1. HYCU Support
  2. Security Advisories
  3. Security Updates

HYCU 5.2.1-1025 security updates

Updated

Latest R-Cloud Hybrid Cloud edition download

HYCU version 5.2.1

This release contains fixes for the following vulnerabilities:

  • RHBA-2026:0860:
    • CVE-2025-22247: open-vm-tools: Insecure file handling
  • RHSA-2025:13315:
    • CVE-2025-7345: gdk‑pixbuf: Heap‑buffer‑overflow in gdk‑pixbuf
  • RHSA-2025:14135:
    • CVE-2025-5914: libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c
  • RHSA-2025:14553:
    • CVE-2023-49083: python-cryptography: NULL-dereference when loading PKCS7 certificates
  • RHSA-2025:14557:
    • CVE-2025-6020: linux-pam: Linux-pam directory Traversal
    • CVE-2025-8941: linux-pam: Incomplete fix for CVE-2025-6020
  • RHSA-2025:14560:
    • CVE-2025-8194: cpython: Cpython infinite loop when parsing a tarfile
  • RHSA-2025:15017:
    • CVE-2025-8067: udisks: Out-of-bounds read in UDisks Daemon
  • RHSA-2025:15022:
    • CVE-2025-4207: postgresql: PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation
    • CVE-2025-8714: postgresql: PostgreSQL code execution in restore operation
    • CVE-2025-8715: postgresql: PostgreSQL executes arbitrary code in restore operation
  • RHSA-2025:15702:
    • CVE-2025-58060: cups: Authentication Bypass in CUPS Authorization Handling
  • RHSA-2025:16823:
    • CVE-2025-26465: openssh: Machine-in-the-middle attack if VerifyHostKeyDNS is enabled
  • RHSA-2025:17415:
    • CVE-2025-6395: gnutls: NULL pointer dereference in _gnutls_figure_common_ciphersuite()
    • CVE-2025-32988: gnutls: Vulnerability in GnuTLS otherName SAN export
    • CVE-2025-32990: gnutls: Vulnerability in GnuTLS certtool template parsing
  • RHSA-2025:17509:
    • CVE-2025-41244: open-vm-tools: Local privilege escalation in open-vm-tools
  • RHSA-2025:17715:
    • CVE-2025-53905: vim: Vim path traversial
    • CVE-2025-53906: vim: Vim path traversal
  • RHSA-2025:18286:
    • CVE-2025-5318: libssh: out-of-bounds read in sftp_handle()
  • RHSA-2025:18815:
    • CVE-2025-53057: openjdk: Enhance certificate handling (Oracle CPU 2025-10)
    • CVE-2025-53066: openjdk: Enhance Path Factories (Oracle CPU 2025-10)
  • RHSA-2025:19276:
    • CVE-2025-9900: libtiff: Libtiff Write-What-Where
  • RHSA-2025:19610:
    • CVE-2025-11561: sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems
  • RHSA-2025:19714:
    • CVE-2025-4945: libsoup: Integer Overflow in Cookie Expiration Date Handling in libsoup
    • CVE-2025-11021: libsoup: Out-of-Bounds Read in Cookie Date Handling of libsoup HTTP Library
  • RHSA-2025:19835:
    • CVE-2025-40778: bind: Cache poisoning attacks with unsolicited RRs
  • RHSA-2025:20034:
    • CVE-2025-8176: libtiff: LibTIFF Use-After-Free Vulnerability
  • RHSA-2025:21776:
    • CVE-2013-0340: expat: internal entity expansion
    • CVE-2022-23990: expat: integer overflow in the doProlog function
    • CVE-2024-28757: expat: XML Entity Expansion
    • CVE-2025-59375: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing
  • RHSA-2025:21977:
    • CVE-2025-5372: libssh: Incorrect Return Code Handling in ssh_kdf() in libssh
  • RHSA-2025:22063:
    • CVE-2025-58364: cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
  • RHSA-2025:23383:
    • CVE-2025-9086: curl: libcurl: Curl out of bounds read for cookie path
  • RHSA-2025:23481:
    • CVE-2025-61984: openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand
    • CVE-2025-61985: openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
  • RHSA-2026:0241:
    • CVE-2025-64720: libpng: LIBPNG buffer overflow
    • CVE-2025-65018: libpng: LIBPNG heap buffer overflow
    • CVE-2025-66293: libpng: LIBPNG out-of-bounds read in png_image_read_composite
  • RHSA-2026:0421:
    • CVE-2025-14523: libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)
  • RHSA-2026:0524:
    • CVE-2025-12817: postgresql: CREATE STATISTICS does not check for schema CREATE privilege
    • CVE-2025-12818: postgresql: libpq: libpq undersizes allocations, via integer wraparound
  • RHSA-2026:0596:
    • CVE-2025-58436: cups: Slow client communication leads to a possible DoS attack
    • CVE-2025-61915: CUPS: Local denial-of-service via cupsd.conf update and related issues
  • RHSA-2026:0728:
    • CVE-2025-68973: GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write
  • RHSA-2026:0932:
    • CVE-2025-64720: libpng: LIBPNG buffer overflow
    • CVE-2025-65018: libpng: LIBPNG heap buffer overflow
    • CVE-2026-21925: openjdk: Improve JMX connections (Oracle CPU 2026-01)
    • CVE-2026-21933: openjdk: Improve HttpServer Request handling (Oracle CPU 2026-01)
    • CVE-2026-21945: openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)
  • RHSA-2026:0991:
    • CVE-2025-13601: glib: Integer overflow in in g_escape_uri_string()
  • RHSA-2026:1254:
    • CVE-2025-66418: urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
    • CVE-2025-66471: urllib3: urllib3 Streaming API improperly handles highly compressed data
    • CVE-2026-21441: urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
  • RHSA-2026:1592:
    • CVE-2025-54349: iperf3: iperf Heap Buffer Overflow
  • RHSA-2026:1631:
    • CVE-2025-12084: cpython: python: cpython: Quadratic algorithm in xml.dom.minidom leads to denial of service
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more