RLSA-2026:1240

Security

Mirrored from RHSA-2026:1240

Issued at: 2026-02-12

Updated at: 2026-02-12

Synopsis

Important: fence-agents security update

Description

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster.

Security Fix(es):

* urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion (CVE-2025-66418)

* urllib3: urllib3 Streaming API improperly handles highly compressed data (CVE-2025-66471)

* urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) (CVE-2026-21441)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected products

Rocky Linux 8 aarch64

Rocky Linux 8 x86_64

Fixes

2419455

2419467

2427726

CVEs

CVE-2025-66418

CVE-2025-66471

CVE-2026-21441

Affected packages

Rocky Linux 8 x86_64 - AppStream

fence-agents-0:4.2.1-129.el8_10.20.src.rpm

Rocky Linux 8 aarch64 - AppStream

fence-agents-0:4.2.1-129.el8_10.20.src.rpm

Rocky Linux 8 x86_64 - ResilientStorage

fence-agents-aliyun-debuginfo-0:4.2.1-129.el8_10.20.x86_64.rpm

fence-agents-azure-arm-debuginfo-0:4.2.1-129.el8_10.20.x86_64.rpm