RHSA-2026:7385 | High | CVSS 8.6

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Published: April 10, 2026
Last Modified: June 3, 2026

🔗 CVE IDs covered (37)

📋 Description

- CVE-2025-22873 — os: os: Information disclosure via path traversal using specially crafted filenames
- CVE-2025-47910 — net/http: CrossOriginProtection bypass in net/http
- CVE-2025-47911 — golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html
- CVE-2025-47912 — net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
- CVE-2025-47914 — golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
- CVE-2025-58181 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
- CVE-2025-58183 — golang: archive/tar: Unbounded allocation when parsing GNU sparse map
- CVE-2025-58185 — encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1
- CVE-2025-58186 — golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http
- CVE-2025-58187 — crypto/x509: Quadratic complexity when checking name constraints in crypto/x509
- CVE-2025-58188 — crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509
- CVE-2025-58189 — crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
- CVE-2025-58190 — golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
- CVE-2025-61723 — encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem
- CVE-2025-61724 — net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto
- CVE-2025-61725 — net/mail: Excessive CPU consumption in ParseAddress in net/mail
- CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url
- CVE-2025-61727 — golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
- CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
- CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
- CVE-2025-61730 — crypto/tls: Handshake messages may be processed at the incorrect encryption level in crypto/tls
- CVE-2025-61731 — cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive
- CVE-2025-61732 — cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
- CVE-2025-68119 — cmd/go: cmd/go: Local code execution and arbitrary file write via malicious module version strings
- CVE-2025-68121 — crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
- CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url
- CVE-2026-27139 — os: FileInfo can escape from a Root in golang os module
- CVE-2026-27141 — golang.org/x/net/http2: golang.org/x/net/http2: Denial of Service due to malformed HTTP/2 frames
- CVE-2026-27143 — golang: cmd/compile: possible memory corruption after bound check elimination
- CVE-2026-27144 — golang: cmd/compile: no-op interface conversion bypasses overlap checking
- CVE-2026-32281 — crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
- CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
- CVE-2026-32283 — crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
- CVE-2026-32288 — archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive
- CVE-2026-32289 — html/template: golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals
- CVE-2026-33809 — golang: golang.org/x/image/tiff: golang.org/x/image/tiff: Denial of Service via maliciously crafted TIFF file
- CVE-2026-33813 — golang.org/x/image: golang: golang.org/x/image: Denial of Service via malformed WEBP image parsing

🔗 References (42)