ALSA-2026:3753

[ALSA-2026:3753] Important: osbuild-composer security update

Type:

security

Severity:

important

Release date:

2026-03-10

Description:

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.  

Security Fix(es):  

  * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
  * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
  * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
  * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	osbuild-composer-149-4.el9_7.alma.3.aarch64.rpm	1273fa7ceec8d4a310684a2c91767187e6d4a29e88ea95b90d53a6f118e7ff04
aarch64	osbuild-composer-worker-149-4.el9_7.alma.3.aarch64.rpm	5a2aa79b5b800642ac6598f100ba6d6d313b786ecb59777e6160a6f307fec8da
aarch64	osbuild-composer-core-149-4.el9_7.alma.3.aarch64.rpm	ffcde276a2493bba40b4070618fb2063af57fc0113ec75c583589c2fae5cfeb9
ppc64le	osbuild-composer-149-4.el9_7.alma.3.ppc64le.rpm	6fde8c5af94156486c96019a0cf5b713c2cb82582b89fd1346930b794d3e0092
ppc64le	osbuild-composer-core-149-4.el9_7.alma.3.ppc64le.rpm	7d37d76bb3b7c7de9f7eff594188d93ba8baa318f51a5776c5545d06612c7a6b
ppc64le	osbuild-composer-worker-149-4.el9_7.alma.3.ppc64le.rpm	dc9c3929f2ae4580b6e1644a6be9ebe92f50879e97d9c6c9f182041319ec5e1c
s390x	osbuild-composer-core-149-4.el9_7.alma.3.s390x.rpm	1f74b65aa27e8c063d1d2897f7da8e4d3679da0ead50e5b02671487fda1ecd95
s390x	osbuild-composer-149-4.el9_7.alma.3.s390x.rpm	3359e17ad152b4efaacc4d48878b2a55915358c05cacfd2fd38581f40040e4ae
s390x	osbuild-composer-worker-149-4.el9_7.alma.3.s390x.rpm	8382194e0a3b3d01d53ff164ccd31c2c314a732d3470941de50a9e3d303776a5
x86_64	osbuild-composer-worker-149-4.el9_7.alma.3.x86_64.rpm	1cb1363561049faac16aa9b61cc3dfc15b99d682f0149c65c13b79f8aafba211
x86_64	osbuild-composer-149-4.el9_7.alma.3.x86_64.rpm	9bf4d0af426120fa74b5f4174ae0bb0f3de6743c55ba91723ac97915670e237d
x86_64	osbuild-composer-core-149-4.el9_7.alma.3.x86_64.rpm	e4af96613ca38e3c81d6b6ed0dbefe4ac6f8c271e80ee85113a4465922613c65

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.