RHSA-2025:4669: Important: osbuild-composer security update
First published: Wed May 07 2025(Updated: )
A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.<br>Security Fix(es):<br><li> golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Enterprise Linux 8 | ||
| Red Hat Enterprise Linux Server for IBM z Systems | ||
| Red Hat Enterprise Linux for ARM 64 | ||
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | ||
| redhat/osbuild-composer | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-core | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-core-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-debugsource | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-tests-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-worker | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-worker-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-core | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-core-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-debugsource | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-tests-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-worker | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-worker-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-core | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-core-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-debugsource | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-tests-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-worker | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer-worker-debuginfo | <118.2-1.el9_5 | 118.2-1.el9_5 |
| redhat/osbuild-composer | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-core | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-core-debuginfo | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-debuginfo | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-debugsource | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-tests-debuginfo | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-worker | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
| redhat/osbuild-composer-worker-debuginfo | <118.2-1.el9_5.aa | 118.2-1.el9_5.aa |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of RHSA-2025:4669?
The severity of RHSA-2025:4669 is categorized as important.
How do I fix RHSA-2025:4669?
To fix RHSA-2025:4669, you need to update the affected packages to version 118.2-1.el9_5.
Which packages are affected by RHSA-2025:4669?
RHSA-2025:4669 affects multiple packages including osbuild-composer, osbuild-composer-core, and their respective debuginfo packages.
Is RHSA-2025:4669 applicable to all Red Hat Enterprise Linux versions?
RHSA-2025:4669 applies to specific versions of Red Hat Enterprise Linux, including versions for x86_64, IBM z, ARM 64, and Power.
What is osbuild-composer in relation to RHSA-2025:4669?
Osbuild-composer is a service for building customized OS artifacts that is affected by RHSA-2025:4669.
- collector/redhat-errata-latest
- source/Red Hat
- anchor-id/RHSA-2025:4669
- agent/software-canonical-lookup
- agent/severity
- agent/source
- agent/type
- collector/redhat-errata
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/title
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/red hat
- canonical/red hat enterprise linux 8
- canonical/red hat enterprise linux server for ibm z systems
- canonical/red hat enterprise linux for arm 64
- canonical/red hat enterprise linux for power, little endian - extended update support
- package-manager/redhat