RLSA-2025:21485 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Moderate

An update is available for java-25-openjdk. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and the OpenJDK 25 Java Software Development Kit. Security Fix(es): * JDK: Enhance Path Factories (CVE-2025-53066) * JDK: Enhance Certificate Handling (CVE-2025-53057) * JDK: Enhance String Handling (CVE-2025-61748) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Note that the OpenJDK 25 package does not yet include FIPS support. This is expected to be reinstated in a future update. rocky-linux-10-x86-64-appstream-rpms java-25-openjdk-25.0.1.0.8-2.el10.x86_64.rpm fef7787b64d8a6ba1e4c1350ae3b3dc8696d98643973c21a9eac3f3bbbfcebd1 java-25-openjdk-demo-25.0.1.0.8-2.el10.x86_64.rpm 271726b9605410756a9d1ae00e239e242c3d26750e753c3484498795ee96aadc java-25-openjdk-devel-25.0.1.0.8-2.el10.x86_64.rpm 01399503bb50925104ca69a35f8c6f29ea51a77c8b26f29433a6edb7671012d5 java-25-openjdk-headless-25.0.1.0.8-2.el10.x86_64.rpm f60d95ada35c8a61460ded1e6d518f3218642d210b91641c45e08b46fa671503 java-25-openjdk-javadoc-25.0.1.0.8-2.el10.x86_64.rpm 702419de9f24f2f3dc47a52b5e09b787d6d5643740a88828ce930f49c12aebf4 java-25-openjdk-javadoc-zip-25.0.1.0.8-2.el10.x86_64.rpm c3bf0890884961f24c78bae0b96bcca7513cf227f04709ca65db4340dac0cca4 java-25-openjdk-jmods-25.0.1.0.8-2.el10.x86_64.rpm aad3009b25a93ee555c5406a4da1c1c6e9eeb9c4a4346b7bcedbdd889c4e4f1f java-25-openjdk-src-25.0.1.0.8-2.el10.x86_64.rpm 95193e537e949096651efdc5961e5af769d280e54aebc56fcb337a7e4da12fa3 java-25-openjdk-static-libs-25.0.1.0.8-2.el10.x86_64.rpm 0039eba06a5877218fd6de3509d1ea7d86b82181bf79be5898f7857dd713b782 RLSA-2025:21691 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for haproxy. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security Fix(es): * haproxy: denial of service vulnerability in HAProxy mjson library (CVE-2025-11230) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms haproxy-3.0.5-4.el10_1.1.x86_64.rpm e77f47567771730ba24a53c27de871b50c4b423cf63af96275f7f75db2431d84 RLSA-2025:21936 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for valkey. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Valkey works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Valkey also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Valkey behave like a cache. You can use Valkey from most programming languages also. Security Fix(es): * redis: Lua library commands may lead to integer overflow and potential RCE (CVE-2025-46817) * Redis: Redis: Authenticated users can execute LUA scripts as a different user (CVE-2025-46818) * Redis: Redis is vulnerable to DoS via specially crafted LUA scripts (CVE-2025-46819) * Redis: Redis Lua Use-After-Free may lead to remote code execution (CVE-2025-49844) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms valkey-8.0.6-2.el10_1.x86_64.rpm 0b4c2ee2c4a3996c703dee42eea75839b25f0954978dc50361b55790abd4b44f valkey-devel-8.0.6-2.el10_1.x86_64.rpm b996ef8149abb585a9fbe571ffeb839d2ba578484fc1dd1d330ad4ae8ccb133f RLSA-2025:21816 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Moderate

An update is available for golang, delve. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

The Go Programming Language. Security Fix(es): * golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms delve-1.25.2-1.el10_1.x86_64.rpm 28162c2aa0f6da1137aafe28c551256f6753577d5e0ba1fceb3f4661b1a76ac4 golang-1.25.3-1.el10_1.x86_64.rpm 2f3f7cdbc35a6b0bb8c5074813284459bb7021f2d25780c0ba020494d2bf9e08 golang-bin-1.25.3-1.el10_1.x86_64.rpm a779a6f243a8ce0e072e0212ae2dd7d85782e4d84136556eb203b80636dd3d68 golang-docs-1.25.3-1.el10_1.noarch.rpm 9e7dbd3039937982d0083ea4030a03960311db7aeb1ae99d25a440a2991a2fa8 golang-misc-1.25.3-1.el10_1.noarch.rpm e6fb8d50f403ed9b6bc1c92db1313138fe48b005ee3b4e36a7572176e99ced2a golang-race-1.25.3-1.el10_1.x86_64.rpm ac0aa2ca77237424a1c2832ce6891b0d440c4a7e4ec0006c77fe9e4569ffa7c4 golang-src-1.25.3-1.el10_1.noarch.rpm fcab9736bf045d0b8c60b64b37f6a5b541dc262e34b835d0d69e0d519e1c7f3f golang-tests-1.25.3-1.el10_1.noarch.rpm ba530d6269e26f0abab9df12cb744896239302378e95e398f111e917ace9c370 go-toolset-1.25.3-1.el10_1.x86_64.rpm b1a4d56304d8fb4a138ebbdcd64dcdf974d460ad9473b43a273888b35d13bcf8 RLSA-2025:20478 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Moderate

