RLSA-2025:20478
Moderate: zziplib security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Moderate
An update is available for zziplib.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
The zziplib is a lightweight library to easily extract data from zip files.
Security Fix(es):
* zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c (CVE-2018-17828)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Rocky Linux 10 Release Notes linked from the References section.
rocky-linux-10-s390x-appstream-rpms
zziplib-0.13.78-2.el10.s390x.rpm
a16e447699c63bd1e671f573cf74bd5efaadc92d7ab7ce1e37589a48e0516da1
zziplib-utils-0.13.78-2.el10.s390x.rpm
b411c09d0c8f90effce78b1a866bd1664608d7a1559c542da819074da557e0cd
RLSA-2025:21002
Important: squid security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for squid.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.
Security Fix(es):
* squid-cache: Squid vulnerable to information disclosure via authentication credential leakage in error handling (CVE-2025-62168)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
squid-6.10-6.el10_1.1.s390x.rpm
78a71c1b593830b588fc629f4e22841cf3a8e9c9337266b13e733b0511f5fb91
RLSA-2025:20994
Important: ipa security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for ipa.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Rocky Enterprise Software Foundation Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.
Security Fix(es):
* FreeIPA: idm: Privilege escalation from host to domain admin in FreeIPA (CVE-2025-7493)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
ipa-client-4.12.2-24.el10_1.1.s390x.rpm
ipa-client-common-4.12.2-24.el10_1.1.noarch.rpm
ipa-client-encrypted-dns-4.12.2-24.el10_1.1.s390x.rpm
ipa-client-epn-4.12.2-24.el10_1.1.s390x.rpm
ipa-client-samba-4.12.2-24.el10_1.1.s390x.rpm
ipa-common-4.12.2-24.el10_1.1.noarch.rpm
ipa-selinux-4.12.2-24.el10_1.1.noarch.rpm
ipa-selinux-luna-4.12.2-24.el10_1.1.noarch.rpm
ipa-selinux-nfast-4.12.2-24.el10_1.1.noarch.rpm
ipa-server-4.12.2-24.el10_1.1.s390x.rpm
ipa-server-common-4.12.2-24.el10_1.1.noarch.rpm
ipa-server-dns-4.12.2-24.el10_1.1.noarch.rpm
ipa-server-encrypted-dns-4.12.2-24.el10_1.1.s390x.rpm
ipa-server-trust-ad-4.12.2-24.el10_1.1.s390x.rpm
python3-ipaclient-4.12.2-24.el10_1.1.noarch.rpm
python3-ipalib-4.12.2-24.el10_1.1.noarch.rpm
python3-ipaserver-4.12.2-24.el10_1.1.noarch.rpm
RLSA-2025:21020
Important: sssd security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for sssd.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources.
Security Fix(es):
* sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems (CVE-2025-11561)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
sssd-idp-2.11.1-2.el10_1.1.s390x.rpm
d5213c4e91b2a2088e03b9fc2cad2c8f0642ed49b2be4fba90f59e91d6499e9f
RLSA-2025:21032
Important: libsoup3 security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for libsoup3.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME applications to access HTTP servers on the network in a completely asynchronous fashion, very similar to the Gtk+ programming model (a synchronous operation mode is also supported for those who want it), but the SOAP parts were removed long ago.
Security Fix(es):
* libsoup: Integer Overflow in Cookie Expiration Date Handling in libsoup (CVE-2025-4945)
* libsoup: Out-of-Bounds Read in Cookie Date Handling of libsoup HTTP Library (CVE-2025-11021)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
libsoup3-3.6.5-3.el10_1.6.s390x.rpm
d27c470f14c64e56306a8a438867ef750a6610f62ddb35464c43f79e7a2ecc77
libsoup3-devel-3.6.5-3.el10_1.6.s390x.rpm
e60bc2ccde55c492299bece3979425d9dd7094ec089accd53833f26771623e18
RLSA-2025:21037
Important: qt6-qtsvg security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for qt6-qtsvg.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Scalable Vector Graphics (SVG) is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices.
Security Fix(es):
* qtsvg: Use-after-free vulnerability in Qt SVG (CVE-2025-10729)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
qt6-qtsvg-6.9.1-2.el10_1.1.s390x.rpm
b45f7e68f81df6c22957d07dddb0725765f50928a0a0d8035646ceee51b120b4
qt6-qtsvg-devel-6.9.1-2.el10_1.1.s390x.rpm
89c8f025ceeb8f43663be6c99b1e39e2d0f8abf0425e0fad9eb5f4cd13a43e6b
RLSA-2025:21034
Important: bind security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for bind.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix(es):
* bind: Cache poisoning attacks with unsolicited RRs (CVE-2025-40778)
* bind: Cache poisoning due to weak PRNG (CVE-2025-40780)
* bind: Resource exhaustion via malformed DNSKEY handling (CVE-2025-8677)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
bind-9.18.33-10.el10_1.2.s390x.rpm
bind-chroot-9.18.33-10.el10_1.2.s390x.rpm
bind-dnssec-utils-9.18.33-10.el10_1.2.s390x.rpm
bind-libs-9.18.33-10.el10_1.2.s390x.rpm
bind-license-9.18.33-10.el10_1.2.noarch.rpm
bind-utils-9.18.33-10.el10_1.2.s390x.rpm
RLSA-2025:21038
Important: kea security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for kea.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
DHCP implementation from Internet Systems Consortium, Inc. that features fully functional DHCPv4, DHCPv6 and Dynamic DNS servers. Both DHCP servers fully support server discovery, address assignment, renewal, rebinding and release. The DHCPv6 server supports prefix delegation. Both servers support DNS Update mechanism, using stand-alone DDNS daemon.
Security Fix(es):
* kea: Invalid characters cause assert (CVE-2025-11232)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
kea-doc-3.0.1-2.el10_1.noarch.rpm
2e06ffd8b769f6354fddbed1c50c648c01d8cae0b1f15327c9ece578f5a48525
kea-hooks-3.0.1-2.el10_1.s390x.rpm
74eb4914c437f9ff710086fbbbbaae83330155660a9da964b343de22f5d52715
RLSA-2025:21142
Important: python-kdcproxy security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for python-kdcproxy.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
* python-kdcproxy: Unauthenticated SSRF via Realm-Controlled DNS SRV (CVE-2025-59088)
* python-kdcproxy: Remote DoS via unbounded TCP upstream buffering (CVE-2025-59089)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
python3-kdcproxy-1.0.0-19.el10_1.noarch.rpm
92ae0a11b605fc8a2757c1ea35a49218ca517b019c9804e8a23375aa7aec3b5f
RLSA-2025:21220
Important: podman security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for podman.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.
Security Fix(es):
* runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects (CVE-2025-52881)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
podman-5.6.0-6.el10_1.s390x.rpm
2331dee9f0f237222f658b0aae98a6a6da78c6fd44057a176cbc34da2ed508d0
podman-docker-5.6.0-6.el10_1.noarch.rpm
6db94e38c5be0caccf548d216622fd7c72e5d8298bdcadd0ce06fcb54934dcdf
podman-remote-5.6.0-6.el10_1.s390x.rpm
8516a1f1dc8f802f60ad7590c3c552c9b558a7c981460c8140bbf87e731da581
RLSA-2025:21281
Important: firefox security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for firefox.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
Security Fix(es):
* firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018)
* firefox: Use-after-free in the Audio/Video component (CVE-2025-13014)
* firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016)
* firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019)
* firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020)
* firefox: Race condition in the Graphics component (CVE-2025-13012)
* firefox: Spoofing issue in Firefox (CVE-2025-13015)
* firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013)
* firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
firefox-140.5.0-2.el10_1.s390x.rpm
aba81bc6f8b00ca8505b12f21facdf7b1aafe565e37bddb00ffe6f6757d4ebf8
RLSA-2025:21843
Important: thunderbird security update
Copyright 2025 Rocky Enterprise Software Foundation
Rocky Linux 10.1
1
Important
An update is available for thunderbird.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.
Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
* firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018)
* firefox: Use-after-free in the Audio/Video component (CVE-2025-13014)
* firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016)
* firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019)
* firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020)
* firefox: Race condition in the Graphics component (CVE-2025-13012)
* firefox: Spoofing issue in Firefox (CVE-2025-13015)
* firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013)
* firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
rocky-linux-10-s390x-appstream-rpms
thunderbird-140.5.0-2.el10_1.s390x.rpm
6443ba24fa97052046adfccb8f8dfcbd8cff6aef30b2eb94a3f7130f836e2ded