OESA-2026-2944

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2944
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2944.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2944
Upstream
Published
2026-07-09T12:53:47Z
Modified
2026-07-14T08:15:10.972658801Z
Summary
rpm-ostree security update
Details

rpm-ostree is a hybrid image/package system. It supports "composing" packages on a build server into an OSTree repository, which can then be replicated by client systems with atomic upgrades. Additionally, unlike many "pure" image systems, with rpm-ostree each client system can layer on additional packages, providing a "best of both worlds" approach.

Security Fix(es):

The openssl crate before 0.10.55 for Rust allows an out-of-bounds read via an empty string to X509VerifyParamRef::set_host.(CVE-2023-53159)

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.(CVE-2024-12224)

A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.(CVE-2025-3416)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / rpm-ostree

Package

Name
rpm-ostree
Purl
pkg:rpm/openEuler/rpm-ostree&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2022.16-11.oe2203sp4

Ecosystem specific

{
    "noarch": [
        "rpm-ostree-help-2022.16-11.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "rpm-ostree-2022.16-11.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "rpm-ostree-2022.16-11.oe2203sp4.x86_64.rpm",
        "rpm-ostree-debuginfo-2022.16-11.oe2203sp4.x86_64.rpm",
        "rpm-ostree-debugsource-2022.16-11.oe2203sp4.x86_64.rpm",
        "rpm-ostree-devel-2022.16-11.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "rpm-ostree-2022.16-11.oe2203sp4.aarch64.rpm",
        "rpm-ostree-debuginfo-2022.16-11.oe2203sp4.aarch64.rpm",
        "rpm-ostree-debugsource-2022.16-11.oe2203sp4.aarch64.rpm",
        "rpm-ostree-devel-2022.16-11.oe2203sp4.aarch64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2944.json"