Product Security Center

Red Hat provides the guidance and stability needed to confidently deploy your solutions

Red Hat Secure Development Lifecycle practices

Our industry-aligned Secure Development Lifecycle (SDL) practices ensure that Red Hat produces trustworthy, high-quality software that meets our customers' business needs. We harden both our code and our supply chain infrastructure through scans and testing, and we use threat models and weakness patterns to design and build with security as a primary objective.

About security

Red Hat response

Red Hat Product Security manages all security vulnerabilities reported or discovered within Red Hat software. We assess and classify the level of severity for vulnerabilities, which is used to indicate risk to Red Hat software, its customers, and the overall ecosystem. This classification then determines the orchestration of efforts necessary to respond to incidents.

Red Hat Product Security engineers analyze and track all known vulnerabilities. Our security classifications are used to prioritize risk in our software, and we work with each of our engineering teams to resolve those risks. We then disclose these risks in an open manner using industry formats and standards such as OVAL, CSAF, CVRF, our CVE pages, and security API.

Latest CVEs
Each entry lists the CVE, its synopsis, its impact rating, and its publish date.

CVE-2025-3198
Synopsis: No description is available for this CVE.
Impact: Low
Publish date: 4/4/2025

CVE-2025-3196
Synopsis: A stack-buffer-overflow vulnerability was found in the Assimp::MD2Importer::InternReadFile function within the Assimp Library. This issue occurs when processing certain malformed files, leading to an out-of-bounds write and potential application crash.
Impact: Moderate
Publish date: 4/4/2025

CVE-2025-30370
Synopsis: A flaw was found in jupyterlab-git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(<command>). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command <command> is run in the user's shell without the user's permission. This issue allows for arbitrary code execution via command injection. A wide range of actions are permitted by this issue, including but not limited to: modifying files, exfiltrating data, halting services, or compromising the server's security rules.
Impact: Important
Publish date: 4/3/2025

CVE-2025-31489
Synopsis: A flaw was found in the Minio package. The signature component of the authorization may be invalid, which would mean that, as a client, you can use any arbitrary secret to upload objects, given the user already has prior WRITE permissions on the bucket. Prior knowledge of the access key and bucket name this user might have access to is necessary, and an access key with WRITE permissions is necessary. However, with relevant information in place, uploading random objects to buckets is trivial via curl.
Impact: Important
Publish date: 4/3/2025

CVE-2025-31115
Synopsis: A flaw was found in the XZ Utils library. In affected versions, the multithreaded .xz decoder in liblzma has a bug where invalid input can trigger a heap use-after-free condition, allowing writes to an address based on the null pointer plus an offset. This issue may result in a crash or other undefined behavior. Applications and libraries that use the `lzma_stream_decoder_mt` function are affected.
Impact: Important
Publish date: 4/3/2025

Compliance

Red Hat approaches product compliance by bringing together several separate functions to accelerate the implementation of security requirements and the achievement of compliance frameworks. Product Security:

  • Participates in the requirements phase of the traditional Software Development Lifecycle (SDLC) and the validation of successful requirement implementation.

  • Coordinates the planning of security certification efforts across Red Hat service and product portfolios to support Red Hat’s open hybrid cloud strategy and market success in restricted sales markets.

  • Informs security and risk decisions across Red Hat by developing tools and solutions that automate security and compliance functions, and conducting critical analysis functions.

Security and privacy

Notifications

Receive email notifications of security updates, bug fixes, and enhancements, also known as errata.

Errata notifications are controlled based on your method of subscription management.

Report a new vulnerability

Suspected security vulnerabilities in a Red Hat product or service should be sent to secalert@redhat.com.

Your correspondence with us will be kept in the strictest confidence.

Report a new Information Security incident

Incident reports should be sent to infosec@redhat.com.

Your correspondence with us will be kept in the strictest confidence.

Red Hat Insights

Give your business the ability to predict and prevent problems before they occur
