Issued:: 2026-03-24
Updated:: 2026-03-24

RHSA-2026:5533 - Security Advisory

Overview
Updated Packages

Synopsis

Important: osbuild-composer security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

BZ - 2418462 - CVE-2025-61729 crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
BZ - 2434432 - CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
osbuild-composer-46.3-7.el9_0.src.rpm	SHA-256: 505de879bbf8c5319d02dc122d676cdb4f0e6016ed90b44bbe180dd014c80145
ppc64le
osbuild-composer-46.3-7.el9_0.ppc64le.rpm	SHA-256: 2f92ad67efeebb88178056d4e2c6b661ebfdde68a155b6290ff4818688fb59f7
osbuild-composer-core-46.3-7.el9_0.ppc64le.rpm	SHA-256: af9e4d025418d031a0588587b4e76cbad51baf2a600afe896f00050958c71028
osbuild-composer-core-debuginfo-46.3-7.el9_0.ppc64le.rpm	SHA-256: 1e823ee98897eb1c21621cd173abbfef7e8a4201b7ae87f8b9c193958be18dfd
osbuild-composer-debugsource-46.3-7.el9_0.ppc64le.rpm	SHA-256: 5cd789976306e917b8094d42317a2a47cde19b33f1fb7469370beb9b40b3b672
osbuild-composer-dnf-json-46.3-7.el9_0.ppc64le.rpm	SHA-256: 1788d052db7a3b3d7cb573ac0ce89a527dc19ec41bc872629143123c95b1a2a4
osbuild-composer-tests-debuginfo-46.3-7.el9_0.ppc64le.rpm	SHA-256: 4125e0da8eb39fc97b38162ac357abb7a6961a1dc10831cc7653e010105ce099
osbuild-composer-worker-46.3-7.el9_0.ppc64le.rpm	SHA-256: 8715e37bf61d0a9c6097acd58a57fcf8effedb381a7247ff1ae44b10be7089a6
osbuild-composer-worker-debuginfo-46.3-7.el9_0.ppc64le.rpm	SHA-256: 039cdcfa87630e280fe22f3610e9d15034fae9b3fa912c3d69a8e912a78f1652

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
osbuild-composer-46.3-7.el9_0.src.rpm	SHA-256: 505de879bbf8c5319d02dc122d676cdb4f0e6016ed90b44bbe180dd014c80145
x86_64
osbuild-composer-46.3-7.el9_0.x86_64.rpm	SHA-256: 8da3328b437a69ab46659c4fd9adbb631cb17ece5ebdf4dc0c0d7bf89bba2e65
osbuild-composer-core-46.3-7.el9_0.x86_64.rpm	SHA-256: e3b40f76e15c2069a86c55964d42363da5326c0b7b3e07beea7494cc8a98cdd4
osbuild-composer-core-debuginfo-46.3-7.el9_0.x86_64.rpm	SHA-256: f35d08cb6f60bb2eb158ef47d5d1ddb58bbff2ff46e29d312027518010e355eb
osbuild-composer-debugsource-46.3-7.el9_0.x86_64.rpm	SHA-256: 668ade0d377098685f32ca662502458e0bedc4a4e0f11f5c6f5fbb009b2c45db
osbuild-composer-dnf-json-46.3-7.el9_0.x86_64.rpm	SHA-256: b5929209028a29c5b1ec7a02602a07299967d4014b7581c9f155ee1995061f6f
osbuild-composer-tests-debuginfo-46.3-7.el9_0.x86_64.rpm	SHA-256: 13f3fe1a695ff0e89155fabc787ebf157e812c1045183f0b65a197c7678d3ab9
osbuild-composer-worker-46.3-7.el9_0.x86_64.rpm	SHA-256: 6512aee82d68731fd2dae935cc302b2b67692d8eaf5b447d896e1d20f13e29c3
osbuild-composer-worker-debuginfo-46.3-7.el9_0.x86_64.rpm	SHA-256: 9a7e5ced4f08271f6b81ebea38f94de921169d77df3d77464d1241a9bbe1a9c7