An update is available for zziplib. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

The zziplib is a lightweight library to easily extract data from zip files. Security Fix(es): * zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c (CVE-2018-17828) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Rocky Linux 10 Release Notes linked from the References section. rocky-linux-10-x86-64-appstream-rpms zziplib-0.13.78-2.el10.x86_64.rpm 79fa105b4ddcd385d8ce3af8fd2a762ec250e580b618783bb50e562dd5dc22a1 zziplib-utils-0.13.78-2.el10.x86_64.rpm e328dfc41afc9624191cf1b8c97535face15fd83ea8b9e191bb07fe9a0a85c29 RLSA-2025:21002 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for squid. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fix(es): * squid-cache: Squid vulnerable to information disclosure via authentication credential leakage in error handling (CVE-2025-62168) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms squid-6.10-6.el10_1.1.x86_64.rpm 5d58fde7365c0f27102c2da8951388dfad404bbe57565937b463354005d79ad3 RLSA-2025:20994 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for ipa. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Rocky Enterprise Software Foundation Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * FreeIPA: idm: Privilege escalation from host to domain admin in FreeIPA (CVE-2025-7493) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms ipa-client-4.12.2-24.el10_1.1.x86_64.rpm 4df4c9d900d84bc20229cdeb7e6cacbda2bc48501f5aaaffbb9c2841a69feb63 ipa-client-common-4.12.2-24.el10_1.1.noarch.rpm 1ed48f9ea27e3d51c6938f8e04aa918e384c4163a7cfb53d1b4afa22cf261bd1 ipa-client-encrypted-dns-4.12.2-24.el10_1.1.x86_64.rpm b63a3e8fc7adaa5c5ccad6fb972bb1d4d7c980ad202c736dd5c56b2252c3442c ipa-client-epn-4.12.2-24.el10_1.1.x86_64.rpm 50922b9b91c3609452a312144f5c26e0f55d6ba2967b8a90b75d55cbe363fe4f ipa-client-samba-4.12.2-24.el10_1.1.x86_64.rpm 8923d269f8998e1503d4ac3a9982c3941c8d5a6477bf82fe218d2d08e7ee759e ipa-common-4.12.2-24.el10_1.1.noarch.rpm c1b9d1f2220bf3eb358abd8e95f7790745255ec3f3b399abaf7aad2953c0e5eb ipa-selinux-4.12.2-24.el10_1.1.noarch.rpm 75744bb5b01ef62b6915e55785bd42a945b325ddb7f123f0a11777702a42f904 ipa-selinux-luna-4.12.2-24.el10_1.1.noarch.rpm 5093abf0e161cee519dc8d2a71d8ede28a212cab1c0cba7f4681439fe58bbc1a ipa-selinux-nfast-4.12.2-24.el10_1.1.noarch.rpm 47ba228ca00a37cc15ccf6a9c4652a6fca96634201e65eb95a4cb354e38eb33c ipa-server-4.12.2-24.el10_1.1.x86_64.rpm 884ee33548a6a4f2b4782897be7e94d299efcc945b4bfa4e9dfa20eda3e2d59d ipa-server-common-4.12.2-24.el10_1.1.noarch.rpm d51abb9a704469c8fcfc1b2a1b4ddb7c26c16a2435b35a61d62cefb5aeebd594 ipa-server-dns-4.12.2-24.el10_1.1.noarch.rpm 1c1d5b78f31b2f73883906d472f58a8ea5e8a54a3a1bbc3cfc84b44f3f514b8c ipa-server-encrypted-dns-4.12.2-24.el10_1.1.x86_64.rpm ab5b7a3fe55136d99f377f672c90cbcf867043e80546a0dd207550bf11383843 ipa-server-trust-ad-4.12.2-24.el10_1.1.x86_64.rpm 2f3eb3f475d63c146f00fcfb685c3683bfb44d7a89882512cf92cef09c432214 python3-ipaclient-4.12.2-24.el10_1.1.noarch.rpm fb3029b088891bad80443ccc23f16928d47e9ed109d7081e2bcb4ef7f6bee08d python3-ipalib-4.12.2-24.el10_1.1.noarch.rpm d0443950c78b0bd4142c09462e1f2bcacabd02835e3afb176e71bd02b62ad86b python3-ipaserver-4.12.2-24.el10_1.1.noarch.rpm 0bd398d681243e4de7c442df874a15304a0cf695e5736b5040399a851b644bf4 RLSA-2025:21032 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for libsoup3. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME applications to access HTTP servers on the network in a completely asynchronous fashion, very similar to the Gtk+ programming model (a synchronous operation mode is also supported for those who want it), but the SOAP parts were removed long ago. Security Fix(es): * libsoup: Integer Overflow in Cookie Expiration Date Handling in libsoup (CVE-2025-4945) * libsoup: Out-of-Bounds Read in Cookie Date Handling of libsoup HTTP Library (CVE-2025-11021) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms libsoup3-3.6.5-3.el10_1.6.x86_64.rpm 9c45387d49258f8098c567ac2587405764f8246fd3ffbb382c9b67d722965795 libsoup3-devel-3.6.5-3.el10_1.6.x86_64.rpm 8eee3b5a4e945cef76f63de2cd7f41eebe8e16216b492e0a616abf7bf332a8f3 RLSA-2025:21037 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for qt6-qtsvg. