Issued:: 2026-01-28
Updated:: 2026-01-28

RHSA-2026:1485 - Security Advisory

Overview
Updated Packages

Synopsis

Important: RHUI 4.11.3 security update - python-urllib3

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated version of Red Hat Update Infrastructure (RHUI) is now
available. RHUI 4.11.3 resolves several security vulnerabilities.

Description

Red Hat Update Infrastructure (RHUI) provides a highly scalable and redundant framework for managing repositories and content. It also allows cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.

Security Fixes:

Python-urllib3: Unbounded decompression chain leads to resource exhaustion (CVE-2025-66418)
Python-urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (CVE-2026-21441)
Python-urllib3: urllib3 Streaming API improperly handles highly compressed data (CVE-2025-66471)

This update addresses several vulnerabilities within the urllib3 library pertaining to the handling of compressed content (e.g., gzip, deflate, br, or zstd). A remote attacker could potentially provide specially crafted content that, when processed, leads to excessive CPU utilization and significant memory allocation during decompression, potentially resulting in a denial-of-service (DoS) condition.

Deployment Notes:

RHUA nodes: The updated python3-urllib3 package provided in this errata is intended specifically for Red Hat Update Appliance (RHUA) nodes.
CDS nodes: Content Delivery Server (CDS) nodes should receive the corresponding update directly from the standard Red Hat Enterprise Linux (RHEL) distribution channels.

Impact Assessment:

Under standard operating conditions, a properly secured RHUI environment is not expected to be impacted by these vulnerabilities, as the RHUA typically communicates only with trusted endpoints. However, as a matter of security best practice, all RHUI administrators are strongly advised to apply this update to mitigate potential risks.

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

1. Apply the update

This update is delivered via a package update, not a new installer. To apply the fix, update the necessary package:

dnf -y update python3.11-urllib3

(Alternatively, rerunning the current rhui-installer will also install this package update automatically.)

2. Restart RHUI services

Execute the following command for the update to take effect:

rhui-services-restart

(Alternatively, if you have rerun the installer, this command is not needed because rerunning the installer restarts RHUI services automatically.)

Affected Products

Red Hat Update Infrastructure 4 x86_64

Fixes

BZ - 2419455 - CVE-2025-66418 urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
BZ - 2419467 - CVE-2025-66471 urllib3: urllib3 Streaming API improperly handles highly compressed data
BZ - 2427726 - CVE-2026-21441 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Update Infrastructure 4

SRPM
python-urllib3-2.6.3-1.el8ui.src.rpm	SHA-256: cb4624b789614950fbaa6b9542ec17be67951f50894293cc69758f7eff5ddb5b
x86_64
python3.11-urllib3-2.6.3-1.el8ui.noarch.rpm	SHA-256: 140eec087a1bc8200e33ca21b903a888d8517cc6e46e34478a09402c3661a87f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation