Rocky Linux 10.1 security advisories

Copyright 2025 Rocky Enterprise Software Foundation

Every advisory below affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section of each advisory. Package lists give the RPM file name followed by its SHA-256 checksum; all packages are in the rocky-linux-10-x86-64-appstream-rpms repository.


RLSA-2025:20478 Moderate: zziplib security update
Severity: Moderate

An update is available for zziplib. zziplib is a lightweight library for easily extracting data from zip files.

Security Fix(es):
* zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c (CVE-2018-17828)

Additional Changes: For detailed information on changes in this release, see the Rocky Linux 10 Release Notes linked from the References section.

Packages:
zziplib-0.13.78-2.el10.x86_64.rpm  79fa105b4ddcd385d8ce3af8fd2a762ec250e580b618783bb50e562dd5dc22a1
zziplib-utils-0.13.78-2.el10.x86_64.rpm  e328dfc41afc9624191cf1b8c97535face15fd83ea8b9e191bb07fe9a0a85c29


RLSA-2025:21002 Important: squid security update
Severity: Important

An update is available for squid. Squid is a high-performance proxy caching server for web clients, supporting FTP and HTTP data objects.

Security Fix(es):
* squid-cache: Squid vulnerable to information disclosure via authentication credential leakage in error handling (CVE-2025-62168)

Packages:
squid-6.10-6.el10_1.1.x86_64.rpm  5d58fde7365c0f27102c2da8951388dfad404bbe57565937b463354005d79ad3


RLSA-2025:20994 Important: ipa security update
Severity: Important

An update is available for ipa. Rocky Enterprise Software Foundation Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix(es):
* FreeIPA: idm: Privilege escalation from host to domain admin in FreeIPA (CVE-2025-7493)

Packages:
ipa-client-4.12.2-24.el10_1.1.x86_64.rpm  4df4c9d900d84bc20229cdeb7e6cacbda2bc48501f5aaaffbb9c2841a69feb63
ipa-client-common-4.12.2-24.el10_1.1.noarch.rpm  1ed48f9ea27e3d51c6938f8e04aa918e384c4163a7cfb53d1b4afa22cf261bd1
ipa-client-encrypted-dns-4.12.2-24.el10_1.1.x86_64.rpm  b63a3e8fc7adaa5c5ccad6fb972bb1d4d7c980ad202c736dd5c56b2252c3442c
ipa-client-epn-4.12.2-24.el10_1.1.x86_64.rpm  50922b9b91c3609452a312144f5c26e0f55d6ba2967b8a90b75d55cbe363fe4f
ipa-client-samba-4.12.2-24.el10_1.1.x86_64.rpm  8923d269f8998e1503d4ac3a9982c3941c8d5a6477bf82fe218d2d08e7ee759e
ipa-common-4.12.2-24.el10_1.1.noarch.rpm  c1b9d1f2220bf3eb358abd8e95f7790745255ec3f3b399abaf7aad2953c0e5eb
ipa-selinux-4.12.2-24.el10_1.1.noarch.rpm  75744bb5b01ef62b6915e55785bd42a945b325ddb7f123f0a11777702a42f904
ipa-selinux-luna-4.12.2-24.el10_1.1.noarch.rpm  5093abf0e161cee519dc8d2a71d8ede28a212cab1c0cba7f4681439fe58bbc1a
ipa-selinux-nfast-4.12.2-24.el10_1.1.noarch.rpm  47ba228ca00a37cc15ccf6a9c4652a6fca96634201e65eb95a4cb354e38eb33c
ipa-server-4.12.2-24.el10_1.1.x86_64.rpm  884ee33548a6a4f2b4782897be7e94d299efcc945b4bfa4e9dfa20eda3e2d59d
ipa-server-common-4.12.2-24.el10_1.1.noarch.rpm  d51abb9a704469c8fcfc1b2a1b4ddb7c26c16a2435b35a61d62cefb5aeebd594
ipa-server-dns-4.12.2-24.el10_1.1.noarch.rpm  1c1d5b78f31b2f73883906d472f58a8ea5e8a54a3a1bbc3cfc84b44f3f514b8c
ipa-server-encrypted-dns-4.12.2-24.el10_1.1.x86_64.rpm  ab5b7a3fe55136d99f377f672c90cbcf867043e80546a0dd207550bf11383843
ipa-server-trust-ad-4.12.2-24.el10_1.1.x86_64.rpm  2f3eb3f475d63c146f00fcfb685c3683bfb44d7a89882512cf92cef09c432214
python3-ipaclient-4.12.2-24.el10_1.1.noarch.rpm  fb3029b088891bad80443ccc23f16928d47e9ed109d7081e2bcb4ef7f6bee08d
python3-ipalib-4.12.2-24.el10_1.1.noarch.rpm  d0443950c78b0bd4142c09462e1f2bcacabd02835e3afb176e71bd02b62ad86b
python3-ipaserver-4.12.2-24.el10_1.1.noarch.rpm  0bd398d681243e4de7c442df874a15304a0cf695e5736b5040399a851b644bf4


RLSA-2025:21020 Important: sssd security update
Severity: Important

An update is available for sssd. The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources.

Security Fix(es):
* sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems (CVE-2025-11561)

Packages:
sssd-idp-2.11.1-2.el10_1.1.x86_64.rpm  09d6c2667c360db9d09c7053cc7a0937f5328b7696585bb62e09bc8589e28666


RLSA-2025:21032 Important: libsoup3 security update
Severity: Important

An update is available for libsoup3. Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have since been split into separate packages, and the SOAP parts were removed long ago. libsoup uses the GLib main loop and is designed to work well with GTK applications. This enables GNOME applications to access HTTP servers on the network in a completely asynchronous fashion, very similar to the GTK+ programming model (a synchronous operation mode is also supported for those who want it).

Security Fix(es):
* libsoup: Integer Overflow in Cookie Expiration Date Handling in libsoup (CVE-2025-4945)
* libsoup: Out-of-Bounds Read in Cookie Date Handling of libsoup HTTP Library (CVE-2025-11021)

Packages:
libsoup3-3.6.5-3.el10_1.6.x86_64.rpm  9c45387d49258f8098c567ac2587405764f8246fd3ffbb382c9b67d722965795
libsoup3-devel-3.6.5-3.el10_1.6.x86_64.rpm  8eee3b5a4e945cef76f63de2cd7f41eebe8e16216b492e0a616abf7bf332a8f3


RLSA-2025:21037 Important: qt6-qtsvg security update
Severity: Important

An update is available for qt6-qtsvg. Scalable Vector Graphics (SVG) is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices.

Security Fix(es):
* qtsvg: Use-after-free vulnerability in Qt SVG (CVE-2025-10729)

Packages:
qt6-qtsvg-6.9.1-2.el10_1.1.x86_64.rpm  e10889240f77e91991a6eaba599dacb050ccd9a3de4f0cb2215baeaf8d344a00
qt6-qtsvg-devel-6.9.1-2.el10_1.1.x86_64.rpm  08645db2f57ba12b2cdeff0780db0fb6946cf6078246357366fa29760f883bfb


RLSA-2025:21034 Important: bind security update
Severity: Important

An update is available for bind. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):
* bind: Cache poisoning attacks with unsolicited RRs (CVE-2025-40778)
* bind: Cache poisoning due to weak PRNG (CVE-2025-40780)
* bind: Resource exhaustion via malformed DNSKEY handling (CVE-2025-8677)

Packages:
bind-9.18.33-10.el10_1.2.x86_64.rpm  80cd62e71c915db9f358a0a0a1738dba34f502e66cf5dc4e751c32d25d02f383
bind-chroot-9.18.33-10.el10_1.2.x86_64.rpm  e45d5e7c370405a143aaf6b527247132eec86501976603327a52cfbabce0277c
bind-dnssec-utils-9.18.33-10.el10_1.2.x86_64.rpm  b204e08f20804c5db18e13e2847575ea171eaaa3e4377a42c611108a8edb3149
bind-libs-9.18.33-10.el10_1.2.x86_64.rpm  05907e050ac0fb48a01b75ad8245f185cdf339de1385e1178efbfac4719327e3
bind-license-9.18.33-10.el10_1.2.noarch.rpm  2c9c63219d146ae32dc4bc03c04bf15a22ceef7fa40fdd33bd8865eac1c33a16
bind-utils-9.18.33-10.el10_1.2.x86_64.rpm  08234432b4469be6a4144afff4fdeae136bb9cf7cb15fdc1e42a0eab54283926


RLSA-2025:21038 Important: kea security update
Severity: Important

An update is available for kea. Kea is a DHCP implementation from Internet Systems Consortium, Inc. that features fully functional DHCPv4, DHCPv6 and Dynamic DNS servers. Both DHCP servers fully support server discovery, address assignment, renewal, rebinding and release. The DHCPv6 server supports prefix delegation. Both servers support the DNS Update mechanism, using a stand-alone DDNS daemon.

Security Fix(es):
* kea: Invalid characters cause assert (CVE-2025-11232)

Packages:
kea-doc-3.0.1-2.el10_1.noarch.rpm  2e06ffd8b769f6354fddbed1c50c648c01d8cae0b1f15327c9ece578f5a48525
kea-hooks-3.0.1-2.el10_1.x86_64.rpm  f351da28c0c2194629bc504ca433c422d280685ec9631537ecb1fcb9c926976f


RLSA-2025:21142 Important: python-kdcproxy security update
Severity: Important

An update is available for python-kdcproxy. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):
* python-kdcproxy: Unauthenticated SSRF via Realm-Controlled DNS SRV (CVE-2025-59088)
* python-kdcproxy: Remote DoS via unbounded TCP upstream buffering (CVE-2025-59089)

Packages:
python3-kdcproxy-1.0.0-19.el10_1.noarch.rpm  92ae0a11b605fc8a2757c1ea35a49218ca517b019c9804e8a23375aa7aec3b5f


RLSA-2025:21220 Important: podman security update
Severity: Important

An update is available for podman. The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept in Kubernetes.

Security Fix(es):
* runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects (CVE-2025-52881)

Packages:
podman-5.6.0-6.el10_1.x86_64.rpm  d8c7e66b25c9dd4b11a21c53de29b67528ce39d489e1cd97d146d6aafd49c15c
podman-docker-5.6.0-6.el10_1.noarch.rpm  6db94e38c5be0caccf548d216622fd7c72e5d8298bdcadd0ce06fcb54934dcdf
podman-remote-5.6.0-6.el10_1.x86_64.rpm  ab4b7b0766040b375bea3cbd63c5f3e204d0aefe1a9f8ec330837769d8beff83


RLSA-2025:21281 Important: firefox security update
Severity: Important

An update is available for firefox. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):
* firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018)
* firefox: Use-after-free in the Audio/Video component (CVE-2025-13014)
* firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016)
* firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019)
* firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020)
* firefox: Race condition in the Graphics component (CVE-2025-13012)
* firefox: Spoofing issue in Firefox (CVE-2025-13015)
* firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013)
* firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017)

Packages:
firefox-140.5.0-2.el10_1.x86_64.rpm  dc7f29a72c34b77600be5be5ec8e6c7a5c2a920e4b31f31bcc4f4786da98b92d


RLSA-2025:21843 Important: thunderbird security update
Severity: Important

An update is available for thunderbird. Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):
* firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018)
* firefox: Use-after-free in the Audio/Video component (CVE-2025-13014)
* firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016)
* firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019)
* firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020)
* firefox: Race condition in the Graphics component (CVE-2025-13012)
* firefox: Spoofing issue in Firefox (CVE-2025-13015)
* firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013)
* firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017)

Packages:
thunderbird-140.5.0-2.el10_1.x86_64.rpm  5f19ee39d0ed99c592928848823868d617a10a4de259a495033a51df65290ca1