ALSA-2026:3839

[ALSA-2026:3839] Important: image-builder security update

Type:

security

Severity:

important

Release date:

2026-05-05

Description:

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.  

Security Fix(es):  

  * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
  * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
  * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	image-builder-31-3.el9_7.aarch64.rpm	4f21840d850bc5196a1d38cb83ccbce08ed30d86a4f680c06b17a4d40170cee7
ppc64le	image-builder-31-3.el9_7.ppc64le.rpm	8cc97532131e62963ff4d414459acb9c7a235308c310c26a2b44c68f594c69e1
s390x	image-builder-31-3.el9_7.s390x.rpm	3a8782458c1d9d7eaad13d8b30330ef098154c9c5262f986b697917a7d124a51
x86_64	image-builder-31-3.el9_7.x86_64.rpm	0fe0404404b147514402ad4bbd679281d271985eea37ac3a0516bf0b087789a1

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.