Red Hat Security Advisory: RHTAS 1.3.2 - Red Hat Trusted Artifact Signer Release

CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2025-64756 — glob: glob: Command Injection Vulnerability via Malicious Filenames CVE-2025-66418 — urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66471 — urllib3: urllib3 Streaming API improperly handles highly compressed data CVE-2025-66506 — github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token CVE-2025-66564 — github.com/sigstore/timestamp-authority: Sigstore Timestamp Authority: Denial of Service via excessive OID or Content-Type header parsing CVE-2026-21441 — urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) CVE-2026-22772 — fulcio: Fulcio: Server-Side Request Forgery (SSRF) via unanchored regex in MetaIssuer URL validation CVE-2026-22774 — devalue: devalue: Denial of Service due to excessive resource consumption from untrusted input CVE-2026-22775 — devalue: devalue: Denial of Service due to improper input validation CVE-2026-23745 — node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives CVE-2026-23950 — node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition