Red Hat Product Errata RHSA-2026:1837 - Security Advisory
Issued:
2026-02-03
Updated:
2026-02-05

RHSA-2026:1837 - Security Advisory

Synopsis

Moderate: osbuild-composer security update

Type/Severity

Security Advisory: Moderate

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for osbuild-composer is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

  • golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64

Fixes

  • BZ - 2407258 - CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU sparse map

Red Hat Enterprise Linux for x86_64 10

SRPM
osbuild-composer-149-4.el10_1.src.rpm SHA-256: 0bfa40e4508e3304b358f26257a3d53302c1e0f360e36e7850b70c77a7cb6be6
x86_64
osbuild-composer-149-4.el10_1.x86_64.rpm SHA-256: 71c96efa76a3004afbe452b8c514d731abe8b1a1401ff7b5192edf24647e0303
osbuild-composer-core-149-4.el10_1.x86_64.rpm SHA-256: 77943845461341025f27fb302e25816ee179bf579d9905d2d180886be704ccac
osbuild-composer-core-debuginfo-149-4.el10_1.x86_64.rpm SHA-256: 1a016c591e7ac8093c4f1c94bd5c4c5c6deea0cbc2e2fd157e6002cbfb73f1cd
osbuild-composer-debugsource-149-4.el10_1.x86_64.rpm SHA-256: a0c13897ce0ea230f43b72ea60c96c8f612115ced19849839ee0f4b19f54c285
osbuild-composer-tests-debuginfo-149-4.el10_1.x86_64.rpm SHA-256: 8bfaf344abd8a9560ec17644ac65f933ac263bc2e388246e2132a9a0d3f05d95
osbuild-composer-worker-149-4.el10_1.x86_64.rpm SHA-256: e8c508c547782e982ae7c16f18e1fe6ee9e47e229faa5b2a518983604389c868
osbuild-composer-worker-debuginfo-149-4.el10_1.x86_64.rpm SHA-256: 7351c87ff3b84db533cc25da8a203783f2548e574e152fd1fcf3ee07996ca8e4

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
osbuild-composer-149-4.el10_1.src.rpm SHA-256: 0bfa40e4508e3304b358f26257a3d53302c1e0f360e36e7850b70c77a7cb6be6
s390x
osbuild-composer-149-4.el10_1.s390x.rpm SHA-256: 36e610c09c8e329ee3d31fc8fb41662ef6eba502679361ce390b7b268698fe4a
osbuild-composer-core-149-4.el10_1.s390x.rpm SHA-256: 8164ef04d8431455f4c72e8ff74269042f8b164b8a5437bcf5c5977d601a46ae
osbuild-composer-core-debuginfo-149-4.el10_1.s390x.rpm SHA-256: f5418f4bfbb5014cfda128a9d4ac74072cadef5c99425ed567534802e8364696
osbuild-composer-debugsource-149-4.el10_1.s390x.rpm SHA-256: f3e21ed1914debe18b0e7e6a73a8eda889673375952296e5c7049a370f0b6d95
osbuild-composer-tests-debuginfo-149-4.el10_1.s390x.rpm SHA-256: ba695a6da54a5a6ee744f090e4f98e302f2a11c30fc3c29a92700806d238cebd
osbuild-composer-worker-149-4.el10_1.s390x.rpm SHA-256: 9be33f65c71a0387d1399ce3db70a189ea1494d411708d51ffb1b204ca51702e
osbuild-composer-worker-debuginfo-149-4.el10_1.s390x.rpm SHA-256: 2183f8b8254a27a113ac6325ee630c36b8ffd3028e0a906e8f48a0b3ab9cfa0d

Red Hat Enterprise Linux for Power, little endian 10

SRPM
osbuild-composer-149-4.el10_1.src.rpm SHA-256: 0bfa40e4508e3304b358f26257a3d53302c1e0f360e36e7850b70c77a7cb6be6
ppc64le
osbuild-composer-149-4.el10_1.ppc64le.rpm SHA-256: ee0506a05e6a03fb4d14191c5ddda8e6383813ab77089313d6c273853f9945b0
osbuild-composer-core-149-4.el10_1.ppc64le.rpm SHA-256: 16b0159b0bbe9bd8496ca973eaa8dd536a7a36ee750bc15bc113a1e00f612311
osbuild-composer-core-debuginfo-149-4.el10_1.ppc64le.rpm SHA-256: 325b90da578bec2687cba7edea7c0ab21ab0f4ac402ed9126621dc17121a29c8
osbuild-composer-debugsource-149-4.el10_1.ppc64le.rpm SHA-256: 39832612aac46c03b4b9c8b8f1ecb85525b183db456eed9f40d5bd4b5119d342
osbuild-composer-tests-debuginfo-149-4.el10_1.ppc64le.rpm SHA-256: de3ca84953a59f1681aacb1e0b9a82001d3dbbce145c32c51b74355755e821f5
osbuild-composer-worker-149-4.el10_1.ppc64le.rpm SHA-256: 50f5c56b98024c1f14fef3dca9dd691a2a35b288948650be37c02b98e7f2bdd6
osbuild-composer-worker-debuginfo-149-4.el10_1.ppc64le.rpm SHA-256: 79a09c69a3b454f5c8823f03a4fdb2f15e26ac33f1555a85c3180d8cfa88a1b8

Red Hat Enterprise Linux for ARM 64 10

SRPM
osbuild-composer-149-4.el10_1.src.rpm SHA-256: 0bfa40e4508e3304b358f26257a3d53302c1e0f360e36e7850b70c77a7cb6be6
aarch64
osbuild-composer-149-4.el10_1.aarch64.rpm SHA-256: 620eb3b647a357cc5ec23bc787f41d5613f725ff4663611fdf9e0b10be9848ba
osbuild-composer-core-149-4.el10_1.aarch64.rpm SHA-256: 8d9428c7332357fdb735bed0c3437b60f9c28d67623a12720dd9c1c70f62a66b
osbuild-composer-core-debuginfo-149-4.el10_1.aarch64.rpm SHA-256: 84a4a2a9f1dd29e11fbb27f3bc306bb3fe83939800ee8dfe362c0207dde805f3
osbuild-composer-debugsource-149-4.el10_1.aarch64.rpm SHA-256: f96d394812c09388dd4e2ddebd45f06d118bad09acd3663d00a0305704bc6e1e
osbuild-composer-tests-debuginfo-149-4.el10_1.aarch64.rpm SHA-256: d07b8cf81598a21398f28ccd2a6e9bff9967333e328c099c54972d8e42d9ece2
osbuild-composer-worker-149-4.el10_1.aarch64.rpm SHA-256: bd78b7261437160ad32799cd5101edd7cd62d3f86618091535c2725d713742d5
osbuild-composer-worker-debuginfo-149-4.el10_1.aarch64.rpm SHA-256: 8734973be9247a8befbad4dd3c038916403b5c7689e2167cc14ff4b1450520ab

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.