rpm-ostree is a hybrid image/package system. It supports "composing" packages on a build server into an OSTree repository, which can then be replicated by client systems with atomic upgrades. Additionally, unlike many "pure" image systems, with rpm-ostree each client system can layer on additional packages, providing a "best of both worlds" approach.
Security Fix(es):
The openssl crate before 0.10.55 for Rust allows an out-of-bounds read via an empty string to X509VerifyParamRef::set_host.(CVE-2023-53159)
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.(CVE-2024-12224)
A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.(CVE-2025-3416)
{
"severity": "Critical"
}{
"noarch": [
"rpm-ostree-help-2022.16-11.oe2203sp4.noarch.rpm"
],
"src": [
"rpm-ostree-2022.16-11.oe2203sp4.src.rpm"
],
"x86_64": [
"rpm-ostree-2022.16-11.oe2203sp4.x86_64.rpm",
"rpm-ostree-debuginfo-2022.16-11.oe2203sp4.x86_64.rpm",
"rpm-ostree-debugsource-2022.16-11.oe2203sp4.x86_64.rpm",
"rpm-ostree-devel-2022.16-11.oe2203sp4.x86_64.rpm"
],
"aarch64": [
"rpm-ostree-2022.16-11.oe2203sp4.aarch64.rpm",
"rpm-ostree-debuginfo-2022.16-11.oe2203sp4.aarch64.rpm",
"rpm-ostree-debugsource-2022.16-11.oe2203sp4.aarch64.rpm",
"rpm-ostree-devel-2022.16-11.oe2203sp4.aarch64.rpm"
]
}