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Scalable Vector Graphics (SVG) is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices. Security Fix(es): * qtsvg: Use-after-free vulnerability in Qt SVG (CVE-2025-10729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms qt6-qtsvg-6.9.1-2.el10_1.1.x86_64.rpm e10889240f77e91991a6eaba599dacb050ccd9a3de4f0cb2215baeaf8d344a00 qt6-qtsvg-devel-6.9.1-2.el10_1.1.x86_64.rpm 08645db2f57ba12b2cdeff0780db0fb6946cf6078246357366fa29760f883bfb RLSA-2025:21034 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for bind. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Cache poisoning attacks with unsolicited RRs (CVE-2025-40778) * bind: Cache poisoning due to weak PRNG (CVE-2025-40780) * bind: Resource exhaustion via malformed DNSKEY handling (CVE-2025-8677) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms bind-9.18.33-10.el10_1.2.x86_64.rpm 80cd62e71c915db9f358a0a0a1738dba34f502e66cf5dc4e751c32d25d02f383 bind-chroot-9.18.33-10.el10_1.2.x86_64.rpm e45d5e7c370405a143aaf6b527247132eec86501976603327a52cfbabce0277c bind-dnssec-utils-9.18.33-10.el10_1.2.x86_64.rpm b204e08f20804c5db18e13e2847575ea171eaaa3e4377a42c611108a8edb3149 bind-libs-9.18.33-10.el10_1.2.x86_64.rpm 05907e050ac0fb48a01b75ad8245f185cdf339de1385e1178efbfac4719327e3 bind-license-9.18.33-10.el10_1.2.noarch.rpm 2c9c63219d146ae32dc4bc03c04bf15a22ceef7fa40fdd33bd8865eac1c33a16 bind-utils-9.18.33-10.el10_1.2.x86_64.rpm 08234432b4469be6a4144afff4fdeae136bb9cf7cb15fdc1e42a0eab54283926 RLSA-2025:21142 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for python-kdcproxy. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python-kdcproxy: Unauthenticated SSRF via Realm?Controlled DNS SRV (CVE-2025-59088) * python-kdcproxy: Remote DoS via unbounded TCP upstream buffering (CVE-2025-59089) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms python3-kdcproxy-1.0.0-19.el10_1.noarch.rpm 92ae0a11b605fc8a2757c1ea35a49218ca517b019c9804e8a23375aa7aec3b5f RLSA-2025:21220 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for podman. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fix(es): * runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects (CVE-2025-52881) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms podman-5.6.0-6.el10_1.x86_64.rpm d8c7e66b25c9dd4b11a21c53de29b67528ce39d489e1cd97d146d6aafd49c15c podman-docker-5.6.0-6.el10_1.noarch.rpm 6db94e38c5be0caccf548d216622fd7c72e5d8298bdcadd0ce06fcb54934dcdf podman-remote-5.6.0-6.el10_1.x86_64.rpm ab4b7b0766040b375bea3cbd63c5f3e204d0aefe1a9f8ec330837769d8beff83 RLSA-2025:21281 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for firefox. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fix(es): * firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018) * firefox: Use-after-free in the Audio/Video component (CVE-2025-13014) * firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016) * firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019) * firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020) * firefox: Race condition in the Graphics component (CVE-2025-13012) * firefox: Spoofing issue in Firefox (CVE-2025-13015) * firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013) * firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms firefox-140.5.0-2.el10_1.x86_64.rpm dc7f29a72c34b77600be5be5ec8e6c7a5c2a920e4b31f31bcc4f4786da98b92d RLSA-2025:21843 Copyright 2025 Rocky Enterprise Software Foundation Rocky Linux 10.1 1 Important

An update is available for thunderbird. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fix(es): * firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018) * firefox: Use-after-free in the Audio/Video component (CVE-2025-13014) * firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016) * firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019) * firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020) * firefox: Race condition in the Graphics component (CVE-2025-13012) * firefox: Spoofing issue in Firefox (CVE-2025-13015) * firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013) * firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. rocky-linux-10-x86-64-appstream-rpms thunderbird-140.5.0-2.el10_1.x86_64.rpm 5f19ee39d0ed99c592928848823868d617a10a4de259a495033a51df65290ca1