INFSA-2025:7147: rpm-ostree security update
Information about definition
Identifier: INFSA-2025:7147
Type: security
Release date: 2025-06-10 11:41:57 UTC
Information about package
The rpm-ostree tool binds together the RPM packaging model with the OSTree model of bootable file system trees. It provides commands that can be used both on client systems and on server-side composes. The rpm-ostree-client package provides commands for client systems to perform upgrades and rollbacks.
Vulnerabilities description
- CVE-2025-24898
A flaw was found in the rust-openssl package. In affected versions, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use-after-free error. This could cause the server to crash or return arbitrary memory contents to the client.
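The following is an added illustration of the signature mistake described above; it is not rust-openssl's code and does not reproduce the exact upstream fix. It uses a constructed, pure-Rust stand-in for a native "select next protocol" call that hands back a raw pointer into the server list, then wraps it twice: once with the returned lifetime bound only to `client` (the flawed shape), and once bound to both arguments, which is one way to let the borrow checker reject callers that drop the server buffer first. The ALPN-style protocol lists are constructed sample data.

```rust
use std::slice;

/// Parse an ALPN-style list: each entry is a one-byte length followed by
/// that many bytes. A zero length or truncated entry ends the list.
fn protocols(buf: &[u8]) -> Vec<&[u8]> {
    let mut out = Vec::new();
    let mut i = 0;
    while i < buf.len() {
        let n = buf[i] as usize;
        let end = i + 1 + n;
        if n == 0 || end > buf.len() {
            break;
        }
        out.push(&buf[i + 1..end]);
        i = end;
    }
    out
}

/// Constructed stand-in for the native selector a binding wraps (not
/// OpenSSL's code): walk the server list in preference order and return a
/// raw pointer/length into the SERVER buffer for the first protocol the
/// client also offers. Because the result is a pointer, not a borrow,
/// nothing forces the safe wrapper to choose the right lifetime.
fn raw_select(server: &[u8], client: &[u8]) -> Option<(*const u8, usize)> {
    let client_list = protocols(client);
    protocols(server)
        .into_iter()
        .find(|s| client_list.contains(s))
        .map(|s| (s.as_ptr(), s.len()))
}

/// Flawed shape: the returned slice is tied to `client`'s lifetime even
/// though it points into `server`. A caller that drops `server` while still
/// holding the result compiles fine and reads freed memory.
pub fn select_next_proto_flawed<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
    // SAFETY: the pointer lies inside `server`, which is only guaranteed
    // alive for this call; attaching `'a` to it is the bug being modeled.
    unsafe { raw_select(server, client).map(|(p, n)| slice::from_raw_parts(p, n)) }
}

/// Corrected shape: the result borrows both buffers, so `server` cannot be
/// dropped before the returned slice is.
pub fn select_next_proto_fixed<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    // SAFETY: the pointer lies inside `server`, which outlives `'a`.
    unsafe { raw_select(server, client).map(|(p, n)| slice::from_raw_parts(p, n)) }
}

/// True if `sub` lies entirely inside `buf`'s memory range.
pub fn points_into(sub: &[u8], buf: &[u8]) -> bool {
    let start = buf.as_ptr() as usize;
    let end = start + buf.len();
    let p = sub.as_ptr() as usize;
    p >= start && p + sub.len() <= end
}

// Constructed sample lists: the server prefers h2, the client offers
// http/1.1 first and h2 second.
pub const SERVER: &[u8] = b"\x02h2\x08http/1.1";
pub const CLIENT: &[u8] = b"\x08http/1.1\x02h2";

fn main() {
    let chosen = select_next_proto_fixed(SERVER, CLIENT).unwrap();
    println!("selected {:?}", std::str::from_utf8(chosen).unwrap());
    println!("result lives in the server buffer: {}", points_into(chosen, SERVER));
    // The misuse the flawed signature accepts, kept as a comment because
    // executing it is undefined behaviour:
    //   let dangling = { let s = SERVER.to_vec(); select_next_proto_flawed(&s, CLIENT) };
    // Swapping in `select_next_proto_fixed` makes rustc reject the same code
    // with "error[E0597]: `s` does not live long enough".
}
```

The pointer check in `points_into` is the practical part: the selected protocol comes out of the server list, so any wrapper whose return lifetime ignores the server argument is unsound no matter which client buffer it is tied to. The flaw is only reachable by application code that calls the selector itself, typically from an ALPN selection callback.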
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0
---|---|---|---
NIST — CVE-2025-24898 | no information | 4.8 | no information
Updated packages