ALSA-2026:3752

[ALSA-2026:3752] Important: osbuild-composer security update

Type:

security

Severity:

important

Release date:

2026-03-11

Description:

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.  

Security Fix(es):  

  * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
  * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
  * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
  * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	osbuild-composer-149-5.el10_1.alma.3.aarch64.rpm	3319d7c5386075a9ae17465f222033e533e25e2bb4dc8c0cfa55df09c5431d15
aarch64	osbuild-composer-core-149-5.el10_1.alma.3.aarch64.rpm	8fe5e654c2464234a230638b14e61dc03d8fdf54a2364d1df73348c3ec615bc1
aarch64	osbuild-composer-worker-149-5.el10_1.alma.3.aarch64.rpm	9d742e1cfca27500d2c1843a3234e410209e3167329e3a453700f8e3cd1e24b6
ppc64le	osbuild-composer-core-149-5.el10_1.alma.3.ppc64le.rpm	633a36fd6f7c4cb17c26625e1cf8cf73c3d7b5d5307db8f1e7a3454853d13549
ppc64le	osbuild-composer-worker-149-5.el10_1.alma.3.ppc64le.rpm	7b076fef3a351617a2ead0ab15cbda18e48864383eda40abbd3ee44ae9eab19a
ppc64le	osbuild-composer-149-5.el10_1.alma.3.ppc64le.rpm	fe7c7cef3d2e57394fbf2b0a543d57d1b2888c39883684fa1a7ef76f1c148b77
s390x	osbuild-composer-worker-149-5.el10_1.alma.3.s390x.rpm	623b5a2b72439a6b358fb74fe134264f18e192f061f6e53c88a537a8f6d9ba45
s390x	osbuild-composer-149-5.el10_1.alma.3.s390x.rpm	88fa4639e1c784a37b228a978e80c5e1b18b2d516ab6e32759be70b9f39603f1
s390x	osbuild-composer-core-149-5.el10_1.alma.3.s390x.rpm	9bd5d82b3c3edc8267b79231afb84f75ae41c9a716c718f51a1b722868dbb7a9
x86_64	osbuild-composer-core-149-5.el10_1.alma.3.x86_64.rpm	027d5078d3459f05ea3a0efbc211468b74f7f1fadbc0081ef4204b66f55b62e5
x86_64	osbuild-composer-worker-149-5.el10_1.alma.3.x86_64.rpm	801a8ffc6709d106b62483ac9c16e5a3295d0b6b47d42d0f3f851d28ad8908cb
x86_64	osbuild-composer-149-5.el10_1.alma.3.x86_64.rpm	93a028b843dd107f766a2d7c5d273c21968d953f0c97b3a47ac316d7f223767d
x86_64_v2	osbuild-composer-149-5.el10_1.alma.3.x86_64_v2.rpm	073eb90a05cecdf04e8f1daed8e4e7a1045207fc5b97a70ed4113ef6603adb0b
x86_64_v2	osbuild-composer-core-149-5.el10_1.alma.3.x86_64_v2.rpm	1ece7662100018b7df03488b40bb37220b3b6c4622ab6f36024810ac72dd1cd5
x86_64_v2	osbuild-composer-worker-149-5.el10_1.alma.3.x86_64_v2.rpm	6c53457c733755eaa5262fb9582b2c4207e78f7cd4512344c82c42e6e04d82ba

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.