RLSA-2026:19137

Synopsis

Important: go-fdo-server security update

Description

This package provides a server-side implementation of the FIDO Device Onboard (FDO) specification, written in Go. FDO is an open standard for the late binding of device credentials, allowing for automated and secure on-boarding of devices when they are first powered on in their final location.

Security Fix(es):

* github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability (CVE-2026-33816)

* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected products

Rocky Linux 10 aarch64 Rocky Linux 10 ppc64le Rocky Linux 10 riscv64 Rocky Linux 10 s390x Rocky Linux 10 x86_64

Fixes

2456338 2455972

CVEs

CVE-2026-32283 CVE-2026-33816

Affected packages

Rocky Linux 10 x86_64 - AppStream

go-fdo-server-debugsource-0:1.0.1-1.el10_2.x86_64.rpm go-fdo-server-rendezvous-0:1.0.1-1.el10_2.noarch.rpm go-fdo-server-0:1.0.1-1.el10_2.src.rpm go-fdo-server-0:1.0.1-1.el10_2.x86_64.rpm go-fdo-server-debuginfo-0:1.0.1-1.el10_2.x86_64.rpm go-fdo-server-owner-0:1.0.1-1.el10_2.noarch.rpm go-fdo-server-manufacturer-0:1.0.1-1.el10_2.noarch.rpm

Rocky Linux 10 aarch64 - AppStream

go-fdo-server-debugsource-0:1.0.1-1.el10_2.aarch64.rpm go-fdo-server-rendezvous-0:1.0.1-1.el10_2.noarch.rpm go-fdo-server-0:1.0.1-1.el10_2.src.rpm go-fdo-server-owner-0:1.0.1-1.el10_2.noarch.rpm go-fdo-server-manufacturer-0:1.0.1-1.el10_2.noarch.rpm go-fdo-server-0:1.0.1-1.el10_2.aarch64.rpm go-fdo-server-debuginfo-0:1.0.1-1.el10_2.aarch64.rpm

Rocky Linux 10 ppc64le - AppStream

go-fdo-server-0:1.0.1-1.el10_2.src.rpm

Rocky Linux 10 riscv64 - AppStream

go-fdo-server-0:1.0.1-1.el10_2.src.rpm

Rocky Linux 10 s390x - AppStream

go-fdo-server-0:1.0.1-1.el10_2.src.rpm