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
osbuild-composer-46.3-7.el9_0.src.rpm	SHA-256: 505de879bbf8c5319d02dc122d676cdb4f0e6016ed90b44bbe180dd014c80145
aarch64
osbuild-composer-46.3-7.el9_0.aarch64.rpm	SHA-256: ffff2c334aecf1a56f363cd64cee357af24f225069be45a3efa14c944d2c305c
osbuild-composer-core-46.3-7.el9_0.aarch64.rpm	SHA-256: 28a46de11f9907bc93c3606fbfd146658f7780a164f9546b7233c0933a20a18c
osbuild-composer-core-debuginfo-46.3-7.el9_0.aarch64.rpm	SHA-256: 0daedf222e4d8be37d34b7e512338f90223dbfc4e296f8245fce5624a1f6aa3f
osbuild-composer-debugsource-46.3-7.el9_0.aarch64.rpm	SHA-256: 6accc46dbb963593af2b84fa10da6f942c6f2ee57fdec34f283fdbe48f7621b9
osbuild-composer-dnf-json-46.3-7.el9_0.aarch64.rpm	SHA-256: 93ab525bf692bde635d165ae670ede31993a292a55224c36a6dbfce8eaa79d01
osbuild-composer-tests-debuginfo-46.3-7.el9_0.aarch64.rpm	SHA-256: 1a16d28fd39620b6c8bf3ce89ab00ca7c0f7fc1bbae54d4c9652e1c40de686ed
osbuild-composer-worker-46.3-7.el9_0.aarch64.rpm	SHA-256: 92edc27fc6ac187b7601c9d8a2c801c8edaec03b3b2286d763650a4f560ca3c0
osbuild-composer-worker-debuginfo-46.3-7.el9_0.aarch64.rpm	SHA-256: 6e9b64d5555d3d3180754eaf0638df4038838c7db7be98cbeb6f3ff83ac379f5

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
osbuild-composer-46.3-7.el9_0.src.rpm	SHA-256: 505de879bbf8c5319d02dc122d676cdb4f0e6016ed90b44bbe180dd014c80145
s390x
osbuild-composer-46.3-7.el9_0.s390x.rpm	SHA-256: 6641ae5b404bd1ee4f0c5b7906867985d50f25e57239563804326d699f1ae38d
osbuild-composer-core-46.3-7.el9_0.s390x.rpm	SHA-256: 2f00f3a27b398fceabcad09adbaf6347ce01d6861b679da7ea807a6784c71168
osbuild-composer-core-debuginfo-46.3-7.el9_0.s390x.rpm	SHA-256: 77bfabbee89ab79d9259e53da404b09aa6f526393ca9707b52136fb69ef13897
osbuild-composer-debugsource-46.3-7.el9_0.s390x.rpm	SHA-256: e30862a5a523690e0371cd19e3a21f79c8c5c2a2f7401c156006ad0a65d19bec
osbuild-composer-dnf-json-46.3-7.el9_0.s390x.rpm	SHA-256: 53079aa0980ac102eb5d989ddbf59b5a1313d85f4993d8ae65c3c656ecd0b002
osbuild-composer-tests-debuginfo-46.3-7.el9_0.s390x.rpm	SHA-256: ef7b2bedfd5c05b9937775c5b5f5d5a8a678e9bef1f3ebbf3a059061abd8f8f2
osbuild-composer-worker-46.3-7.el9_0.s390x.rpm	SHA-256: 7b5802fa5bf8e8544234a073942a1679dbdfc7644d66c163ec522e93f709c203
osbuild-composer-worker-debuginfo-46.3-7.el9_0.s390x.rpm	SHA-256: 4bc87ebf77a7bfd3da18421ea21aab0080b95b4c805936bf756dd98c785b36b0

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation