{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "rebuild with newer golang 1.25.7-1.el9_6.tuxcare.els5 to fix the following CVEs\n - CVE-2026-32280: fix denial-of-service in crypto/x509 certificate chain\n building with a large number of intermediate certificates\n - CVE-2026-32282: fix TOCTOU symlink race in os.Root.Chmod on Linux\n - CVE-2026-32283: fix TLS 1.3 connection deadlock when multiple key update\n messages arrive in a single record\n- CVE-2026-32286: fix panic on negative DataRow field length in vendored\n jackc/pgproto3\n- CVE-2026-34986: fix panic on JWE decryption with key-wrapping algorithms in\n vendored go-jose", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2026/clsa-2026_1781004077.json" } ], "tracking": { "current_release_date": "2026-06-09T11:28:13Z", "generator": { "date": "2026-06-09T11:28:13Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1781004077", "initial_release_date": "2026-06-09T11:28:13Z", "revision_history": [ { "date": "2026-06-09T11:28:13Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "osbuild-composer: Fix of 5 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.6", "product": { "name": "AlmaLinux 9.6", "product_id": "AlmaLinux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Rocky Linux 9.6", "product": { "name": "Rocky Linux 9.6", "product_id": "Rocky Linux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Rocky Linux" } ], "category": "vendor", "name": "Rocky Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_id": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-core@132.2-3.el9_6.alma.1.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_id": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-tests@132.2-3.el9_6.alma.1.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_id": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-worker@132.2-3.el9_6.alma.1.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_id": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer@132.2-3.el9_6.alma.1.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_id": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer@132.2-3.el9_6.alma.1.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_id": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-tests@132.2-3.el9_6.alma.1.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_id": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-worker@132.2-3.el9_6.alma.1.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_id": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-core@132.2-3.el9_6.alma.1.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_id": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-core@132.2-3.el9_6.alma.1.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_id": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-worker@132.2-3.el9_6.alma.1.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_id": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer-tests@132.2-3.el9_6.alma.1.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_id": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/osbuild-composer@132.2-3.el9_6.alma.1.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" }, "product_reference": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" }, "product_reference": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64" }, "product_reference": "osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-34986", "cwe": { "id": "CWE-131", "name": "Incorrect Calculation of Buffer Size" }, "notes": [ { "category": "description", "text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "known_affected": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-34986" } ], "release_date": "2026-04-06T16:22:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-06-09T11:21:35.138859Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077" }, { "category": "none_available", "date": "2026-04-06T16:22:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-32286", "cwe": { "id": "CWE-1285", "name": "Improper Validation of Specified Index, Position, or Offset in Input" }, "notes": [ { "category": "description", "text": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "known_affected": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-32286" } ], "release_date": "2026-03-26T20:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-06-09T11:21:35.138859Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077" }, { "category": "none_available", "date": "2026-03-26T20:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-32282", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access ('Link Following')" }, "notes": [ { "category": "description", "text": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "known_affected": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-32282" }, { "category": "external", "summary": "https://go.dev/cl/763761", "url": "https://go.dev/cl/763761" }, { "category": "external", "summary": "https://go.dev/issue/78293", "url": "https://go.dev/issue/78293" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2026-4864", "url": "https://pkg.go.dev/vuln/GO-2026-4864" } ], "release_date": "2026-04-08T02:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-06-09T11:21:35.138859Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077" }, { "category": "none_available", "date": "2026-04-08T02:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-32280", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "category": "description", "text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "known_affected": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-32280" } ], "release_date": "2026-04-08T01:06:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-06-09T11:21:35.138859Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077" }, { "category": "none_available", "date": "2026-04-08T01:06:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-32283", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "category": "description", "text": "If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "known_affected": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-32283" }, { "category": "external", "summary": "https://go.dev/cl/763767", "url": "https://go.dev/cl/763767" }, { "category": "external", "summary": "https://go.dev/issue/78334", "url": "https://go.dev/issue/78334" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2026-4870", "url": "https://pkg.go.dev/vuln/GO-2026-4870" } ], "release_date": "2026-04-08T02:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-06-09T11:21:35.138859Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781004077" }, { "category": "none_available", "date": "2026-04-08T02:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els1.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els2.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-core-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-tests-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64", "Rocky Linux-9.6:osbuild-composer-worker-0:132.2-3.el9_6.alma.1.tuxcare.els3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] } ] }