rpm package
almalinux/yggdrasil
pkg:rpm/almalinux/yggdrasil
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32283 | High | 7.5 | — | < 0.4.8-5.el10_1 | 0.4.8-5.el10_1 | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. |
| CVE-2026-32282 | Medium | 6.4 | — | < 0.4.8-5.el10_1 | 0.4.8-5.el10_1 | Apr 8, 2026 | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R |
| CVE-2026-25679 | High | 7.5 | — | < 0.4.8-4.el10_1 | 0.4.8-4.el10_1 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2025-68121 | Critical | 10.0 | — | < 0.4.8-3.el10_1 | 0.4.8-3.el10_1 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and |
| CVE-2025-61726 | — | — | — | < 0.4.8-3.el10_1 | 0.4.8-3.el10_1 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la |
| CVE-2025-61729 | — | — | — | < 0.4.8-3.el10_1 | 0.4.8-3.el10_1 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |
| CVE-2025-3931 | High | 7.8 | — | < 0.4.5-3.el10_0 | 0.4.5-3.el10_0 | May 14, 2025 | A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorizat |
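The check a practitioner wants from this table is "which of these CVEs is my installed build still missing the fix for". The Go program below is an added example, not code from this page or from the yggdrasil project: it takes the installed EVR as printed by `rpm -q --qf '%{EVR}\n' yggdrasil`, compares it with each "Fixed in" value using a re-implementation of rpm's version comparison (numeric segments beat alphabetic ones, `~` sorts before everything, `^` sorts after the bare version but before other suffixes, so `10.el10_1` correctly orders after `5.el10_1` rather than lexically), and returns the CVEs whose fix is newer than what is installed. The advisory list is transcribed from the table; the function names and the assumption that a missing epoch is 0 are mine. One caveat: the fixed versions here are for the AlmaLinux 10 (`el10_*`) package stream, so the comparison is only meaningful for that stream; a build from another stream carries a different release tag and must be checked against its own advisory.

```go
package main

import (
	"strconv"
	"strings"
)

// advisory: a CVE from the table above with the first EVR that carries its fix.
type advisory struct{ CVE, FixedIn string }

var yggdrasilAdvisories = []advisory{
	{"CVE-2026-32283", "0.4.8-5.el10_1"},
	{"CVE-2026-32282", "0.4.8-5.el10_1"},
	{"CVE-2026-25679", "0.4.8-4.el10_1"},
	{"CVE-2025-68121", "0.4.8-3.el10_1"},
	{"CVE-2025-61726", "0.4.8-3.el10_1"},
	{"CVE-2025-61729", "0.4.8-3.el10_1"},
	{"CVE-2025-3931", "0.4.5-3.el10_0"},
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }
func isAlnum(c byte) bool { return isDigit(c) || isAlpha(c) }

// rpmvercmp re-implements rpm's comparison of a version or release string:
// digit runs compare numerically and beat letter runs, '~' sorts before
// anything (pre-release), '^' after the bare string but before other suffixes.
func rpmvercmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for i < len(a) && !isAlnum(a[i]) && a[i] != '~' && a[i] != '^' { i++ } // separators
		for j < len(b) && !isAlnum(b[j]) && b[j] != '~' && b[j] != '^' { j++ }
		at, bt := i < len(a) && a[i] == '~', j < len(b) && b[j] == '~'
		if at || bt { // '~' loses to everything, including end of string
			if at && bt { i, j = i+1, j+1; continue }
			if at { return -1 }
			return 1
		}
		ac, bc := i < len(a) && a[i] == '^', j < len(b) && b[j] == '^'
		if ac || bc { // '^' beats end of string but loses to any other suffix
			if ac && bc { i, j = i+1, j+1; continue }
			if (ac && j == len(b)) || (bc && i < len(a)) { return 1 }
			return -1
		}
		if i == len(a) || j == len(b) { break }
		si, sj, numeric := i, j, isDigit(a[i])
		for i < len(a) && isAlnum(a[i]) && isDigit(a[i]) == numeric { i++ }
		for j < len(b) && isAlnum(b[j]) && isDigit(b[j]) == numeric { j++ }
		segA, segB := a[si:i], b[sj:j]
		if segB == "" && numeric { return 1 } // segment types differ: numeric wins
		if segB == "" { return -1 }
		if numeric { // zero-pad to equal width so lexical order is numeric order
			for len(segA) < len(segB) { segA = "0" + segA }
			for len(segB) < len(segA) { segB = "0" + segB }
		}
		if c := strings.Compare(segA, segB); c != 0 { return c }
	}
	switch { // whichever side still has characters left is newer
	case i < len(a): return 1
	case j < len(b): return -1
	}
	return 0
}

// ParseEVR splits "[epoch:]version-release" as rpm prints it; no epoch means 0.
func ParseEVR(evr string) (epoch int, version, release string, err error) {
	if k := strings.Index(evr, ":"); k >= 0 {
		if epoch, err = strconv.Atoi(evr[:k]); err != nil { return 0, "", "", err }
		evr = evr[k+1:]
	}
	if k := strings.LastIndex(evr, "-"); k >= 0 {
		return epoch, evr[:k], evr[k+1:], nil
	}
	return epoch, evr, "", nil
}

// CompareEVR orders two EVRs the way rpm does: epoch, then version, then release.
func CompareEVR(a, b string) (int, error) {
	ea, va, ra, err := ParseEVR(a)
	if err != nil { return 0, err }
	eb, vb, rb, err := ParseEVR(b)
	if err != nil { return 0, err }
	if ea > eb { return 1, nil }
	if ea < eb { return -1, nil }
	if c := rpmvercmp(va, vb); c != 0 { return c, nil }
	return rpmvercmp(ra, rb), nil
}

// UnfixedCVEs lists the table's CVEs whose fix is newer than the installed EVR
// (the output of `rpm -q --qf '%{EVR}\n' yggdrasil`), i.e. those still open.
func UnfixedCVEs(installedEVR string) ([]string, error) {
	var out []string
	for _, adv := range yggdrasilAdvisories {
		c, err := CompareEVR(installedEVR, adv.FixedIn)
		if err != nil { return nil, err }
		if c < 0 { out = append(out, adv.CVE) }
	}
	return out, nil
}
```

For example, `UnfixedCVEs("0.4.8-4.el10_1")` returns the two April 2026 CVEs and nothing else, while `0.4.5-2.el10_0` is short of all seven fixes. Feed it the real EVR from `rpm -q` rather than the version string from `yggdrasil --version`, because the release part (`5.el10_1`) is what distinguishes a patched build from an unpatched one of the same upstream version.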