-worker-debuginfo-76.1-2.el9_2.s390x.rpm SHA-256: f45c1a2e51d74af017b9aa81b3da127d55e4b02ed82380fc735d0212a798b81f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.